Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_INGRESS
	bool "Netfilter ingress support"
	default y
	select NET_INGRESS
	help
	  This allows you to classify packets from ingress using the Netfilter
	  infrastructure.

config NETFILTER_NETLINK
	tristate

config NETFILTER_FAMILY_BRIDGE
	bool

config NETFILTER_FAMILY_ARP
	bool

config NETFILTER_NETLINK_ACCT
	tristate "Netfilter NFACCT over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here. If unsure, say N.

config NF_LOG_COMMON
	tristate

config NF_LOG_NETDEV
	tristate "Netdev packet logging"
	select NF_LOG_COMMON

if NF_CONNTRACK
config NETFILTER_CONNCOUNT
	tristate

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system-wide
	  identity. Connection tracking zones allow multiple connections
	  to use the same identity, as long as they are contained in
	  different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_PROCFS
	bool "Supply CT list in procfs (OBSOLETE)"
	default y
	depends on PROC_FS
	help
	  This option enables the list of known conntrack entries to be
	  shown in procfs under net/netfilter/nf_conntrack. This is
	  considered obsolete in favor of using the conntrack(8) tool,
	  which uses Netlink.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMEOUT
	bool 'Connection tracking timeout'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for the connection tracking timeout
	  extension. This allows you to attach timeout policies to flows
	  via the CT target.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
	bool 'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start time and to obtain
	  the flow stop time (once it has been destroyed) via connection
	  tracking events.

	  If unsure, say `N'.

config NF_CONNTRACK_LABELS
	bool
	help
	  This option enables support for assigning user-defined flag bits
	  to connection tracking entries. It is selected by the connlabel match.

config NF_CT_PROTO_DCCP
	bool 'DCCP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say Y.

config NF_CT_PROTO_GRE
	tristate

config NF_CT_PROTO_SCTP
	bool 'SCTP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	select LIBCRC32C
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If unsure, say Y.

config NF_CT_PROTO_UDPLITE
	bool 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  If unsure, say Y.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and for doing masquerading and other
	  forms of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on IPV6 || IPV6=n
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or for everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_BROADCAST
	tristate

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPTP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support"
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface

config NF_CT_NETLINK_TIMEOUT
	tristate 'Connection tracking timeout tuning via Netlink'
	select NETFILTER_NETLINK
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for fine-grained tuning of connection
	  tracking timeouts. This allows you to attach specific timeout
	  policies to flows, instead of using the global timeout policy.

	  If unsure, say `N'.

config NF_CT_NETLINK_HELPER
	tristate 'Connection tracking helpers in user-space via Netlink'
	select NETFILTER_NETLINK
	depends on NF_CT_NETLINK
	depends on NETFILTER_NETLINK_QUEUE
	depends on NETFILTER_NETLINK_GLUE_CT
	depends on NETFILTER_ADVANCED
	help
	  This option enables the user-space connection tracking helpers
	  infrastructure.

	  If unsure, say `N'.

config NETFILTER_NETLINK_GLUE_CT
	bool "NFQUEUE and NFLOG integration with Connection Tracking"
	default n
	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
	help
	  If this option is enabled, NFQUEUE and NFLOG can include
	  Connection Tracking information together with the packet that
	  is enqueued via NFNETLINK.

config NF_NAT
	tristate

config NF_NAT_NEEDED
	bool
	depends on NF_NAT
	default y

config NF_NAT_PROTO_DCCP
	bool
	depends on NF_NAT && NF_CT_PROTO_DCCP
	default NF_NAT && NF_CT_PROTO_DCCP

config NF_NAT_PROTO_UDPLITE
	bool
	depends on NF_NAT && NF_CT_PROTO_UDPLITE
	default NF_NAT && NF_CT_PROTO_UDPLITE

config NF_NAT_PROTO_SCTP
	bool
	default NF_NAT && NF_CT_PROTO_SCTP
	depends on NF_NAT && NF_CT_PROTO_SCTP

config NF_NAT_AMANDA
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_FTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_SIP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

config NF_NAT_TFTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_REDIRECT
	bool

config NETFILTER_SYNPROXY
	tristate

endif # NF_CONNTRACK

config NF_OSF
	tristate

config NF_TABLES
	select NETFILTER_NETLINK
	tristate "Netfilter nf_tables support"
	help
	  nftables is the new packet classification framework that intends to
	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
	  provides a pseudo-state machine with an extensible instruction-set
	  (also known as expressions) that the userspace 'nft' utility
	  (http://www.netfilter.org/projects/nftables) uses to build the
	  rule-set. It also comes with the generic set infrastructure that
	  allows you to construct mappings between matchings and actions
	  for performance lookups.

	  To compile it as a module, choose M here.

if NF_TABLES

config NF_TABLES_SET
	tristate "Netfilter nf_tables set infrastructure"
	help
	  This option enables the nf_tables set infrastructure that allows
	  looking up elements in a set and building one-way mappings between
	  matchings and actions.

config NF_TABLES_INET
	depends on IPV6
	select NF_TABLES_IPV4
	select NF_TABLES_IPV6
	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
	help
	  This option enables support for a mixed IPv4/IPv6 "inet" table.

config NF_TABLES_NETDEV
	bool "Netfilter nf_tables netdev tables support"
	help
	  This option enables support for the "netdev" table.

config NFT_NUMGEN
	tristate "Netfilter nf_tables number generator module"
	help
	  This option adds the number generator expression used to perform
	  incremental counting and random numbers bound to an upper limit.

config NFT_CT
	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables conntrack module"
	help
	  This option adds the "ct" expression that you can use to match
	  connection tracking information such as the flow state.

config NFT_FLOW_OFFLOAD
	depends on NF_CONNTRACK && NF_FLOW_TABLE
	tristate "Netfilter nf_tables hardware flow offload module"
	help
	  This option adds the "flow_offload" expression that you can use to
	  choose what flows are placed into the hardware.

config NFT_COUNTER
	tristate "Netfilter nf_tables counter module"
	help
	  This option adds the "counter" expression that you can use to
	  include packet and byte counters in a rule.

config NFT_CONNLIMIT
	tristate "Netfilter nf_tables connlimit module"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	help
	  This option adds the "connlimit" expression that you can use to
	  ratelimit rule matchings per connection.

config NFT_LOG
	tristate "Netfilter nf_tables log module"
	help
	  This option adds the "log" expression that you can use to log
	  packets matching some criteria.

config NFT_LIMIT
	tristate "Netfilter nf_tables limit module"
	help
	  This option adds the "limit" expression that you can use to
	  ratelimit rule matchings.

config NFT_MASQ
	depends on NF_CONNTRACK
	depends on NF_NAT
	tristate "Netfilter nf_tables masquerade support"
	help
	  This option adds the "masquerade" expression that you can use
	  to perform NAT in the masquerade flavour.

config NFT_REDIR
	depends on NF_CONNTRACK
	depends on NF_NAT
	tristate "Netfilter nf_tables redirect support"
	help
	  This option adds the "redirect" expression that you can use
	  to perform NAT in the redirect flavour.

config NFT_NAT
	depends on NF_CONNTRACK
	select NF_NAT
	tristate "Netfilter nf_tables nat module"
	help
	  This option adds the "nat" expression that you can use to perform
	  typical Network Address Translation (NAT) packet transformations.

config NFT_OBJREF
	tristate "Netfilter nf_tables stateful object reference module"
	help
	  This option adds the "objref" expression that allows you to refer to
	  stateful objects, such as counters and quotas.

config NFT_QUEUE
	depends on NETFILTER_NETLINK_QUEUE
	tristate "Netfilter nf_tables queue module"
	help
	  This is required if you intend to use the userspace queueing
	  infrastructure (also known as NFQUEUE) from nftables.

config NFT_QUOTA
	tristate "Netfilter nf_tables quota module"
	help
	  This option adds the "quota" expression that you can use to match
	  on and enforce byte quotas.

config NFT_REJECT
	default m if NETFILTER_ADVANCED=n
	tristate "Netfilter nf_tables reject support"
	depends on !NF_TABLES_INET || (IPV6!=m || m)
	help
	  This option adds the "reject" expression that you can use to
	  explicitly deny disallowed traffic and notify the sender via
	  TCP reset/ICMP error messages.

config NFT_REJECT_INET
	depends on NF_TABLES_INET
	default NFT_REJECT
	tristate

config NFT_COMPAT
	depends on NETFILTER_XTABLES
	tristate "Netfilter x_tables over nf_tables module"
	help
	  This is required if you intend to use any of the existing
	  x_tables match/target extensions over the nf_tables
	  framework.

config NFT_HASH
	tristate "Netfilter nf_tables hash module"
	help
	  This option adds the "hash" expression that you can use to perform
	  a hash operation on registers.

config NFT_FIB
	tristate

config NFT_FIB_INET
	depends on NF_TABLES_INET
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables fib inet support"
	help
	  This option allows using the FIB expression from the inet table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

config NFT_SOCKET
	tristate "Netfilter nf_tables socket match support"
	depends on IPV6 || IPV6=n
	select NF_SOCKET_IPV4
	select NF_SOCKET_IPV6 if IPV6
	help
	  This option allows matching for the presence or absence of a
	  corresponding socket and its attributes.

if NF_TABLES_NETDEV

config NF_DUP_NETDEV
	tristate "Netfilter packet duplication support"
	help
	  This option enables the generic packet duplication infrastructure
	  for Netfilter.

config NFT_DUP_NETDEV
	tristate "Netfilter nf_tables netdev packet duplication support"
	select NF_DUP_NETDEV
	help
	  This option enables packet duplication for the "netdev" family.

config NFT_FWD_NETDEV
	tristate "Netfilter nf_tables netdev packet forwarding support"
	select NF_DUP_NETDEV
	help
	  This option enables packet forwarding for the "netdev" family.

config NFT_FIB_NETDEV
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables netdev fib lookups support"
	help
	  This option allows using the FIB expression from the netdev table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

endif # NF_TABLES_NETDEV

endif # NF_TABLES

655
656config NF_FLOW_TABLE_INET
657 tristate "Netfilter flow table mixed IPv4/IPv6 module"
658 depends on NF_FLOW_TABLE
659 help
660 This option adds the flow table mixed IPv4/IPv6 support.
661
662 To compile it as a module, choose M here.
663
664config NF_FLOW_TABLE
665 tristate "Netfilter flow table module"
666 depends on NETFILTER_INGRESS
667 depends on NF_CONNTRACK
668 depends on NF_TABLES
669 help
670 This option adds the flow table core infrastructure.
671
672 To compile it as a module, choose M here.
673
674config NETFILTER_XTABLES
675 tristate "Netfilter Xtables support (required for ip_tables)"
676 default m if NETFILTER_ADVANCED=n
677 help
678 This is required if you intend to use any of ip_tables,
679 ip6_tables or arp_tables.
680
681if NETFILTER_XTABLES
682
683comment "Xtables combined modules"
684
685config NETFILTER_XT_MARK
686 tristate 'nfmark target and match support'
687 default m if NETFILTER_ADVANCED=n
688 ---help---
689 This option adds the "MARK" target and "mark" match.
690
691 Netfilter mark matching allows you to match packets based on the
692 "nfmark" value in the packet.
693 The target allows you to create rules in the "mangle" table which alter
694 the netfilter mark (nfmark) field associated with the packet.
695
696 Prior to routing, the nfmark can influence the routing method and can
697 also be used by other subsystems to change their behavior.
698
699config NETFILTER_XT_CONNMARK
700 tristate 'ctmark target and match support'
701 depends on NF_CONNTRACK
702 depends on NETFILTER_ADVANCED
703 select NF_CONNTRACK_MARK
704 ---help---
705 This option adds the "CONNMARK" target and "connmark" match.
706
707 Netfilter allows you to store a mark value per connection (a.k.a.
708 ctmark), similarly to the packet mark (nfmark). Using this
709 target and match, you can set and match on this mark.
710
711config NETFILTER_XT_SET
712 tristate 'set target and match support'
713 depends on IP_SET
714 depends on NETFILTER_ADVANCED
715 help
716 This option adds the "SET" target and "set" match.
717
718 Using this target and match, you can add/delete and match
719 elements in the sets created by ipset(8).
720
721 To compile it as a module, choose M here. If unsure, say N.
722
# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_AUDIT
	tristate "AUDIT target support"
	depends on AUDIT
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `AUDIT' target, which can be used to create
	  audit records for packets dropped/accepted.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table.

	  You can use this target to compute and fill in the checksum in
	  a packet that lacks a checksum. This is particularly useful
	  if you need to work around old applications such as dhcp clients
	  that do not work well with checksum offloads, but don't want to disable
	  checksum offload in your device.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow incrementing and setting the hoplimit value of
	  the header to arbitrary values. This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_HMARK
	tristate '"HMARK" target support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "HMARK" target.

	  The target allows you to create rules in the "raw" and "mangle" tables
	  which set the skbuff mark by means of hash calculation within a given
	  range. The nfmark can influence the routing method and can also be used
	  by other subsystems to change their behaviour.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds the `IDLETIMER' target. Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added. When the timer expires, it triggers a sysfs notification.
	  The remaining time until expiration can be read via sysfs.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example. Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds/leds-class.txt

config NETFILTER_XT_TARGET_LOG
	tristate "LOG target support"
	select NF_LOG_COMMON
	select NF_LOG_IPV4
	select NF_LOG_IPV6 if IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_NAT
	tristate '"SNAT and DNAT" targets support'
	depends on NF_NAT
	help
	  This option enables the SNAT and DNAT targets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NETMAP
	tristate '"NETMAP" target support'
	depends on NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows logging
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_QUEUE
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support (DEPRECATED)'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_CT

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows measuring
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	select NF_NAT_REDIRECT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	select NF_DUP_IPV6 if IPV6
	help
	  This option adds a "TEE" target with which a packet can be cloned and
	  the clone rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target transparent proxying support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on IP_NF_MANGLE
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
990 select NF_TPROXY_IPV4
991 select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
992 help
993 This option adds a `TPROXY' target, which is somewhat similar to
994 REDIRECT. It can only be used in the mangle table and is useful
995 to redirect traffic to a transparent proxy. It does _not_ depend
996 on Netfilter connection tracking and NAT, unlike REDIRECT.
997 For it to work you will have to configure certain iptables rules
998 and use policy routing. For more information on how to set it up
999 see Documentation/networking/tproxy.txt.
1000
1001 To compile it as a module, choose M here. If unsure, say N.
1002
1003config NETFILTER_XT_TARGET_TRACE
1004 tristate '"TRACE" target support'
1005 depends on IP_NF_RAW || IP6_NF_RAW
1006 depends on NETFILTER_ADVANCED
1007 help
1008 The TRACE target allows you to mark packets so that the kernel
1009 will log every rule which match the packets as those traverse
1010 the tables, chains, rules.
1011
1012 If you want to compile it as a module, say M here and read
1013 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1014
1015config NETFILTER_XT_TARGET_SECMARK
1016 tristate '"SECMARK" target support'
1017 depends on NETWORK_SECMARK
1018 default m if NETFILTER_ADVANCED=n
1019 help
1020 The SECMARK target allows security marking of network
1021 packets, for use with security subsystems.
1022
1023 To compile it as a module, choose M here. If unsure, say N.
1024
1025config NETFILTER_XT_TARGET_TCPMSS
1026 tristate '"TCPMSS" target support'
1027 depends on IPV6 || IPV6=n
1028 default m if NETFILTER_ADVANCED=n
1029 ---help---
1030 This option adds a `TCPMSS' target, which allows you to alter the
1031 MSS value of TCP SYN packets, to control the maximum size for that
1032 connection (usually limiting it to your outgoing interface's MTU
1033 minus 40).
1034
1035 This is used to overcome criminally braindead ISPs or servers which
1036 block ICMP Fragmentation Needed packets. The symptoms of this
1037 problem are that everything works fine from your Linux
1038 firewall/router, but machines behind it can never exchange large
1039 packets:
1040 1) Web browsers connect, then hang with no data received.
1041 2) Small mail works fine, but large emails hang.
1042 3) ssh works fine, but scp hangs after initial handshaking.
1043
1044 Workaround: activate this option and add a rule to your firewall
1045 configuration like:
1046
1047 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1048 -j TCPMSS --clamp-mss-to-pmtu
1049
1050 To compile it as a module, choose M here. If unsure, say N.
1051
1052config NETFILTER_XT_TARGET_TCPOPTSTRIP
1053 tristate '"TCPOPTSTRIP" target support'
1054 depends on IP_NF_MANGLE || IP6_NF_MANGLE
1055 depends on NETFILTER_ADVANCED
1056 help
1057 This option adds a "TCPOPTSTRIP" target, which allows you to strip
1058 TCP options from TCP packets.
1059
1060# alphabetically ordered list of matches
1061
1062comment "Xtables matches"
1063
1064config NETFILTER_XT_MATCH_ADDRTYPE
1065 tristate '"addrtype" address type match support'
1066 default m if NETFILTER_ADVANCED=n
1067 ---help---
1068 This option allows you to match what routing thinks of an address,
1069 eg. UNICAST, LOCAL, BROADCAST, ...
1070
1071 If you want to compile it as a module, say M here and read
1072 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1073
1074config NETFILTER_XT_MATCH_BPF
1075 tristate '"bpf" match support'
1076 depends on NETFILTER_ADVANCED
1077 help
1078 BPF matching applies a linux socket filter to each packet and
1079 accepts those for which the filter returns non-zero.
1080
1081 To compile it as a module, choose M here. If unsure, say N.
1082
1083config NETFILTER_XT_MATCH_CGROUP
1084 tristate '"control group" match support'
1085 depends on NETFILTER_ADVANCED
1086 depends on CGROUPS
1087 select CGROUP_NET_CLASSID
1088 ---help---
1089 Socket/process control group matching allows you to match locally
1090 generated packets based on which net_cls control group processes
1091 belong to.
1092
1093config NETFILTER_XT_MATCH_CLUSTER
1094 tristate '"cluster" match support'
1095 depends on NF_CONNTRACK
1096 depends on NETFILTER_ADVANCED
1097 ---help---
1098 This option allows you to build work-load-sharing clusters of
1099 network servers/stateful firewalls without having a dedicated
1100 load-balancing router/server/switch. Basically, this match returns
1101 true when the packet must be handled by this cluster node. Thus,
1102 all nodes see all packets and this match decides which node handles
1103 what packets. The work-load sharing algorithm is based on source
1104 address hashing.
1105
1106 If you say Y or M here, try `iptables -m cluster --help` for
1107 more information.
1108
1109config NETFILTER_XT_MATCH_COMMENT
1110 tristate '"comment" match support'
1111 depends on NETFILTER_ADVANCED
1112 help
1113 This option adds a `comment' dummy-match, which allows you to put
1114 comments in your iptables ruleset.
1115
1116 If you want to compile it as a module, say M here and read
1117 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1118
1119config NETFILTER_XT_MATCH_CONNBYTES
1120 tristate '"connbytes" per-connection counter match support'
1121 depends on NF_CONNTRACK
1122 depends on NETFILTER_ADVANCED
1123 help
1124 This option adds a `connbytes' match, which allows you to match the
1125 number of bytes and/or packets for each direction within a connection.
1126
1127 If you want to compile it as a module, say M here and read
1128 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1129
1130config NETFILTER_XT_MATCH_CONNLABEL
1131 tristate '"connlabel" match support'
1132 select NF_CONNTRACK_LABELS
1133 depends on NF_CONNTRACK
1134 depends on NETFILTER_ADVANCED
1135 ---help---
1136 This match allows you to test and assign userspace-defined labels names
1137 to a connection. The kernel only stores bit values - mapping
1138 names to bits is done by userspace.
1139
1140 Unlike connmark, more than 32 flag bits may be assigned to a
1141 connection simultaneously.
1142
1143config NETFILTER_XT_MATCH_CONNLIMIT
1144 tristate '"connlimit" match support'
1145 depends on NF_CONNTRACK
1146 depends on NETFILTER_ADVANCED
1147 select NETFILTER_CONNCOUNT
1148 ---help---
1149 This match allows you to match against the number of parallel
1150 connections to a server per client IP address (or address block).
1151
1152config NETFILTER_XT_MATCH_CONNMARK
1153 tristate '"connmark" connection mark match support'
1154 depends on NF_CONNTRACK
1155 depends on NETFILTER_ADVANCED
1156 select NETFILTER_XT_CONNMARK
1157 ---help---
1158 This is a backwards-compat option for the user's convenience
1159 (e.g. when running oldconfig). It selects
1160 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1161
1162config NETFILTER_XT_MATCH_CONNTRACK
1163 tristate '"conntrack" connection tracking match support'
1164 depends on NF_CONNTRACK
1165 default m if NETFILTER_ADVANCED=n
1166 help
1167 This is a general conntrack match module, a superset of the state match.
1168
1169 It allows matching on additional conntrack information, which is
1170 useful in complex configurations, such as NAT gateways with multiple
1171 internet links or tunnels.
1172
1173 To compile it as a module, choose M here. If unsure, say N.
1174
1175config NETFILTER_XT_MATCH_CPU
1176 tristate '"cpu" match support'
1177 depends on NETFILTER_ADVANCED
1178 help
1179 CPU matching allows you to match packets based on the CPU
1180 currently handling the packet.
1181
1182 To compile it as a module, choose M here. If unsure, say N.
1183
1184config NETFILTER_XT_MATCH_DCCP
1185 tristate '"dccp" protocol match support'
1186 depends on NETFILTER_ADVANCED
1187 default IP_DCCP
1188 help
1189 With this option enabled, you will be able to use the iptables
1190 `dccp' match in order to match on DCCP source/destination ports
1191 and DCCP flags.
1192
1193 If you want to compile it as a module, say M here and read
1194 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1195
1196config NETFILTER_XT_MATCH_DEVGROUP
1197 tristate '"devgroup" match support'
1198 depends on NETFILTER_ADVANCED
1199 help
1200 This options adds a `devgroup' match, which allows to match on the
1201 device group a network device is assigned to.
1202
1203 To compile it as a module, choose M here. If unsure, say N.
1204
1205config NETFILTER_XT_MATCH_DSCP
1206 tristate '"dscp" and "tos" match support'
1207 depends on NETFILTER_ADVANCED
1208 help
1209 This option adds a `DSCP' match, which allows you to match against
1210 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1211
1212 The DSCP field can have any value between 0x0 and 0x3f inclusive.
1213
1214 It will also add a "tos" match, which allows you to match packets
1215 based on the Type Of Service fields of the IPv4 packet (which share
1216 the same bits as DSCP).
1217
1218 To compile it as a module, choose M here. If unsure, say N.
1219
1220config NETFILTER_XT_MATCH_ECN
1221 tristate '"ecn" match support'
1222 depends on NETFILTER_ADVANCED
1223 ---help---
1224 This option adds an "ECN" match, which allows you to match against
1225 the IPv4 and TCP header ECN fields.
1226
1227 To compile it as a module, choose M here. If unsure, say N.
1228
1229config NETFILTER_XT_MATCH_ESP
1230 tristate '"esp" match support'
1231 depends on NETFILTER_ADVANCED
1232 help
1233 This match extension allows you to match a range of SPIs
1234 inside ESP header of IPSec packets.
1235
1236 To compile it as a module, choose M here. If unsure, say N.
1237
1238config NETFILTER_XT_MATCH_HASHLIMIT
1239 tristate '"hashlimit" match support'
1240 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1241 depends on NETFILTER_ADVANCED
1242 help
1243 This option adds a `hashlimit' match.
1244
1245 As opposed to `limit', this match dynamically creates a hash table
1246 of limit buckets, based on your selection of source/destination
1247 addresses and/or ports.
1248
1249 It enables you to express policies like `10kpps for any given
1250 destination address' or `500pps from any given source address'
1251 with a single rule.
1252
1253config NETFILTER_XT_MATCH_HELPER
1254 tristate '"helper" match support'
1255 depends on NF_CONNTRACK
1256 depends on NETFILTER_ADVANCED
1257 help
1258 Helper matching allows you to match packets in dynamic connections
1259 tracked by a conntrack-helper, ie. ip_conntrack_ftp
1260
1261 To compile it as a module, choose M here. If unsure, say Y.
1262
1263config NETFILTER_XT_MATCH_HL
1264 tristate '"hl" hoplimit/TTL match support'
1265 depends on NETFILTER_ADVANCED
1266 ---help---
1267 HL matching allows you to match packets based on the hoplimit
1268 in the IPv6 header, or the time-to-live field in the IPv4
1269 header of the packet.
1270
1271config NETFILTER_XT_MATCH_IPCOMP
1272 tristate '"ipcomp" match support'
1273 depends on NETFILTER_ADVANCED
1274 help
1275 This match extension allows you to match a range of CPIs(16 bits)
1276 inside IPComp header of IPSec packets.
1277
1278 To compile it as a module, choose M here. If unsure, say N.
1279
1280config NETFILTER_XT_MATCH_IPRANGE
1281 tristate '"iprange" address range match support'
1282 depends on NETFILTER_ADVANCED
1283 ---help---
1284 This option adds a "iprange" match, which allows you to match based on
1285 an IP address range. (Normal iptables only matches on single addresses
1286 with an optional mask.)
1287
1288 If unsure, say M.
1289
1290config NETFILTER_XT_MATCH_IPVS
1291 tristate '"ipvs" match support'
1292 depends on IP_VS
1293 depends on NETFILTER_ADVANCED
1294 depends on NF_CONNTRACK
1295 help
1296 This option allows you to match against IPVS properties of a packet.
1297
1298 If unsure, say N.
1299
1300config NETFILTER_XT_MATCH_L2TP
1301 tristate '"l2tp" match support'
1302 depends on NETFILTER_ADVANCED
1303 default L2TP
1304 ---help---
1305 This option adds an "L2TP" match, which allows you to match against
1306 L2TP protocol header fields.
1307
1308 To compile it as a module, choose M here. If unsure, say N.
1309
1310config NETFILTER_XT_MATCH_LENGTH
1311 tristate '"length" match support'
1312 depends on NETFILTER_ADVANCED
1313 help
1314 This option allows you to match the length of a packet against a
1315 specific value or range of values.
1316
1317 To compile it as a module, choose M here. If unsure, say N.
1318
1319config NETFILTER_XT_MATCH_LIMIT
1320 tristate '"limit" match support'
1321 depends on NETFILTER_ADVANCED
1322 help
1323 limit matching allows you to control the rate at which a rule can be
1324 matched: mainly useful in combination with the LOG target ("LOG
1325 target support", below) and to avoid some Denial of Service attacks.
1326
1327 To compile it as a module, choose M here. If unsure, say N.
1328
1329config NETFILTER_XT_MATCH_MAC
1330 tristate '"mac" address match support'
1331 depends on NETFILTER_ADVANCED
1332 help
1333 MAC matching allows you to match packets based on the source
1334 Ethernet address of the packet.
1335
1336 To compile it as a module, choose M here. If unsure, say N.
1337
1338config NETFILTER_XT_MATCH_MARK
1339 tristate '"mark" match support'
1340 depends on NETFILTER_ADVANCED
1341 select NETFILTER_XT_MARK
1342 ---help---
1343 This is a backwards-compat option for the user's convenience
1344 (e.g. when running oldconfig). It selects
1345 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1346
1347config NETFILTER_XT_MATCH_MULTIPORT
1348 tristate '"multiport" Multiple port match support'
1349 depends on NETFILTER_ADVANCED
1350 help
1351 Multiport matching allows you to match TCP or UDP packets based on
1352 a series of source or destination ports: normally a rule can only
1353 match a single range of ports.
1354
1355 To compile it as a module, choose M here. If unsure, say N.
1356
1357config NETFILTER_XT_MATCH_NFACCT
1358 tristate '"nfacct" match support'
1359 depends on NETFILTER_ADVANCED
1360 select NETFILTER_NETLINK_ACCT
1361 help
1362 This option allows you to use the extended accounting through
1363 nfnetlink_acct.
1364
1365 To compile it as a module, choose M here. If unsure, say N.
1366
1367config NETFILTER_XT_MATCH_OSF
1368 tristate '"osf" Passive OS fingerprint match'
1369 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1370 select NF_OSF
1371 help
1372 This option selects the Passive OS Fingerprinting match module
1373 that allows to passively match the remote operating system by
1374 analyzing incoming TCP SYN packets.
1375
1376 Rules and loading software can be downloaded from
1377 http://www.ioremap.net/projects/osf
1378
1379 To compile it as a module, choose M here. If unsure, say N.
1380
1381config NETFILTER_XT_MATCH_OWNER
1382 tristate '"owner" match support'
1383 depends on NETFILTER_ADVANCED
1384 ---help---
1385 Socket owner matching allows you to match locally-generated packets
1386 based on who created the socket: the user or group. It is also
1387 possible to check whether a socket actually exists.
1388
1389config NETFILTER_XT_MATCH_POLICY
1390 tristate 'IPsec "policy" match support'
1391 depends on XFRM
1392 default m if NETFILTER_ADVANCED=n
1393 help
1394 Policy matching allows you to match packets based on the
1395 IPsec policy that was used during decapsulation/will
1396 be used during encapsulation.
1397
1398 To compile it as a module, choose M here. If unsure, say N.
1399
1400config NETFILTER_XT_MATCH_PHYSDEV
1401 tristate '"physdev" match support'
1402 depends on BRIDGE && BRIDGE_NETFILTER
1403 depends on NETFILTER_ADVANCED
1404 help
1405 Physdev packet matching matches against the physical bridge ports
1406 the IP packet arrived on or will leave by.
1407
1408 To compile it as a module, choose M here. If unsure, say N.
1409
1410config NETFILTER_XT_MATCH_PKTTYPE
1411 tristate '"pkttype" packet type match support'
1412 depends on NETFILTER_ADVANCED
1413 help
1414 Packet type matching allows you to match a packet by
1415 its "class", eg. BROADCAST, MULTICAST, ...
1416
1417 Typical usage:
1418 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1419
1420 To compile it as a module, choose M here. If unsure, say N.
1421
1422config NETFILTER_XT_MATCH_QUOTA
1423 tristate '"quota" match support'
1424 depends on NETFILTER_ADVANCED
1425 help
1426 This option adds a `quota' match, which allows to match on a
1427 byte counter.
1428
1429 If you want to compile it as a module, say M here and read
1430 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1431
1432config NETFILTER_XT_MATCH_RATEEST
1433 tristate '"rateest" match support'
1434 depends on NETFILTER_ADVANCED
1435 select NETFILTER_XT_TARGET_RATEEST
1436 help
1437 This option adds a `rateest' match, which allows to match on the
1438 rate estimated by the RATEEST target.
1439
1440 To compile it as a module, choose M here. If unsure, say N.
1441
1442config NETFILTER_XT_MATCH_REALM
1443 tristate '"realm" match support'
1444 depends on NETFILTER_ADVANCED
1445 select IP_ROUTE_CLASSID
1446 help
1447 This option adds a `realm' match, which allows you to use the realm
1448 key from the routing subsystem inside iptables.
1449
1450 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1451 in tc world.
1452
1453 If you want to compile it as a module, say M here and read
1454 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1455
1456config NETFILTER_XT_MATCH_RECENT
1457 tristate '"recent" match support'
1458 depends on NETFILTER_ADVANCED
1459 ---help---
1460 This match is used for creating one or many lists of recently
1461 used addresses and then matching against that/those list(s).
1462
1463 Short options are available by using 'iptables -m recent -h'
1464 Official Website: <http://snowman.net/projects/ipt_recent/>
1465
1466config NETFILTER_XT_MATCH_SCTP
1467 tristate '"sctp" protocol match support'
1468 depends on NETFILTER_ADVANCED
1469 default IP_SCTP
1470 help
1471 With this option enabled, you will be able to use the
1472 `sctp' match in order to match on SCTP source/destination ports
1473 and SCTP chunk types.
1474
1475 If you want to compile it as a module, say M here and read
1476 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1477
1478config NETFILTER_XT_MATCH_SOCKET
1479 tristate '"socket" match support'
1480 depends on NETFILTER_XTABLES
1481 depends on NETFILTER_ADVANCED
1482 depends on IPV6 || IPV6=n
1483 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1484 depends on NF_SOCKET_IPV4
1485 depends on NF_SOCKET_IPV6
1486 select NF_DEFRAG_IPV4
1487 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1488 help
1489 This option adds a `socket' match, which can be used to match
1490 packets for which a TCP or UDP socket lookup finds a valid socket.
1491 It can be used in combination with the MARK target and policy
1492 routing to implement full featured non-locally bound sockets.
1493
1494 To compile it as a module, choose M here. If unsure, say N.
1495
1496config NETFILTER_XT_MATCH_STATE
1497 tristate '"state" match support'
1498 depends on NF_CONNTRACK
1499 default m if NETFILTER_ADVANCED=n
1500 help
1501 Connection state matching allows you to match packets based on their
1502 relationship to a tracked connection (ie. previous packets). This
1503 is a powerful tool for packet classification.
1504
1505 To compile it as a module, choose M here. If unsure, say N.
1506
1507config NETFILTER_XT_MATCH_STATISTIC
1508 tristate '"statistic" match support'
1509 depends on NETFILTER_ADVANCED
1510 help
1511 This option adds a `statistic' match, which allows you to match
1512 on packets periodically or randomly with a given percentage.
1513
1514 To compile it as a module, choose M here. If unsure, say N.
1515
1516config NETFILTER_XT_MATCH_STRING
1517 tristate '"string" match support'
1518 depends on NETFILTER_ADVANCED
1519 select TEXTSEARCH
1520 select TEXTSEARCH_KMP
1521 select TEXTSEARCH_BM
1522 select TEXTSEARCH_FSM
1523 help
1524 This option adds a `string' match, which allows you to look for
1525 pattern matchings in packets.
1526
1527 To compile it as a module, choose M here. If unsure, say N.
1528
1529config NETFILTER_XT_MATCH_TCPMSS
1530 tristate '"tcpmss" match support'
1531 depends on NETFILTER_ADVANCED
1532 help
1533 This option adds a `tcpmss' match, which allows you to examine the
1534 MSS value of TCP SYN packets, which control the maximum packet size
1535 for that connection.
1536
1537 To compile it as a module, choose M here. If unsure, say N.
1538
1539config NETFILTER_XT_MATCH_TIME
1540 tristate '"time" match support'
1541 depends on NETFILTER_ADVANCED
1542 ---help---
1543 This option adds a "time" match, which allows you to match based on
1544 the packet arrival time (at the machine which netfilter is running)
1545 on) or departure time/date (for locally generated packets).
1546
1547 If you say Y here, try `iptables -m time --help` for
1548 more information.
1549
1550 If you want to compile it as a module, say M here.
1551 If unsure, say N.
1552
1553config NETFILTER_XT_MATCH_U32
1554 tristate '"u32" match support'
1555 depends on NETFILTER_ADVANCED
1556 ---help---
1557 u32 allows you to extract quantities of up to 4 bytes from a packet,
1558 AND them with specified masks, shift them by specified amounts and
1559 test whether the results are in any of a set of specified ranges.
1560 The specification of what to extract is general enough to skip over
1561 headers with lengths stored in the packet, as in IP or TCP header
1562 lengths.
1563
1564 Details and examples are in the kernel module source.
1565
1566endif # NETFILTER_XTABLES
1567
1568endmenu
1569
1570source "net/netfilter/ipset/Kconfig"
1571
1572source "net/netfilter/ipvs/Kconfig"
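The `depends on` and `select` lines in the blocks above are what decide whether a target or match such as TPROXY can be switched on and which other symbols it silently forces on. The following is an added example, not part of the kernel source: a small Python parser for the Kconfig block format shown on this page that evaluates those lines with Kconfig's tristate rules against a base configuration (the base config values and the trimmed TPROXY sample are constructed for the example).

```python
"""Added example (not kernel code): parse the Kconfig block format shown on
this page and evaluate 'depends on' / 'select' the way Kconfig does, to see
whether a netfilter option is selectable and what it forces on."""
import re
LEVEL = {"n": 0, "m": 1, "y": 2}  # tristate levels used by Kconfig

# Constructed sample: the TPROXY block from net/netfilter/Kconfig, help trimmed.
SAMPLE = """\
config NETFILTER_XT_TARGET_TPROXY
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on IP_NF_MANGLE
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	select NF_TPROXY_IPV4
	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `TPROXY' target, which is somewhat similar to REDIRECT.
"""


def parse_kconfig(text):
    # {symbol: {"depends": [expr, ...], "select": [(symbol, condition or None), ...]}}
    blocks, cur, in_help = {}, None, False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            cur = blocks.setdefault(line.split()[1], {"depends": [], "select": []})
            in_help = False
        elif cur is None or in_help:
            continue  # help prose runs until the next 'config' block
        elif line in ("help", "---help---"):
            in_help = True
        elif line.startswith("depends on "):
            cur["depends"].append(line[len("depends on "):])
        elif line.startswith("select "):
            sel = re.match(r"select\s+(\S+)(?:\s+if\s+(.*))?$", line)
            cur["select"].append((sel.group(1), sel.group(2)))
    return blocks


def tristate(expr, config):
    """Level of a Kconfig expression: '||' is max, '&&' is min, '!' is 2-x,
    'A=B'/'A!=B' give y or n; y/m/n are constants, unset symbols are n.
    Parentheses are not handled (none appear in the netfilter blocks)."""
    def sym(name):
        return LEVEL[name] if name in LEVEL else LEVEL[config.get(name, "n")]

    def term(text):
        m = re.fullmatch(r"\s*(!?)\s*(\w+)\s*(?:(!?=)\s*(\w+))?\s*", text)
        if not m:
            raise ValueError("unsupported expression term: %r" % text)
        neg, lhs, op, rhs = m.groups()
        v = sym(lhs)
        if op:
            v = 2 if (v == sym(rhs)) == (op == "=") else 0
        return 2 - v if neg else v

    return max(min(term(t) for t in conj.split("&&")) for conj in expr.split("||"))


def enable(symbol, blocks, config):
    """Simulate setting `symbol`=y on top of `config` ({SYM: "y"|"m"|"n"}).
    Returns (visible, pulled_in): visible is False when a 'depends on' line is
    unmet (Kconfig hides the option); pulled_in is the transitive set of
    select'ed symbols, forced on regardless of their own dependencies."""
    if any(tristate(dep, config) == 0 for dep in blocks[symbol]["depends"]):
        return False, set()
    cfg, pulled, todo = {**config, symbol: "y"}, set(), [symbol]
    while todo:
        for sel, cond in blocks.get(todo.pop(), {"select": []})["select"]:
            if sel not in pulled and (cond is None or tristate(cond, cfg)):
                pulled.add(sel)
                cfg[sel] = "y"
                todo.append(sel)
    return True, pulled


if __name__ == "__main__":
    base = {"NETFILTER_XTABLES": "y", "NETFILTER_ADVANCED": "y", "IPV6": "y",
            "IP6_NF_IPTABLES": "m", "IP_NF_MANGLE": "y"}
    print(enable("NETFILTER_XT_TARGET_TPROXY", parse_kconfig(SAMPLE), base))
```

With IP_NF_MANGLE set to n the option is hidden, and without IP6_NF_IPTABLES only the IPv4 defrag and TPROXY helpers are pulled in.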