1 menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
4 config NETFILTER_INGRESS
5 bool "Netfilter ingress support"
9 This allows you to classify packets from ingress using the Netfilter
12 config NETFILTER_NETLINK
15 config NETFILTER_FAMILY_BRIDGE
18 config NETFILTER_FAMILY_ARP
21 config NETFILTER_NETLINK_ACCT
22 tristate "Netfilter NFACCT over NFNETLINK interface"
23 depends on NETFILTER_ADVANCED
24 select NETFILTER_NETLINK
26 If this option is enabled, the kernel will include support
27 for extended accounting via NFNETLINK.
29 config NETFILTER_NETLINK_QUEUE
30 tristate "Netfilter NFQUEUE over NFNETLINK interface"
31 depends on NETFILTER_ADVANCED
32 select NETFILTER_NETLINK
34 If this option is enabled, the kernel will include support
35 for queueing packets via NFNETLINK.
37 config NETFILTER_NETLINK_LOG
38 tristate "Netfilter LOG over NFNETLINK interface"
39 default m if NETFILTER_ADVANCED=n
40 select NETFILTER_NETLINK
42 If this option is enabled, the kernel will include support
43 for logging packets via NFNETLINK.
45 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
46 and is also scheduled to replace the old syslog-based ipt_LOG
49 config NETFILTER_NETLINK_OSF
50 tristate "Netfilter OSF over NFNETLINK interface"
51 depends on NETFILTER_ADVANCED
52 select NETFILTER_NETLINK
54 If this option is enabled, the kernel will include support
55 for passive OS fingerprint via NFNETLINK.
58 tristate "Netfilter connection tracking support"
59 default m if NETFILTER_ADVANCED=n
61 select NF_DEFRAG_IPV6 if IPV6 != n
63 Connection tracking keeps a record of what packets have passed
64 through your machine, in order to figure out how they are related
67 This is required to do Masquerading or other kinds of Network
68 Address Translation. It can also be used to enhance packet
69 filtering (see `Connection state match support' below).
71 To compile it as a module, choose M here. If unsure, say N.
77 tristate "Netdev packet logging"
81 config NETFILTER_CONNCOUNT
84 config NF_CONNTRACK_MARK
85 bool 'Connection mark tracking support'
86 depends on NETFILTER_ADVANCED
88 This option enables support for connection marks, used by the
89 `CONNMARK' target and `connmark' match. Similar to the mark value
90 of packets, but this mark value is kept in the conntrack session
91 instead of the individual packets.
93 config NF_CONNTRACK_SECMARK
94 bool 'Connection tracking security mark support'
95 depends on NETWORK_SECMARK
96 default y if NETFILTER_ADVANCED=n
98 This option enables security markings to be applied to
99 connections. Typically they are copied to connections from
100 packets using the CONNSECMARK target and copied back from
101 connections to packets with the same target, with the packets
102 being originally labeled via SECMARK.
106 config NF_CONNTRACK_ZONES
107 bool 'Connection tracking zones'
108 depends on NETFILTER_ADVANCED
110 This option enables support for connection tracking zones.
111 Normally, each connection needs to have a unique system wide
112 identity. Connection tracking zones allow to have multiple
113 connections using the same identity, as long as they are
114 contained in different zones.
118 config NF_CONNTRACK_PROCFS
119 bool "Supply CT list in procfs (OBSOLETE)"
122 This option enables for the list of known conntrack entries
123 to be shown in procfs under net/netfilter/nf_conntrack. This
124 is considered obsolete in favor of using the conntrack(8)
125 tool which uses Netlink.
127 config NF_CONNTRACK_EVENTS
128 bool "Connection tracking events"
129 depends on NETFILTER_ADVANCED
131 If this option is enabled, the connection tracking code will
132 provide a notifier chain that can be used by other kernel code
133 to get notified about changes in the connection tracking state.
137 config NF_CONNTRACK_TIMEOUT
138 bool 'Connection tracking timeout'
139 depends on NETFILTER_ADVANCED
141 This option enables support for connection tracking timeout
142 extension. This allows you to attach timeout policies to flow
147 config NF_CONNTRACK_TIMESTAMP
148 bool 'Connection tracking timestamping'
149 depends on NETFILTER_ADVANCED
151 This option enables support for connection tracking timestamping.
152 This allows you to store the flow start-time and to obtain
153 the flow-stop time (once it has been destroyed) via Connection
158 config NF_CONNTRACK_LABELS
159 bool "Connection tracking labels"
161 This option enables support for assigning user-defined flag bits
162 to connection tracking entries. It can be used with xtables connlabel
163 match and the nftables ct expression.
165 config NF_CT_PROTO_DCCP
166 bool 'DCCP protocol connection tracking support'
167 depends on NETFILTER_ADVANCED
170 With this option enabled, the layer 3 independent connection
171 tracking code will be able to do state tracking on DCCP connections.
175 config NF_CT_PROTO_GRE
178 config NF_CT_PROTO_SCTP
179 bool 'SCTP protocol connection tracking support'
180 depends on NETFILTER_ADVANCED
184 With this option enabled, the layer 3 independent connection
185 tracking code will be able to do state tracking on SCTP connections.
189 config NF_CT_PROTO_UDPLITE
190 bool 'UDP-Lite protocol connection tracking support'
191 depends on NETFILTER_ADVANCED
194 With this option enabled, the layer 3 independent connection
195 tracking code will be able to do state tracking on UDP-Lite
200 config NF_CONNTRACK_AMANDA
201 tristate "Amanda backup protocol support"
202 depends on NETFILTER_ADVANCED
204 select TEXTSEARCH_KMP
206 If you are running the Amanda backup package <http://www.amanda.org/>
207 on this machine or machines that will be MASQUERADED through this
208 machine, then you may want to enable this feature. This allows the
209 connection tracking and natting code to allow the sub-channels that
210 Amanda requires for communication of the backup data, messages and
213 To compile it as a module, choose M here. If unsure, say N.
215 config NF_CONNTRACK_FTP
216 tristate "FTP protocol support"
217 default m if NETFILTER_ADVANCED=n
219 Tracking FTP connections is problematic: special helpers are
220 required for tracking them, and doing masquerading and other forms
221 of Network Address Translation on them.
223 This is FTP support on Layer 3 independent connection tracking.
224 Layer 3 independent connection tracking is experimental scheme
225 which generalize ip_conntrack to support other layer 3 protocols.
227 To compile it as a module, choose M here. If unsure, say N.
229 config NF_CONNTRACK_H323
230 tristate "H.323 protocol support"
231 depends on IPV6 || IPV6=n
232 depends on NETFILTER_ADVANCED
234 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
235 important VoIP protocols, it is widely used by voice hardware and
236 software including voice gateways, IP phones, Netmeeting, OpenPhone,
239 With this module you can support H.323 on a connection tracking/NAT
242 This module supports RAS, Fast Start, H.245 Tunnelling, Call
243 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
244 whiteboard, file transfer, etc. For more information, please
245 visit http://nath323.sourceforge.net/.
247 To compile it as a module, choose M here. If unsure, say N.
249 config NF_CONNTRACK_IRC
250 tristate "IRC protocol support"
251 default m if NETFILTER_ADVANCED=n
253 There is a commonly-used extension to IRC called
254 Direct Client-to-Client Protocol (DCC). This enables users to send
255 files to each other, and also chat to each other without the need
256 of a server. DCC Sending is used anywhere you send files over IRC,
257 and DCC Chat is most commonly used by Eggdrop bots. If you are
258 using NAT, this extension will enable you to send files and initiate
259 chats. Note that you do NOT need this extension to get files or
260 have others initiate chats, or everything else in IRC.
262 To compile it as a module, choose M here. If unsure, say N.
264 config NF_CONNTRACK_BROADCAST
267 config NF_CONNTRACK_NETBIOS_NS
268 tristate "NetBIOS name service protocol support"
269 select NF_CONNTRACK_BROADCAST
271 NetBIOS name service requests are sent as broadcast messages from an
272 unprivileged port and responded to with unicast messages to the
273 same port. This make them hard to firewall properly because connection
274 tracking doesn't deal with broadcasts. This helper tracks locally
275 originating NetBIOS name service requests and the corresponding
276 responses. It relies on correct IP address configuration, specifically
277 netmask and broadcast address. When properly configured, the output
278 of "ip address show" should look similar to this:
280 $ ip -4 address show eth0
281 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
282 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
284 To compile it as a module, choose M here. If unsure, say N.
286 config NF_CONNTRACK_SNMP
287 tristate "SNMP service protocol support"
288 depends on NETFILTER_ADVANCED
289 select NF_CONNTRACK_BROADCAST
291 SNMP service requests are sent as broadcast messages from an
292 unprivileged port and responded to with unicast messages to the
293 same port. This make them hard to firewall properly because connection
294 tracking doesn't deal with broadcasts. This helper tracks locally
295 originating SNMP service requests and the corresponding
296 responses. It relies on correct IP address configuration, specifically
297 netmask and broadcast address.
299 To compile it as a module, choose M here. If unsure, say N.
301 config NF_CONNTRACK_PPTP
302 tristate "PPtP protocol support"
303 depends on NETFILTER_ADVANCED
304 select NF_CT_PROTO_GRE
306 This module adds support for PPTP (Point to Point Tunnelling
307 Protocol, RFC2637) connection tracking and NAT.
309 If you are running PPTP sessions over a stateful firewall or NAT
310 box, you may want to enable this feature.
312 Please note that not all PPTP modes of operation are supported yet.
313 Specifically these limitations exist:
314 - Blindly assumes that control connections are always established
315 in PNS->PAC direction. This is a violation of RFC2637.
316 - Only supports a single call within each session
318 To compile it as a module, choose M here. If unsure, say N.
320 config NF_CONNTRACK_SANE
321 tristate "SANE protocol support"
322 depends on NETFILTER_ADVANCED
324 SANE is a protocol for remote access to scanners as implemented
325 by the 'saned' daemon. Like FTP, it uses separate control and
328 With this module you can support SANE on a connection tracking
331 To compile it as a module, choose M here. If unsure, say N.
333 config NF_CONNTRACK_SIP
334 tristate "SIP protocol support"
335 default m if NETFILTER_ADVANCED=n
337 SIP is an application-layer control protocol that can establish,
338 modify, and terminate multimedia sessions (conferences) such as
339 Internet telephony calls. With the ip_conntrack_sip and
340 the nf_nat_sip modules you can support the protocol on a connection
341 tracking/NATing firewall.
343 To compile it as a module, choose M here. If unsure, say N.
345 config NF_CONNTRACK_TFTP
346 tristate "TFTP protocol support"
347 depends on NETFILTER_ADVANCED
349 TFTP connection tracking helper, this is required depending
350 on how restrictive your ruleset is.
351 If you are using a tftp client behind -j SNAT or -j MASQUERADING
354 To compile it as a module, choose M here. If unsure, say N.
357 tristate 'Connection tracking netlink interface'
358 select NETFILTER_NETLINK
359 default m if NETFILTER_ADVANCED=n
361 This option enables support for a netlink-based userspace interface
363 config NF_CT_NETLINK_TIMEOUT
364 tristate 'Connection tracking timeout tuning via Netlink'
365 select NETFILTER_NETLINK
366 depends on NETFILTER_ADVANCED
367 depends on NF_CONNTRACK_TIMEOUT
369 This option enables support for connection tracking timeout
370 fine-grain tuning. This allows you to attach specific timeout
371 policies to flows, instead of using the global timeout policy.
375 config NF_CT_NETLINK_HELPER
376 tristate 'Connection tracking helpers in user-space via Netlink'
377 select NETFILTER_NETLINK
378 depends on NF_CT_NETLINK
379 depends on NETFILTER_NETLINK_QUEUE
380 depends on NETFILTER_NETLINK_GLUE_CT
381 depends on NETFILTER_ADVANCED
383 This option enables the user-space connection tracking helpers
388 config NETFILTER_NETLINK_GLUE_CT
389 bool "NFQUEUE and NFLOG integration with Connection Tracking"
391 depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
393 If this option is enabled, NFQUEUE and NFLOG can include
394 Connection Tracking information together with the packet is
395 the enqueued via NFNETLINK.
405 config NF_NAT_PROTO_DCCP
407 depends on NF_NAT && NF_CT_PROTO_DCCP
408 default NF_NAT && NF_CT_PROTO_DCCP
410 config NF_NAT_PROTO_UDPLITE
412 depends on NF_NAT && NF_CT_PROTO_UDPLITE
413 default NF_NAT && NF_CT_PROTO_UDPLITE
415 config NF_NAT_PROTO_SCTP
417 default NF_NAT && NF_CT_PROTO_SCTP
418 depends on NF_NAT && NF_CT_PROTO_SCTP
422 depends on NF_CONNTRACK && NF_NAT
423 default NF_NAT && NF_CONNTRACK_AMANDA
427 depends on NF_CONNTRACK && NF_NAT
428 default NF_NAT && NF_CONNTRACK_FTP
432 depends on NF_CONNTRACK && NF_NAT
433 default NF_NAT && NF_CONNTRACK_IRC
437 depends on NF_CONNTRACK && NF_NAT
438 default NF_NAT && NF_CONNTRACK_SIP
442 depends on NF_CONNTRACK && NF_NAT
443 default NF_NAT && NF_CONNTRACK_TFTP
445 config NF_NAT_REDIRECT
448 config NETFILTER_SYNPROXY
454 select NETFILTER_NETLINK
455 tristate "Netfilter nf_tables support"
457 nftables is the new packet classification framework that intends to
458 replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
459 provides a pseudo-state machine with an extensible instruction-set
460 (also known as expressions) that the userspace 'nft' utility
461 (http://www.netfilter.org/projects/nftables) uses to build the
462 rule-set. It also comes with the generic set infrastructure that
463 allows you to construct mappings between matchings and actions
464 for performance lookups.
466 To compile it as a module, choose M here.
471 tristate "Netfilter nf_tables set infrastructure"
473 This option enables the nf_tables set infrastructure that allows to
474 look up for elements in a set and to build one-way mappings between
475 matchings and actions.
477 config NF_TABLES_INET
479 select NF_TABLES_IPV4
480 select NF_TABLES_IPV6
481 bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
483 This option enables support for a mixed IPv4/IPv6 "inet" table.
485 config NF_TABLES_NETDEV
486 bool "Netfilter nf_tables netdev tables support"
488 This option enables support for the "netdev" table.
491 tristate "Netfilter nf_tables number generator module"
493 This option adds the number generator expression used to perform
494 incremental counting and random numbers bound to a upper limit.
497 depends on NF_CONNTRACK
498 tristate "Netfilter nf_tables conntrack module"
500 This option adds the "ct" expression that you can use to match
501 connection tracking information such as the flow state.
503 config NFT_FLOW_OFFLOAD
504 depends on NF_CONNTRACK && NF_FLOW_TABLE
505 tristate "Netfilter nf_tables hardware flow offload module"
507 This option adds the "flow_offload" expression that you can use to
508 choose what flows are placed into the hardware.
511 tristate "Netfilter nf_tables counter module"
513 This option adds the "counter" expression that you can use to
514 include packet and byte counters in a rule.
517 tristate "Netfilter nf_tables connlimit module"
518 depends on NF_CONNTRACK
519 depends on NETFILTER_ADVANCED
520 select NETFILTER_CONNCOUNT
522 This option adds the "connlimit" expression that you can use to
523 ratelimit rule matchings per connections.
526 tristate "Netfilter nf_tables log module"
528 This option adds the "log" expression that you can use to log
529 packets matching some criteria.
532 tristate "Netfilter nf_tables limit module"
534 This option adds the "limit" expression that you can use to
535 ratelimit rule matchings.
538 depends on NF_CONNTRACK
540 tristate "Netfilter nf_tables masquerade support"
542 This option adds the "masquerade" expression that you can use
543 to perform NAT in the masquerade flavour.
546 depends on NF_CONNTRACK
548 tristate "Netfilter nf_tables redirect support"
550 This options adds the "redirect" expression that you can use
551 to perform NAT in the redirect flavour.
554 depends on NF_CONNTRACK
556 tristate "Netfilter nf_tables nat module"
558 This option adds the "nat" expression that you can use to perform
559 typical Network Address Translation (NAT) packet transformations.
562 tristate "Netfilter nf_tables tunnel module"
564 This option adds the "tunnel" expression that you can use to set
568 tristate "Netfilter nf_tables stateful object reference module"
570 This option adds the "objref" expression that allows you to refer to
571 stateful objects, such as counters and quotas.
574 depends on NETFILTER_NETLINK_QUEUE
575 tristate "Netfilter nf_tables queue module"
577 This is required if you intend to use the userspace queueing
578 infrastructure (also known as NFQUEUE) from nftables.
581 tristate "Netfilter nf_tables quota module"
583 This option adds the "quota" expression that you can use to match
584 enforce bytes quotas.
587 default m if NETFILTER_ADVANCED=n
588 tristate "Netfilter nf_tables reject support"
589 depends on !NF_TABLES_INET || (IPV6!=m || m)
591 This option adds the "reject" expression that you can use to
592 explicitly deny and notify via TCP reset/ICMP informational errors
595 config NFT_REJECT_INET
596 depends on NF_TABLES_INET
601 depends on NETFILTER_XTABLES
602 tristate "Netfilter x_tables over nf_tables module"
604 This is required if you intend to use any of existing
605 x_tables match/target extensions over the nf_tables
609 tristate "Netfilter nf_tables hash module"
611 This option adds the "hash" expression that you can use to perform
612 a hash operation on registers.
618 depends on NF_TABLES_INET
619 depends on NFT_FIB_IPV4
620 depends on NFT_FIB_IPV6
621 tristate "Netfilter nf_tables fib inet support"
623 This option allows using the FIB expression from the inet table.
624 The lookup will be delegated to the IPv4 or IPv6 FIB depending
625 on the protocol of the packet.
628 tristate "Netfilter nf_tables socket match support"
629 depends on IPV6 || IPV6=n
630 select NF_SOCKET_IPV4
631 select NF_SOCKET_IPV6 if NF_TABLES_IPV6
633 This option allows matching for the presence or absence of a
634 corresponding socket and its attributes.
637 tristate "Netfilter nf_tables passive OS fingerprint support"
638 depends on NETFILTER_ADVANCED
639 select NETFILTER_NETLINK_OSF
641 This option allows matching packets from an specific OS.
644 tristate "Netfilter nf_tables tproxy support"
645 depends on IPV6 || IPV6=n
646 select NF_DEFRAG_IPV4
647 select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
648 select NF_TPROXY_IPV4
649 select NF_TPROXY_IPV6 if NF_TABLES_IPV6
651 This makes transparent proxy support available in nftables.
656 tristate "Netfilter packet duplication support"
658 This option enables the generic packet duplication infrastructure
661 config NFT_DUP_NETDEV
662 tristate "Netfilter nf_tables netdev packet duplication support"
665 This option enables packet duplication for the "netdev" family.
667 config NFT_FWD_NETDEV
668 tristate "Netfilter nf_tables netdev packet forwarding support"
671 This option enables packet forwarding for the "netdev" family.
673 config NFT_FIB_NETDEV
674 depends on NFT_FIB_IPV4
675 depends on NFT_FIB_IPV6
676 tristate "Netfilter nf_tables netdev fib lookups support"
678 This option allows using the FIB expression from the netdev table.
679 The lookup will be delegated to the IPv4 or IPv6 FIB depending
680 on the protocol of the packet.
682 endif # NF_TABLES_NETDEV
686 config NF_FLOW_TABLE_INET
687 tristate "Netfilter flow table mixed IPv4/IPv6 module"
688 depends on NF_FLOW_TABLE
690 This option adds the flow table mixed IPv4/IPv6 support.
692 To compile it as a module, choose M here.
695 tristate "Netfilter flow table module"
696 depends on NETFILTER_INGRESS
697 depends on NF_CONNTRACK
700 This option adds the flow table core infrastructure.
702 To compile it as a module, choose M here.
704 config NETFILTER_XTABLES
705 tristate "Netfilter Xtables support (required for ip_tables)"
706 default m if NETFILTER_ADVANCED=n
708 This is required if you intend to use any of ip_tables,
709 ip6_tables or arp_tables.
713 comment "Xtables combined modules"
715 config NETFILTER_XT_MARK
716 tristate 'nfmark target and match support'
717 default m if NETFILTER_ADVANCED=n
719 This option adds the "MARK" target and "mark" match.
721 Netfilter mark matching allows you to match packets based on the
722 "nfmark" value in the packet.
723 The target allows you to create rules in the "mangle" table which alter
724 the netfilter mark (nfmark) field associated with the packet.
726 Prior to routing, the nfmark can influence the routing method and can
727 also be used by other subsystems to change their behavior.
729 config NETFILTER_XT_CONNMARK
730 tristate 'ctmark target and match support'
731 depends on NF_CONNTRACK
732 depends on NETFILTER_ADVANCED
733 select NF_CONNTRACK_MARK
735 This option adds the "CONNMARK" target and "connmark" match.
737 Netfilter allows you to store a mark value per connection (a.k.a.
738 ctmark), similarly to the packet mark (nfmark). Using this
739 target and match, you can set and match on this mark.
741 config NETFILTER_XT_SET
742 tristate 'set target and match support'
744 depends on NETFILTER_ADVANCED
746 This option adds the "SET" target and "set" match.
748 Using this target and match, you can add/delete and match
749 elements in the sets created by ipset(8).
751 To compile it as a module, choose M here. If unsure, say N.
753 # alphabetically ordered list of targets
755 comment "Xtables targets"
757 config NETFILTER_XT_TARGET_AUDIT
758 tristate "AUDIT target support"
760 depends on NETFILTER_ADVANCED
762 This option adds a 'AUDIT' target, which can be used to create
763 audit records for packets dropped/accepted.
765 To compileit as a module, choose M here. If unsure, say N.
767 config NETFILTER_XT_TARGET_CHECKSUM
768 tristate "CHECKSUM target support"
769 depends on IP_NF_MANGLE || IP6_NF_MANGLE
770 depends on NETFILTER_ADVANCED
772 This option adds a `CHECKSUM' target, which can be used in the iptables mangle
773 table to work around buggy DHCP clients in virtualized environments.
775 Some old DHCP clients drop packets because they are not aware
776 that the checksum would normally be offloaded to hardware and
777 thus should be considered valid.
778 This target can be used to fill in the checksum using iptables
779 when such packets are sent via a virtual network device.
781 To compile it as a module, choose M here. If unsure, say N.
783 config NETFILTER_XT_TARGET_CLASSIFY
784 tristate '"CLASSIFY" target support'
785 depends on NETFILTER_ADVANCED
787 This option adds a `CLASSIFY' target, which enables the user to set
788 the priority of a packet. Some qdiscs can use this value for
789 classification, among these are:
791 atm, cbq, dsmark, pfifo_fast, htb, prio
793 To compile it as a module, choose M here. If unsure, say N.
795 config NETFILTER_XT_TARGET_CONNMARK
796 tristate '"CONNMARK" target support'
797 depends on NF_CONNTRACK
798 depends on NETFILTER_ADVANCED
799 select NETFILTER_XT_CONNMARK
801 This is a backwards-compat option for the user's convenience
802 (e.g. when running oldconfig). It selects
803 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
805 config NETFILTER_XT_TARGET_CONNSECMARK
806 tristate '"CONNSECMARK" target support'
807 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
808 default m if NETFILTER_ADVANCED=n
810 The CONNSECMARK target copies security markings from packets
811 to connections, and restores security markings from connections
812 to packets (if the packets are not already marked). This would
813 normally be used in conjunction with the SECMARK target.
815 To compile it as a module, choose M here. If unsure, say N.
817 config NETFILTER_XT_TARGET_CT
818 tristate '"CT" target support'
819 depends on NF_CONNTRACK
820 depends on IP_NF_RAW || IP6_NF_RAW
821 depends on NETFILTER_ADVANCED
823 This options adds a `CT' target, which allows to specify initial
824 connection tracking parameters like events to be delivered and
825 the helper to be used.
827 To compile it as a module, choose M here. If unsure, say N.
829 config NETFILTER_XT_TARGET_DSCP
830 tristate '"DSCP" and "TOS" target support'
831 depends on IP_NF_MANGLE || IP6_NF_MANGLE
832 depends on NETFILTER_ADVANCED
834 This option adds a `DSCP' target, which allows you to manipulate
835 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
837 The DSCP field can have any value between 0x0 and 0x3f inclusive.
839 It also adds the "TOS" target, which allows you to create rules in
840 the "mangle" table which alter the Type Of Service field of an IPv4
841 or the Priority field of an IPv6 packet, prior to routing.
843 To compile it as a module, choose M here. If unsure, say N.
845 config NETFILTER_XT_TARGET_HL
846 tristate '"HL" hoplimit target support'
847 depends on IP_NF_MANGLE || IP6_NF_MANGLE
848 depends on NETFILTER_ADVANCED
850 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
851 targets, which enable the user to change the
852 hoplimit/time-to-live value of the IP header.
854 While it is safe to decrement the hoplimit/TTL value, the
855 modules also allow to increment and set the hoplimit value of
856 the header to arbitrary values. This is EXTREMELY DANGEROUS
857 since you can easily create immortal packets that loop
858 forever on the network.
860 config NETFILTER_XT_TARGET_HMARK
861 tristate '"HMARK" target support'
862 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
863 depends on NETFILTER_ADVANCED
865 This option adds the "HMARK" target.
867 The target allows you to create rules in the "raw" and "mangle" tables
868 which set the skbuff mark by means of hash calculation within a given
869 range. The nfmark can influence the routing method and can also be used
870 by other subsystems to change their behaviour.
872 To compile it as a module, choose M here. If unsure, say N.
874 config NETFILTER_XT_TARGET_IDLETIMER
875 tristate "IDLETIMER target support"
876 depends on NETFILTER_ADVANCED
879 This option adds the `IDLETIMER' target. Each matching packet
880 resets the timer associated with label specified when the rule is
881 added. When the timer expires, it triggers a sysfs notification.
882 The remaining time for expiration can be read via sysfs.
884 To compile it as a module, choose M here. If unsure, say N.
886 config NETFILTER_XT_TARGET_LED
887 tristate '"LED" target support'
888 depends on LEDS_CLASS && LEDS_TRIGGERS
889 depends on NETFILTER_ADVANCED
891 This option adds a `LED' target, which allows you to blink LEDs in
892 response to particular packets passing through your machine.
894 This can be used to turn a spare LED into a network activity LED,
895 which only flashes in response to FTP transfers, for example. Or
896 you could have an LED which lights up for a minute or two every time
897 somebody connects to your machine via SSH.
899 You will need support for the "led" class to make this work.
901 To create an LED trigger for incoming SSH traffic:
902 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
904 Then attach the new trigger to an LED on your system:
905 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
907 For more information on the LEDs available on your system, see
908 Documentation/leds/leds-class.txt
910 config NETFILTER_XT_TARGET_LOG
911 tristate "LOG target support"
914 select NF_LOG_IPV6 if IP6_NF_IPTABLES
915 default m if NETFILTER_ADVANCED=n
917 This option adds a `LOG' target, which allows you to create rules in
918 any iptables table which records the packet header to the syslog.
920 To compile it as a module, choose M here. If unsure, say N.
922 config NETFILTER_XT_TARGET_MARK
923 tristate '"MARK" target support'
924 depends on NETFILTER_ADVANCED
925 select NETFILTER_XT_MARK
927 This is a backwards-compat option for the user's convenience
928 (e.g. when running oldconfig). It selects
929 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
931 config NETFILTER_XT_NAT
932 tristate '"SNAT and DNAT" targets support'
935 This option enables the SNAT and DNAT targets.
937 To compile it as a module, choose M here. If unsure, say N.
939 config NETFILTER_XT_TARGET_NETMAP
940 tristate '"NETMAP" target support'
943 NETMAP is an implementation of static 1:1 NAT mapping of network
944 addresses. It maps the network address part, while keeping the host
947 To compile it as a module, choose M here. If unsure, say N.
949 config NETFILTER_XT_TARGET_NFLOG
950 tristate '"NFLOG" target support'
951 default m if NETFILTER_ADVANCED=n
952 select NETFILTER_NETLINK_LOG
954 This option enables the NFLOG target, which allows to LOG
955 messages through nfnetlink_log.
957 To compile it as a module, choose M here. If unsure, say N.
959 config NETFILTER_XT_TARGET_NFQUEUE
960 tristate '"NFQUEUE" target Support'
961 depends on NETFILTER_ADVANCED
962 select NETFILTER_NETLINK_QUEUE
964 This target replaced the old obsolete QUEUE target.
966 As opposed to QUEUE, it supports 65535 different queues,
969 To compile it as a module, choose M here. If unsure, say N.
971 config NETFILTER_XT_TARGET_NOTRACK
972 tristate '"NOTRACK" target support (DEPRECATED)'
973 depends on NF_CONNTRACK
974 depends on IP_NF_RAW || IP6_NF_RAW
975 depends on NETFILTER_ADVANCED
976 select NETFILTER_XT_TARGET_CT
978 config NETFILTER_XT_TARGET_RATEEST
979 tristate '"RATEEST" target support'
980 depends on NETFILTER_ADVANCED
982 This option adds a `RATEEST' target, which allows to measure
983 rates similar to TC estimators. The `rateest' match can be
984 used to match on the measured rates.
986 To compile it as a module, choose M here. If unsure, say N.
988 config NETFILTER_XT_TARGET_REDIRECT
989 tristate "REDIRECT target support"
991 select NF_NAT_REDIRECT
993 REDIRECT is a special case of NAT: all incoming connections are
994 mapped onto the incoming interface's address, causing the packets to
995 come to the local machine instead of passing through. This is
996 useful for transparent proxies.
998 To compile it as a module, choose M here. If unsure, say N.
1000 config NETFILTER_XT_TARGET_TEE
1001 tristate '"TEE" - packet cloning to alternate destination'
1002 depends on NETFILTER_ADVANCED
1003 depends on IPV6 || IPV6=n
1004 depends on !NF_CONNTRACK || NF_CONNTRACK
1005 depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1007 select NF_DUP_IPV6 if IP6_NF_IPTABLES
1009 This option adds a "TEE" target with which a packet can be cloned and
1010 this clone be rerouted to another nexthop.
1012 config NETFILTER_XT_TARGET_TPROXY
1013 tristate '"TPROXY" target transparent proxying support'
1014 depends on NETFILTER_XTABLES
1015 depends on NETFILTER_ADVANCED
1016 depends on IPV6 || IPV6=n
1017 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1018 depends on IP_NF_MANGLE
1019 select NF_DEFRAG_IPV4
1020 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1021 select NF_TPROXY_IPV4
1022 select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1024 This option adds a `TPROXY' target, which is somewhat similar to
1025 REDIRECT. It can only be used in the mangle table and is useful
1026 to redirect traffic to a transparent proxy. It does _not_ depend
1027 on Netfilter connection tracking and NAT, unlike REDIRECT.
1028 For it to work you will have to configure certain iptables rules
1029 and use policy routing. For more information on how to set it up
1030 see Documentation/networking/tproxy.txt.
1032 To compile it as a module, choose M here. If unsure, say N.
1034 config NETFILTER_XT_TARGET_TRACE
1035 tristate '"TRACE" target support'
1036 depends on IP_NF_RAW || IP6_NF_RAW
1037 depends on NETFILTER_ADVANCED
1039 The TRACE target allows you to mark packets so that the kernel
1040 will log every rule which match the packets as those traverse
1041 the tables, chains, rules.
1043 If you want to compile it as a module, say M here and read
1044 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1046 config NETFILTER_XT_TARGET_SECMARK
1047 tristate '"SECMARK" target support'
1048 depends on NETWORK_SECMARK
1049 default m if NETFILTER_ADVANCED=n
1051 The SECMARK target allows security marking of network
1052 packets, for use with security subsystems.
1054 To compile it as a module, choose M here. If unsure, say N.
1056 config NETFILTER_XT_TARGET_TCPMSS
1057 tristate '"TCPMSS" target support'
1058 depends on IPV6 || IPV6=n
1059 default m if NETFILTER_ADVANCED=n
1061 This option adds a `TCPMSS' target, which allows you to alter the
1062 MSS value of TCP SYN packets, to control the maximum size for that
1063 connection (usually limiting it to your outgoing interface's MTU
1066 This is used to overcome criminally braindead ISPs or servers which
1067 block ICMP Fragmentation Needed packets. The symptoms of this
1068 problem are that everything works fine from your Linux
1069 firewall/router, but machines behind it can never exchange large
1071 1) Web browsers connect, then hang with no data received.
1072 2) Small mail works fine, but large emails hang.
1073 3) ssh works fine, but scp hangs after initial handshaking.
1075 Workaround: activate this option and add a rule to your firewall
1078 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1079 -j TCPMSS --clamp-mss-to-pmtu
1081 To compile it as a module, choose M here. If unsure, say N.
1083 config NETFILTER_XT_TARGET_TCPOPTSTRIP
1084 tristate '"TCPOPTSTRIP" target support'
1085 depends on IP_NF_MANGLE || IP6_NF_MANGLE
1086 depends on NETFILTER_ADVANCED
1088 This option adds a "TCPOPTSTRIP" target, which allows you to strip
1089 TCP options from TCP packets.
1091 # alphabetically ordered list of matches
1093 comment "Xtables matches"
1095 config NETFILTER_XT_MATCH_ADDRTYPE
1096 tristate '"addrtype" address type match support'
1097 default m if NETFILTER_ADVANCED=n
1099 This option allows you to match what routing thinks of an address,
1100 eg. UNICAST, LOCAL, BROADCAST, ...
1102 If you want to compile it as a module, say M here and read
1103 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1105 config NETFILTER_XT_MATCH_BPF
1106 tristate '"bpf" match support'
1107 depends on NETFILTER_ADVANCED
1109 BPF matching applies a linux socket filter to each packet and
1110 accepts those for which the filter returns non-zero.
1112 To compile it as a module, choose M here. If unsure, say N.
1114 config NETFILTER_XT_MATCH_CGROUP
1115 tristate '"control group" match support'
1116 depends on NETFILTER_ADVANCED
1118 select CGROUP_NET_CLASSID
1120 Socket/process control group matching allows you to match locally
1121 generated packets based on which net_cls control group processes
1124 config NETFILTER_XT_MATCH_CLUSTER
1125 tristate '"cluster" match support'
1126 depends on NF_CONNTRACK
1127 depends on NETFILTER_ADVANCED
1129 This option allows you to build work-load-sharing clusters of
1130 network servers/stateful firewalls without having a dedicated
1131 load-balancing router/server/switch. Basically, this match returns
1132 true when the packet must be handled by this cluster node. Thus,
1133 all nodes see all packets and this match decides which node handles
1134 what packets. The work-load sharing algorithm is based on source
1137 If you say Y or M here, try `iptables -m cluster --help` for
1140 config NETFILTER_XT_MATCH_COMMENT
1141 tristate '"comment" match support'
1142 depends on NETFILTER_ADVANCED
1144 This option adds a `comment' dummy-match, which allows you to put
1145 comments in your iptables ruleset.
1147 If you want to compile it as a module, say M here and read
1148 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1150 config NETFILTER_XT_MATCH_CONNBYTES
1151 tristate '"connbytes" per-connection counter match support'
1152 depends on NF_CONNTRACK
1153 depends on NETFILTER_ADVANCED
1155 This option adds a `connbytes' match, which allows you to match the
1156 number of bytes and/or packets for each direction within a connection.
1158 If you want to compile it as a module, say M here and read
1159 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1161 config NETFILTER_XT_MATCH_CONNLABEL
1162 tristate '"connlabel" match support'
1163 select NF_CONNTRACK_LABELS
1164 depends on NF_CONNTRACK
1165 depends on NETFILTER_ADVANCED
1167 This match allows you to test and assign userspace-defined labels names
1168 to a connection. The kernel only stores bit values - mapping
1169 names to bits is done by userspace.
1171 Unlike connmark, more than 32 flag bits may be assigned to a
1172 connection simultaneously.
1174 config NETFILTER_XT_MATCH_CONNLIMIT
1175 tristate '"connlimit" match support'
1176 depends on NF_CONNTRACK
1177 depends on NETFILTER_ADVANCED
1178 select NETFILTER_CONNCOUNT
1180 This match allows you to match against the number of parallel
1181 connections to a server per client IP address (or address block).
1183 config NETFILTER_XT_MATCH_CONNMARK
1184 tristate '"connmark" connection mark match support'
1185 depends on NF_CONNTRACK
1186 depends on NETFILTER_ADVANCED
1187 select NETFILTER_XT_CONNMARK
1189 This is a backwards-compat option for the user's convenience
1190 (e.g. when running oldconfig). It selects
1191 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1193 config NETFILTER_XT_MATCH_CONNTRACK
1194 tristate '"conntrack" connection tracking match support'
1195 depends on NF_CONNTRACK
1196 default m if NETFILTER_ADVANCED=n
1198 This is a general conntrack match module, a superset of the state match.
1200 It allows matching on additional conntrack information, which is
1201 useful in complex configurations, such as NAT gateways with multiple
1202 internet links or tunnels.
1204 To compile it as a module, choose M here. If unsure, say N.
1206 config NETFILTER_XT_MATCH_CPU
1207 tristate '"cpu" match support'
1208 depends on NETFILTER_ADVANCED
1210 CPU matching allows you to match packets based on the CPU
1211 currently handling the packet.
1213 To compile it as a module, choose M here. If unsure, say N.
1215 config NETFILTER_XT_MATCH_DCCP
1216 tristate '"dccp" protocol match support'
1217 depends on NETFILTER_ADVANCED
1220 With this option enabled, you will be able to use the iptables
1221 `dccp' match in order to match on DCCP source/destination ports
1224 If you want to compile it as a module, say M here and read
1225 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1227 config NETFILTER_XT_MATCH_DEVGROUP
1228 tristate '"devgroup" match support'
1229 depends on NETFILTER_ADVANCED
1231 This options adds a `devgroup' match, which allows to match on the
1232 device group a network device is assigned to.
1234 To compile it as a module, choose M here. If unsure, say N.
1236 config NETFILTER_XT_MATCH_DSCP
1237 tristate '"dscp" and "tos" match support'
1238 depends on NETFILTER_ADVANCED
1240 This option adds a `DSCP' match, which allows you to match against
1241 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1243 The DSCP field can have any value between 0x0 and 0x3f inclusive.
1245 It will also add a "tos" match, which allows you to match packets
1246 based on the Type Of Service fields of the IPv4 packet (which share
1247 the same bits as DSCP).
1249 To compile it as a module, choose M here. If unsure, say N.
1251 config NETFILTER_XT_MATCH_ECN
1252 tristate '"ecn" match support'
1253 depends on NETFILTER_ADVANCED
1255 This option adds an "ECN" match, which allows you to match against
1256 the IPv4 and TCP header ECN fields.
1258 To compile it as a module, choose M here. If unsure, say N.
1260 config NETFILTER_XT_MATCH_ESP
1261 tristate '"esp" match support'
1262 depends on NETFILTER_ADVANCED
1264 This match extension allows you to match a range of SPIs
1265 inside ESP header of IPSec packets.
1267 To compile it as a module, choose M here. If unsure, say N.
1269 config NETFILTER_XT_MATCH_HASHLIMIT
1270 tristate '"hashlimit" match support'
1271 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1272 depends on NETFILTER_ADVANCED
1274 This option adds a `hashlimit' match.
1276 As opposed to `limit', this match dynamically creates a hash table
1277 of limit buckets, based on your selection of source/destination
1278 addresses and/or ports.
1280 It enables you to express policies like `10kpps for any given
1281 destination address' or `500pps from any given source address'
1284 config NETFILTER_XT_MATCH_HELPER
1285 tristate '"helper" match support'
1286 depends on NF_CONNTRACK
1287 depends on NETFILTER_ADVANCED
1289 Helper matching allows you to match packets in dynamic connections
1290 tracked by a conntrack-helper, ie. ip_conntrack_ftp
1292 To compile it as a module, choose M here. If unsure, say Y.
1294 config NETFILTER_XT_MATCH_HL
1295 tristate '"hl" hoplimit/TTL match support'
1296 depends on NETFILTER_ADVANCED
1298 HL matching allows you to match packets based on the hoplimit
1299 in the IPv6 header, or the time-to-live field in the IPv4
1300 header of the packet.
1302 config NETFILTER_XT_MATCH_IPCOMP
1303 tristate '"ipcomp" match support'
1304 depends on NETFILTER_ADVANCED
1306 This match extension allows you to match a range of CPIs(16 bits)
1307 inside IPComp header of IPSec packets.
1309 To compile it as a module, choose M here. If unsure, say N.
1311 config NETFILTER_XT_MATCH_IPRANGE
1312 tristate '"iprange" address range match support'
1313 depends on NETFILTER_ADVANCED
1315 This option adds a "iprange" match, which allows you to match based on
1316 an IP address range. (Normal iptables only matches on single addresses
1317 with an optional mask.)
1321 config NETFILTER_XT_MATCH_IPVS
1322 tristate '"ipvs" match support'
1324 depends on NETFILTER_ADVANCED
1325 depends on NF_CONNTRACK
1327 This option allows you to match against IPVS properties of a packet.
1331 config NETFILTER_XT_MATCH_L2TP
1332 tristate '"l2tp" match support'
1333 depends on NETFILTER_ADVANCED
1336 This option adds an "L2TP" match, which allows you to match against
1337 L2TP protocol header fields.
1339 To compile it as a module, choose M here. If unsure, say N.
1341 config NETFILTER_XT_MATCH_LENGTH
1342 tristate '"length" match support'
1343 depends on NETFILTER_ADVANCED
1345 This option allows you to match the length of a packet against a
1346 specific value or range of values.
1348 To compile it as a module, choose M here. If unsure, say N.
1350 config NETFILTER_XT_MATCH_LIMIT
1351 tristate '"limit" match support'
1352 depends on NETFILTER_ADVANCED
1354 limit matching allows you to control the rate at which a rule can be
1355 matched: mainly useful in combination with the LOG target ("LOG
1356 target support", below) and to avoid some Denial of Service attacks.
1358 To compile it as a module, choose M here. If unsure, say N.
1360 config NETFILTER_XT_MATCH_MAC
1361 tristate '"mac" address match support'
1362 depends on NETFILTER_ADVANCED
1364 MAC matching allows you to match packets based on the source
1365 Ethernet address of the packet.
1367 To compile it as a module, choose M here. If unsure, say N.
1369 config NETFILTER_XT_MATCH_MARK
1370 tristate '"mark" match support'
1371 depends on NETFILTER_ADVANCED
1372 select NETFILTER_XT_MARK
1374 This is a backwards-compat option for the user's convenience
1375 (e.g. when running oldconfig). It selects
1376 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1378 config NETFILTER_XT_MATCH_MULTIPORT
1379 tristate '"multiport" Multiple port match support'
1380 depends on NETFILTER_ADVANCED
1382 Multiport matching allows you to match TCP or UDP packets based on
1383 a series of source or destination ports: normally a rule can only
1384 match a single range of ports.
1386 To compile it as a module, choose M here. If unsure, say N.
1388 config NETFILTER_XT_MATCH_NFACCT
1389 tristate '"nfacct" match support'
1390 depends on NETFILTER_ADVANCED
1391 select NETFILTER_NETLINK_ACCT
1393 This option allows you to use the extended accounting through
1396 To compile it as a module, choose M here. If unsure, say N.
1398 config NETFILTER_XT_MATCH_OSF
1399 tristate '"osf" Passive OS fingerprint match'
1400 depends on NETFILTER_ADVANCED
1401 select NETFILTER_NETLINK_OSF
1403 This option selects the Passive OS Fingerprinting match module
1404 that allows to passively match the remote operating system by
1405 analyzing incoming TCP SYN packets.
1407 Rules and loading software can be downloaded from
1408 http://www.ioremap.net/projects/osf
1410 To compile it as a module, choose M here. If unsure, say N.
1412 config NETFILTER_XT_MATCH_OWNER
1413 tristate '"owner" match support'
1414 depends on NETFILTER_ADVANCED
1416 Socket owner matching allows you to match locally-generated packets
1417 based on who created the socket: the user or group. It is also
1418 possible to check whether a socket actually exists.
1420 config NETFILTER_XT_MATCH_POLICY
1421 tristate 'IPsec "policy" match support'
1423 default m if NETFILTER_ADVANCED=n
1425 Policy matching allows you to match packets based on the
1426 IPsec policy that was used during decapsulation/will
1427 be used during encapsulation.
1429 To compile it as a module, choose M here. If unsure, say N.
1431 config NETFILTER_XT_MATCH_PHYSDEV
1432 tristate '"physdev" match support'
1433 depends on BRIDGE && BRIDGE_NETFILTER
1434 depends on NETFILTER_ADVANCED
1436 Physdev packet matching matches against the physical bridge ports
1437 the IP packet arrived on or will leave by.
1439 To compile it as a module, choose M here. If unsure, say N.
1441 config NETFILTER_XT_MATCH_PKTTYPE
1442 tristate '"pkttype" packet type match support'
1443 depends on NETFILTER_ADVANCED
1445 Packet type matching allows you to match a packet by
1446 its "class", eg. BROADCAST, MULTICAST, ...
1449 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1451 To compile it as a module, choose M here. If unsure, say N.
1453 config NETFILTER_XT_MATCH_QUOTA
1454 tristate '"quota" match support'
1455 depends on NETFILTER_ADVANCED
1457 This option adds a `quota' match, which allows to match on a
1460 If you want to compile it as a module, say M here and read
1461 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1463 config NETFILTER_XT_MATCH_RATEEST
1464 tristate '"rateest" match support'
1465 depends on NETFILTER_ADVANCED
1466 select NETFILTER_XT_TARGET_RATEEST
1468 This option adds a `rateest' match, which allows to match on the
1469 rate estimated by the RATEEST target.
1471 To compile it as a module, choose M here. If unsure, say N.
1473 config NETFILTER_XT_MATCH_REALM
1474 tristate '"realm" match support'
1475 depends on NETFILTER_ADVANCED
1476 select IP_ROUTE_CLASSID
1478 This option adds a `realm' match, which allows you to use the realm
1479 key from the routing subsystem inside iptables.
1481 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1484 If you want to compile it as a module, say M here and read
1485 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1487 config NETFILTER_XT_MATCH_RECENT
1488 tristate '"recent" match support'
1489 depends on NETFILTER_ADVANCED
1491 This match is used for creating one or many lists of recently
1492 used addresses and then matching against that/those list(s).
1494 Short options are available by using 'iptables -m recent -h'
1495 Official Website: <http://snowman.net/projects/ipt_recent/>
1497 config NETFILTER_XT_MATCH_SCTP
1498 tristate '"sctp" protocol match support'
1499 depends on NETFILTER_ADVANCED
1502 With this option enabled, you will be able to use the
1503 `sctp' match in order to match on SCTP source/destination ports
1504 and SCTP chunk types.
1506 If you want to compile it as a module, say M here and read
1507 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1509 config NETFILTER_XT_MATCH_SOCKET
1510 tristate '"socket" match support'
1511 depends on NETFILTER_XTABLES
1512 depends on NETFILTER_ADVANCED
1513 depends on IPV6 || IPV6=n
1514 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1515 select NF_SOCKET_IPV4
1516 select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1517 select NF_DEFRAG_IPV4
1518 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1520 This option adds a `socket' match, which can be used to match
1521 packets for which a TCP or UDP socket lookup finds a valid socket.
1522 It can be used in combination with the MARK target and policy
1523 routing to implement full featured non-locally bound sockets.
1525 To compile it as a module, choose M here. If unsure, say N.
1527 config NETFILTER_XT_MATCH_STATE
1528 tristate '"state" match support'
1529 depends on NF_CONNTRACK
1530 default m if NETFILTER_ADVANCED=n
1532 Connection state matching allows you to match packets based on their
1533 relationship to a tracked connection (ie. previous packets). This
1534 is a powerful tool for packet classification.
1536 To compile it as a module, choose M here. If unsure, say N.
1538 config NETFILTER_XT_MATCH_STATISTIC
1539 tristate '"statistic" match support'
1540 depends on NETFILTER_ADVANCED
1542 This option adds a `statistic' match, which allows you to match
1543 on packets periodically or randomly with a given percentage.
1545 To compile it as a module, choose M here. If unsure, say N.
1547 config NETFILTER_XT_MATCH_STRING
1548 tristate '"string" match support'
1549 depends on NETFILTER_ADVANCED
1551 select TEXTSEARCH_KMP
1552 select TEXTSEARCH_BM
1553 select TEXTSEARCH_FSM
1555 This option adds a `string' match, which allows you to look for
1556 pattern matchings in packets.
1558 To compile it as a module, choose M here. If unsure, say N.
1560 config NETFILTER_XT_MATCH_TCPMSS
1561 tristate '"tcpmss" match support'
1562 depends on NETFILTER_ADVANCED
1564 This option adds a `tcpmss' match, which allows you to examine the
1565 MSS value of TCP SYN packets, which control the maximum packet size
1566 for that connection.
1568 To compile it as a module, choose M here. If unsure, say N.
1570 config NETFILTER_XT_MATCH_TIME
1571 tristate '"time" match support'
1572 depends on NETFILTER_ADVANCED
1574 This option adds a "time" match, which allows you to match based on
1575 the packet arrival time (at the machine which netfilter is running)
1576 on) or departure time/date (for locally generated packets).
1578 If you say Y here, try `iptables -m time --help` for
1581 If you want to compile it as a module, say M here.
1584 config NETFILTER_XT_MATCH_U32
1585 tristate '"u32" match support'
1586 depends on NETFILTER_ADVANCED
1588 u32 allows you to extract quantities of up to 4 bytes from a packet,
1589 AND them with specified masks, shift them by specified amounts and
1590 test whether the results are in any of a set of specified ranges.
1591 The specification of what to extract is general enough to skip over
1592 headers with lengths stored in the packet, as in IP or TCP header
1595 Details and examples are in the kernel module source.
1597 endif # NETFILTER_XTABLES
1601 source "net/netfilter/ipset/Kconfig"
1603 source "net/netfilter/ipvs/Kconfig"