1 menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
4 config NETFILTER_NETLINK
7 config NETFILTER_NETLINK_QUEUE
8 tristate "Netfilter NFQUEUE over NFNETLINK interface"
9 depends on NETFILTER_ADVANCED
10 select NETFILTER_NETLINK
12 If this option is enabled, the kernel will include support
13 for queueing packets via NFNETLINK.
15 config NETFILTER_NETLINK_LOG
16 tristate "Netfilter LOG over NFNETLINK interface"
17 default m if NETFILTER_ADVANCED=n
18 select NETFILTER_NETLINK
20 If this option is enabled, the kernel will include support
21 for logging packets via NFNETLINK.
23 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
24 and is also scheduled to replace the old syslog-based ipt_LOG
28 tristate "Netfilter connection tracking support"
29 default m if NETFILTER_ADVANCED=n
31 Connection tracking keeps a record of what packets have passed
32 through your machine, in order to figure out how they are related
35 This is required to do Masquerading or other kinds of Network
36 Address Translation. It can also be used to enhance packet
37 filtering (see `Connection state match support' below).
39 To compile it as a module, choose M here. If unsure, say N.
43 config NF_CONNTRACK_MARK
44 bool 'Connection mark tracking support'
45 depends on NETFILTER_ADVANCED
47 This option enables support for connection marks, used by the
48 `CONNMARK' target and `connmark' match. Similar to the mark value
49 of packets, but this mark value is kept in the conntrack session
50 instead of the individual packets.
52 config NF_CONNTRACK_SECMARK
53 bool 'Connection tracking security mark support'
54 depends on NETWORK_SECMARK
55 default m if NETFILTER_ADVANCED=n
57 This option enables security markings to be applied to
58 connections. Typically they are copied to connections from
59 packets using the CONNSECMARK target and copied back from
60 connections to packets with the same target, with the packets
61 being originally labeled via SECMARK.
65 config NF_CONNTRACK_ZONES
66 bool 'Connection tracking zones'
67 depends on NETFILTER_ADVANCED
68 depends on NETFILTER_XT_TARGET_CT
70 This option enables support for connection tracking zones.
71 Normally, each connection needs to have a unique system wide
72 identity. Connection tracking zones allow to have multiple
73 connections using the same identity, as long as they are
74 contained in different zones.
78 config NF_CONNTRACK_EVENTS
79 bool "Connection tracking events"
80 depends on NETFILTER_ADVANCED
82 If this option is enabled, the connection tracking code will
83 provide a notifier chain that can be used by other kernel code
84 to get notified about changes in the connection tracking state.
88 config NF_CT_PROTO_DCCP
89 tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
90 depends on EXPERIMENTAL
91 depends on NETFILTER_ADVANCED
94 With this option enabled, the layer 3 independent connection
95 tracking code will be able to do state tracking on DCCP connections.
99 config NF_CT_PROTO_GRE
102 config NF_CT_PROTO_SCTP
103 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
104 depends on EXPERIMENTAL
105 depends on NETFILTER_ADVANCED
108 With this option enabled, the layer 3 independent connection
109 tracking code will be able to do state tracking on SCTP connections.
111 If you want to compile it as a module, say M here and read
112 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
114 config NF_CT_PROTO_UDPLITE
115 tristate 'UDP-Lite protocol connection tracking support'
116 depends on NETFILTER_ADVANCED
118 With this option enabled, the layer 3 independent connection
119 tracking code will be able to do state tracking on UDP-Lite
122 To compile it as a module, choose M here. If unsure, say N.
124 config NF_CONNTRACK_AMANDA
125 tristate "Amanda backup protocol support"
126 depends on NETFILTER_ADVANCED
128 select TEXTSEARCH_KMP
130 If you are running the Amanda backup package <http://www.amanda.org/>
131 on this machine or machines that will be MASQUERADED through this
132 machine, then you may want to enable this feature. This allows the
133 connection tracking and natting code to allow the sub-channels that
134 Amanda requires for communication of the backup data, messages and
137 To compile it as a module, choose M here. If unsure, say N.
139 config NF_CONNTRACK_FTP
140 tristate "FTP protocol support"
141 default m if NETFILTER_ADVANCED=n
143 Tracking FTP connections is problematic: special helpers are
144 required for tracking them, and doing masquerading and other forms
145 of Network Address Translation on them.
147 This is FTP support on Layer 3 independent connection tracking.
148 Layer 3 independent connection tracking is experimental scheme
149 which generalize ip_conntrack to support other layer 3 protocols.
151 To compile it as a module, choose M here. If unsure, say N.
153 config NF_CONNTRACK_H323
154 tristate "H.323 protocol support"
155 depends on (IPV6 || IPV6=n)
156 depends on NETFILTER_ADVANCED
158 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
159 important VoIP protocols, it is widely used by voice hardware and
160 software including voice gateways, IP phones, Netmeeting, OpenPhone,
163 With this module you can support H.323 on a connection tracking/NAT
166 This module supports RAS, Fast Start, H.245 Tunnelling, Call
167 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
168 whiteboard, file transfer, etc. For more information, please
169 visit http://nath323.sourceforge.net/.
171 To compile it as a module, choose M here. If unsure, say N.
173 config NF_CONNTRACK_IRC
174 tristate "IRC protocol support"
175 default m if NETFILTER_ADVANCED=n
177 There is a commonly-used extension to IRC called
178 Direct Client-to-Client Protocol (DCC). This enables users to send
179 files to each other, and also chat to each other without the need
180 of a server. DCC Sending is used anywhere you send files over IRC,
181 and DCC Chat is most commonly used by Eggdrop bots. If you are
182 using NAT, this extension will enable you to send files and initiate
183 chats. Note that you do NOT need this extension to get files or
184 have others initiate chats, or everything else in IRC.
186 To compile it as a module, choose M here. If unsure, say N.
188 config NF_CONNTRACK_NETBIOS_NS
189 tristate "NetBIOS name service protocol support"
190 depends on NETFILTER_ADVANCED
192 NetBIOS name service requests are sent as broadcast messages from an
193 unprivileged port and responded to with unicast messages to the
194 same port. This make them hard to firewall properly because connection
195 tracking doesn't deal with broadcasts. This helper tracks locally
196 originating NetBIOS name service requests and the corresponding
197 responses. It relies on correct IP address configuration, specifically
198 netmask and broadcast address. When properly configured, the output
199 of "ip address show" should look similar to this:
201 $ ip -4 address show eth0
202 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
203 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
205 To compile it as a module, choose M here. If unsure, say N.
207 config NF_CONNTRACK_PPTP
208 tristate "PPtP protocol support"
209 depends on NETFILTER_ADVANCED
210 select NF_CT_PROTO_GRE
212 This module adds support for PPTP (Point to Point Tunnelling
213 Protocol, RFC2637) connection tracking and NAT.
215 If you are running PPTP sessions over a stateful firewall or NAT
216 box, you may want to enable this feature.
218 Please note that not all PPTP modes of operation are supported yet.
219 Specifically these limitations exist:
220 - Blindly assumes that control connections are always established
221 in PNS->PAC direction. This is a violation of RFC2637.
222 - Only supports a single call within each session
224 To compile it as a module, choose M here. If unsure, say N.
226 config NF_CONNTRACK_SANE
227 tristate "SANE protocol support (EXPERIMENTAL)"
228 depends on EXPERIMENTAL
229 depends on NETFILTER_ADVANCED
231 SANE is a protocol for remote access to scanners as implemented
232 by the 'saned' daemon. Like FTP, it uses separate control and
235 With this module you can support SANE on a connection tracking
238 To compile it as a module, choose M here. If unsure, say N.
240 config NF_CONNTRACK_SIP
241 tristate "SIP protocol support"
242 default m if NETFILTER_ADVANCED=n
244 SIP is an application-layer control protocol that can establish,
245 modify, and terminate multimedia sessions (conferences) such as
246 Internet telephony calls. With the ip_conntrack_sip and
247 the nf_nat_sip modules you can support the protocol on a connection
248 tracking/NATing firewall.
250 To compile it as a module, choose M here. If unsure, say N.
252 config NF_CONNTRACK_TFTP
253 tristate "TFTP protocol support"
254 depends on NETFILTER_ADVANCED
256 TFTP connection tracking helper, this is required depending
257 on how restrictive your ruleset is.
258 If you are using a tftp client behind -j SNAT or -j MASQUERADING
261 To compile it as a module, choose M here. If unsure, say N.
264 tristate 'Connection tracking netlink interface'
265 select NETFILTER_NETLINK
266 default m if NETFILTER_ADVANCED=n
268 This option enables support for a netlink-based userspace interface
272 # transparent proxy support
273 config NETFILTER_TPROXY
274 tristate "Transparent proxying support (EXPERIMENTAL)"
275 depends on EXPERIMENTAL
276 depends on IP_NF_MANGLE
277 depends on NETFILTER_ADVANCED
279 This option enables transparent proxying support, that is,
280 support for handling non-locally bound IPv4 TCP and UDP sockets.
281 For it to work you will have to configure certain iptables rules
282 and use policy routing. For more information on how to set it up
283 see Documentation/networking/tproxy.txt.
285 To compile it as a module, choose M here. If unsure, say N.
287 config NETFILTER_XTABLES
288 tristate "Netfilter Xtables support (required for ip_tables)"
289 default m if NETFILTER_ADVANCED=n
291 This is required if you intend to use any of ip_tables,
292 ip6_tables or arp_tables.
296 comment "Xtables combined modules"
298 config NETFILTER_XT_MARK
299 tristate 'nfmark target and match support'
300 default m if NETFILTER_ADVANCED=n
302 This option adds the "MARK" target and "mark" match.
304 Netfilter mark matching allows you to match packets based on the
305 "nfmark" value in the packet.
306 The target allows you to create rules in the "mangle" table which alter
307 the netfilter mark (nfmark) field associated with the packet.
309 Prior to routing, the nfmark can influence the routing method (see
310 "Use netfilter MARK value as routing key") and can also be used by
311 other subsystems to change their behavior.
313 config NETFILTER_XT_CONNMARK
314 tristate 'ctmark target and match support'
315 depends on NF_CONNTRACK
316 depends on NETFILTER_ADVANCED
317 select NF_CONNTRACK_MARK
319 This option adds the "CONNMARK" target and "connmark" match.
321 Netfilter allows you to store a mark value per connection (a.k.a.
322 ctmark), similarly to the packet mark (nfmark). Using this
323 target and match, you can set and match on this mark.
325 # alphabetically ordered list of targets
327 comment "Xtables targets"
329 config NETFILTER_XT_TARGET_CLASSIFY
330 tristate '"CLASSIFY" target support'
331 depends on NETFILTER_ADVANCED
333 This option adds a `CLASSIFY' target, which enables the user to set
334 the priority of a packet. Some qdiscs can use this value for
335 classification, among these are:
337 atm, cbq, dsmark, pfifo_fast, htb, prio
339 To compile it as a module, choose M here. If unsure, say N.
341 config NETFILTER_XT_TARGET_CONNMARK
342 tristate '"CONNMARK" target support'
343 depends on NF_CONNTRACK
344 depends on NETFILTER_ADVANCED
345 select NETFILTER_XT_CONNMARK
347 This is a backwards-compat option for the user's convenience
348 (e.g. when running oldconfig). It selects
349 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
351 config NETFILTER_XT_TARGET_CONNSECMARK
352 tristate '"CONNSECMARK" target support'
353 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
354 default m if NETFILTER_ADVANCED=n
356 The CONNSECMARK target copies security markings from packets
357 to connections, and restores security markings from connections
358 to packets (if the packets are not already marked). This would
359 normally be used in conjunction with the SECMARK target.
361 To compile it as a module, choose M here. If unsure, say N.
363 config NETFILTER_XT_TARGET_CT
364 tristate '"CT" target support'
365 depends on NF_CONNTRACK
366 depends on IP_NF_RAW || IP6_NF_RAW
367 depends on NETFILTER_ADVANCED
369 This options adds a `CT' target, which allows to specify initial
370 connection tracking parameters like events to be delivered and
371 the helper to be used.
373 To compile it as a module, choose M here. If unsure, say N.
375 config NETFILTER_XT_TARGET_DSCP
376 tristate '"DSCP" and "TOS" target support'
377 depends on IP_NF_MANGLE || IP6_NF_MANGLE
378 depends on NETFILTER_ADVANCED
380 This option adds a `DSCP' target, which allows you to manipulate
381 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
383 The DSCP field can have any value between 0x0 and 0x3f inclusive.
385 It also adds the "TOS" target, which allows you to create rules in
386 the "mangle" table which alter the Type Of Service field of an IPv4
387 or the Priority field of an IPv6 packet, prior to routing.
389 To compile it as a module, choose M here. If unsure, say N.
391 config NETFILTER_XT_TARGET_HL
392 tristate '"HL" hoplimit target support'
393 depends on IP_NF_MANGLE || IP6_NF_MANGLE
394 depends on NETFILTER_ADVANCED
396 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
397 targets, which enable the user to change the
398 hoplimit/time-to-live value of the IP header.
400 While it is safe to decrement the hoplimit/TTL value, the
401 modules also allow to increment and set the hoplimit value of
402 the header to arbitrary values. This is EXTREMELY DANGEROUS
403 since you can easily create immortal packets that loop
404 forever on the network.
406 config NETFILTER_XT_TARGET_IDLETIMER
407 tristate "IDLETIMER target support"
408 depends on NETFILTER_ADVANCED
411 This option adds the `IDLETIMER' target. Each matching packet
412 resets the timer associated with label specified when the rule is
413 added. When the timer expires, it triggers a sysfs notification.
414 The remaining time for expiration can be read via sysfs.
416 To compile it as a module, choose M here. If unsure, say N.
418 config NETFILTER_XT_TARGET_LED
419 tristate '"LED" target support'
420 depends on LEDS_CLASS && LEDS_TRIGGERS
421 depends on NETFILTER_ADVANCED
423 This option adds a `LED' target, which allows you to blink LEDs in
424 response to particular packets passing through your machine.
426 This can be used to turn a spare LED into a network activity LED,
427 which only flashes in response to FTP transfers, for example. Or
428 you could have an LED which lights up for a minute or two every time
429 somebody connects to your machine via SSH.
431 You will need support for the "led" class to make this work.
433 To create an LED trigger for incoming SSH traffic:
434 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
436 Then attach the new trigger to an LED on your system:
437 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
439 For more information on the LEDs available on your system, see
440 Documentation/leds-class.txt
442 config NETFILTER_XT_TARGET_MARK
443 tristate '"MARK" target support'
444 depends on NETFILTER_ADVANCED
445 select NETFILTER_XT_MARK
447 This is a backwards-compat option for the user's convenience
448 (e.g. when running oldconfig). It selects
449 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
451 config NETFILTER_XT_TARGET_NFLOG
452 tristate '"NFLOG" target support'
453 default m if NETFILTER_ADVANCED=n
454 select NETFILTER_NETLINK_LOG
456 This option enables the NFLOG target, which allows to LOG
457 messages through nfnetlink_log.
459 To compile it as a module, choose M here. If unsure, say N.
461 config NETFILTER_XT_TARGET_NFQUEUE
462 tristate '"NFQUEUE" target Support'
463 depends on NETFILTER_ADVANCED
465 This target replaced the old obsolete QUEUE target.
467 As opposed to QUEUE, it supports 65535 different queues,
470 To compile it as a module, choose M here. If unsure, say N.
472 config NETFILTER_XT_TARGET_NOTRACK
473 tristate '"NOTRACK" target support'
474 depends on IP_NF_RAW || IP6_NF_RAW
475 depends on NF_CONNTRACK
476 depends on NETFILTER_ADVANCED
478 The NOTRACK target allows a select rule to specify
479 which packets *not* to enter the conntrack/NAT
480 subsystem with all the consequences (no ICMP error tracking,
481 no protocol helpers for the selected packets).
483 If you want to compile it as a module, say M here and read
484 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
486 config NETFILTER_XT_TARGET_RATEEST
487 tristate '"RATEEST" target support'
488 depends on NETFILTER_ADVANCED
490 This option adds a `RATEEST' target, which allows to measure
491 rates similar to TC estimators. The `rateest' match can be
492 used to match on the measured rates.
494 To compile it as a module, choose M here. If unsure, say N.
496 config NETFILTER_XT_TARGET_TEE
497 tristate '"TEE" - packet cloning to alternate destination'
498 depends on NETFILTER_ADVANCED
499 depends on (IPV6 || IPV6=n)
500 depends on !NF_CONNTRACK || NF_CONNTRACK
502 This option adds a "TEE" target with which a packet can be cloned and
503 this clone be rerouted to another nexthop.
505 config NETFILTER_XT_TARGET_TPROXY
506 tristate '"TPROXY" target support (EXPERIMENTAL)'
507 depends on EXPERIMENTAL
508 depends on NETFILTER_TPROXY
509 depends on NETFILTER_XTABLES
510 depends on NETFILTER_ADVANCED
511 select NF_DEFRAG_IPV4
513 This option adds a `TPROXY' target, which is somewhat similar to
514 REDIRECT. It can only be used in the mangle table and is useful
515 to redirect traffic to a transparent proxy. It does _not_ depend
516 on Netfilter connection tracking and NAT, unlike REDIRECT.
518 To compile it as a module, choose M here. If unsure, say N.
520 config NETFILTER_XT_TARGET_TRACE
521 tristate '"TRACE" target support'
522 depends on IP_NF_RAW || IP6_NF_RAW
523 depends on NETFILTER_ADVANCED
525 The TRACE target allows you to mark packets so that the kernel
526 will log every rule which match the packets as those traverse
527 the tables, chains, rules.
529 If you want to compile it as a module, say M here and read
530 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
532 config NETFILTER_XT_TARGET_SECMARK
533 tristate '"SECMARK" target support'
534 depends on NETWORK_SECMARK
535 default m if NETFILTER_ADVANCED=n
537 The SECMARK target allows security marking of network
538 packets, for use with security subsystems.
540 To compile it as a module, choose M here. If unsure, say N.
542 config NETFILTER_XT_TARGET_TCPMSS
543 tristate '"TCPMSS" target support'
544 depends on (IPV6 || IPV6=n)
545 default m if NETFILTER_ADVANCED=n
547 This option adds a `TCPMSS' target, which allows you to alter the
548 MSS value of TCP SYN packets, to control the maximum size for that
549 connection (usually limiting it to your outgoing interface's MTU
552 This is used to overcome criminally braindead ISPs or servers which
553 block ICMP Fragmentation Needed packets. The symptoms of this
554 problem are that everything works fine from your Linux
555 firewall/router, but machines behind it can never exchange large
557 1) Web browsers connect, then hang with no data received.
558 2) Small mail works fine, but large emails hang.
559 3) ssh works fine, but scp hangs after initial handshaking.
561 Workaround: activate this option and add a rule to your firewall
564 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
565 -j TCPMSS --clamp-mss-to-pmtu
567 To compile it as a module, choose M here. If unsure, say N.
569 config NETFILTER_XT_TARGET_TCPOPTSTRIP
570 tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
571 depends on EXPERIMENTAL
572 depends on IP_NF_MANGLE || IP6_NF_MANGLE
573 depends on NETFILTER_ADVANCED
575 This option adds a "TCPOPTSTRIP" target, which allows you to strip
576 TCP options from TCP packets.
578 # alphabetically ordered list of matches
580 comment "Xtables matches"
582 config NETFILTER_XT_MATCH_CLUSTER
583 tristate '"cluster" match support'
584 depends on NF_CONNTRACK
585 depends on NETFILTER_ADVANCED
587 This option allows you to build work-load-sharing clusters of
588 network servers/stateful firewalls without having a dedicated
589 load-balancing router/server/switch. Basically, this match returns
590 true when the packet must be handled by this cluster node. Thus,
591 all nodes see all packets and this match decides which node handles
592 what packets. The work-load sharing algorithm is based on source
595 If you say Y or M here, try `iptables -m cluster --help` for
598 config NETFILTER_XT_MATCH_COMMENT
599 tristate '"comment" match support'
600 depends on NETFILTER_ADVANCED
602 This option adds a `comment' dummy-match, which allows you to put
603 comments in your iptables ruleset.
605 If you want to compile it as a module, say M here and read
606 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
608 config NETFILTER_XT_MATCH_CONNBYTES
609 tristate '"connbytes" per-connection counter match support'
610 depends on NF_CONNTRACK
611 depends on NETFILTER_ADVANCED
613 This option adds a `connbytes' match, which allows you to match the
614 number of bytes and/or packets for each direction within a connection.
616 If you want to compile it as a module, say M here and read
617 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
619 config NETFILTER_XT_MATCH_CONNLIMIT
620 tristate '"connlimit" match support"'
621 depends on NF_CONNTRACK
622 depends on NETFILTER_ADVANCED
624 This match allows you to match against the number of parallel
625 connections to a server per client IP address (or address block).
627 config NETFILTER_XT_MATCH_CONNMARK
628 tristate '"connmark" connection mark match support'
629 depends on NF_CONNTRACK
630 depends on NETFILTER_ADVANCED
631 select NETFILTER_XT_CONNMARK
633 This is a backwards-compat option for the user's convenience
634 (e.g. when running oldconfig). It selects
635 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
637 config NETFILTER_XT_MATCH_CONNTRACK
638 tristate '"conntrack" connection tracking match support'
639 depends on NF_CONNTRACK
640 default m if NETFILTER_ADVANCED=n
642 This is a general conntrack match module, a superset of the state match.
644 It allows matching on additional conntrack information, which is
645 useful in complex configurations, such as NAT gateways with multiple
646 internet links or tunnels.
648 To compile it as a module, choose M here. If unsure, say N.
650 config NETFILTER_XT_MATCH_DCCP
651 tristate '"dccp" protocol match support'
652 depends on NETFILTER_ADVANCED
655 With this option enabled, you will be able to use the iptables
656 `dccp' match in order to match on DCCP source/destination ports
659 If you want to compile it as a module, say M here and read
660 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
662 config NETFILTER_XT_MATCH_DSCP
663 tristate '"dscp" and "tos" match support'
664 depends on NETFILTER_ADVANCED
666 This option adds a `DSCP' match, which allows you to match against
667 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
669 The DSCP field can have any value between 0x0 and 0x3f inclusive.
671 It will also add a "tos" match, which allows you to match packets
672 based on the Type Of Service fields of the IPv4 packet (which share
673 the same bits as DSCP).
675 To compile it as a module, choose M here. If unsure, say N.
677 config NETFILTER_XT_MATCH_ESP
678 tristate '"esp" match support'
679 depends on NETFILTER_ADVANCED
681 This match extension allows you to match a range of SPIs
682 inside ESP header of IPSec packets.
684 To compile it as a module, choose M here. If unsure, say N.
686 config NETFILTER_XT_MATCH_HASHLIMIT
687 tristate '"hashlimit" match support'
688 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
689 depends on NETFILTER_ADVANCED
691 This option adds a `hashlimit' match.
693 As opposed to `limit', this match dynamically creates a hash table
694 of limit buckets, based on your selection of source/destination
695 addresses and/or ports.
697 It enables you to express policies like `10kpps for any given
698 destination address' or `500pps from any given source address'
701 config NETFILTER_XT_MATCH_HELPER
702 tristate '"helper" match support'
703 depends on NF_CONNTRACK
704 depends on NETFILTER_ADVANCED
706 Helper matching allows you to match packets in dynamic connections
707 tracked by a conntrack-helper, ie. ip_conntrack_ftp
709 To compile it as a module, choose M here. If unsure, say Y.
711 config NETFILTER_XT_MATCH_HL
712 tristate '"hl" hoplimit/TTL match support'
713 depends on NETFILTER_ADVANCED
715 HL matching allows you to match packets based on the hoplimit
716 in the IPv6 header, or the time-to-live field in the IPv4
717 header of the packet.
719 config NETFILTER_XT_MATCH_IPRANGE
720 tristate '"iprange" address range match support'
721 depends on NETFILTER_ADVANCED
723 This option adds a "iprange" match, which allows you to match based on
724 an IP address range. (Normal iptables only matches on single addresses
725 with an optional mask.)
729 config NETFILTER_XT_MATCH_LENGTH
730 tristate '"length" match support'
731 depends on NETFILTER_ADVANCED
733 This option allows you to match the length of a packet against a
734 specific value or range of values.
736 To compile it as a module, choose M here. If unsure, say N.
738 config NETFILTER_XT_MATCH_LIMIT
739 tristate '"limit" match support'
740 depends on NETFILTER_ADVANCED
742 limit matching allows you to control the rate at which a rule can be
743 matched: mainly useful in combination with the LOG target ("LOG
744 target support", below) and to avoid some Denial of Service attacks.
746 To compile it as a module, choose M here. If unsure, say N.
748 config NETFILTER_XT_MATCH_MAC
749 tristate '"mac" address match support'
750 depends on NETFILTER_ADVANCED
752 MAC matching allows you to match packets based on the source
753 Ethernet address of the packet.
755 To compile it as a module, choose M here. If unsure, say N.
757 config NETFILTER_XT_MATCH_MARK
758 tristate '"mark" match support'
759 depends on NETFILTER_ADVANCED
760 select NETFILTER_XT_MARK
762 This is a backwards-compat option for the user's convenience
763 (e.g. when running oldconfig). It selects
764 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
766 config NETFILTER_XT_MATCH_MULTIPORT
767 tristate '"multiport" Multiple port match support'
768 depends on NETFILTER_ADVANCED
770 Multiport matching allows you to match TCP or UDP packets based on
771 a series of source or destination ports: normally a rule can only
772 match a single range of ports.
774 To compile it as a module, choose M here. If unsure, say N.
776 config NETFILTER_XT_MATCH_OSF
777 tristate '"osf" Passive OS fingerprint match'
778 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
780 This option selects the Passive OS Fingerprinting match module
781 that allows to passively match the remote operating system by
782 analyzing incoming TCP SYN packets.
784 Rules and loading software can be downloaded from
785 http://www.ioremap.net/projects/osf
787 To compile it as a module, choose M here. If unsure, say N.
789 config NETFILTER_XT_MATCH_OWNER
790 tristate '"owner" match support'
791 depends on NETFILTER_ADVANCED
793 Socket owner matching allows you to match locally-generated packets
794 based on who created the socket: the user or group. It is also
795 possible to check whether a socket actually exists.
797 config NETFILTER_XT_MATCH_POLICY
798 tristate 'IPsec "policy" match support'
800 default m if NETFILTER_ADVANCED=n
802 Policy matching allows you to match packets based on the
803 IPsec policy that was used during decapsulation/will
804 be used during encapsulation.
806 To compile it as a module, choose M here. If unsure, say N.
808 config NETFILTER_XT_MATCH_PHYSDEV
809 tristate '"physdev" match support'
810 depends on BRIDGE && BRIDGE_NETFILTER
811 depends on NETFILTER_ADVANCED
813 Physdev packet matching matches against the physical bridge ports
814 the IP packet arrived on or will leave by.
816 To compile it as a module, choose M here. If unsure, say N.
818 config NETFILTER_XT_MATCH_PKTTYPE
819 tristate '"pkttype" packet type match support'
820 depends on NETFILTER_ADVANCED
822 Packet type matching allows you to match a packet by
823 its "class", eg. BROADCAST, MULTICAST, ...
826 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
828 To compile it as a module, choose M here. If unsure, say N.
830 config NETFILTER_XT_MATCH_QUOTA
831 tristate '"quota" match support'
832 depends on NETFILTER_ADVANCED
834 This option adds a `quota' match, which allows to match on a
837 If you want to compile it as a module, say M here and read
838 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
840 config NETFILTER_XT_MATCH_RATEEST
841 tristate '"rateest" match support'
842 depends on NETFILTER_ADVANCED
843 select NETFILTER_XT_TARGET_RATEEST
845 This option adds a `rateest' match, which allows to match on the
846 rate estimated by the RATEEST target.
848 To compile it as a module, choose M here. If unsure, say N.
850 config NETFILTER_XT_MATCH_REALM
851 tristate '"realm" match support'
852 depends on NETFILTER_ADVANCED
855 This option adds a `realm' match, which allows you to use the realm
856 key from the routing subsystem inside iptables.
858 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
861 If you want to compile it as a module, say M here and read
862 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
864 config NETFILTER_XT_MATCH_RECENT
865 tristate '"recent" match support'
866 depends on NETFILTER_ADVANCED
868 This match is used for creating one or many lists of recently
869 used addresses and then matching against that/those list(s).
871 Short options are available by using 'iptables -m recent -h'
872 Official Website: <http://snowman.net/projects/ipt_recent/>
874 config NETFILTER_XT_MATCH_SCTP
875 tristate '"sctp" protocol match support (EXPERIMENTAL)'
876 depends on EXPERIMENTAL
877 depends on NETFILTER_ADVANCED
880 With this option enabled, you will be able to use the
881 `sctp' match in order to match on SCTP source/destination ports
882 and SCTP chunk types.
884 If you want to compile it as a module, say M here and read
885 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
887 config NETFILTER_XT_MATCH_SOCKET
888 tristate '"socket" match support (EXPERIMENTAL)'
889 depends on EXPERIMENTAL
890 depends on NETFILTER_TPROXY
891 depends on NETFILTER_XTABLES
892 depends on NETFILTER_ADVANCED
893 depends on !NF_CONNTRACK || NF_CONNTRACK
894 select NF_DEFRAG_IPV4
896 This option adds a `socket' match, which can be used to match
897 packets for which a TCP or UDP socket lookup finds a valid socket.
898 It can be used in combination with the MARK target and policy
899 routing to implement full featured non-locally bound sockets.
901 To compile it as a module, choose M here. If unsure, say N.
903 config NETFILTER_XT_MATCH_STATE
904 tristate '"state" match support'
905 depends on NF_CONNTRACK
906 default m if NETFILTER_ADVANCED=n
908 Connection state matching allows you to match packets based on their
909 relationship to a tracked connection (ie. previous packets). This
910 is a powerful tool for packet classification.
912 To compile it as a module, choose M here. If unsure, say N.
914 config NETFILTER_XT_MATCH_STATISTIC
915 tristate '"statistic" match support'
916 depends on NETFILTER_ADVANCED
918 This option adds a `statistic' match, which allows you to match
919 on packets periodically or randomly with a given percentage.
921 To compile it as a module, choose M here. If unsure, say N.
923 config NETFILTER_XT_MATCH_STRING
924 tristate '"string" match support'
925 depends on NETFILTER_ADVANCED
927 select TEXTSEARCH_KMP
929 select TEXTSEARCH_FSM
931 This option adds a `string' match, which allows you to look for
932 pattern matchings in packets.
934 To compile it as a module, choose M here. If unsure, say N.
936 config NETFILTER_XT_MATCH_TCPMSS
937 tristate '"tcpmss" match support'
938 depends on NETFILTER_ADVANCED
940 This option adds a `tcpmss' match, which allows you to examine the
941 MSS value of TCP SYN packets, which control the maximum packet size
944 To compile it as a module, choose M here. If unsure, say N.
946 config NETFILTER_XT_MATCH_TIME
947 tristate '"time" match support'
948 depends on NETFILTER_ADVANCED
950 This option adds a "time" match, which allows you to match based on
951 the packet arrival time (at the machine which netfilter is running)
952 on) or departure time/date (for locally generated packets).
954 If you say Y here, try `iptables -m time --help` for
957 If you want to compile it as a module, say M here.
960 config NETFILTER_XT_MATCH_U32
961 tristate '"u32" match support'
962 depends on NETFILTER_ADVANCED
964 u32 allows you to extract quantities of up to 4 bytes from a packet,
965 AND them with specified masks, shift them by specified amounts and
966 test whether the results are in any of a set of specified ranges.
967 The specification of what to extract is general enough to skip over
968 headers with lengths stored in the packet, as in IP or TCP header
971 Details and examples are in the kernel module source.
973 endif # NETFILTER_XTABLES
977 source "net/netfilter/ipvs/Kconfig"