1 menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
4 config NETFILTER_NETLINK
7 config NETFILTER_NETLINK_ACCT
8 tristate "Netfilter NFACCT over NFNETLINK interface"
9 depends on NETFILTER_ADVANCED
10 select NETFILTER_NETLINK
12 If this option is enabled, the kernel will include support
13 for extended accounting via NFNETLINK.
15 config NETFILTER_NETLINK_QUEUE
16 tristate "Netfilter NFQUEUE over NFNETLINK interface"
17 depends on NETFILTER_ADVANCED
18 select NETFILTER_NETLINK
20 If this option is enabled, the kernel will include support
21 for queueing packets via NFNETLINK.
23 config NETFILTER_NETLINK_LOG
24 tristate "Netfilter LOG over NFNETLINK interface"
25 default m if NETFILTER_ADVANCED=n
26 select NETFILTER_NETLINK
28 If this option is enabled, the kernel will include support
29 for logging packets via NFNETLINK.
31 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
32 and is also scheduled to replace the old syslog-based ipt_LOG
36 tristate "Netfilter connection tracking support"
37 default m if NETFILTER_ADVANCED=n
39 Connection tracking keeps a record of what packets have passed
40 through your machine, in order to figure out how they are related
43 This is required to do Masquerading or other kinds of Network
44 Address Translation. It can also be used to enhance packet
45 filtering (see `Connection state match support' below).
47 To compile it as a module, choose M here. If unsure, say N.
51 config NF_CONNTRACK_MARK
52 bool 'Connection mark tracking support'
53 depends on NETFILTER_ADVANCED
55 This option enables support for connection marks, used by the
56 `CONNMARK' target and `connmark' match. Similar to the mark value
57 of packets, but this mark value is kept in the conntrack session
58 instead of the individual packets.
60 config NF_CONNTRACK_SECMARK
61 bool 'Connection tracking security mark support'
62 depends on NETWORK_SECMARK
63 default m if NETFILTER_ADVANCED=n
65 This option enables security markings to be applied to
66 connections. Typically they are copied to connections from
67 packets using the CONNSECMARK target and copied back from
68 connections to packets with the same target, with the packets
69 being originally labeled via SECMARK.
73 config NF_CONNTRACK_ZONES
74 bool 'Connection tracking zones'
75 depends on NETFILTER_ADVANCED
76 depends on NETFILTER_XT_TARGET_CT
78 This option enables support for connection tracking zones.
79 Normally, each connection needs to have a unique system wide
80 identity. Connection tracking zones allow to have multiple
81 connections using the same identity, as long as they are
82 contained in different zones.
86 config NF_CONNTRACK_PROCFS
87 bool "Supply CT list in procfs (OBSOLETE)"
91 This option enables for the list of known conntrack entries
92 to be shown in procfs under net/netfilter/nf_conntrack. This
93 is considered obsolete in favor of using the conntrack(8)
94 tool which uses Netlink.
96 config NF_CONNTRACK_EVENTS
97 bool "Connection tracking events"
98 depends on NETFILTER_ADVANCED
100 If this option is enabled, the connection tracking code will
101 provide a notifier chain that can be used by other kernel code
102 to get notified about changes in the connection tracking state.
106 config NF_CONNTRACK_TIMESTAMP
107 bool 'Connection tracking timestamping'
108 depends on NETFILTER_ADVANCED
110 This option enables support for connection tracking timestamping.
111 This allows you to store the flow start-time and to obtain
112 the flow-stop time (once it has been destroyed) via Connection
117 config NF_CT_PROTO_DCCP
118 tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
119 depends on EXPERIMENTAL
120 depends on NETFILTER_ADVANCED
123 With this option enabled, the layer 3 independent connection
124 tracking code will be able to do state tracking on DCCP connections.
128 config NF_CT_PROTO_GRE
131 config NF_CT_PROTO_SCTP
132 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
133 depends on EXPERIMENTAL
134 depends on NETFILTER_ADVANCED
137 With this option enabled, the layer 3 independent connection
138 tracking code will be able to do state tracking on SCTP connections.
140 If you want to compile it as a module, say M here and read
141 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
143 config NF_CT_PROTO_UDPLITE
144 tristate 'UDP-Lite protocol connection tracking support'
145 depends on NETFILTER_ADVANCED
147 With this option enabled, the layer 3 independent connection
148 tracking code will be able to do state tracking on UDP-Lite
151 To compile it as a module, choose M here. If unsure, say N.
153 config NF_CONNTRACK_AMANDA
154 tristate "Amanda backup protocol support"
155 depends on NETFILTER_ADVANCED
157 select TEXTSEARCH_KMP
159 If you are running the Amanda backup package <http://www.amanda.org/>
160 on this machine or machines that will be MASQUERADED through this
161 machine, then you may want to enable this feature. This allows the
162 connection tracking and natting code to allow the sub-channels that
163 Amanda requires for communication of the backup data, messages and
166 To compile it as a module, choose M here. If unsure, say N.
168 config NF_CONNTRACK_FTP
169 tristate "FTP protocol support"
170 default m if NETFILTER_ADVANCED=n
172 Tracking FTP connections is problematic: special helpers are
173 required for tracking them, and doing masquerading and other forms
174 of Network Address Translation on them.
176 This is FTP support on Layer 3 independent connection tracking.
177 Layer 3 independent connection tracking is experimental scheme
178 which generalize ip_conntrack to support other layer 3 protocols.
180 To compile it as a module, choose M here. If unsure, say N.
182 config NF_CONNTRACK_H323
183 tristate "H.323 protocol support"
184 depends on (IPV6 || IPV6=n)
185 depends on NETFILTER_ADVANCED
187 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
188 important VoIP protocols, it is widely used by voice hardware and
189 software including voice gateways, IP phones, Netmeeting, OpenPhone,
192 With this module you can support H.323 on a connection tracking/NAT
195 This module supports RAS, Fast Start, H.245 Tunnelling, Call
196 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
197 whiteboard, file transfer, etc. For more information, please
198 visit http://nath323.sourceforge.net/.
200 To compile it as a module, choose M here. If unsure, say N.
202 config NF_CONNTRACK_IRC
203 tristate "IRC protocol support"
204 default m if NETFILTER_ADVANCED=n
206 There is a commonly-used extension to IRC called
207 Direct Client-to-Client Protocol (DCC). This enables users to send
208 files to each other, and also chat to each other without the need
209 of a server. DCC Sending is used anywhere you send files over IRC,
210 and DCC Chat is most commonly used by Eggdrop bots. If you are
211 using NAT, this extension will enable you to send files and initiate
212 chats. Note that you do NOT need this extension to get files or
213 have others initiate chats, or everything else in IRC.
215 To compile it as a module, choose M here. If unsure, say N.
217 config NF_CONNTRACK_BROADCAST
220 config NF_CONNTRACK_NETBIOS_NS
221 tristate "NetBIOS name service protocol support"
222 select NF_CONNTRACK_BROADCAST
224 NetBIOS name service requests are sent as broadcast messages from an
225 unprivileged port and responded to with unicast messages to the
226 same port. This make them hard to firewall properly because connection
227 tracking doesn't deal with broadcasts. This helper tracks locally
228 originating NetBIOS name service requests and the corresponding
229 responses. It relies on correct IP address configuration, specifically
230 netmask and broadcast address. When properly configured, the output
231 of "ip address show" should look similar to this:
233 $ ip -4 address show eth0
234 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
235 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
237 To compile it as a module, choose M here. If unsure, say N.
239 config NF_CONNTRACK_SNMP
240 tristate "SNMP service protocol support"
241 depends on NETFILTER_ADVANCED
242 select NF_CONNTRACK_BROADCAST
244 SNMP service requests are sent as broadcast messages from an
245 unprivileged port and responded to with unicast messages to the
246 same port. This make them hard to firewall properly because connection
247 tracking doesn't deal with broadcasts. This helper tracks locally
248 originating SNMP service requests and the corresponding
249 responses. It relies on correct IP address configuration, specifically
250 netmask and broadcast address.
252 To compile it as a module, choose M here. If unsure, say N.
254 config NF_CONNTRACK_PPTP
255 tristate "PPtP protocol support"
256 depends on NETFILTER_ADVANCED
257 select NF_CT_PROTO_GRE
259 This module adds support for PPTP (Point to Point Tunnelling
260 Protocol, RFC2637) connection tracking and NAT.
262 If you are running PPTP sessions over a stateful firewall or NAT
263 box, you may want to enable this feature.
265 Please note that not all PPTP modes of operation are supported yet.
266 Specifically these limitations exist:
267 - Blindly assumes that control connections are always established
268 in PNS->PAC direction. This is a violation of RFC2637.
269 - Only supports a single call within each session
271 To compile it as a module, choose M here. If unsure, say N.
273 config NF_CONNTRACK_SANE
274 tristate "SANE protocol support (EXPERIMENTAL)"
275 depends on EXPERIMENTAL
276 depends on NETFILTER_ADVANCED
278 SANE is a protocol for remote access to scanners as implemented
279 by the 'saned' daemon. Like FTP, it uses separate control and
282 With this module you can support SANE on a connection tracking
285 To compile it as a module, choose M here. If unsure, say N.
287 config NF_CONNTRACK_SIP
288 tristate "SIP protocol support"
289 default m if NETFILTER_ADVANCED=n
291 SIP is an application-layer control protocol that can establish,
292 modify, and terminate multimedia sessions (conferences) such as
293 Internet telephony calls. With the ip_conntrack_sip and
294 the nf_nat_sip modules you can support the protocol on a connection
295 tracking/NATing firewall.
297 To compile it as a module, choose M here. If unsure, say N.
299 config NF_CONNTRACK_TFTP
300 tristate "TFTP protocol support"
301 depends on NETFILTER_ADVANCED
303 TFTP connection tracking helper, this is required depending
304 on how restrictive your ruleset is.
305 If you are using a tftp client behind -j SNAT or -j MASQUERADING
308 To compile it as a module, choose M here. If unsure, say N.
310 config NF_CONNTRACK_SLP
311 tristate "SLP protocol support"
312 depends on NF_CONNTRACK
313 depends on NETFILTER_ADVANCED
315 SLP queries are sometimes sent as broadcast messages from an
316 unprivileged port and responded to with unicast messages to the
317 same port. This make them hard to firewall properly because connection
318 tracking doesn't deal with broadcasts. This helper tracks locally
319 originating broadcast SLP queries and the corresponding
320 responses. It relies on correct IP address configuration, specifically
321 netmask and broadcast address.
323 To compile it as a module, choose M here. If unsure, say N.
326 tristate 'Connection tracking netlink interface'
327 select NETFILTER_NETLINK
328 default m if NETFILTER_ADVANCED=n
330 This option enables support for a netlink-based userspace interface
334 # transparent proxy support
335 config NETFILTER_TPROXY
336 tristate "Transparent proxying support (EXPERIMENTAL)"
337 depends on EXPERIMENTAL
338 depends on IP_NF_MANGLE
339 depends on NETFILTER_ADVANCED
341 This option enables transparent proxying support, that is,
342 support for handling non-locally bound IPv4 TCP and UDP sockets.
343 For it to work you will have to configure certain iptables rules
344 and use policy routing. For more information on how to set it up
345 see Documentation/networking/tproxy.txt.
347 To compile it as a module, choose M here. If unsure, say N.
349 config NETFILTER_XTABLES
350 tristate "Netfilter Xtables support (required for ip_tables)"
351 default m if NETFILTER_ADVANCED=n
353 This is required if you intend to use any of ip_tables,
354 ip6_tables or arp_tables.
358 comment "Xtables combined modules"
360 config NETFILTER_XT_MARK
361 tristate 'nfmark target and match support'
362 default m if NETFILTER_ADVANCED=n
364 This option adds the "MARK" target and "mark" match.
366 Netfilter mark matching allows you to match packets based on the
367 "nfmark" value in the packet.
368 The target allows you to create rules in the "mangle" table which alter
369 the netfilter mark (nfmark) field associated with the packet.
371 Prior to routing, the nfmark can influence the routing method (see
372 "Use netfilter MARK value as routing key") and can also be used by
373 other subsystems to change their behavior.
375 config NETFILTER_XT_CONNMARK
376 tristate 'ctmark target and match support'
377 depends on NF_CONNTRACK
378 depends on NETFILTER_ADVANCED
379 select NF_CONNTRACK_MARK
381 This option adds the "CONNMARK" target and "connmark" match.
383 Netfilter allows you to store a mark value per connection (a.k.a.
384 ctmark), similarly to the packet mark (nfmark). Using this
385 target and match, you can set and match on this mark.
387 config NETFILTER_XT_SET
388 tristate 'set target and match support'
390 depends on NETFILTER_ADVANCED
392 This option adds the "SET" target and "set" match.
394 Using this target and match, you can add/delete and match
395 elements in the sets created by ipset(8).
397 To compile it as a module, choose M here. If unsure, say N.
399 # alphabetically ordered list of targets
401 comment "Xtables targets"
403 config NETFILTER_XT_TARGET_AUDIT
404 tristate "AUDIT target support"
406 depends on NETFILTER_ADVANCED
408 This option adds a 'AUDIT' target, which can be used to create
409 audit records for packets dropped/accepted.
411 To compileit as a module, choose M here. If unsure, say N.
413 config NETFILTER_XT_TARGET_CHECKSUM
414 tristate "CHECKSUM target support"
415 depends on IP_NF_MANGLE || IP6_NF_MANGLE
416 depends on NETFILTER_ADVANCED
418 This option adds a `CHECKSUM' target, which can be used in the iptables mangle
421 You can use this target to compute and fill in the checksum in
422 a packet that lacks a checksum. This is particularly useful,
423 if you need to work around old applications such as dhcp clients,
424 that do not work well with checksum offloads, but don't want to disable
425 checksum offload in your device.
427 To compile it as a module, choose M here. If unsure, say N.
429 config NETFILTER_XT_TARGET_CLASSIFY
430 tristate '"CLASSIFY" target support'
431 depends on NETFILTER_ADVANCED
433 This option adds a `CLASSIFY' target, which enables the user to set
434 the priority of a packet. Some qdiscs can use this value for
435 classification, among these are:
437 atm, cbq, dsmark, pfifo_fast, htb, prio
439 To compile it as a module, choose M here. If unsure, say N.
441 config NETFILTER_XT_TARGET_CONNMARK
442 tristate '"CONNMARK" target support'
443 depends on NF_CONNTRACK
444 depends on NETFILTER_ADVANCED
445 select NETFILTER_XT_CONNMARK
447 This is a backwards-compat option for the user's convenience
448 (e.g. when running oldconfig). It selects
449 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
451 config NETFILTER_XT_TARGET_CONNSECMARK
452 tristate '"CONNSECMARK" target support'
453 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
454 default m if NETFILTER_ADVANCED=n
456 The CONNSECMARK target copies security markings from packets
457 to connections, and restores security markings from connections
458 to packets (if the packets are not already marked). This would
459 normally be used in conjunction with the SECMARK target.
461 To compile it as a module, choose M here. If unsure, say N.
463 config NETFILTER_XT_TARGET_CT
464 tristate '"CT" target support'
465 depends on NF_CONNTRACK
466 depends on IP_NF_RAW || IP6_NF_RAW
467 depends on NETFILTER_ADVANCED
469 This options adds a `CT' target, which allows to specify initial
470 connection tracking parameters like events to be delivered and
471 the helper to be used.
473 To compile it as a module, choose M here. If unsure, say N.
475 config NETFILTER_XT_TARGET_DSCP
476 tristate '"DSCP" and "TOS" target support'
477 depends on IP_NF_MANGLE || IP6_NF_MANGLE
478 depends on NETFILTER_ADVANCED
480 This option adds a `DSCP' target, which allows you to manipulate
481 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
483 The DSCP field can have any value between 0x0 and 0x3f inclusive.
485 It also adds the "TOS" target, which allows you to create rules in
486 the "mangle" table which alter the Type Of Service field of an IPv4
487 or the Priority field of an IPv6 packet, prior to routing.
489 To compile it as a module, choose M here. If unsure, say N.
491 config NETFILTER_XT_TARGET_HL
492 tristate '"HL" hoplimit target support'
493 depends on IP_NF_MANGLE || IP6_NF_MANGLE
494 depends on NETFILTER_ADVANCED
496 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
497 targets, which enable the user to change the
498 hoplimit/time-to-live value of the IP header.
500 While it is safe to decrement the hoplimit/TTL value, the
501 modules also allow to increment and set the hoplimit value of
502 the header to arbitrary values. This is EXTREMELY DANGEROUS
503 since you can easily create immortal packets that loop
504 forever on the network.
506 config NETFILTER_XT_TARGET_IDLETIMER
507 tristate "IDLETIMER target support"
508 depends on NETFILTER_ADVANCED
511 This option adds the `IDLETIMER' target. Each matching packet
512 resets the timer associated with label specified when the rule is
513 added. When the timer expires, it triggers a sysfs notification.
514 The remaining time for expiration can be read via sysfs.
516 To compile it as a module, choose M here. If unsure, say N.
518 config NETFILTER_XT_TARGET_LED
519 tristate '"LED" target support'
520 depends on LEDS_CLASS && LEDS_TRIGGERS
521 depends on NETFILTER_ADVANCED
523 This option adds a `LED' target, which allows you to blink LEDs in
524 response to particular packets passing through your machine.
526 This can be used to turn a spare LED into a network activity LED,
527 which only flashes in response to FTP transfers, for example. Or
528 you could have an LED which lights up for a minute or two every time
529 somebody connects to your machine via SSH.
531 You will need support for the "led" class to make this work.
533 To create an LED trigger for incoming SSH traffic:
534 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
536 Then attach the new trigger to an LED on your system:
537 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
539 For more information on the LEDs available on your system, see
540 Documentation/leds/leds-class.txt
542 config NETFILTER_XT_TARGET_MARK
543 tristate '"MARK" target support'
544 depends on NETFILTER_ADVANCED
545 select NETFILTER_XT_MARK
547 This is a backwards-compat option for the user's convenience
548 (e.g. when running oldconfig). It selects
549 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
551 config NETFILTER_XT_TARGET_NFLOG
552 tristate '"NFLOG" target support'
553 default m if NETFILTER_ADVANCED=n
554 select NETFILTER_NETLINK_LOG
556 This option enables the NFLOG target, which allows to LOG
557 messages through nfnetlink_log.
559 To compile it as a module, choose M here. If unsure, say N.
561 config NETFILTER_XT_TARGET_NFQUEUE
562 tristate '"NFQUEUE" target Support'
563 depends on NETFILTER_ADVANCED
564 select NETFILTER_NETLINK_QUEUE
566 This target replaced the old obsolete QUEUE target.
568 As opposed to QUEUE, it supports 65535 different queues,
571 To compile it as a module, choose M here. If unsure, say N.
573 config NETFILTER_XT_TARGET_NOTRACK
574 tristate '"NOTRACK" target support'
575 depends on IP_NF_RAW || IP6_NF_RAW
576 depends on NF_CONNTRACK
578 The NOTRACK target allows a select rule to specify
579 which packets *not* to enter the conntrack/NAT
580 subsystem with all the consequences (no ICMP error tracking,
581 no protocol helpers for the selected packets).
583 If you want to compile it as a module, say M here and read
584 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
586 config NETFILTER_XT_TARGET_RATEEST
587 tristate '"RATEEST" target support'
588 depends on NETFILTER_ADVANCED
590 This option adds a `RATEEST' target, which allows to measure
591 rates similar to TC estimators. The `rateest' match can be
592 used to match on the measured rates.
594 To compile it as a module, choose M here. If unsure, say N.
596 config NETFILTER_XT_TARGET_TEE
597 tristate '"TEE" - packet cloning to alternate destination'
598 depends on NETFILTER_ADVANCED
599 depends on (IPV6 || IPV6=n)
600 depends on !NF_CONNTRACK || NF_CONNTRACK
602 This option adds a "TEE" target with which a packet can be cloned and
603 this clone be rerouted to another nexthop.
605 config NETFILTER_XT_TARGET_TPROXY
606 tristate '"TPROXY" target support (EXPERIMENTAL)'
607 depends on EXPERIMENTAL
608 depends on NETFILTER_TPROXY
609 depends on NETFILTER_XTABLES
610 depends on NETFILTER_ADVANCED
611 select NF_DEFRAG_IPV4
612 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
614 This option adds a `TPROXY' target, which is somewhat similar to
615 REDIRECT. It can only be used in the mangle table and is useful
616 to redirect traffic to a transparent proxy. It does _not_ depend
617 on Netfilter connection tracking and NAT, unlike REDIRECT.
619 To compile it as a module, choose M here. If unsure, say N.
621 config NETFILTER_XT_TARGET_TRACE
622 tristate '"TRACE" target support'
623 depends on IP_NF_RAW || IP6_NF_RAW
624 depends on NETFILTER_ADVANCED
626 The TRACE target allows you to mark packets so that the kernel
627 will log every rule which match the packets as those traverse
628 the tables, chains, rules.
630 If you want to compile it as a module, say M here and read
631 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
633 config NETFILTER_XT_TARGET_SECMARK
634 tristate '"SECMARK" target support'
635 depends on NETWORK_SECMARK
636 default m if NETFILTER_ADVANCED=n
638 The SECMARK target allows security marking of network
639 packets, for use with security subsystems.
641 To compile it as a module, choose M here. If unsure, say N.
643 config NETFILTER_XT_TARGET_TCPMSS
644 tristate '"TCPMSS" target support'
645 depends on (IPV6 || IPV6=n)
646 default m if NETFILTER_ADVANCED=n
648 This option adds a `TCPMSS' target, which allows you to alter the
649 MSS value of TCP SYN packets, to control the maximum size for that
650 connection (usually limiting it to your outgoing interface's MTU
653 This is used to overcome criminally braindead ISPs or servers which
654 block ICMP Fragmentation Needed packets. The symptoms of this
655 problem are that everything works fine from your Linux
656 firewall/router, but machines behind it can never exchange large
658 1) Web browsers connect, then hang with no data received.
659 2) Small mail works fine, but large emails hang.
660 3) ssh works fine, but scp hangs after initial handshaking.
662 Workaround: activate this option and add a rule to your firewall
665 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
666 -j TCPMSS --clamp-mss-to-pmtu
668 To compile it as a module, choose M here. If unsure, say N.
670 config NETFILTER_XT_TARGET_TCPOPTSTRIP
671 tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
672 depends on EXPERIMENTAL
673 depends on IP_NF_MANGLE || IP6_NF_MANGLE
674 depends on NETFILTER_ADVANCED
676 This option adds a "TCPOPTSTRIP" target, which allows you to strip
677 TCP options from TCP packets.
679 # alphabetically ordered list of matches
681 comment "Xtables matches"
683 config NETFILTER_XT_MATCH_ADDRTYPE
684 tristate '"addrtype" address type match support'
685 depends on NETFILTER_ADVANCED
687 This option allows you to match what routing thinks of an address,
688 eg. UNICAST, LOCAL, BROADCAST, ...
690 If you want to compile it as a module, say M here and read
691 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
693 config NETFILTER_XT_MATCH_CLUSTER
694 tristate '"cluster" match support'
695 depends on NF_CONNTRACK
696 depends on NETFILTER_ADVANCED
698 This option allows you to build work-load-sharing clusters of
699 network servers/stateful firewalls without having a dedicated
700 load-balancing router/server/switch. Basically, this match returns
701 true when the packet must be handled by this cluster node. Thus,
702 all nodes see all packets and this match decides which node handles
703 what packets. The work-load sharing algorithm is based on source
706 If you say Y or M here, try `iptables -m cluster --help` for
709 config NETFILTER_XT_MATCH_COMMENT
710 tristate '"comment" match support'
711 depends on NETFILTER_ADVANCED
713 This option adds a `comment' dummy-match, which allows you to put
714 comments in your iptables ruleset.
716 If you want to compile it as a module, say M here and read
717 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
719 config NETFILTER_XT_MATCH_CONNBYTES
720 tristate '"connbytes" per-connection counter match support'
721 depends on NF_CONNTRACK
722 depends on NETFILTER_ADVANCED
724 This option adds a `connbytes' match, which allows you to match the
725 number of bytes and/or packets for each direction within a connection.
727 If you want to compile it as a module, say M here and read
728 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
730 config NETFILTER_XT_MATCH_CONNLIMIT
731 tristate '"connlimit" match support"'
732 depends on NF_CONNTRACK
733 depends on NETFILTER_ADVANCED
735 This match allows you to match against the number of parallel
736 connections to a server per client IP address (or address block).
738 config NETFILTER_XT_MATCH_CONNMARK
739 tristate '"connmark" connection mark match support'
740 depends on NF_CONNTRACK
741 depends on NETFILTER_ADVANCED
742 select NETFILTER_XT_CONNMARK
744 This is a backwards-compat option for the user's convenience
745 (e.g. when running oldconfig). It selects
746 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
748 config NETFILTER_XT_MATCH_CONNTRACK
749 tristate '"conntrack" connection tracking match support'
750 depends on NF_CONNTRACK
751 default m if NETFILTER_ADVANCED=n
753 This is a general conntrack match module, a superset of the state match.
755 It allows matching on additional conntrack information, which is
756 useful in complex configurations, such as NAT gateways with multiple
757 internet links or tunnels.
759 To compile it as a module, choose M here. If unsure, say N.
761 config NETFILTER_XT_MATCH_CPU
762 tristate '"cpu" match support'
763 depends on NETFILTER_ADVANCED
765 CPU matching allows you to match packets based on the CPU
766 currently handling the packet.
768 To compile it as a module, choose M here. If unsure, say N.
770 config NETFILTER_XT_MATCH_DCCP
771 tristate '"dccp" protocol match support'
772 depends on NETFILTER_ADVANCED
775 With this option enabled, you will be able to use the iptables
776 `dccp' match in order to match on DCCP source/destination ports
779 If you want to compile it as a module, say M here and read
780 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
782 config NETFILTER_XT_MATCH_DEVGROUP
783 tristate '"devgroup" match support'
784 depends on NETFILTER_ADVANCED
786 This options adds a `devgroup' match, which allows to match on the
787 device group a network device is assigned to.
789 To compile it as a module, choose M here. If unsure, say N.
791 config NETFILTER_XT_MATCH_DSCP
792 tristate '"dscp" and "tos" match support'
793 depends on NETFILTER_ADVANCED
795 This option adds a `DSCP' match, which allows you to match against
796 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
798 The DSCP field can have any value between 0x0 and 0x3f inclusive.
800 It will also add a "tos" match, which allows you to match packets
801 based on the Type Of Service fields of the IPv4 packet (which share
802 the same bits as DSCP).
804 To compile it as a module, choose M here. If unsure, say N.
806 config NETFILTER_XT_MATCH_ECN
807 tristate '"ecn" match support'
808 depends on NETFILTER_ADVANCED
810 This option adds an "ECN" match, which allows you to match against
811 the IPv4 and TCP header ECN fields.
813 To compile it as a module, choose M here. If unsure, say N.
815 config NETFILTER_XT_MATCH_ESP
816 tristate '"esp" match support'
817 depends on NETFILTER_ADVANCED
819 This match extension allows you to match a range of SPIs
820 inside ESP header of IPSec packets.
822 To compile it as a module, choose M here. If unsure, say N.
824 config NETFILTER_XT_MATCH_HASHLIMIT
825 tristate '"hashlimit" match support'
826 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
827 depends on NETFILTER_ADVANCED
829 This option adds a `hashlimit' match.
831 As opposed to `limit', this match dynamically creates a hash table
832 of limit buckets, based on your selection of source/destination
833 addresses and/or ports.
835 It enables you to express policies like `10kpps for any given
836 destination address' or `500pps from any given source address'
839 config NETFILTER_XT_MATCH_HELPER
840 tristate '"helper" match support'
841 depends on NF_CONNTRACK
842 depends on NETFILTER_ADVANCED
844 Helper matching allows you to match packets in dynamic connections
845 tracked by a conntrack-helper, ie. ip_conntrack_ftp
847 To compile it as a module, choose M here. If unsure, say Y.
849 config NETFILTER_XT_MATCH_HL
850 tristate '"hl" hoplimit/TTL match support'
851 depends on NETFILTER_ADVANCED
853 HL matching allows you to match packets based on the hoplimit
854 in the IPv6 header, or the time-to-live field in the IPv4
855 header of the packet.
857 config NETFILTER_XT_MATCH_IPRANGE
858 tristate '"iprange" address range match support'
859 depends on NETFILTER_ADVANCED
861 This option adds a "iprange" match, which allows you to match based on
862 an IP address range. (Normal iptables only matches on single addresses
863 with an optional mask.)
867 config NETFILTER_XT_MATCH_IPVS
868 tristate '"ipvs" match support'
870 depends on NETFILTER_ADVANCED
871 depends on NF_CONNTRACK
873 This option allows you to match against IPVS properties of a packet.
877 config NETFILTER_XT_MATCH_LENGTH
878 tristate '"length" match support'
879 depends on NETFILTER_ADVANCED
881 This option allows you to match the length of a packet against a
882 specific value or range of values.
884 To compile it as a module, choose M here. If unsure, say N.
886 config NETFILTER_XT_MATCH_LIMIT
887 tristate '"limit" match support'
888 depends on NETFILTER_ADVANCED
890 limit matching allows you to control the rate at which a rule can be
891 matched: mainly useful in combination with the LOG target ("LOG
892 target support", below) and to avoid some Denial of Service attacks.
894 To compile it as a module, choose M here. If unsure, say N.
896 config NETFILTER_XT_MATCH_MAC
897 tristate '"mac" address match support'
898 depends on NETFILTER_ADVANCED
900 MAC matching allows you to match packets based on the source
901 Ethernet address of the packet.
903 To compile it as a module, choose M here. If unsure, say N.
905 config NETFILTER_XT_MATCH_MARK
906 tristate '"mark" match support'
907 depends on NETFILTER_ADVANCED
908 select NETFILTER_XT_MARK
910 This is a backwards-compat option for the user's convenience
911 (e.g. when running oldconfig). It selects
912 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
914 config NETFILTER_XT_MATCH_MULTIPORT
915 tristate '"multiport" Multiple port match support'
916 depends on NETFILTER_ADVANCED
918 Multiport matching allows you to match TCP or UDP packets based on
919 a series of source or destination ports: normally a rule can only
920 match a single range of ports.
922 To compile it as a module, choose M here. If unsure, say N.
924 config NETFILTER_XT_MATCH_NFACCT
925 tristate '"nfacct" match support'
926 depends on NETFILTER_ADVANCED
927 select NETFILTER_NETLINK_ACCT
929 This option allows you to use the extended accounting through
932 To compile it as a module, choose M here. If unsure, say N.
934 config NETFILTER_XT_MATCH_OSF
935 tristate '"osf" Passive OS fingerprint match'
936 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
938 This option selects the Passive OS Fingerprinting match module
939 that allows to passively match the remote operating system by
940 analyzing incoming TCP SYN packets.
942 Rules and loading software can be downloaded from
943 http://www.ioremap.net/projects/osf
945 To compile it as a module, choose M here. If unsure, say N.
947 config NETFILTER_XT_MATCH_OWNER
948 tristate '"owner" match support'
949 depends on NETFILTER_ADVANCED
951 Socket owner matching allows you to match locally-generated packets
952 based on who created the socket: the user or group. It is also
953 possible to check whether a socket actually exists.
955 config NETFILTER_XT_MATCH_POLICY
956 tristate 'IPsec "policy" match support'
958 default m if NETFILTER_ADVANCED=n
960 Policy matching allows you to match packets based on the
961 IPsec policy that was used during decapsulation/will
962 be used during encapsulation.
964 To compile it as a module, choose M here. If unsure, say N.
966 config NETFILTER_XT_MATCH_PHYSDEV
967 tristate '"physdev" match support'
968 depends on BRIDGE && BRIDGE_NETFILTER
969 depends on NETFILTER_ADVANCED
971 Physdev packet matching matches against the physical bridge ports
972 the IP packet arrived on or will leave by.
974 To compile it as a module, choose M here. If unsure, say N.
976 config NETFILTER_XT_MATCH_PKTTYPE
977 tristate '"pkttype" packet type match support'
978 depends on NETFILTER_ADVANCED
980 Packet type matching allows you to match a packet by
981 its "class", eg. BROADCAST, MULTICAST, ...
984 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
986 To compile it as a module, choose M here. If unsure, say N.
988 config NETFILTER_XT_MATCH_QUOTA
989 tristate '"quota" match support'
990 depends on NETFILTER_ADVANCED
992 This option adds a `quota' match, which allows to match on a
995 If you want to compile it as a module, say M here and read
996 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
998 config NETFILTER_XT_MATCH_RATEEST
999 tristate '"rateest" match support'
1000 depends on NETFILTER_ADVANCED
1001 select NETFILTER_XT_TARGET_RATEEST
1003 This option adds a `rateest' match, which allows to match on the
1004 rate estimated by the RATEEST target.
1006 To compile it as a module, choose M here. If unsure, say N.
1008 config NETFILTER_XT_MATCH_REALM
1009 tristate '"realm" match support'
1010 depends on NETFILTER_ADVANCED
1011 select IP_ROUTE_CLASSID
1013 This option adds a `realm' match, which allows you to use the realm
1014 key from the routing subsystem inside iptables.
1016 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1019 If you want to compile it as a module, say M here and read
1020 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1022 config NETFILTER_XT_MATCH_RECENT
1023 tristate '"recent" match support'
1024 depends on NETFILTER_ADVANCED
1026 This match is used for creating one or many lists of recently
1027 used addresses and then matching against that/those list(s).
1029 Short options are available by using 'iptables -m recent -h'
1030 Official Website: <http://snowman.net/projects/ipt_recent/>
1032 config NETFILTER_XT_MATCH_SCTP
1033 tristate '"sctp" protocol match support (EXPERIMENTAL)'
1034 depends on EXPERIMENTAL
1035 depends on NETFILTER_ADVANCED
1038 With this option enabled, you will be able to use the
1039 `sctp' match in order to match on SCTP source/destination ports
1040 and SCTP chunk types.
1042 If you want to compile it as a module, say M here and read
1043 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1045 config NETFILTER_XT_MATCH_SOCKET
1046 tristate '"socket" match support (EXPERIMENTAL)'
1047 depends on EXPERIMENTAL
1048 depends on NETFILTER_TPROXY
1049 depends on NETFILTER_XTABLES
1050 depends on NETFILTER_ADVANCED
1051 depends on !NF_CONNTRACK || NF_CONNTRACK
1052 select NF_DEFRAG_IPV4
1053 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1055 This option adds a `socket' match, which can be used to match
1056 packets for which a TCP or UDP socket lookup finds a valid socket.
1057 It can be used in combination with the MARK target and policy
1058 routing to implement full featured non-locally bound sockets.
1060 To compile it as a module, choose M here. If unsure, say N.
1062 config NETFILTER_XT_MATCH_STATE
1063 tristate '"state" match support'
1064 depends on NF_CONNTRACK
1065 default m if NETFILTER_ADVANCED=n
1067 Connection state matching allows you to match packets based on their
1068 relationship to a tracked connection (ie. previous packets). This
1069 is a powerful tool for packet classification.
1071 To compile it as a module, choose M here. If unsure, say N.
1073 config NETFILTER_XT_MATCH_STATISTIC
1074 tristate '"statistic" match support'
1075 depends on NETFILTER_ADVANCED
1077 This option adds a `statistic' match, which allows you to match
1078 on packets periodically or randomly with a given percentage.
1080 To compile it as a module, choose M here. If unsure, say N.
1082 config NETFILTER_XT_MATCH_STRING
1083 tristate '"string" match support'
1084 depends on NETFILTER_ADVANCED
1086 select TEXTSEARCH_KMP
1087 select TEXTSEARCH_BM
1088 select TEXTSEARCH_FSM
1090 This option adds a `string' match, which allows you to look for
1091 pattern matchings in packets.
1093 To compile it as a module, choose M here. If unsure, say N.
1095 config NETFILTER_XT_MATCH_TCPMSS
1096 tristate '"tcpmss" match support'
1097 depends on NETFILTER_ADVANCED
1099 This option adds a `tcpmss' match, which allows you to examine the
1100 MSS value of TCP SYN packets, which control the maximum packet size
1101 for that connection.
1103 To compile it as a module, choose M here. If unsure, say N.
1105 config NETFILTER_XT_MATCH_TIME
1106 tristate '"time" match support'
1107 depends on NETFILTER_ADVANCED
1109 This option adds a "time" match, which allows you to match based on
1110 the packet arrival time (at the machine which netfilter is running)
1111 on) or departure time/date (for locally generated packets).
1113 If you say Y here, try `iptables -m time --help` for
1116 If you want to compile it as a module, say M here.
1119 config NETFILTER_XT_MATCH_U32
1120 tristate '"u32" match support'
1121 depends on NETFILTER_ADVANCED
1123 u32 allows you to extract quantities of up to 4 bytes from a packet,
1124 AND them with specified masks, shift them by specified amounts and
1125 test whether the results are in any of a set of specified ranges.
1126 The specification of what to extract is general enough to skip over
1127 headers with lengths stored in the packet, as in IP or TCP header
1130 Details and examples are in the kernel module source.
1132 endif # NETFILTER_XTABLES
1136 source "net/netfilter/ipset/Kconfig"
1138 source "net/netfilter/ipvs/Kconfig"