1 menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
4 config NETFILTER_NETLINK
7 config NETFILTER_NETLINK_ACCT
8 tristate "Netfilter NFACCT over NFNETLINK interface"
9 depends on NETFILTER_ADVANCED
10 select NETFILTER_NETLINK
12 If this option is enabled, the kernel will include support
13 for extended accounting via NFNETLINK.
15 config NETFILTER_NETLINK_QUEUE
16 tristate "Netfilter NFQUEUE over NFNETLINK interface"
17 depends on NETFILTER_ADVANCED
18 select NETFILTER_NETLINK
20 If this option is enabled, the kernel will include support
21 for queueing packets via NFNETLINK.
23 config NETFILTER_NETLINK_LOG
24 tristate "Netfilter LOG over NFNETLINK interface"
25 default m if NETFILTER_ADVANCED=n
26 select NETFILTER_NETLINK
28 If this option is enabled, the kernel will include support
29 for logging packets via NFNETLINK.
31 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
32 and is also scheduled to replace the old syslog-based ipt_LOG
36 tristate "Netfilter connection tracking support"
37 default m if NETFILTER_ADVANCED=n
39 Connection tracking keeps a record of what packets have passed
40 through your machine, in order to figure out how they are related
43 This is required to do Masquerading or other kinds of Network
44 Address Translation. It can also be used to enhance packet
45 filtering (see `Connection state match support' below).
47 To compile it as a module, choose M here. If unsure, say N.
51 config NF_CONNTRACK_MARK
52 bool 'Connection mark tracking support'
53 depends on NETFILTER_ADVANCED
55 This option enables support for connection marks, used by the
56 `CONNMARK' target and `connmark' match. Similar to the mark value
57 of packets, but this mark value is kept in the conntrack session
58 instead of the individual packets.
60 config NF_CONNTRACK_SECMARK
61 bool 'Connection tracking security mark support'
62 depends on NETWORK_SECMARK
63 default m if NETFILTER_ADVANCED=n
65 This option enables security markings to be applied to
66 connections. Typically they are copied to connections from
67 packets using the CONNSECMARK target and copied back from
68 connections to packets with the same target, with the packets
69 being originally labeled via SECMARK.
73 config NF_CONNTRACK_ZONES
74 bool 'Connection tracking zones'
75 depends on NETFILTER_ADVANCED
76 depends on NETFILTER_XT_TARGET_CT
78 This option enables support for connection tracking zones.
79 Normally, each connection needs to have a unique system wide
80 identity. Connection tracking zones allow to have multiple
81 connections using the same identity, as long as they are
82 contained in different zones.
86 config NF_CONNTRACK_PROCFS
87 bool "Supply CT list in procfs (OBSOLETE)"
91 This option enables for the list of known conntrack entries
92 to be shown in procfs under net/netfilter/nf_conntrack. This
93 is considered obsolete in favor of using the conntrack(8)
94 tool which uses Netlink.
96 config NF_CONNTRACK_EVENTS
97 bool "Connection tracking events"
98 depends on NETFILTER_ADVANCED
100 If this option is enabled, the connection tracking code will
101 provide a notifier chain that can be used by other kernel code
102 to get notified about changes in the connection tracking state.
106 config NF_CONNTRACK_TIMEOUT
107 bool 'Connection tracking timeout'
108 depends on NETFILTER_ADVANCED
110 This option enables support for connection tracking timeout
111 extension. This allows you to attach timeout policies to flow
116 config NF_CONNTRACK_TIMESTAMP
117 bool 'Connection tracking timestamping'
118 depends on NETFILTER_ADVANCED
120 This option enables support for connection tracking timestamping.
121 This allows you to store the flow start-time and to obtain
122 the flow-stop time (once it has been destroyed) via Connection
127 config NF_CONNTRACK_LABELS
130 This option enables support for assigning user-defined flag bits
131 to connection tracking entries. It selected by the connlabel match.
133 config NF_CT_PROTO_DCCP
134 tristate 'DCCP protocol connection tracking support'
135 depends on NETFILTER_ADVANCED
138 With this option enabled, the layer 3 independent connection
139 tracking code will be able to do state tracking on DCCP connections.
143 config NF_CT_PROTO_GRE
146 config NF_CT_PROTO_SCTP
147 tristate 'SCTP protocol connection tracking support'
148 depends on NETFILTER_ADVANCED
151 With this option enabled, the layer 3 independent connection
152 tracking code will be able to do state tracking on SCTP connections.
154 If you want to compile it as a module, say M here and read
155 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
157 config NF_CT_PROTO_UDPLITE
158 tristate 'UDP-Lite protocol connection tracking support'
159 depends on NETFILTER_ADVANCED
161 With this option enabled, the layer 3 independent connection
162 tracking code will be able to do state tracking on UDP-Lite
165 To compile it as a module, choose M here. If unsure, say N.
167 config NF_CONNTRACK_AMANDA
168 tristate "Amanda backup protocol support"
169 depends on NETFILTER_ADVANCED
171 select TEXTSEARCH_KMP
173 If you are running the Amanda backup package <http://www.amanda.org/>
174 on this machine or machines that will be MASQUERADED through this
175 machine, then you may want to enable this feature. This allows the
176 connection tracking and natting code to allow the sub-channels that
177 Amanda requires for communication of the backup data, messages and
180 To compile it as a module, choose M here. If unsure, say N.
182 config NF_CONNTRACK_FTP
183 tristate "FTP protocol support"
184 default m if NETFILTER_ADVANCED=n
186 Tracking FTP connections is problematic: special helpers are
187 required for tracking them, and doing masquerading and other forms
188 of Network Address Translation on them.
190 This is FTP support on Layer 3 independent connection tracking.
191 Layer 3 independent connection tracking is experimental scheme
192 which generalize ip_conntrack to support other layer 3 protocols.
194 To compile it as a module, choose M here. If unsure, say N.
196 config NF_CONNTRACK_H323
197 tristate "H.323 protocol support"
198 depends on (IPV6 || IPV6=n)
199 depends on NETFILTER_ADVANCED
201 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
202 important VoIP protocols, it is widely used by voice hardware and
203 software including voice gateways, IP phones, Netmeeting, OpenPhone,
206 With this module you can support H.323 on a connection tracking/NAT
209 This module supports RAS, Fast Start, H.245 Tunnelling, Call
210 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
211 whiteboard, file transfer, etc. For more information, please
212 visit http://nath323.sourceforge.net/.
214 To compile it as a module, choose M here. If unsure, say N.
216 config NF_CONNTRACK_IRC
217 tristate "IRC protocol support"
218 default m if NETFILTER_ADVANCED=n
220 There is a commonly-used extension to IRC called
221 Direct Client-to-Client Protocol (DCC). This enables users to send
222 files to each other, and also chat to each other without the need
223 of a server. DCC Sending is used anywhere you send files over IRC,
224 and DCC Chat is most commonly used by Eggdrop bots. If you are
225 using NAT, this extension will enable you to send files and initiate
226 chats. Note that you do NOT need this extension to get files or
227 have others initiate chats, or everything else in IRC.
229 To compile it as a module, choose M here. If unsure, say N.
231 config NF_CONNTRACK_BROADCAST
234 config NF_CONNTRACK_NETBIOS_NS
235 tristate "NetBIOS name service protocol support"
236 select NF_CONNTRACK_BROADCAST
238 NetBIOS name service requests are sent as broadcast messages from an
239 unprivileged port and responded to with unicast messages to the
240 same port. This make them hard to firewall properly because connection
241 tracking doesn't deal with broadcasts. This helper tracks locally
242 originating NetBIOS name service requests and the corresponding
243 responses. It relies on correct IP address configuration, specifically
244 netmask and broadcast address. When properly configured, the output
245 of "ip address show" should look similar to this:
247 $ ip -4 address show eth0
248 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
249 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
251 To compile it as a module, choose M here. If unsure, say N.
253 config NF_CONNTRACK_SNMP
254 tristate "SNMP service protocol support"
255 depends on NETFILTER_ADVANCED
256 select NF_CONNTRACK_BROADCAST
258 SNMP service requests are sent as broadcast messages from an
259 unprivileged port and responded to with unicast messages to the
260 same port. This make them hard to firewall properly because connection
261 tracking doesn't deal with broadcasts. This helper tracks locally
262 originating SNMP service requests and the corresponding
263 responses. It relies on correct IP address configuration, specifically
264 netmask and broadcast address.
266 To compile it as a module, choose M here. If unsure, say N.
268 config NF_CONNTRACK_PPTP
269 tristate "PPtP protocol support"
270 depends on NETFILTER_ADVANCED
271 select NF_CT_PROTO_GRE
273 This module adds support for PPTP (Point to Point Tunnelling
274 Protocol, RFC2637) connection tracking and NAT.
276 If you are running PPTP sessions over a stateful firewall or NAT
277 box, you may want to enable this feature.
279 Please note that not all PPTP modes of operation are supported yet.
280 Specifically these limitations exist:
281 - Blindly assumes that control connections are always established
282 in PNS->PAC direction. This is a violation of RFC2637.
283 - Only supports a single call within each session
285 To compile it as a module, choose M here. If unsure, say N.
287 config NF_CONNTRACK_SANE
288 tristate "SANE protocol support"
289 depends on NETFILTER_ADVANCED
291 SANE is a protocol for remote access to scanners as implemented
292 by the 'saned' daemon. Like FTP, it uses separate control and
295 With this module you can support SANE on a connection tracking
298 To compile it as a module, choose M here. If unsure, say N.
300 config NF_CONNTRACK_SIP
301 tristate "SIP protocol support"
302 default m if NETFILTER_ADVANCED=n
304 SIP is an application-layer control protocol that can establish,
305 modify, and terminate multimedia sessions (conferences) such as
306 Internet telephony calls. With the ip_conntrack_sip and
307 the nf_nat_sip modules you can support the protocol on a connection
308 tracking/NATing firewall.
310 To compile it as a module, choose M here. If unsure, say N.
312 config NF_CONNTRACK_TFTP
313 tristate "TFTP protocol support"
314 depends on NETFILTER_ADVANCED
316 TFTP connection tracking helper, this is required depending
317 on how restrictive your ruleset is.
318 If you are using a tftp client behind -j SNAT or -j MASQUERADING
321 To compile it as a module, choose M here. If unsure, say N.
324 tristate 'Connection tracking netlink interface'
325 select NETFILTER_NETLINK
326 default m if NETFILTER_ADVANCED=n
328 This option enables support for a netlink-based userspace interface
330 config NF_CT_NETLINK_TIMEOUT
331 tristate 'Connection tracking timeout tuning via Netlink'
332 select NETFILTER_NETLINK
333 depends on NETFILTER_ADVANCED
335 This option enables support for connection tracking timeout
336 fine-grain tuning. This allows you to attach specific timeout
337 policies to flows, instead of using the global timeout policy.
341 config NF_CT_NETLINK_HELPER
342 tristate 'Connection tracking helpers in user-space via Netlink'
343 select NETFILTER_NETLINK
344 depends on NF_CT_NETLINK
345 depends on NETFILTER_NETLINK_QUEUE
346 depends on NETFILTER_NETLINK_QUEUE_CT
347 depends on NETFILTER_ADVANCED
349 This option enables the user-space connection tracking helpers
354 config NETFILTER_NETLINK_QUEUE_CT
355 bool "NFQUEUE integration with Connection Tracking"
357 depends on NETFILTER_NETLINK_QUEUE
359 If this option is enabled, NFQUEUE can include Connection Tracking
360 information together with the packet is the enqueued via NFNETLINK.
370 config NF_NAT_PROTO_DCCP
372 depends on NF_NAT && NF_CT_PROTO_DCCP
373 default NF_NAT && NF_CT_PROTO_DCCP
375 config NF_NAT_PROTO_UDPLITE
377 depends on NF_NAT && NF_CT_PROTO_UDPLITE
378 default NF_NAT && NF_CT_PROTO_UDPLITE
380 config NF_NAT_PROTO_SCTP
382 default NF_NAT && NF_CT_PROTO_SCTP
383 depends on NF_NAT && NF_CT_PROTO_SCTP
388 depends on NF_CONNTRACK && NF_NAT
389 default NF_NAT && NF_CONNTRACK_AMANDA
393 depends on NF_CONNTRACK && NF_NAT
394 default NF_NAT && NF_CONNTRACK_FTP
398 depends on NF_CONNTRACK && NF_NAT
399 default NF_NAT && NF_CONNTRACK_IRC
403 depends on NF_CONNTRACK && NF_NAT
404 default NF_NAT && NF_CONNTRACK_SIP
408 depends on NF_CONNTRACK && NF_NAT
409 default NF_NAT && NF_CONNTRACK_TFTP
411 config NETFILTER_SYNPROXY
417 depends on NETFILTER_NETLINK
418 tristate "Netfilter nf_tables support"
422 tristate "Netfilter nf_tables IPv6 exthdr module"
426 tristate "Netfilter nf_tables meta module"
430 depends on NF_CONNTRACK
431 tristate "Netfilter nf_tables conntrack module"
435 tristate "Netfilter nf_tables rbtree set module"
439 tristate "Netfilter nf_tables hash set module"
443 tristate "Netfilter nf_tables counter module"
447 tristate "Netfilter nf_tables log module"
451 tristate "Netfilter nf_tables limit module"
455 depends on NETFILTER_XTABLES
456 tristate "Netfilter x_tables over nf_tables module"
458 This is required if you intend to use any of existing
459 x_tables match/target extensions over the nf_tables
462 config NETFILTER_XTABLES
463 tristate "Netfilter Xtables support (required for ip_tables)"
464 default m if NETFILTER_ADVANCED=n
466 This is required if you intend to use any of ip_tables,
467 ip6_tables or arp_tables.
471 comment "Xtables combined modules"
473 config NETFILTER_XT_MARK
474 tristate 'nfmark target and match support'
475 default m if NETFILTER_ADVANCED=n
477 This option adds the "MARK" target and "mark" match.
479 Netfilter mark matching allows you to match packets based on the
480 "nfmark" value in the packet.
481 The target allows you to create rules in the "mangle" table which alter
482 the netfilter mark (nfmark) field associated with the packet.
484 Prior to routing, the nfmark can influence the routing method (see
485 "Use netfilter MARK value as routing key") and can also be used by
486 other subsystems to change their behavior.
488 config NETFILTER_XT_CONNMARK
489 tristate 'ctmark target and match support'
490 depends on NF_CONNTRACK
491 depends on NETFILTER_ADVANCED
492 select NF_CONNTRACK_MARK
494 This option adds the "CONNMARK" target and "connmark" match.
496 Netfilter allows you to store a mark value per connection (a.k.a.
497 ctmark), similarly to the packet mark (nfmark). Using this
498 target and match, you can set and match on this mark.
500 config NETFILTER_XT_SET
501 tristate 'set target and match support'
503 depends on NETFILTER_ADVANCED
505 This option adds the "SET" target and "set" match.
507 Using this target and match, you can add/delete and match
508 elements in the sets created by ipset(8).
510 To compile it as a module, choose M here. If unsure, say N.
512 # alphabetically ordered list of targets
514 comment "Xtables targets"
516 config NETFILTER_XT_TARGET_AUDIT
517 tristate "AUDIT target support"
519 depends on NETFILTER_ADVANCED
521 This option adds a 'AUDIT' target, which can be used to create
522 audit records for packets dropped/accepted.
524 To compileit as a module, choose M here. If unsure, say N.
526 config NETFILTER_XT_TARGET_CHECKSUM
527 tristate "CHECKSUM target support"
528 depends on IP_NF_MANGLE || IP6_NF_MANGLE
529 depends on NETFILTER_ADVANCED
531 This option adds a `CHECKSUM' target, which can be used in the iptables mangle
534 You can use this target to compute and fill in the checksum in
535 a packet that lacks a checksum. This is particularly useful,
536 if you need to work around old applications such as dhcp clients,
537 that do not work well with checksum offloads, but don't want to disable
538 checksum offload in your device.
540 To compile it as a module, choose M here. If unsure, say N.
542 config NETFILTER_XT_TARGET_CLASSIFY
543 tristate '"CLASSIFY" target support'
544 depends on NETFILTER_ADVANCED
546 This option adds a `CLASSIFY' target, which enables the user to set
547 the priority of a packet. Some qdiscs can use this value for
548 classification, among these are:
550 atm, cbq, dsmark, pfifo_fast, htb, prio
552 To compile it as a module, choose M here. If unsure, say N.
554 config NETFILTER_XT_TARGET_CONNMARK
555 tristate '"CONNMARK" target support'
556 depends on NF_CONNTRACK
557 depends on NETFILTER_ADVANCED
558 select NETFILTER_XT_CONNMARK
560 This is a backwards-compat option for the user's convenience
561 (e.g. when running oldconfig). It selects
562 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
564 config NETFILTER_XT_TARGET_CONNSECMARK
565 tristate '"CONNSECMARK" target support'
566 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
567 default m if NETFILTER_ADVANCED=n
569 The CONNSECMARK target copies security markings from packets
570 to connections, and restores security markings from connections
571 to packets (if the packets are not already marked). This would
572 normally be used in conjunction with the SECMARK target.
574 To compile it as a module, choose M here. If unsure, say N.
576 config NETFILTER_XT_TARGET_CT
577 tristate '"CT" target support'
578 depends on NF_CONNTRACK
579 depends on IP_NF_RAW || IP6_NF_RAW
580 depends on NETFILTER_ADVANCED
582 This options adds a `CT' target, which allows to specify initial
583 connection tracking parameters like events to be delivered and
584 the helper to be used.
586 To compile it as a module, choose M here. If unsure, say N.
588 config NETFILTER_XT_TARGET_DSCP
589 tristate '"DSCP" and "TOS" target support'
590 depends on IP_NF_MANGLE || IP6_NF_MANGLE
591 depends on NETFILTER_ADVANCED
593 This option adds a `DSCP' target, which allows you to manipulate
594 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
596 The DSCP field can have any value between 0x0 and 0x3f inclusive.
598 It also adds the "TOS" target, which allows you to create rules in
599 the "mangle" table which alter the Type Of Service field of an IPv4
600 or the Priority field of an IPv6 packet, prior to routing.
602 To compile it as a module, choose M here. If unsure, say N.
604 config NETFILTER_XT_TARGET_HL
605 tristate '"HL" hoplimit target support'
606 depends on IP_NF_MANGLE || IP6_NF_MANGLE
607 depends on NETFILTER_ADVANCED
609 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
610 targets, which enable the user to change the
611 hoplimit/time-to-live value of the IP header.
613 While it is safe to decrement the hoplimit/TTL value, the
614 modules also allow to increment and set the hoplimit value of
615 the header to arbitrary values. This is EXTREMELY DANGEROUS
616 since you can easily create immortal packets that loop
617 forever on the network.
619 config NETFILTER_XT_TARGET_HMARK
620 tristate '"HMARK" target support'
621 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
622 depends on NETFILTER_ADVANCED
624 This option adds the "HMARK" target.
626 The target allows you to create rules in the "raw" and "mangle" tables
627 which set the skbuff mark by means of hash calculation within a given
628 range. The nfmark can influence the routing method (see "Use netfilter
629 MARK value as routing key") and can also be used by other subsystems to
630 change their behaviour.
632 To compile it as a module, choose M here. If unsure, say N.
634 config NETFILTER_XT_TARGET_IDLETIMER
635 tristate "IDLETIMER target support"
636 depends on NETFILTER_ADVANCED
639 This option adds the `IDLETIMER' target. Each matching packet
640 resets the timer associated with label specified when the rule is
641 added. When the timer expires, it triggers a sysfs notification.
642 The remaining time for expiration can be read via sysfs.
644 To compile it as a module, choose M here. If unsure, say N.
646 config NETFILTER_XT_TARGET_LED
647 tristate '"LED" target support'
648 depends on LEDS_CLASS && LEDS_TRIGGERS
649 depends on NETFILTER_ADVANCED
651 This option adds a `LED' target, which allows you to blink LEDs in
652 response to particular packets passing through your machine.
654 This can be used to turn a spare LED into a network activity LED,
655 which only flashes in response to FTP transfers, for example. Or
656 you could have an LED which lights up for a minute or two every time
657 somebody connects to your machine via SSH.
659 You will need support for the "led" class to make this work.
661 To create an LED trigger for incoming SSH traffic:
662 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
664 Then attach the new trigger to an LED on your system:
665 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
667 For more information on the LEDs available on your system, see
668 Documentation/leds/leds-class.txt
670 config NETFILTER_XT_TARGET_LOG
671 tristate "LOG target support"
672 default m if NETFILTER_ADVANCED=n
674 This option adds a `LOG' target, which allows you to create rules in
675 any iptables table which records the packet header to the syslog.
677 To compile it as a module, choose M here. If unsure, say N.
679 config NETFILTER_XT_TARGET_MARK
680 tristate '"MARK" target support'
681 depends on NETFILTER_ADVANCED
682 select NETFILTER_XT_MARK
684 This is a backwards-compat option for the user's convenience
685 (e.g. when running oldconfig). It selects
686 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
688 config NETFILTER_XT_TARGET_NETMAP
689 tristate '"NETMAP" target support'
692 NETMAP is an implementation of static 1:1 NAT mapping of network
693 addresses. It maps the network address part, while keeping the host
696 To compile it as a module, choose M here. If unsure, say N.
698 config NETFILTER_XT_TARGET_NFLOG
699 tristate '"NFLOG" target support'
700 default m if NETFILTER_ADVANCED=n
701 select NETFILTER_NETLINK_LOG
703 This option enables the NFLOG target, which allows to LOG
704 messages through nfnetlink_log.
706 To compile it as a module, choose M here. If unsure, say N.
708 config NETFILTER_XT_TARGET_NFQUEUE
709 tristate '"NFQUEUE" target Support'
710 depends on NETFILTER_ADVANCED
711 select NETFILTER_NETLINK_QUEUE
713 This target replaced the old obsolete QUEUE target.
715 As opposed to QUEUE, it supports 65535 different queues,
718 To compile it as a module, choose M here. If unsure, say N.
720 config NETFILTER_XT_TARGET_NOTRACK
721 tristate '"NOTRACK" target support (DEPRECATED)'
722 depends on NF_CONNTRACK
723 depends on IP_NF_RAW || IP6_NF_RAW
724 depends on NETFILTER_ADVANCED
725 select NETFILTER_XT_TARGET_CT
727 config NETFILTER_XT_TARGET_RATEEST
728 tristate '"RATEEST" target support'
729 depends on NETFILTER_ADVANCED
731 This option adds a `RATEEST' target, which allows to measure
732 rates similar to TC estimators. The `rateest' match can be
733 used to match on the measured rates.
735 To compile it as a module, choose M here. If unsure, say N.
737 config NETFILTER_XT_TARGET_REDIRECT
738 tristate "REDIRECT target support"
741 REDIRECT is a special case of NAT: all incoming connections are
742 mapped onto the incoming interface's address, causing the packets to
743 come to the local machine instead of passing through. This is
744 useful for transparent proxies.
746 To compile it as a module, choose M here. If unsure, say N.
748 config NETFILTER_XT_TARGET_TEE
749 tristate '"TEE" - packet cloning to alternate destination'
750 depends on NETFILTER_ADVANCED
751 depends on (IPV6 || IPV6=n)
752 depends on !NF_CONNTRACK || NF_CONNTRACK
754 This option adds a "TEE" target with which a packet can be cloned and
755 this clone be rerouted to another nexthop.
757 config NETFILTER_XT_TARGET_TPROXY
758 tristate '"TPROXY" target transparent proxying support'
759 depends on NETFILTER_XTABLES
760 depends on NETFILTER_ADVANCED
761 depends on IP_NF_MANGLE
762 select NF_DEFRAG_IPV4
763 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
765 This option adds a `TPROXY' target, which is somewhat similar to
766 REDIRECT. It can only be used in the mangle table and is useful
767 to redirect traffic to a transparent proxy. It does _not_ depend
768 on Netfilter connection tracking and NAT, unlike REDIRECT.
769 For it to work you will have to configure certain iptables rules
770 and use policy routing. For more information on how to set it up
771 see Documentation/networking/tproxy.txt.
773 To compile it as a module, choose M here. If unsure, say N.
775 config NETFILTER_XT_TARGET_TRACE
776 tristate '"TRACE" target support'
777 depends on IP_NF_RAW || IP6_NF_RAW
778 depends on NETFILTER_ADVANCED
780 The TRACE target allows you to mark packets so that the kernel
781 will log every rule which match the packets as those traverse
782 the tables, chains, rules.
784 If you want to compile it as a module, say M here and read
785 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
787 config NETFILTER_XT_TARGET_SECMARK
788 tristate '"SECMARK" target support'
789 depends on NETWORK_SECMARK
790 default m if NETFILTER_ADVANCED=n
792 The SECMARK target allows security marking of network
793 packets, for use with security subsystems.
795 To compile it as a module, choose M here. If unsure, say N.
797 config NETFILTER_XT_TARGET_TCPMSS
798 tristate '"TCPMSS" target support'
799 depends on (IPV6 || IPV6=n)
800 default m if NETFILTER_ADVANCED=n
802 This option adds a `TCPMSS' target, which allows you to alter the
803 MSS value of TCP SYN packets, to control the maximum size for that
804 connection (usually limiting it to your outgoing interface's MTU
807 This is used to overcome criminally braindead ISPs or servers which
808 block ICMP Fragmentation Needed packets. The symptoms of this
809 problem are that everything works fine from your Linux
810 firewall/router, but machines behind it can never exchange large
812 1) Web browsers connect, then hang with no data received.
813 2) Small mail works fine, but large emails hang.
814 3) ssh works fine, but scp hangs after initial handshaking.
816 Workaround: activate this option and add a rule to your firewall
819 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
820 -j TCPMSS --clamp-mss-to-pmtu
822 To compile it as a module, choose M here. If unsure, say N.
824 config NETFILTER_XT_TARGET_TCPOPTSTRIP
825 tristate '"TCPOPTSTRIP" target support'
826 depends on IP_NF_MANGLE || IP6_NF_MANGLE
827 depends on NETFILTER_ADVANCED
829 This option adds a "TCPOPTSTRIP" target, which allows you to strip
830 TCP options from TCP packets.
832 # alphabetically ordered list of matches
834 comment "Xtables matches"
836 config NETFILTER_XT_MATCH_ADDRTYPE
837 tristate '"addrtype" address type match support'
838 depends on NETFILTER_ADVANCED
840 This option allows you to match what routing thinks of an address,
841 eg. UNICAST, LOCAL, BROADCAST, ...
843 If you want to compile it as a module, say M here and read
844 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
846 config NETFILTER_XT_MATCH_BPF
847 tristate '"bpf" match support'
848 depends on NETFILTER_ADVANCED
850 BPF matching applies a linux socket filter to each packet and
851 accepts those for which the filter returns non-zero.
853 To compile it as a module, choose M here. If unsure, say N.
855 config NETFILTER_XT_MATCH_CLUSTER
856 tristate '"cluster" match support'
857 depends on NF_CONNTRACK
858 depends on NETFILTER_ADVANCED
860 This option allows you to build work-load-sharing clusters of
861 network servers/stateful firewalls without having a dedicated
862 load-balancing router/server/switch. Basically, this match returns
863 true when the packet must be handled by this cluster node. Thus,
864 all nodes see all packets and this match decides which node handles
865 what packets. The work-load sharing algorithm is based on source
868 If you say Y or M here, try `iptables -m cluster --help` for
871 config NETFILTER_XT_MATCH_COMMENT
872 tristate '"comment" match support'
873 depends on NETFILTER_ADVANCED
875 This option adds a `comment' dummy-match, which allows you to put
876 comments in your iptables ruleset.
878 If you want to compile it as a module, say M here and read
879 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
881 config NETFILTER_XT_MATCH_CONNBYTES
882 tristate '"connbytes" per-connection counter match support'
883 depends on NF_CONNTRACK
884 depends on NETFILTER_ADVANCED
886 This option adds a `connbytes' match, which allows you to match the
887 number of bytes and/or packets for each direction within a connection.
889 If you want to compile it as a module, say M here and read
890 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
892 config NETFILTER_XT_MATCH_CONNLABEL
893 tristate '"connlabel" match support'
894 select NF_CONNTRACK_LABELS
895 depends on NF_CONNTRACK
896 depends on NETFILTER_ADVANCED
898 This match allows you to test and assign userspace-defined labels names
899 to a connection. The kernel only stores bit values - mapping
900 names to bits is done by userspace.
902 Unlike connmark, more than 32 flag bits may be assigned to a
903 connection simultaneously.
905 config NETFILTER_XT_MATCH_CONNLIMIT
906 tristate '"connlimit" match support"'
907 depends on NF_CONNTRACK
908 depends on NETFILTER_ADVANCED
910 This match allows you to match against the number of parallel
911 connections to a server per client IP address (or address block).
913 config NETFILTER_XT_MATCH_CONNMARK
914 tristate '"connmark" connection mark match support'
915 depends on NF_CONNTRACK
916 depends on NETFILTER_ADVANCED
917 select NETFILTER_XT_CONNMARK
919 This is a backwards-compat option for the user's convenience
920 (e.g. when running oldconfig). It selects
921 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
923 config NETFILTER_XT_MATCH_CONNTRACK
924 tristate '"conntrack" connection tracking match support'
925 depends on NF_CONNTRACK
926 default m if NETFILTER_ADVANCED=n
928 This is a general conntrack match module, a superset of the state match.
930 It allows matching on additional conntrack information, which is
931 useful in complex configurations, such as NAT gateways with multiple
932 internet links or tunnels.
934 To compile it as a module, choose M here. If unsure, say N.
936 config NETFILTER_XT_MATCH_CPU
937 tristate '"cpu" match support'
938 depends on NETFILTER_ADVANCED
940 CPU matching allows you to match packets based on the CPU
941 currently handling the packet.
943 To compile it as a module, choose M here. If unsure, say N.
945 config NETFILTER_XT_MATCH_DCCP
946 tristate '"dccp" protocol match support'
947 depends on NETFILTER_ADVANCED
950 With this option enabled, you will be able to use the iptables
951 `dccp' match in order to match on DCCP source/destination ports
954 If you want to compile it as a module, say M here and read
955 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
957 config NETFILTER_XT_MATCH_DEVGROUP
958 tristate '"devgroup" match support'
959 depends on NETFILTER_ADVANCED
961 This options adds a `devgroup' match, which allows to match on the
962 device group a network device is assigned to.
964 To compile it as a module, choose M here. If unsure, say N.
966 config NETFILTER_XT_MATCH_DSCP
967 tristate '"dscp" and "tos" match support'
968 depends on NETFILTER_ADVANCED
970 This option adds a `DSCP' match, which allows you to match against
971 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
973 The DSCP field can have any value between 0x0 and 0x3f inclusive.
975 It will also add a "tos" match, which allows you to match packets
976 based on the Type Of Service fields of the IPv4 packet (which share
977 the same bits as DSCP).
979 To compile it as a module, choose M here. If unsure, say N.
981 config NETFILTER_XT_MATCH_ECN
982 tristate '"ecn" match support'
983 depends on NETFILTER_ADVANCED
985 This option adds an "ECN" match, which allows you to match against
986 the IPv4 and TCP header ECN fields.
988 To compile it as a module, choose M here. If unsure, say N.
990 config NETFILTER_XT_MATCH_ESP
991 tristate '"esp" match support'
992 depends on NETFILTER_ADVANCED
994 This match extension allows you to match a range of SPIs
995 inside ESP header of IPSec packets.
997 To compile it as a module, choose M here. If unsure, say N.
999 config NETFILTER_XT_MATCH_HASHLIMIT
1000 tristate '"hashlimit" match support'
1001 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
1002 depends on NETFILTER_ADVANCED
1004 This option adds a `hashlimit' match.
1006 As opposed to `limit', this match dynamically creates a hash table
1007 of limit buckets, based on your selection of source/destination
1008 addresses and/or ports.
1010 It enables you to express policies like `10kpps for any given
1011 destination address' or `500pps from any given source address'
1014 config NETFILTER_XT_MATCH_HELPER
1015 tristate '"helper" match support'
1016 depends on NF_CONNTRACK
1017 depends on NETFILTER_ADVANCED
1019 Helper matching allows you to match packets in dynamic connections
1020 tracked by a conntrack-helper, ie. ip_conntrack_ftp
1022 To compile it as a module, choose M here. If unsure, say Y.
1024 config NETFILTER_XT_MATCH_HL
1025 tristate '"hl" hoplimit/TTL match support'
1026 depends on NETFILTER_ADVANCED
1028 HL matching allows you to match packets based on the hoplimit
1029 in the IPv6 header, or the time-to-live field in the IPv4
1030 header of the packet.
1032 config NETFILTER_XT_MATCH_IPRANGE
1033 tristate '"iprange" address range match support'
1034 depends on NETFILTER_ADVANCED
1036 This option adds a "iprange" match, which allows you to match based on
1037 an IP address range. (Normal iptables only matches on single addresses
1038 with an optional mask.)
1042 config NETFILTER_XT_MATCH_IPVS
1043 tristate '"ipvs" match support'
1045 depends on NETFILTER_ADVANCED
1046 depends on NF_CONNTRACK
1048 This option allows you to match against IPVS properties of a packet.
1052 config NETFILTER_XT_MATCH_LENGTH
1053 tristate '"length" match support'
1054 depends on NETFILTER_ADVANCED
1056 This option allows you to match the length of a packet against a
1057 specific value or range of values.
1059 To compile it as a module, choose M here. If unsure, say N.
1061 config NETFILTER_XT_MATCH_LIMIT
1062 tristate '"limit" match support'
1063 depends on NETFILTER_ADVANCED
1065 limit matching allows you to control the rate at which a rule can be
1066 matched: mainly useful in combination with the LOG target ("LOG
1067 target support", below) and to avoid some Denial of Service attacks.
1069 To compile it as a module, choose M here. If unsure, say N.
1071 config NETFILTER_XT_MATCH_MAC
1072 tristate '"mac" address match support'
1073 depends on NETFILTER_ADVANCED
1075 MAC matching allows you to match packets based on the source
1076 Ethernet address of the packet.
1078 To compile it as a module, choose M here. If unsure, say N.
1080 config NETFILTER_XT_MATCH_MARK
1081 tristate '"mark" match support'
1082 depends on NETFILTER_ADVANCED
1083 select NETFILTER_XT_MARK
1085 This is a backwards-compat option for the user's convenience
1086 (e.g. when running oldconfig). It selects
1087 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1089 config NETFILTER_XT_MATCH_MULTIPORT
1090 tristate '"multiport" Multiple port match support'
1091 depends on NETFILTER_ADVANCED
1093 Multiport matching allows you to match TCP or UDP packets based on
1094 a series of source or destination ports: normally a rule can only
1095 match a single range of ports.
1097 To compile it as a module, choose M here. If unsure, say N.
1099 config NETFILTER_XT_MATCH_NFACCT
1100 tristate '"nfacct" match support'
1101 depends on NETFILTER_ADVANCED
1102 select NETFILTER_NETLINK_ACCT
1104 This option allows you to use the extended accounting through
1107 To compile it as a module, choose M here. If unsure, say N.
1109 config NETFILTER_XT_MATCH_OSF
1110 tristate '"osf" Passive OS fingerprint match'
1111 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1113 This option selects the Passive OS Fingerprinting match module
1114 that allows to passively match the remote operating system by
1115 analyzing incoming TCP SYN packets.
1117 Rules and loading software can be downloaded from
1118 http://www.ioremap.net/projects/osf
1120 To compile it as a module, choose M here. If unsure, say N.
1122 config NETFILTER_XT_MATCH_OWNER
1123 tristate '"owner" match support'
1124 depends on NETFILTER_ADVANCED
1126 Socket owner matching allows you to match locally-generated packets
1127 based on who created the socket: the user or group. It is also
1128 possible to check whether a socket actually exists.
1130 config NETFILTER_XT_MATCH_POLICY
1131 tristate 'IPsec "policy" match support'
1133 default m if NETFILTER_ADVANCED=n
1135 Policy matching allows you to match packets based on the
1136 IPsec policy that was used during decapsulation/will
1137 be used during encapsulation.
1139 To compile it as a module, choose M here. If unsure, say N.
1141 config NETFILTER_XT_MATCH_PHYSDEV
1142 tristate '"physdev" match support'
1143 depends on BRIDGE && BRIDGE_NETFILTER
1144 depends on NETFILTER_ADVANCED
1146 Physdev packet matching matches against the physical bridge ports
1147 the IP packet arrived on or will leave by.
1149 To compile it as a module, choose M here. If unsure, say N.
1151 config NETFILTER_XT_MATCH_PKTTYPE
1152 tristate '"pkttype" packet type match support'
1153 depends on NETFILTER_ADVANCED
1155 Packet type matching allows you to match a packet by
1156 its "class", eg. BROADCAST, MULTICAST, ...
1159 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1161 To compile it as a module, choose M here. If unsure, say N.
1163 config NETFILTER_XT_MATCH_QUOTA
1164 tristate '"quota" match support'
1165 depends on NETFILTER_ADVANCED
1167 This option adds a `quota' match, which allows to match on a
1170 If you want to compile it as a module, say M here and read
1171 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1173 config NETFILTER_XT_MATCH_RATEEST
1174 tristate '"rateest" match support'
1175 depends on NETFILTER_ADVANCED
1176 select NETFILTER_XT_TARGET_RATEEST
1178 This option adds a `rateest' match, which allows to match on the
1179 rate estimated by the RATEEST target.
1181 To compile it as a module, choose M here. If unsure, say N.
1183 config NETFILTER_XT_MATCH_REALM
1184 tristate '"realm" match support'
1185 depends on NETFILTER_ADVANCED
1186 select IP_ROUTE_CLASSID
1188 This option adds a `realm' match, which allows you to use the realm
1189 key from the routing subsystem inside iptables.
1191 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1194 If you want to compile it as a module, say M here and read
1195 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1197 config NETFILTER_XT_MATCH_RECENT
1198 tristate '"recent" match support'
1199 depends on NETFILTER_ADVANCED
1201 This match is used for creating one or many lists of recently
1202 used addresses and then matching against that/those list(s).
1204 Short options are available by using 'iptables -m recent -h'
1205 Official Website: <http://snowman.net/projects/ipt_recent/>
1207 config NETFILTER_XT_MATCH_SCTP
1208 tristate '"sctp" protocol match support'
1209 depends on NETFILTER_ADVANCED
1212 With this option enabled, you will be able to use the
1213 `sctp' match in order to match on SCTP source/destination ports
1214 and SCTP chunk types.
1216 If you want to compile it as a module, say M here and read
1217 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1219 config NETFILTER_XT_MATCH_SOCKET
1220 tristate '"socket" match support'
1221 depends on NETFILTER_XTABLES
1222 depends on NETFILTER_ADVANCED
1223 depends on !NF_CONNTRACK || NF_CONNTRACK
1224 depends on (IPV6 || IPV6=n)
1225 select NF_DEFRAG_IPV4
1226 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1228 This option adds a `socket' match, which can be used to match
1229 packets for which a TCP or UDP socket lookup finds a valid socket.
1230 It can be used in combination with the MARK target and policy
1231 routing to implement full featured non-locally bound sockets.
1233 To compile it as a module, choose M here. If unsure, say N.
1235 config NETFILTER_XT_MATCH_STATE
1236 tristate '"state" match support'
1237 depends on NF_CONNTRACK
1238 default m if NETFILTER_ADVANCED=n
1240 Connection state matching allows you to match packets based on their
1241 relationship to a tracked connection (ie. previous packets). This
1242 is a powerful tool for packet classification.
1244 To compile it as a module, choose M here. If unsure, say N.
1246 config NETFILTER_XT_MATCH_STATISTIC
1247 tristate '"statistic" match support'
1248 depends on NETFILTER_ADVANCED
1250 This option adds a `statistic' match, which allows you to match
1251 on packets periodically or randomly with a given percentage.
1253 To compile it as a module, choose M here. If unsure, say N.
1255 config NETFILTER_XT_MATCH_STRING
1256 tristate '"string" match support'
1257 depends on NETFILTER_ADVANCED
1259 select TEXTSEARCH_KMP
1260 select TEXTSEARCH_BM
1261 select TEXTSEARCH_FSM
1263 This option adds a `string' match, which allows you to look for
1264 pattern matchings in packets.
1266 To compile it as a module, choose M here. If unsure, say N.
1268 config NETFILTER_XT_MATCH_TCPMSS
1269 tristate '"tcpmss" match support'
1270 depends on NETFILTER_ADVANCED
1272 This option adds a `tcpmss' match, which allows you to examine the
1273 MSS value of TCP SYN packets, which control the maximum packet size
1274 for that connection.
1276 To compile it as a module, choose M here. If unsure, say N.
1278 config NETFILTER_XT_MATCH_TIME
1279 tristate '"time" match support'
1280 depends on NETFILTER_ADVANCED
1282 This option adds a "time" match, which allows you to match based on
1283 the packet arrival time (at the machine which netfilter is running)
1284 on) or departure time/date (for locally generated packets).
1286 If you say Y here, try `iptables -m time --help` for
1289 If you want to compile it as a module, say M here.
1292 config NETFILTER_XT_MATCH_U32
1293 tristate '"u32" match support'
1294 depends on NETFILTER_ADVANCED
1296 u32 allows you to extract quantities of up to 4 bytes from a packet,
1297 AND them with specified masks, shift them by specified amounts and
1298 test whether the results are in any of a set of specified ranges.
1299 The specification of what to extract is general enough to skip over
1300 headers with lengths stored in the packet, as in IP or TCP header
1303 Details and examples are in the kernel module source.
1305 endif # NETFILTER_XTABLES
1309 source "net/netfilter/ipset/Kconfig"
1311 source "net/netfilter/ipvs/Kconfig"