1 menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
4 config NETFILTER_NETLINK
7 config NETFILTER_NETLINK_ACCT
8 tristate "Netfilter NFACCT over NFNETLINK interface"
9 depends on NETFILTER_ADVANCED
10 select NETFILTER_NETLINK
12 If this option is enabled, the kernel will include support
13 for extended accounting via NFNETLINK.
15 config NETFILTER_NETLINK_QUEUE
16 tristate "Netfilter NFQUEUE over NFNETLINK interface"
17 depends on NETFILTER_ADVANCED
18 select NETFILTER_NETLINK
20 If this option is enabled, the kernel will include support
21 for queueing packets via NFNETLINK.
23 config NETFILTER_NETLINK_LOG
24 tristate "Netfilter LOG over NFNETLINK interface"
25 default m if NETFILTER_ADVANCED=n
26 select NETFILTER_NETLINK
28 If this option is enabled, the kernel will include support
29 for logging packets via NFNETLINK.
31 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
32 and is also scheduled to replace the old syslog-based ipt_LOG
36 tristate "Netfilter connection tracking support"
37 default m if NETFILTER_ADVANCED=n
39 Connection tracking keeps a record of what packets have passed
40 through your machine, in order to figure out how they are related
43 This is required to do Masquerading or other kinds of Network
44 Address Translation. It can also be used to enhance packet
45 filtering (see `Connection state match support' below).
47 To compile it as a module, choose M here. If unsure, say N.
51 config NF_CONNTRACK_MARK
52 bool 'Connection mark tracking support'
53 depends on NETFILTER_ADVANCED
55 This option enables support for connection marks, used by the
56 `CONNMARK' target and `connmark' match. Similar to the mark value
57 of packets, but this mark value is kept in the conntrack session
58 instead of the individual packets.
60 config NF_CONNTRACK_SECMARK
61 bool 'Connection tracking security mark support'
62 depends on NETWORK_SECMARK
63 default m if NETFILTER_ADVANCED=n
65 This option enables security markings to be applied to
66 connections. Typically they are copied to connections from
67 packets using the CONNSECMARK target and copied back from
68 connections to packets with the same target, with the packets
69 being originally labeled via SECMARK.
73 config NF_CONNTRACK_ZONES
74 bool 'Connection tracking zones'
75 depends on NETFILTER_ADVANCED
76 depends on NETFILTER_XT_TARGET_CT
78 This option enables support for connection tracking zones.
79 Normally, each connection needs to have a unique system wide
80 identity. Connection tracking zones allow to have multiple
81 connections using the same identity, as long as they are
82 contained in different zones.
86 config NF_CONNTRACK_PROCFS
87 bool "Supply CT list in procfs (OBSOLETE)"
91 This option enables for the list of known conntrack entries
92 to be shown in procfs under net/netfilter/nf_conntrack. This
93 is considered obsolete in favor of using the conntrack(8)
94 tool which uses Netlink.
96 config NF_CONNTRACK_EVENTS
97 bool "Connection tracking events"
98 depends on NETFILTER_ADVANCED
100 If this option is enabled, the connection tracking code will
101 provide a notifier chain that can be used by other kernel code
102 to get notified about changes in the connection tracking state.
106 config NF_CONNTRACK_TIMEOUT
107 bool 'Connection tracking timeout'
108 depends on NETFILTER_ADVANCED
110 This option enables support for connection tracking timeout
111 extension. This allows you to attach timeout policies to flow
116 config NF_CONNTRACK_TIMESTAMP
117 bool 'Connection tracking timestamping'
118 depends on NETFILTER_ADVANCED
120 This option enables support for connection tracking timestamping.
121 This allows you to store the flow start-time and to obtain
122 the flow-stop time (once it has been destroyed) via Connection
127 config NF_CT_PROTO_DCCP
128 tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
129 depends on EXPERIMENTAL
130 depends on NETFILTER_ADVANCED
133 With this option enabled, the layer 3 independent connection
134 tracking code will be able to do state tracking on DCCP connections.
138 config NF_CT_PROTO_GRE
141 config NF_CT_PROTO_SCTP
142 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
143 depends on EXPERIMENTAL
144 depends on NETFILTER_ADVANCED
147 With this option enabled, the layer 3 independent connection
148 tracking code will be able to do state tracking on SCTP connections.
150 If you want to compile it as a module, say M here and read
151 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
153 config NF_CT_PROTO_UDPLITE
154 tristate 'UDP-Lite protocol connection tracking support'
155 depends on NETFILTER_ADVANCED
157 With this option enabled, the layer 3 independent connection
158 tracking code will be able to do state tracking on UDP-Lite
161 To compile it as a module, choose M here. If unsure, say N.
163 config NF_CONNTRACK_AMANDA
164 tristate "Amanda backup protocol support"
165 depends on NETFILTER_ADVANCED
167 select TEXTSEARCH_KMP
169 If you are running the Amanda backup package <http://www.amanda.org/>
170 on this machine or machines that will be MASQUERADED through this
171 machine, then you may want to enable this feature. This allows the
172 connection tracking and natting code to allow the sub-channels that
173 Amanda requires for communication of the backup data, messages and
176 To compile it as a module, choose M here. If unsure, say N.
178 config NF_CONNTRACK_FTP
179 tristate "FTP protocol support"
180 default m if NETFILTER_ADVANCED=n
182 Tracking FTP connections is problematic: special helpers are
183 required for tracking them, and doing masquerading and other forms
184 of Network Address Translation on them.
186 This is FTP support on Layer 3 independent connection tracking.
187 Layer 3 independent connection tracking is experimental scheme
188 which generalize ip_conntrack to support other layer 3 protocols.
190 To compile it as a module, choose M here. If unsure, say N.
192 config NF_CONNTRACK_H323
193 tristate "H.323 protocol support"
194 depends on (IPV6 || IPV6=n)
195 depends on NETFILTER_ADVANCED
197 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
198 important VoIP protocols, it is widely used by voice hardware and
199 software including voice gateways, IP phones, Netmeeting, OpenPhone,
202 With this module you can support H.323 on a connection tracking/NAT
205 This module supports RAS, Fast Start, H.245 Tunnelling, Call
206 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
207 whiteboard, file transfer, etc. For more information, please
208 visit http://nath323.sourceforge.net/.
210 To compile it as a module, choose M here. If unsure, say N.
212 config NF_CONNTRACK_IRC
213 tristate "IRC protocol support"
214 default m if NETFILTER_ADVANCED=n
216 There is a commonly-used extension to IRC called
217 Direct Client-to-Client Protocol (DCC). This enables users to send
218 files to each other, and also chat to each other without the need
219 of a server. DCC Sending is used anywhere you send files over IRC,
220 and DCC Chat is most commonly used by Eggdrop bots. If you are
221 using NAT, this extension will enable you to send files and initiate
222 chats. Note that you do NOT need this extension to get files or
223 have others initiate chats, or everything else in IRC.
225 To compile it as a module, choose M here. If unsure, say N.
227 config NF_CONNTRACK_BROADCAST
230 config NF_CONNTRACK_NETBIOS_NS
231 tristate "NetBIOS name service protocol support"
232 select NF_CONNTRACK_BROADCAST
234 NetBIOS name service requests are sent as broadcast messages from an
235 unprivileged port and responded to with unicast messages to the
236 same port. This make them hard to firewall properly because connection
237 tracking doesn't deal with broadcasts. This helper tracks locally
238 originating NetBIOS name service requests and the corresponding
239 responses. It relies on correct IP address configuration, specifically
240 netmask and broadcast address. When properly configured, the output
241 of "ip address show" should look similar to this:
243 $ ip -4 address show eth0
244 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
245 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
247 To compile it as a module, choose M here. If unsure, say N.
249 config NF_CONNTRACK_SNMP
250 tristate "SNMP service protocol support"
251 depends on NETFILTER_ADVANCED
252 select NF_CONNTRACK_BROADCAST
254 SNMP service requests are sent as broadcast messages from an
255 unprivileged port and responded to with unicast messages to the
256 same port. This make them hard to firewall properly because connection
257 tracking doesn't deal with broadcasts. This helper tracks locally
258 originating SNMP service requests and the corresponding
259 responses. It relies on correct IP address configuration, specifically
260 netmask and broadcast address.
262 To compile it as a module, choose M here. If unsure, say N.
264 config NF_CONNTRACK_PPTP
265 tristate "PPtP protocol support"
266 depends on NETFILTER_ADVANCED
267 select NF_CT_PROTO_GRE
269 This module adds support for PPTP (Point to Point Tunnelling
270 Protocol, RFC2637) connection tracking and NAT.
272 If you are running PPTP sessions over a stateful firewall or NAT
273 box, you may want to enable this feature.
275 Please note that not all PPTP modes of operation are supported yet.
276 Specifically these limitations exist:
277 - Blindly assumes that control connections are always established
278 in PNS->PAC direction. This is a violation of RFC2637.
279 - Only supports a single call within each session
281 To compile it as a module, choose M here. If unsure, say N.
283 config NF_CONNTRACK_SANE
284 tristate "SANE protocol support (EXPERIMENTAL)"
285 depends on EXPERIMENTAL
286 depends on NETFILTER_ADVANCED
288 SANE is a protocol for remote access to scanners as implemented
289 by the 'saned' daemon. Like FTP, it uses separate control and
292 With this module you can support SANE on a connection tracking
295 To compile it as a module, choose M here. If unsure, say N.
297 config NF_CONNTRACK_SIP
298 tristate "SIP protocol support"
299 default m if NETFILTER_ADVANCED=n
301 SIP is an application-layer control protocol that can establish,
302 modify, and terminate multimedia sessions (conferences) such as
303 Internet telephony calls. With the ip_conntrack_sip and
304 the nf_nat_sip modules you can support the protocol on a connection
305 tracking/NATing firewall.
307 To compile it as a module, choose M here. If unsure, say N.
309 config NF_CONNTRACK_TFTP
310 tristate "TFTP protocol support"
311 depends on NETFILTER_ADVANCED
313 TFTP connection tracking helper, this is required depending
314 on how restrictive your ruleset is.
315 If you are using a tftp client behind -j SNAT or -j MASQUERADING
318 To compile it as a module, choose M here. If unsure, say N.
321 tristate 'Connection tracking netlink interface'
322 select NETFILTER_NETLINK
323 default m if NETFILTER_ADVANCED=n
325 This option enables support for a netlink-based userspace interface
327 config NF_CT_NETLINK_TIMEOUT
328 tristate 'Connection tracking timeout tuning via Netlink'
329 select NETFILTER_NETLINK
330 depends on NETFILTER_ADVANCED
332 This option enables support for connection tracking timeout
333 fine-grain tuning. This allows you to attach specific timeout
334 policies to flows, instead of using the global timeout policy.
338 config NF_CT_NETLINK_HELPER
339 tristate 'Connection tracking helpers in user-space via Netlink'
340 select NETFILTER_NETLINK
341 depends on NF_CT_NETLINK
342 depends on NETFILTER_NETLINK_QUEUE
343 depends on NETFILTER_ADVANCED
345 This option enables the user-space connection tracking helpers
352 # transparent proxy support
353 config NETFILTER_TPROXY
354 tristate "Transparent proxying support (EXPERIMENTAL)"
355 depends on EXPERIMENTAL
356 depends on IP_NF_MANGLE
357 depends on NETFILTER_ADVANCED
359 This option enables transparent proxying support, that is,
360 support for handling non-locally bound IPv4 TCP and UDP sockets.
361 For it to work you will have to configure certain iptables rules
362 and use policy routing. For more information on how to set it up
363 see Documentation/networking/tproxy.txt.
365 To compile it as a module, choose M here. If unsure, say N.
367 config NETFILTER_XTABLES
368 tristate "Netfilter Xtables support (required for ip_tables)"
369 default m if NETFILTER_ADVANCED=n
371 This is required if you intend to use any of ip_tables,
372 ip6_tables or arp_tables.
376 comment "Xtables combined modules"
378 config NETFILTER_XT_MARK
379 tristate 'nfmark target and match support'
380 default m if NETFILTER_ADVANCED=n
382 This option adds the "MARK" target and "mark" match.
384 Netfilter mark matching allows you to match packets based on the
385 "nfmark" value in the packet.
386 The target allows you to create rules in the "mangle" table which alter
387 the netfilter mark (nfmark) field associated with the packet.
389 Prior to routing, the nfmark can influence the routing method (see
390 "Use netfilter MARK value as routing key") and can also be used by
391 other subsystems to change their behavior.
393 config NETFILTER_XT_CONNMARK
394 tristate 'ctmark target and match support'
395 depends on NF_CONNTRACK
396 depends on NETFILTER_ADVANCED
397 select NF_CONNTRACK_MARK
399 This option adds the "CONNMARK" target and "connmark" match.
401 Netfilter allows you to store a mark value per connection (a.k.a.
402 ctmark), similarly to the packet mark (nfmark). Using this
403 target and match, you can set and match on this mark.
405 config NETFILTER_XT_SET
406 tristate 'set target and match support'
408 depends on NETFILTER_ADVANCED
410 This option adds the "SET" target and "set" match.
412 Using this target and match, you can add/delete and match
413 elements in the sets created by ipset(8).
415 To compile it as a module, choose M here. If unsure, say N.
417 # alphabetically ordered list of targets
419 comment "Xtables targets"
421 config NETFILTER_XT_TARGET_AUDIT
422 tristate "AUDIT target support"
424 depends on NETFILTER_ADVANCED
426 This option adds a 'AUDIT' target, which can be used to create
427 audit records for packets dropped/accepted.
429 To compileit as a module, choose M here. If unsure, say N.
431 config NETFILTER_XT_TARGET_CHECKSUM
432 tristate "CHECKSUM target support"
433 depends on IP_NF_MANGLE || IP6_NF_MANGLE
434 depends on NETFILTER_ADVANCED
436 This option adds a `CHECKSUM' target, which can be used in the iptables mangle
439 You can use this target to compute and fill in the checksum in
440 a packet that lacks a checksum. This is particularly useful,
441 if you need to work around old applications such as dhcp clients,
442 that do not work well with checksum offloads, but don't want to disable
443 checksum offload in your device.
445 To compile it as a module, choose M here. If unsure, say N.
447 config NETFILTER_XT_TARGET_CLASSIFY
448 tristate '"CLASSIFY" target support'
449 depends on NETFILTER_ADVANCED
451 This option adds a `CLASSIFY' target, which enables the user to set
452 the priority of a packet. Some qdiscs can use this value for
453 classification, among these are:
455 atm, cbq, dsmark, pfifo_fast, htb, prio
457 To compile it as a module, choose M here. If unsure, say N.
459 config NETFILTER_XT_TARGET_CONNMARK
460 tristate '"CONNMARK" target support'
461 depends on NF_CONNTRACK
462 depends on NETFILTER_ADVANCED
463 select NETFILTER_XT_CONNMARK
465 This is a backwards-compat option for the user's convenience
466 (e.g. when running oldconfig). It selects
467 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
469 config NETFILTER_XT_TARGET_CONNSECMARK
470 tristate '"CONNSECMARK" target support'
471 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
472 default m if NETFILTER_ADVANCED=n
474 The CONNSECMARK target copies security markings from packets
475 to connections, and restores security markings from connections
476 to packets (if the packets are not already marked). This would
477 normally be used in conjunction with the SECMARK target.
479 To compile it as a module, choose M here. If unsure, say N.
481 config NETFILTER_XT_TARGET_CT
482 tristate '"CT" target support'
483 depends on NF_CONNTRACK
484 depends on IP_NF_RAW || IP6_NF_RAW
485 depends on NETFILTER_ADVANCED
487 This options adds a `CT' target, which allows to specify initial
488 connection tracking parameters like events to be delivered and
489 the helper to be used.
491 To compile it as a module, choose M here. If unsure, say N.
493 config NETFILTER_XT_TARGET_DSCP
494 tristate '"DSCP" and "TOS" target support'
495 depends on IP_NF_MANGLE || IP6_NF_MANGLE
496 depends on NETFILTER_ADVANCED
498 This option adds a `DSCP' target, which allows you to manipulate
499 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
501 The DSCP field can have any value between 0x0 and 0x3f inclusive.
503 It also adds the "TOS" target, which allows you to create rules in
504 the "mangle" table which alter the Type Of Service field of an IPv4
505 or the Priority field of an IPv6 packet, prior to routing.
507 To compile it as a module, choose M here. If unsure, say N.
509 config NETFILTER_XT_TARGET_HL
510 tristate '"HL" hoplimit target support'
511 depends on IP_NF_MANGLE || IP6_NF_MANGLE
512 depends on NETFILTER_ADVANCED
514 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
515 targets, which enable the user to change the
516 hoplimit/time-to-live value of the IP header.
518 While it is safe to decrement the hoplimit/TTL value, the
519 modules also allow to increment and set the hoplimit value of
520 the header to arbitrary values. This is EXTREMELY DANGEROUS
521 since you can easily create immortal packets that loop
522 forever on the network.
524 config NETFILTER_XT_TARGET_HMARK
525 tristate '"HMARK" target support'
526 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
527 depends on NETFILTER_ADVANCED
529 This option adds the "HMARK" target.
531 The target allows you to create rules in the "raw" and "mangle" tables
532 which set the skbuff mark by means of hash calculation within a given
533 range. The nfmark can influence the routing method (see "Use netfilter
534 MARK value as routing key") and can also be used by other subsystems to
535 change their behaviour.
537 To compile it as a module, choose M here. If unsure, say N.
539 config NETFILTER_XT_TARGET_IDLETIMER
540 tristate "IDLETIMER target support"
541 depends on NETFILTER_ADVANCED
544 This option adds the `IDLETIMER' target. Each matching packet
545 resets the timer associated with label specified when the rule is
546 added. When the timer expires, it triggers a sysfs notification.
547 The remaining time for expiration can be read via sysfs.
549 To compile it as a module, choose M here. If unsure, say N.
551 config NETFILTER_XT_TARGET_LED
552 tristate '"LED" target support'
553 depends on LEDS_CLASS && LEDS_TRIGGERS
554 depends on NETFILTER_ADVANCED
556 This option adds a `LED' target, which allows you to blink LEDs in
557 response to particular packets passing through your machine.
559 This can be used to turn a spare LED into a network activity LED,
560 which only flashes in response to FTP transfers, for example. Or
561 you could have an LED which lights up for a minute or two every time
562 somebody connects to your machine via SSH.
564 You will need support for the "led" class to make this work.
566 To create an LED trigger for incoming SSH traffic:
567 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
569 Then attach the new trigger to an LED on your system:
570 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
572 For more information on the LEDs available on your system, see
573 Documentation/leds/leds-class.txt
575 config NETFILTER_XT_TARGET_LOG
576 tristate "LOG target support"
577 default m if NETFILTER_ADVANCED=n
579 This option adds a `LOG' target, which allows you to create rules in
580 any iptables table which records the packet header to the syslog.
582 To compile it as a module, choose M here. If unsure, say N.
584 config NETFILTER_XT_TARGET_MARK
585 tristate '"MARK" target support'
586 depends on NETFILTER_ADVANCED
587 select NETFILTER_XT_MARK
589 This is a backwards-compat option for the user's convenience
590 (e.g. when running oldconfig). It selects
591 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
593 config NETFILTER_XT_TARGET_NFLOG
594 tristate '"NFLOG" target support'
595 default m if NETFILTER_ADVANCED=n
596 select NETFILTER_NETLINK_LOG
598 This option enables the NFLOG target, which allows to LOG
599 messages through nfnetlink_log.
601 To compile it as a module, choose M here. If unsure, say N.
603 config NETFILTER_XT_TARGET_NFQUEUE
604 tristate '"NFQUEUE" target Support'
605 depends on NETFILTER_ADVANCED
606 select NETFILTER_NETLINK_QUEUE
608 This target replaced the old obsolete QUEUE target.
610 As opposed to QUEUE, it supports 65535 different queues,
613 To compile it as a module, choose M here. If unsure, say N.
615 config NETFILTER_XT_TARGET_NOTRACK
616 tristate '"NOTRACK" target support'
617 depends on IP_NF_RAW || IP6_NF_RAW
618 depends on NF_CONNTRACK
620 The NOTRACK target allows a select rule to specify
621 which packets *not* to enter the conntrack/NAT
622 subsystem with all the consequences (no ICMP error tracking,
623 no protocol helpers for the selected packets).
625 If you want to compile it as a module, say M here and read
626 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
628 config NETFILTER_XT_TARGET_RATEEST
629 tristate '"RATEEST" target support'
630 depends on NETFILTER_ADVANCED
632 This option adds a `RATEEST' target, which allows to measure
633 rates similar to TC estimators. The `rateest' match can be
634 used to match on the measured rates.
636 To compile it as a module, choose M here. If unsure, say N.
638 config NETFILTER_XT_TARGET_TEE
639 tristate '"TEE" - packet cloning to alternate destination'
640 depends on NETFILTER_ADVANCED
641 depends on (IPV6 || IPV6=n)
642 depends on !NF_CONNTRACK || NF_CONNTRACK
644 This option adds a "TEE" target with which a packet can be cloned and
645 this clone be rerouted to another nexthop.
647 config NETFILTER_XT_TARGET_TPROXY
648 tristate '"TPROXY" target support (EXPERIMENTAL)'
649 depends on EXPERIMENTAL
650 depends on NETFILTER_TPROXY
651 depends on NETFILTER_XTABLES
652 depends on NETFILTER_ADVANCED
653 select NF_DEFRAG_IPV4
654 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
656 This option adds a `TPROXY' target, which is somewhat similar to
657 REDIRECT. It can only be used in the mangle table and is useful
658 to redirect traffic to a transparent proxy. It does _not_ depend
659 on Netfilter connection tracking and NAT, unlike REDIRECT.
661 To compile it as a module, choose M here. If unsure, say N.
663 config NETFILTER_XT_TARGET_TRACE
664 tristate '"TRACE" target support'
665 depends on IP_NF_RAW || IP6_NF_RAW
666 depends on NETFILTER_ADVANCED
668 The TRACE target allows you to mark packets so that the kernel
669 will log every rule which match the packets as those traverse
670 the tables, chains, rules.
672 If you want to compile it as a module, say M here and read
673 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
675 config NETFILTER_XT_TARGET_SECMARK
676 tristate '"SECMARK" target support'
677 depends on NETWORK_SECMARK
678 default m if NETFILTER_ADVANCED=n
680 The SECMARK target allows security marking of network
681 packets, for use with security subsystems.
683 To compile it as a module, choose M here. If unsure, say N.
685 config NETFILTER_XT_TARGET_TCPMSS
686 tristate '"TCPMSS" target support'
687 depends on (IPV6 || IPV6=n)
688 default m if NETFILTER_ADVANCED=n
690 This option adds a `TCPMSS' target, which allows you to alter the
691 MSS value of TCP SYN packets, to control the maximum size for that
692 connection (usually limiting it to your outgoing interface's MTU
695 This is used to overcome criminally braindead ISPs or servers which
696 block ICMP Fragmentation Needed packets. The symptoms of this
697 problem are that everything works fine from your Linux
698 firewall/router, but machines behind it can never exchange large
700 1) Web browsers connect, then hang with no data received.
701 2) Small mail works fine, but large emails hang.
702 3) ssh works fine, but scp hangs after initial handshaking.
704 Workaround: activate this option and add a rule to your firewall
707 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
708 -j TCPMSS --clamp-mss-to-pmtu
710 To compile it as a module, choose M here. If unsure, say N.
712 config NETFILTER_XT_TARGET_TCPOPTSTRIP
713 tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
714 depends on EXPERIMENTAL
715 depends on IP_NF_MANGLE || IP6_NF_MANGLE
716 depends on NETFILTER_ADVANCED
718 This option adds a "TCPOPTSTRIP" target, which allows you to strip
719 TCP options from TCP packets.
721 # alphabetically ordered list of matches
723 comment "Xtables matches"
725 config NETFILTER_XT_MATCH_ADDRTYPE
726 tristate '"addrtype" address type match support'
727 depends on NETFILTER_ADVANCED
729 This option allows you to match what routing thinks of an address,
730 eg. UNICAST, LOCAL, BROADCAST, ...
732 If you want to compile it as a module, say M here and read
733 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
735 config NETFILTER_XT_MATCH_CLUSTER
736 tristate '"cluster" match support'
737 depends on NF_CONNTRACK
738 depends on NETFILTER_ADVANCED
740 This option allows you to build work-load-sharing clusters of
741 network servers/stateful firewalls without having a dedicated
742 load-balancing router/server/switch. Basically, this match returns
743 true when the packet must be handled by this cluster node. Thus,
744 all nodes see all packets and this match decides which node handles
745 what packets. The work-load sharing algorithm is based on source
748 If you say Y or M here, try `iptables -m cluster --help` for
751 config NETFILTER_XT_MATCH_COMMENT
752 tristate '"comment" match support'
753 depends on NETFILTER_ADVANCED
755 This option adds a `comment' dummy-match, which allows you to put
756 comments in your iptables ruleset.
758 If you want to compile it as a module, say M here and read
759 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
761 config NETFILTER_XT_MATCH_CONNBYTES
762 tristate '"connbytes" per-connection counter match support'
763 depends on NF_CONNTRACK
764 depends on NETFILTER_ADVANCED
766 This option adds a `connbytes' match, which allows you to match the
767 number of bytes and/or packets for each direction within a connection.
769 If you want to compile it as a module, say M here and read
770 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
772 config NETFILTER_XT_MATCH_CONNLIMIT
773 tristate '"connlimit" match support"'
774 depends on NF_CONNTRACK
775 depends on NETFILTER_ADVANCED
777 This match allows you to match against the number of parallel
778 connections to a server per client IP address (or address block).
780 config NETFILTER_XT_MATCH_CONNMARK
781 tristate '"connmark" connection mark match support'
782 depends on NF_CONNTRACK
783 depends on NETFILTER_ADVANCED
784 select NETFILTER_XT_CONNMARK
786 This is a backwards-compat option for the user's convenience
787 (e.g. when running oldconfig). It selects
788 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
790 config NETFILTER_XT_MATCH_CONNTRACK
791 tristate '"conntrack" connection tracking match support'
792 depends on NF_CONNTRACK
793 default m if NETFILTER_ADVANCED=n
795 This is a general conntrack match module, a superset of the state match.
797 It allows matching on additional conntrack information, which is
798 useful in complex configurations, such as NAT gateways with multiple
799 internet links or tunnels.
801 To compile it as a module, choose M here. If unsure, say N.
803 config NETFILTER_XT_MATCH_CPU
804 tristate '"cpu" match support'
805 depends on NETFILTER_ADVANCED
807 CPU matching allows you to match packets based on the CPU
808 currently handling the packet.
810 To compile it as a module, choose M here. If unsure, say N.
812 config NETFILTER_XT_MATCH_DCCP
813 tristate '"dccp" protocol match support'
814 depends on NETFILTER_ADVANCED
817 With this option enabled, you will be able to use the iptables
818 `dccp' match in order to match on DCCP source/destination ports
821 If you want to compile it as a module, say M here and read
822 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
824 config NETFILTER_XT_MATCH_DEVGROUP
825 tristate '"devgroup" match support'
826 depends on NETFILTER_ADVANCED
828 This options adds a `devgroup' match, which allows to match on the
829 device group a network device is assigned to.
831 To compile it as a module, choose M here. If unsure, say N.
833 config NETFILTER_XT_MATCH_DSCP
834 tristate '"dscp" and "tos" match support'
835 depends on NETFILTER_ADVANCED
837 This option adds a `DSCP' match, which allows you to match against
838 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
840 The DSCP field can have any value between 0x0 and 0x3f inclusive.
842 It will also add a "tos" match, which allows you to match packets
843 based on the Type Of Service fields of the IPv4 packet (which share
844 the same bits as DSCP).
846 To compile it as a module, choose M here. If unsure, say N.
848 config NETFILTER_XT_MATCH_ECN
849 tristate '"ecn" match support'
850 depends on NETFILTER_ADVANCED
852 This option adds an "ECN" match, which allows you to match against
853 the IPv4 and TCP header ECN fields.
855 To compile it as a module, choose M here. If unsure, say N.
857 config NETFILTER_XT_MATCH_ESP
858 tristate '"esp" match support'
859 depends on NETFILTER_ADVANCED
861 This match extension allows you to match a range of SPIs
862 inside ESP header of IPSec packets.
864 To compile it as a module, choose M here. If unsure, say N.
866 config NETFILTER_XT_MATCH_HASHLIMIT
867 tristate '"hashlimit" match support'
868 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
869 depends on NETFILTER_ADVANCED
871 This option adds a `hashlimit' match.
873 As opposed to `limit', this match dynamically creates a hash table
874 of limit buckets, based on your selection of source/destination
875 addresses and/or ports.
877 It enables you to express policies like `10kpps for any given
878 destination address' or `500pps from any given source address'
881 config NETFILTER_XT_MATCH_HELPER
882 tristate '"helper" match support'
883 depends on NF_CONNTRACK
884 depends on NETFILTER_ADVANCED
886 Helper matching allows you to match packets in dynamic connections
887 tracked by a conntrack-helper, ie. ip_conntrack_ftp
889 To compile it as a module, choose M here. If unsure, say Y.
891 config NETFILTER_XT_MATCH_HL
892 tristate '"hl" hoplimit/TTL match support'
893 depends on NETFILTER_ADVANCED
895 HL matching allows you to match packets based on the hoplimit
896 in the IPv6 header, or the time-to-live field in the IPv4
897 header of the packet.
899 config NETFILTER_XT_MATCH_IPRANGE
900 tristate '"iprange" address range match support'
901 depends on NETFILTER_ADVANCED
903 This option adds a "iprange" match, which allows you to match based on
904 an IP address range. (Normal iptables only matches on single addresses
905 with an optional mask.)
909 config NETFILTER_XT_MATCH_IPVS
910 tristate '"ipvs" match support'
912 depends on NETFILTER_ADVANCED
913 depends on NF_CONNTRACK
915 This option allows you to match against IPVS properties of a packet.
919 config NETFILTER_XT_MATCH_LENGTH
920 tristate '"length" match support'
921 depends on NETFILTER_ADVANCED
923 This option allows you to match the length of a packet against a
924 specific value or range of values.
926 To compile it as a module, choose M here. If unsure, say N.
928 config NETFILTER_XT_MATCH_LIMIT
929 tristate '"limit" match support'
930 depends on NETFILTER_ADVANCED
932 limit matching allows you to control the rate at which a rule can be
933 matched: mainly useful in combination with the LOG target ("LOG
934 target support", below) and to avoid some Denial of Service attacks.
936 To compile it as a module, choose M here. If unsure, say N.
938 config NETFILTER_XT_MATCH_MAC
939 tristate '"mac" address match support'
940 depends on NETFILTER_ADVANCED
942 MAC matching allows you to match packets based on the source
943 Ethernet address of the packet.
945 To compile it as a module, choose M here. If unsure, say N.
947 config NETFILTER_XT_MATCH_MARK
948 tristate '"mark" match support'
949 depends on NETFILTER_ADVANCED
950 select NETFILTER_XT_MARK
952 This is a backwards-compat option for the user's convenience
953 (e.g. when running oldconfig). It selects
954 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
956 config NETFILTER_XT_MATCH_MULTIPORT
957 tristate '"multiport" Multiple port match support'
958 depends on NETFILTER_ADVANCED
960 Multiport matching allows you to match TCP or UDP packets based on
961 a series of source or destination ports: normally a rule can only
962 match a single range of ports.
964 To compile it as a module, choose M here. If unsure, say N.
966 config NETFILTER_XT_MATCH_NFACCT
967 tristate '"nfacct" match support'
968 depends on NETFILTER_ADVANCED
969 select NETFILTER_NETLINK_ACCT
971 This option allows you to use the extended accounting through
974 To compile it as a module, choose M here. If unsure, say N.
976 config NETFILTER_XT_MATCH_OSF
977 tristate '"osf" Passive OS fingerprint match'
978 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
980 This option selects the Passive OS Fingerprinting match module
981 that allows to passively match the remote operating system by
982 analyzing incoming TCP SYN packets.
984 Rules and loading software can be downloaded from
985 http://www.ioremap.net/projects/osf
987 To compile it as a module, choose M here. If unsure, say N.
989 config NETFILTER_XT_MATCH_OWNER
990 tristate '"owner" match support'
991 depends on NETFILTER_ADVANCED
993 Socket owner matching allows you to match locally-generated packets
994 based on who created the socket: the user or group. It is also
995 possible to check whether a socket actually exists.
997 config NETFILTER_XT_MATCH_POLICY
998 tristate 'IPsec "policy" match support'
1000 default m if NETFILTER_ADVANCED=n
1002 Policy matching allows you to match packets based on the
1003 IPsec policy that was used during decapsulation/will
1004 be used during encapsulation.
1006 To compile it as a module, choose M here. If unsure, say N.
1008 config NETFILTER_XT_MATCH_PHYSDEV
1009 tristate '"physdev" match support'
1010 depends on BRIDGE && BRIDGE_NETFILTER
1011 depends on NETFILTER_ADVANCED
1013 Physdev packet matching matches against the physical bridge ports
1014 the IP packet arrived on or will leave by.
1016 To compile it as a module, choose M here. If unsure, say N.
1018 config NETFILTER_XT_MATCH_PKTTYPE
1019 tristate '"pkttype" packet type match support'
1020 depends on NETFILTER_ADVANCED
1022 Packet type matching allows you to match a packet by
1023 its "class", eg. BROADCAST, MULTICAST, ...
1026 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1028 To compile it as a module, choose M here. If unsure, say N.
1030 config NETFILTER_XT_MATCH_QUOTA
1031 tristate '"quota" match support'
1032 depends on NETFILTER_ADVANCED
1034 This option adds a `quota' match, which allows to match on a
1037 If you want to compile it as a module, say M here and read
1038 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1040 config NETFILTER_XT_MATCH_RATEEST
1041 tristate '"rateest" match support'
1042 depends on NETFILTER_ADVANCED
1043 select NETFILTER_XT_TARGET_RATEEST
1045 This option adds a `rateest' match, which allows to match on the
1046 rate estimated by the RATEEST target.
1048 To compile it as a module, choose M here. If unsure, say N.
1050 config NETFILTER_XT_MATCH_REALM
1051 tristate '"realm" match support'
1052 depends on NETFILTER_ADVANCED
1053 select IP_ROUTE_CLASSID
1055 This option adds a `realm' match, which allows you to use the realm
1056 key from the routing subsystem inside iptables.
1058 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1061 If you want to compile it as a module, say M here and read
1062 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1064 config NETFILTER_XT_MATCH_RECENT
1065 tristate '"recent" match support'
1066 depends on NETFILTER_ADVANCED
1068 This match is used for creating one or many lists of recently
1069 used addresses and then matching against that/those list(s).
1071 Short options are available by using 'iptables -m recent -h'
1072 Official Website: <http://snowman.net/projects/ipt_recent/>
1074 config NETFILTER_XT_MATCH_SCTP
1075 tristate '"sctp" protocol match support (EXPERIMENTAL)'
1076 depends on EXPERIMENTAL
1077 depends on NETFILTER_ADVANCED
1080 With this option enabled, you will be able to use the
1081 `sctp' match in order to match on SCTP source/destination ports
1082 and SCTP chunk types.
1084 If you want to compile it as a module, say M here and read
1085 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1087 config NETFILTER_XT_MATCH_SOCKET
1088 tristate '"socket" match support (EXPERIMENTAL)'
1089 depends on EXPERIMENTAL
1090 depends on NETFILTER_TPROXY
1091 depends on NETFILTER_XTABLES
1092 depends on NETFILTER_ADVANCED
1093 depends on !NF_CONNTRACK || NF_CONNTRACK
1094 select NF_DEFRAG_IPV4
1095 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1097 This option adds a `socket' match, which can be used to match
1098 packets for which a TCP or UDP socket lookup finds a valid socket.
1099 It can be used in combination with the MARK target and policy
1100 routing to implement full featured non-locally bound sockets.
1102 To compile it as a module, choose M here. If unsure, say N.
1104 config NETFILTER_XT_MATCH_STATE
1105 tristate '"state" match support'
1106 depends on NF_CONNTRACK
1107 default m if NETFILTER_ADVANCED=n
1109 Connection state matching allows you to match packets based on their
1110 relationship to a tracked connection (ie. previous packets). This
1111 is a powerful tool for packet classification.
1113 To compile it as a module, choose M here. If unsure, say N.
1115 config NETFILTER_XT_MATCH_STATISTIC
1116 tristate '"statistic" match support'
1117 depends on NETFILTER_ADVANCED
1119 This option adds a `statistic' match, which allows you to match
1120 on packets periodically or randomly with a given percentage.
1122 To compile it as a module, choose M here. If unsure, say N.
1124 config NETFILTER_XT_MATCH_STRING
1125 tristate '"string" match support'
1126 depends on NETFILTER_ADVANCED
1128 select TEXTSEARCH_KMP
1129 select TEXTSEARCH_BM
1130 select TEXTSEARCH_FSM
1132 This option adds a `string' match, which allows you to look for
1133 pattern matchings in packets.
1135 To compile it as a module, choose M here. If unsure, say N.
1137 config NETFILTER_XT_MATCH_TCPMSS
1138 tristate '"tcpmss" match support'
1139 depends on NETFILTER_ADVANCED
1141 This option adds a `tcpmss' match, which allows you to examine the
1142 MSS value of TCP SYN packets, which control the maximum packet size
1143 for that connection.
1145 To compile it as a module, choose M here. If unsure, say N.
1147 config NETFILTER_XT_MATCH_TIME
1148 tristate '"time" match support'
1149 depends on NETFILTER_ADVANCED
1151 This option adds a "time" match, which allows you to match based on
1152 the packet arrival time (at the machine which netfilter is running)
1153 on) or departure time/date (for locally generated packets).
1155 If you say Y here, try `iptables -m time --help` for
1158 If you want to compile it as a module, say M here.
1161 config NETFILTER_XT_MATCH_U32
1162 tristate '"u32" match support'
1163 depends on NETFILTER_ADVANCED
1165 u32 allows you to extract quantities of up to 4 bytes from a packet,
1166 AND them with specified masks, shift them by specified amounts and
1167 test whether the results are in any of a set of specified ranges.
1168 The specification of what to extract is general enough to skip over
1169 headers with lengths stored in the packet, as in IP or TCP header
1172 Details and examples are in the kernel module source.
1174 endif # NETFILTER_XTABLES
1178 source "net/netfilter/ipset/Kconfig"
1180 source "net/netfilter/ipvs/Kconfig"