1 menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
4 config NETFILTER_NETLINK
7 config NETFILTER_NETLINK_QUEUE
8 tristate "Netfilter NFQUEUE over NFNETLINK interface"
9 depends on NETFILTER_ADVANCED
10 select NETFILTER_NETLINK
12 If this option is enabled, the kernel will include support
13 for queueing packets via NFNETLINK.
15 config NETFILTER_NETLINK_LOG
16 tristate "Netfilter LOG over NFNETLINK interface"
17 default m if NETFILTER_ADVANCED=n
18 select NETFILTER_NETLINK
20 If this option is enabled, the kernel will include support
21 for logging packets via NFNETLINK.
23 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
24 and is also scheduled to replace the old syslog-based ipt_LOG
28 tristate "Netfilter connection tracking support"
29 default m if NETFILTER_ADVANCED=n
31 Connection tracking keeps a record of what packets have passed
32 through your machine, in order to figure out how they are related
35 This is required to do Masquerading or other kinds of Network
36 Address Translation. It can also be used to enhance packet
37 filtering (see `Connection state match support' below).
39 To compile it as a module, choose M here. If unsure, say N.
42 bool "Connection tracking flow accounting"
43 depends on NETFILTER_ADVANCED
44 depends on NF_CONNTRACK
46 If this option is enabled, the connection tracking code will
47 keep per-flow packet and byte counters.
49 Those counters can be used for flow-based accounting or the
52 Please note that currently this option only sets a default state.
53 You may change it at boot time with nf_conntrack.acct=0/1 kernel
54 paramater or by loading the nf_conntrack module with acct=0/1.
56 You may also disable/enable it on a running system with:
57 sysctl net.netfilter.nf_conntrack_acct=0/1
59 This option will be removed in 2.6.29.
63 config NF_CONNTRACK_MARK
64 bool 'Connection mark tracking support'
65 depends on NETFILTER_ADVANCED
66 depends on NF_CONNTRACK
68 This option enables support for connection marks, used by the
69 `CONNMARK' target and `connmark' match. Similar to the mark value
70 of packets, but this mark value is kept in the conntrack session
71 instead of the individual packets.
73 config NF_CONNTRACK_SECMARK
74 bool 'Connection tracking security mark support'
75 depends on NF_CONNTRACK && NETWORK_SECMARK
76 default m if NETFILTER_ADVANCED=n
78 This option enables security markings to be applied to
79 connections. Typically they are copied to connections from
80 packets using the CONNSECMARK target and copied back from
81 connections to packets with the same target, with the packets
82 being originally labeled via SECMARK.
86 config NF_CONNTRACK_EVENTS
87 bool "Connection tracking events"
88 depends on NF_CONNTRACK
89 depends on NETFILTER_ADVANCED
91 If this option is enabled, the connection tracking code will
92 provide a notifier chain that can be used by other kernel code
93 to get notified about changes in the connection tracking state.
97 config NF_CT_PROTO_DCCP
98 tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
99 depends on EXPERIMENTAL && NF_CONNTRACK
100 depends on NETFILTER_ADVANCED
103 With this option enabled, the layer 3 independent connection
104 tracking code will be able to do state tracking on DCCP connections.
108 config NF_CT_PROTO_GRE
110 depends on NF_CONNTRACK
112 config NF_CT_PROTO_SCTP
113 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
114 depends on EXPERIMENTAL && NF_CONNTRACK
115 depends on NETFILTER_ADVANCED
118 With this option enabled, the layer 3 independent connection
119 tracking code will be able to do state tracking on SCTP connections.
121 If you want to compile it as a module, say M here and read
122 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
124 config NF_CT_PROTO_UDPLITE
125 tristate 'UDP-Lite protocol connection tracking support'
126 depends on NF_CONNTRACK
127 depends on NETFILTER_ADVANCED
129 With this option enabled, the layer 3 independent connection
130 tracking code will be able to do state tracking on UDP-Lite
133 To compile it as a module, choose M here. If unsure, say N.
135 config NF_CONNTRACK_AMANDA
136 tristate "Amanda backup protocol support"
137 depends on NF_CONNTRACK
138 depends on NETFILTER_ADVANCED
140 select TEXTSEARCH_KMP
142 If you are running the Amanda backup package <http://www.amanda.org/>
143 on this machine or machines that will be MASQUERADED through this
144 machine, then you may want to enable this feature. This allows the
145 connection tracking and natting code to allow the sub-channels that
146 Amanda requires for communication of the backup data, messages and
149 To compile it as a module, choose M here. If unsure, say N.
151 config NF_CONNTRACK_FTP
152 tristate "FTP protocol support"
153 depends on NF_CONNTRACK
154 default m if NETFILTER_ADVANCED=n
156 Tracking FTP connections is problematic: special helpers are
157 required for tracking them, and doing masquerading and other forms
158 of Network Address Translation on them.
160 This is FTP support on Layer 3 independent connection tracking.
161 Layer 3 independent connection tracking is experimental scheme
162 which generalize ip_conntrack to support other layer 3 protocols.
164 To compile it as a module, choose M here. If unsure, say N.
166 config NF_CONNTRACK_H323
167 tristate "H.323 protocol support"
168 depends on NF_CONNTRACK && (IPV6 || IPV6=n)
169 depends on NETFILTER_ADVANCED
171 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
172 important VoIP protocols, it is widely used by voice hardware and
173 software including voice gateways, IP phones, Netmeeting, OpenPhone,
176 With this module you can support H.323 on a connection tracking/NAT
179 This module supports RAS, Fast Start, H.245 Tunnelling, Call
180 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
181 whiteboard, file transfer, etc. For more information, please
182 visit http://nath323.sourceforge.net/.
184 To compile it as a module, choose M here. If unsure, say N.
186 config NF_CONNTRACK_IRC
187 tristate "IRC protocol support"
188 depends on NF_CONNTRACK
189 default m if NETFILTER_ADVANCED=n
191 There is a commonly-used extension to IRC called
192 Direct Client-to-Client Protocol (DCC). This enables users to send
193 files to each other, and also chat to each other without the need
194 of a server. DCC Sending is used anywhere you send files over IRC,
195 and DCC Chat is most commonly used by Eggdrop bots. If you are
196 using NAT, this extension will enable you to send files and initiate
197 chats. Note that you do NOT need this extension to get files or
198 have others initiate chats, or everything else in IRC.
200 To compile it as a module, choose M here. If unsure, say N.
202 config NF_CONNTRACK_NETBIOS_NS
203 tristate "NetBIOS name service protocol support"
204 depends on NF_CONNTRACK
205 depends on NETFILTER_ADVANCED
207 NetBIOS name service requests are sent as broadcast messages from an
208 unprivileged port and responded to with unicast messages to the
209 same port. This make them hard to firewall properly because connection
210 tracking doesn't deal with broadcasts. This helper tracks locally
211 originating NetBIOS name service requests and the corresponding
212 responses. It relies on correct IP address configuration, specifically
213 netmask and broadcast address. When properly configured, the output
214 of "ip address show" should look similar to this:
216 $ ip -4 address show eth0
217 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
218 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
220 To compile it as a module, choose M here. If unsure, say N.
222 config NF_CONNTRACK_PPTP
223 tristate "PPtP protocol support"
224 depends on NF_CONNTRACK
225 depends on NETFILTER_ADVANCED
226 select NF_CT_PROTO_GRE
228 This module adds support for PPTP (Point to Point Tunnelling
229 Protocol, RFC2637) connection tracking and NAT.
231 If you are running PPTP sessions over a stateful firewall or NAT
232 box, you may want to enable this feature.
234 Please note that not all PPTP modes of operation are supported yet.
235 Specifically these limitations exist:
236 - Blindly assumes that control connections are always established
237 in PNS->PAC direction. This is a violation of RFC2637.
238 - Only supports a single call within each session
240 To compile it as a module, choose M here. If unsure, say N.
242 config NF_CONNTRACK_SANE
243 tristate "SANE protocol support (EXPERIMENTAL)"
244 depends on EXPERIMENTAL && NF_CONNTRACK
245 depends on NETFILTER_ADVANCED
247 SANE is a protocol for remote access to scanners as implemented
248 by the 'saned' daemon. Like FTP, it uses separate control and
251 With this module you can support SANE on a connection tracking
254 To compile it as a module, choose M here. If unsure, say N.
256 config NF_CONNTRACK_SIP
257 tristate "SIP protocol support"
258 depends on NF_CONNTRACK
259 default m if NETFILTER_ADVANCED=n
261 SIP is an application-layer control protocol that can establish,
262 modify, and terminate multimedia sessions (conferences) such as
263 Internet telephony calls. With the ip_conntrack_sip and
264 the nf_nat_sip modules you can support the protocol on a connection
265 tracking/NATing firewall.
267 To compile it as a module, choose M here. If unsure, say N.
269 config NF_CONNTRACK_TFTP
270 tristate "TFTP protocol support"
271 depends on NF_CONNTRACK
272 depends on NETFILTER_ADVANCED
274 TFTP connection tracking helper, this is required depending
275 on how restrictive your ruleset is.
276 If you are using a tftp client behind -j SNAT or -j MASQUERADING
279 To compile it as a module, choose M here. If unsure, say N.
282 tristate 'Connection tracking netlink interface'
283 depends on NF_CONNTRACK
284 select NETFILTER_NETLINK
285 depends on NF_NAT=n || NF_NAT
286 default m if NETFILTER_ADVANCED=n
288 This option enables support for a netlink-based userspace interface
290 # transparent proxy support
291 config NETFILTER_TPROXY
292 tristate "Transparent proxying support (EXPERIMENTAL)"
293 depends on EXPERIMENTAL
294 depends on IP_NF_MANGLE
295 depends on NETFILTER_ADVANCED
297 This option enables transparent proxying support, that is,
298 support for handling non-locally bound IPv4 TCP and UDP sockets.
299 For it to work you will have to configure certain iptables rules
300 and use policy routing. For more information on how to set it up
301 see Documentation/networking/tproxy.txt.
303 To compile it as a module, choose M here. If unsure, say N.
305 config NETFILTER_XTABLES
306 tristate "Netfilter Xtables support (required for ip_tables)"
307 default m if NETFILTER_ADVANCED=n
309 This is required if you intend to use any of ip_tables,
310 ip6_tables or arp_tables.
312 # alphabetically ordered list of targets
314 config NETFILTER_XT_TARGET_CLASSIFY
315 tristate '"CLASSIFY" target support'
316 depends on NETFILTER_XTABLES
317 depends on NETFILTER_ADVANCED
319 This option adds a `CLASSIFY' target, which enables the user to set
320 the priority of a packet. Some qdiscs can use this value for
321 classification, among these are:
323 atm, cbq, dsmark, pfifo_fast, htb, prio
325 To compile it as a module, choose M here. If unsure, say N.
327 config NETFILTER_XT_TARGET_CONNMARK
328 tristate '"CONNMARK" target support'
329 depends on NETFILTER_XTABLES
330 depends on IP_NF_MANGLE || IP6_NF_MANGLE
331 depends on NF_CONNTRACK
332 depends on NETFILTER_ADVANCED
333 select NF_CONNTRACK_MARK
335 This option adds a `CONNMARK' target, which allows one to manipulate
336 the connection mark value. Similar to the MARK target, but
337 affects the connection mark value rather than the packet mark value.
339 If you want to compile it as a module, say M here and read
340 <file:Documentation/kbuild/modules.txt>. The module will be called
341 ipt_CONNMARK.ko. If unsure, say `N'.
343 config NETFILTER_XT_TARGET_DSCP
344 tristate '"DSCP" and "TOS" target support'
345 depends on NETFILTER_XTABLES
346 depends on IP_NF_MANGLE || IP6_NF_MANGLE
347 depends on NETFILTER_ADVANCED
349 This option adds a `DSCP' target, which allows you to manipulate
350 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
352 The DSCP field can have any value between 0x0 and 0x3f inclusive.
354 It also adds the "TOS" target, which allows you to create rules in
355 the "mangle" table which alter the Type Of Service field of an IPv4
356 or the Priority field of an IPv6 packet, prior to routing.
358 To compile it as a module, choose M here. If unsure, say N.
360 config NETFILTER_XT_TARGET_MARK
361 tristate '"MARK" target support'
362 depends on NETFILTER_XTABLES
363 default m if NETFILTER_ADVANCED=n
365 This option adds a `MARK' target, which allows you to create rules
366 in the `mangle' table which alter the netfilter mark (nfmark) field
367 associated with the packet prior to routing. This can change
368 the routing method (see `Use netfilter MARK value as routing
369 key') and can also be used by other subsystems to change their
372 To compile it as a module, choose M here. If unsure, say N.
374 config NETFILTER_XT_TARGET_NFQUEUE
375 tristate '"NFQUEUE" target Support'
376 depends on NETFILTER_XTABLES
377 depends on NETFILTER_ADVANCED
379 This target replaced the old obsolete QUEUE target.
381 As opposed to QUEUE, it supports 65535 different queues,
384 To compile it as a module, choose M here. If unsure, say N.
386 config NETFILTER_XT_TARGET_NFLOG
387 tristate '"NFLOG" target support'
388 depends on NETFILTER_XTABLES
389 default m if NETFILTER_ADVANCED=n
391 This option enables the NFLOG target, which allows to LOG
392 messages through the netfilter logging API, which can use
393 either the old LOG target, the old ULOG target or nfnetlink_log
396 To compile it as a module, choose M here. If unsure, say N.
398 config NETFILTER_XT_TARGET_NOTRACK
399 tristate '"NOTRACK" target support'
400 depends on NETFILTER_XTABLES
401 depends on IP_NF_RAW || IP6_NF_RAW
402 depends on NF_CONNTRACK
403 depends on NETFILTER_ADVANCED
405 The NOTRACK target allows a select rule to specify
406 which packets *not* to enter the conntrack/NAT
407 subsystem with all the consequences (no ICMP error tracking,
408 no protocol helpers for the selected packets).
410 If you want to compile it as a module, say M here and read
411 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
413 config NETFILTER_XT_TARGET_RATEEST
414 tristate '"RATEEST" target support'
415 depends on NETFILTER_XTABLES
416 depends on NETFILTER_ADVANCED
418 This option adds a `RATEEST' target, which allows to measure
419 rates similar to TC estimators. The `rateest' match can be
420 used to match on the measured rates.
422 To compile it as a module, choose M here. If unsure, say N.
424 config NETFILTER_XT_TARGET_TPROXY
425 tristate '"TPROXY" target support (EXPERIMENTAL)'
426 depends on EXPERIMENTAL
427 depends on NETFILTER_TPROXY
428 depends on NETFILTER_XTABLES
429 depends on NETFILTER_ADVANCED
430 select NF_DEFRAG_IPV4
432 This option adds a `TPROXY' target, which is somewhat similar to
433 REDIRECT. It can only be used in the mangle table and is useful
434 to redirect traffic to a transparent proxy. It does _not_ depend
435 on Netfilter connection tracking and NAT, unlike REDIRECT.
437 To compile it as a module, choose M here. If unsure, say N.
439 config NETFILTER_XT_TARGET_TRACE
440 tristate '"TRACE" target support'
441 depends on NETFILTER_XTABLES
442 depends on IP_NF_RAW || IP6_NF_RAW
443 depends on NETFILTER_ADVANCED
445 The TRACE target allows you to mark packets so that the kernel
446 will log every rule which match the packets as those traverse
447 the tables, chains, rules.
449 If you want to compile it as a module, say M here and read
450 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
452 config NETFILTER_XT_TARGET_SECMARK
453 tristate '"SECMARK" target support'
454 depends on NETFILTER_XTABLES && NETWORK_SECMARK
455 default m if NETFILTER_ADVANCED=n
457 The SECMARK target allows security marking of network
458 packets, for use with security subsystems.
460 To compile it as a module, choose M here. If unsure, say N.
462 config NETFILTER_XT_TARGET_CONNSECMARK
463 tristate '"CONNSECMARK" target support'
464 depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK
465 default m if NETFILTER_ADVANCED=n
467 The CONNSECMARK target copies security markings from packets
468 to connections, and restores security markings from connections
469 to packets (if the packets are not already marked). This would
470 normally be used in conjunction with the SECMARK target.
472 To compile it as a module, choose M here. If unsure, say N.
474 config NETFILTER_XT_TARGET_TCPMSS
475 tristate '"TCPMSS" target support'
476 depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
477 default m if NETFILTER_ADVANCED=n
479 This option adds a `TCPMSS' target, which allows you to alter the
480 MSS value of TCP SYN packets, to control the maximum size for that
481 connection (usually limiting it to your outgoing interface's MTU
484 This is used to overcome criminally braindead ISPs or servers which
485 block ICMP Fragmentation Needed packets. The symptoms of this
486 problem are that everything works fine from your Linux
487 firewall/router, but machines behind it can never exchange large
489 1) Web browsers connect, then hang with no data received.
490 2) Small mail works fine, but large emails hang.
491 3) ssh works fine, but scp hangs after initial handshaking.
493 Workaround: activate this option and add a rule to your firewall
496 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
497 -j TCPMSS --clamp-mss-to-pmtu
499 To compile it as a module, choose M here. If unsure, say N.
501 config NETFILTER_XT_TARGET_TCPOPTSTRIP
502 tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
503 depends on EXPERIMENTAL && NETFILTER_XTABLES
504 depends on IP_NF_MANGLE || IP6_NF_MANGLE
505 depends on NETFILTER_ADVANCED
507 This option adds a "TCPOPTSTRIP" target, which allows you to strip
508 TCP options from TCP packets.
510 config NETFILTER_XT_MATCH_COMMENT
511 tristate '"comment" match support'
512 depends on NETFILTER_XTABLES
513 depends on NETFILTER_ADVANCED
515 This option adds a `comment' dummy-match, which allows you to put
516 comments in your iptables ruleset.
518 If you want to compile it as a module, say M here and read
519 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
521 config NETFILTER_XT_MATCH_CONNBYTES
522 tristate '"connbytes" per-connection counter match support'
523 depends on NETFILTER_XTABLES
524 depends on NF_CONNTRACK
525 depends on NETFILTER_ADVANCED
528 This option adds a `connbytes' match, which allows you to match the
529 number of bytes and/or packets for each direction within a connection.
531 If you want to compile it as a module, say M here and read
532 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
534 config NETFILTER_XT_MATCH_CONNLIMIT
535 tristate '"connlimit" match support"'
536 depends on NETFILTER_XTABLES
537 depends on NF_CONNTRACK
538 depends on NETFILTER_ADVANCED
540 This match allows you to match against the number of parallel
541 connections to a server per client IP address (or address block).
543 config NETFILTER_XT_MATCH_CONNMARK
544 tristate '"connmark" connection mark match support'
545 depends on NETFILTER_XTABLES
546 depends on NF_CONNTRACK
547 depends on NETFILTER_ADVANCED
548 select NF_CONNTRACK_MARK
550 This option adds a `connmark' match, which allows you to match the
551 connection mark value previously set for the session by `CONNMARK'.
553 If you want to compile it as a module, say M here and read
554 <file:Documentation/kbuild/modules.txt>. The module will be called
555 ipt_connmark.ko. If unsure, say `N'.
557 config NETFILTER_XT_MATCH_CONNTRACK
558 tristate '"conntrack" connection tracking match support'
559 depends on NETFILTER_XTABLES
560 depends on NF_CONNTRACK
561 default m if NETFILTER_ADVANCED=n
563 This is a general conntrack match module, a superset of the state match.
565 It allows matching on additional conntrack information, which is
566 useful in complex configurations, such as NAT gateways with multiple
567 internet links or tunnels.
569 To compile it as a module, choose M here. If unsure, say N.
571 config NETFILTER_XT_MATCH_DCCP
572 tristate '"dccp" protocol match support'
573 depends on NETFILTER_XTABLES
574 depends on NETFILTER_ADVANCED
577 With this option enabled, you will be able to use the iptables
578 `dccp' match in order to match on DCCP source/destination ports
581 If you want to compile it as a module, say M here and read
582 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
584 config NETFILTER_XT_MATCH_DSCP
585 tristate '"dscp" and "tos" match support'
586 depends on NETFILTER_XTABLES
587 depends on NETFILTER_ADVANCED
589 This option adds a `DSCP' match, which allows you to match against
590 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
592 The DSCP field can have any value between 0x0 and 0x3f inclusive.
594 It will also add a "tos" match, which allows you to match packets
595 based on the Type Of Service fields of the IPv4 packet (which share
596 the same bits as DSCP).
598 To compile it as a module, choose M here. If unsure, say N.
600 config NETFILTER_XT_MATCH_ESP
601 tristate '"esp" match support'
602 depends on NETFILTER_XTABLES
603 depends on NETFILTER_ADVANCED
605 This match extension allows you to match a range of SPIs
606 inside ESP header of IPSec packets.
608 To compile it as a module, choose M here. If unsure, say N.
610 config NETFILTER_XT_MATCH_HELPER
611 tristate '"helper" match support'
612 depends on NETFILTER_XTABLES
613 depends on NF_CONNTRACK
614 depends on NETFILTER_ADVANCED
616 Helper matching allows you to match packets in dynamic connections
617 tracked by a conntrack-helper, ie. ip_conntrack_ftp
619 To compile it as a module, choose M here. If unsure, say Y.
621 config NETFILTER_XT_MATCH_IPRANGE
622 tristate '"iprange" address range match support'
623 depends on NETFILTER_XTABLES
624 depends on NETFILTER_ADVANCED
626 This option adds a "iprange" match, which allows you to match based on
627 an IP address range. (Normal iptables only matches on single addresses
628 with an optional mask.)
632 config NETFILTER_XT_MATCH_LENGTH
633 tristate '"length" match support'
634 depends on NETFILTER_XTABLES
635 depends on NETFILTER_ADVANCED
637 This option allows you to match the length of a packet against a
638 specific value or range of values.
640 To compile it as a module, choose M here. If unsure, say N.
642 config NETFILTER_XT_MATCH_LIMIT
643 tristate '"limit" match support'
644 depends on NETFILTER_XTABLES
645 depends on NETFILTER_ADVANCED
647 limit matching allows you to control the rate at which a rule can be
648 matched: mainly useful in combination with the LOG target ("LOG
649 target support", below) and to avoid some Denial of Service attacks.
651 To compile it as a module, choose M here. If unsure, say N.
653 config NETFILTER_XT_MATCH_MAC
654 tristate '"mac" address match support'
655 depends on NETFILTER_XTABLES
656 depends on NETFILTER_ADVANCED
658 MAC matching allows you to match packets based on the source
659 Ethernet address of the packet.
661 To compile it as a module, choose M here. If unsure, say N.
663 config NETFILTER_XT_MATCH_MARK
664 tristate '"mark" match support'
665 depends on NETFILTER_XTABLES
666 default m if NETFILTER_ADVANCED=n
668 Netfilter mark matching allows you to match packets based on the
669 `nfmark' value in the packet. This can be set by the MARK target
672 To compile it as a module, choose M here. If unsure, say N.
674 config NETFILTER_XT_MATCH_OWNER
675 tristate '"owner" match support'
676 depends on NETFILTER_XTABLES
677 depends on NETFILTER_ADVANCED
679 Socket owner matching allows you to match locally-generated packets
680 based on who created the socket: the user or group. It is also
681 possible to check whether a socket actually exists.
683 config NETFILTER_XT_MATCH_POLICY
684 tristate 'IPsec "policy" match support'
685 depends on NETFILTER_XTABLES && XFRM
686 default m if NETFILTER_ADVANCED=n
688 Policy matching allows you to match packets based on the
689 IPsec policy that was used during decapsulation/will
690 be used during encapsulation.
692 To compile it as a module, choose M here. If unsure, say N.
694 config NETFILTER_XT_MATCH_MULTIPORT
695 tristate '"multiport" Multiple port match support'
696 depends on NETFILTER_XTABLES
697 depends on NETFILTER_ADVANCED
699 Multiport matching allows you to match TCP or UDP packets based on
700 a series of source or destination ports: normally a rule can only
701 match a single range of ports.
703 To compile it as a module, choose M here. If unsure, say N.
705 config NETFILTER_XT_MATCH_PHYSDEV
706 tristate '"physdev" match support'
707 depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
708 depends on NETFILTER_ADVANCED
710 Physdev packet matching matches against the physical bridge ports
711 the IP packet arrived on or will leave by.
713 To compile it as a module, choose M here. If unsure, say N.
715 config NETFILTER_XT_MATCH_PKTTYPE
716 tristate '"pkttype" packet type match support'
717 depends on NETFILTER_XTABLES
718 depends on NETFILTER_ADVANCED
720 Packet type matching allows you to match a packet by
721 its "class", eg. BROADCAST, MULTICAST, ...
724 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
726 To compile it as a module, choose M here. If unsure, say N.
728 config NETFILTER_XT_MATCH_QUOTA
729 tristate '"quota" match support'
730 depends on NETFILTER_XTABLES
731 depends on NETFILTER_ADVANCED
733 This option adds a `quota' match, which allows to match on a
736 If you want to compile it as a module, say M here and read
737 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
739 config NETFILTER_XT_MATCH_RATEEST
740 tristate '"rateest" match support'
741 depends on NETFILTER_XTABLES
742 depends on NETFILTER_ADVANCED
743 select NETFILTER_XT_TARGET_RATEEST
745 This option adds a `rateest' match, which allows to match on the
746 rate estimated by the RATEEST target.
748 To compile it as a module, choose M here. If unsure, say N.
750 config NETFILTER_XT_MATCH_REALM
751 tristate '"realm" match support'
752 depends on NETFILTER_XTABLES
753 depends on NETFILTER_ADVANCED
756 This option adds a `realm' match, which allows you to use the realm
757 key from the routing subsystem inside iptables.
759 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
762 If you want to compile it as a module, say M here and read
763 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
765 config NETFILTER_XT_MATCH_RECENT
766 tristate '"recent" match support'
767 depends on NETFILTER_XTABLES
768 depends on NETFILTER_ADVANCED
770 This match is used for creating one or many lists of recently
771 used addresses and then matching against that/those list(s).
773 Short options are available by using 'iptables -m recent -h'
774 Official Website: <http://snowman.net/projects/ipt_recent/>
776 config NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
777 bool 'Enable obsolete /proc/net/ipt_recent'
778 depends on NETFILTER_XT_MATCH_RECENT && PROC_FS
780 This option enables the old /proc/net/ipt_recent interface,
781 which has been obsoleted by /proc/net/xt_recent.
783 config NETFILTER_XT_MATCH_SCTP
784 tristate '"sctp" protocol match support (EXPERIMENTAL)'
785 depends on NETFILTER_XTABLES && EXPERIMENTAL
786 depends on NETFILTER_ADVANCED
789 With this option enabled, you will be able to use the
790 `sctp' match in order to match on SCTP source/destination ports
791 and SCTP chunk types.
793 If you want to compile it as a module, say M here and read
794 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
796 config NETFILTER_XT_MATCH_SOCKET
797 tristate '"socket" match support (EXPERIMENTAL)'
798 depends on EXPERIMENTAL
799 depends on NETFILTER_TPROXY
800 depends on NETFILTER_XTABLES
801 depends on NETFILTER_ADVANCED
802 select NF_DEFRAG_IPV4
804 This option adds a `socket' match, which can be used to match
805 packets for which a TCP or UDP socket lookup finds a valid socket.
806 It can be used in combination with the MARK target and policy
807 routing to implement full featured non-locally bound sockets.
809 To compile it as a module, choose M here. If unsure, say N.
811 config NETFILTER_XT_MATCH_STATE
812 tristate '"state" match support'
813 depends on NETFILTER_XTABLES
814 depends on NF_CONNTRACK
815 default m if NETFILTER_ADVANCED=n
817 Connection state matching allows you to match packets based on their
818 relationship to a tracked connection (ie. previous packets). This
819 is a powerful tool for packet classification.
821 To compile it as a module, choose M here. If unsure, say N.
823 config NETFILTER_XT_MATCH_STATISTIC
824 tristate '"statistic" match support'
825 depends on NETFILTER_XTABLES
826 depends on NETFILTER_ADVANCED
828 This option adds a `statistic' match, which allows you to match
829 on packets periodically or randomly with a given percentage.
831 To compile it as a module, choose M here. If unsure, say N.
833 config NETFILTER_XT_MATCH_STRING
834 tristate '"string" match support'
835 depends on NETFILTER_XTABLES
836 depends on NETFILTER_ADVANCED
838 select TEXTSEARCH_KMP
840 select TEXTSEARCH_FSM
842 This option adds a `string' match, which allows you to look for
843 pattern matchings in packets.
845 To compile it as a module, choose M here. If unsure, say N.
847 config NETFILTER_XT_MATCH_TCPMSS
848 tristate '"tcpmss" match support'
849 depends on NETFILTER_XTABLES
850 depends on NETFILTER_ADVANCED
852 This option adds a `tcpmss' match, which allows you to examine the
853 MSS value of TCP SYN packets, which control the maximum packet size
856 To compile it as a module, choose M here. If unsure, say N.
858 config NETFILTER_XT_MATCH_TIME
859 tristate '"time" match support'
860 depends on NETFILTER_XTABLES
861 depends on NETFILTER_ADVANCED
863 This option adds a "time" match, which allows you to match based on
864 the packet arrival time (at the machine which netfilter is running)
865 on) or departure time/date (for locally generated packets).
867 If you say Y here, try `iptables -m time --help` for
870 If you want to compile it as a module, say M here.
873 config NETFILTER_XT_MATCH_U32
874 tristate '"u32" match support'
875 depends on NETFILTER_XTABLES
876 depends on NETFILTER_ADVANCED
878 u32 allows you to extract quantities of up to 4 bytes from a packet,
879 AND them with specified masks, shift them by specified amounts and
880 test whether the results are in any of a set of specified ranges.
881 The specification of what to extract is general enough to skip over
882 headers with lengths stored in the packet, as in IP or TCP header
885 Details and examples are in the kernel module source.
887 config NETFILTER_XT_MATCH_HASHLIMIT
888 tristate '"hashlimit" match support'
889 depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
890 depends on NETFILTER_ADVANCED
892 This option adds a `hashlimit' match.
894 As opposed to `limit', this match dynamically creates a hash table
895 of limit buckets, based on your selection of source/destination
896 addresses and/or ports.
898 It enables you to express policies like `10kpps for any given
899 destination address' or `500pps from any given source address'