1 menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
4 config NETFILTER_INGRESS
5 bool "Netfilter ingress support"
9 This allows you to classify packets from ingress using the Netfilter
12 config NETFILTER_NETLINK
15 config NETFILTER_FAMILY_BRIDGE
18 config NETFILTER_FAMILY_ARP
21 config NETFILTER_NETLINK_ACCT
22 tristate "Netfilter NFACCT over NFNETLINK interface"
23 depends on NETFILTER_ADVANCED
24 select NETFILTER_NETLINK
26 If this option is enabled, the kernel will include support
27 for extended accounting via NFNETLINK.
29 config NETFILTER_NETLINK_QUEUE
30 tristate "Netfilter NFQUEUE over NFNETLINK interface"
31 depends on NETFILTER_ADVANCED
32 select NETFILTER_NETLINK
34 If this option is enabled, the kernel will include support
35 for queueing packets via NFNETLINK.
37 config NETFILTER_NETLINK_LOG
38 tristate "Netfilter LOG over NFNETLINK interface"
39 default m if NETFILTER_ADVANCED=n
40 select NETFILTER_NETLINK
42 If this option is enabled, the kernel will include support
43 for logging packets via NFNETLINK.
45 This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
46 and is also scheduled to replace the old syslog-based ipt_LOG
50 tristate "Netfilter connection tracking support"
51 default m if NETFILTER_ADVANCED=n
53 Connection tracking keeps a record of what packets have passed
54 through your machine, in order to figure out how they are related
57 This is required to do Masquerading or other kinds of Network
58 Address Translation. It can also be used to enhance packet
59 filtering (see `Connection state match support' below).
61 To compile it as a module, choose M here. If unsure, say N.
67 tristate "Netdev packet logging"
71 config NETFILTER_CONNCOUNT
74 config NF_CONNTRACK_MARK
75 bool 'Connection mark tracking support'
76 depends on NETFILTER_ADVANCED
78 This option enables support for connection marks, used by the
79 `CONNMARK' target and `connmark' match. Similar to the mark value
80 of packets, but this mark value is kept in the conntrack session
81 instead of the individual packets.
83 config NF_CONNTRACK_SECMARK
84 bool 'Connection tracking security mark support'
85 depends on NETWORK_SECMARK
86 default m if NETFILTER_ADVANCED=n
88 This option enables security markings to be applied to
89 connections. Typically they are copied to connections from
90 packets using the CONNSECMARK target and copied back from
91 connections to packets with the same target, with the packets
92 being originally labeled via SECMARK.
96 config NF_CONNTRACK_ZONES
97 bool 'Connection tracking zones'
98 depends on NETFILTER_ADVANCED
99 depends on NETFILTER_XT_TARGET_CT
101 This option enables support for connection tracking zones.
102 Normally, each connection needs to have a unique system wide
103 identity. Connection tracking zones allow having multiple
104 connections using the same identity, as long as they are
105 contained in different zones.
109 config NF_CONNTRACK_PROCFS
110 bool "Supply CT list in procfs (OBSOLETE)"
114 This option enables the list of known conntrack entries
115 to be shown in procfs under net/netfilter/nf_conntrack. This
116 is considered obsolete in favor of using the conntrack(8)
117 tool which uses Netlink.
119 config NF_CONNTRACK_EVENTS
120 bool "Connection tracking events"
121 depends on NETFILTER_ADVANCED
123 If this option is enabled, the connection tracking code will
124 provide a notifier chain that can be used by other kernel code
125 to get notified about changes in the connection tracking state.
129 config NF_CONNTRACK_TIMEOUT
130 bool 'Connection tracking timeout'
131 depends on NETFILTER_ADVANCED
133 This option enables support for connection tracking timeout
134 extension. This allows you to attach timeout policies to flow
139 config NF_CONNTRACK_TIMESTAMP
140 bool 'Connection tracking timestamping'
141 depends on NETFILTER_ADVANCED
143 This option enables support for connection tracking timestamping.
144 This allows you to store the flow start-time and to obtain
145 the flow-stop time (once it has been destroyed) via Connection
150 config NF_CONNTRACK_LABELS
153 This option enables support for assigning user-defined flag bits
154 to connection tracking entries. It is selected by the connlabel match.
156 config NF_CT_PROTO_DCCP
157 bool 'DCCP protocol connection tracking support'
158 depends on NETFILTER_ADVANCED
161 With this option enabled, the layer 3 independent connection
162 tracking code will be able to do state tracking on DCCP connections.
166 config NF_CT_PROTO_GRE
169 config NF_CT_PROTO_SCTP
170 bool 'SCTP protocol connection tracking support'
171 depends on NETFILTER_ADVANCED
175 With this option enabled, the layer 3 independent connection
176 tracking code will be able to do state tracking on SCTP connections.
180 config NF_CT_PROTO_UDPLITE
181 bool 'UDP-Lite protocol connection tracking support'
182 depends on NETFILTER_ADVANCED
185 With this option enabled, the layer 3 independent connection
186 tracking code will be able to do state tracking on UDP-Lite
191 config NF_CONNTRACK_AMANDA
192 tristate "Amanda backup protocol support"
193 depends on NETFILTER_ADVANCED
195 select TEXTSEARCH_KMP
197 If you are running the Amanda backup package <http://www.amanda.org/>
198 on this machine or machines that will be MASQUERADED through this
199 machine, then you may want to enable this feature. This allows the
200 connection tracking and natting code to allow the sub-channels that
201 Amanda requires for communication of the backup data, messages and
204 To compile it as a module, choose M here. If unsure, say N.
206 config NF_CONNTRACK_FTP
207 tristate "FTP protocol support"
208 default m if NETFILTER_ADVANCED=n
210 Tracking FTP connections is problematic: special helpers are
211 required for tracking them, and doing masquerading and other forms
212 of Network Address Translation on them.
214 This is FTP support on Layer 3 independent connection tracking.
215 Layer 3 independent connection tracking is an experimental scheme
216 which generalizes ip_conntrack to support other layer 3 protocols.
218 To compile it as a module, choose M here. If unsure, say N.
220 config NF_CONNTRACK_H323
221 tristate "H.323 protocol support"
222 depends on IPV6 || IPV6=n
223 depends on NETFILTER_ADVANCED
225 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
226 important VoIP protocols, it is widely used by voice hardware and
227 software including voice gateways, IP phones, Netmeeting, OpenPhone,
230 With this module you can support H.323 on a connection tracking/NAT
233 This module supports RAS, Fast Start, H.245 Tunnelling, Call
234 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
235 whiteboard, file transfer, etc. For more information, please
236 visit http://nath323.sourceforge.net/.
238 To compile it as a module, choose M here. If unsure, say N.
240 config NF_CONNTRACK_IRC
241 tristate "IRC protocol support"
242 default m if NETFILTER_ADVANCED=n
244 There is a commonly-used extension to IRC called
245 Direct Client-to-Client Protocol (DCC). This enables users to send
246 files to each other, and also chat to each other without the need
247 of a server. DCC Sending is used anywhere you send files over IRC,
248 and DCC Chat is most commonly used by Eggdrop bots. If you are
249 using NAT, this extension will enable you to send files and initiate
250 chats. Note that you do NOT need this extension to get files or
251 have others initiate chats, or everything else in IRC.
253 To compile it as a module, choose M here. If unsure, say N.
255 config NF_CONNTRACK_BROADCAST
258 config NF_CONNTRACK_NETBIOS_NS
259 tristate "NetBIOS name service protocol support"
260 select NF_CONNTRACK_BROADCAST
262 NetBIOS name service requests are sent as broadcast messages from an
263 unprivileged port and responded to with unicast messages to the
264 same port. This makes them hard to firewall properly because connection
265 tracking doesn't deal with broadcasts. This helper tracks locally
266 originating NetBIOS name service requests and the corresponding
267 responses. It relies on correct IP address configuration, specifically
268 netmask and broadcast address. When properly configured, the output
269 of "ip address show" should look similar to this:
271 $ ip -4 address show eth0
272 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
273 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
275 To compile it as a module, choose M here. If unsure, say N.
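The helper above only relates replies to requests when the interface's netmask and broadcast address are consistent. The following Python check, added here as an example and not part of the kernel Kconfig or of any netfilter tool, parses `ip -4 address show` output (two constructed samples are embedded, one correct and one with a mismatched `brd`) and reports every address whose configured broadcast differs from the one implied by its prefix length:

```python
import ipaddress
import re

# Constructed `ip -4 address show eth0` output, modelled on the interface in
# the help text above (constructed for this example, not captured from a host).
SAMPLE_GOOD = """4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0"""

# Same interface, but the configured broadcast address does not belong to
# the /24 prefix (constructed misconfiguration).
SAMPLE_BAD = """4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 172.16.2.252/24 brd 255.255.255.255 scope global eth0"""

# Matches the "inet <addr>/<prefix> brd <addr>" lines; addresses without a
# brd field (point-to-point, /32) carry no broadcast and are skipped.
INET_RE = re.compile(r"^\s*inet\s+(\d+\.\d+\.\d+\.\d+/\d+)\s+brd\s+(\d+\.\d+\.\d+\.\d+)")

def check_broadcast(ip_output):
    """Compare each configured `brd` with the broadcast address implied by the
    prefix length. Returns [(address/prefix, configured_brd, expected_brd, ok)]."""
    results = []
    for line in ip_output.splitlines():
        m = INET_RE.match(line)
        if not m:
            continue
        iface = ipaddress.ip_interface(m.group(1))
        configured = ipaddress.ip_address(m.group(2))
        expected = iface.network.broadcast_address
        results.append((str(iface), str(configured), str(expected), configured == expected))
    return results

def all_broadcasts_consistent(ip_output):
    """True when every IPv4 address with a brd field passes the check."""
    return all(ok for _, _, _, ok in check_broadcast(ip_output))

if __name__ == "__main__":
    for sample in (SAMPLE_GOOD, SAMPLE_BAD):
        for addr, got, want, ok in check_broadcast(sample):
            print("%s brd %s expected %s -> %s" % (addr, got, want, "ok" if ok else "MISMATCH"))
```

Run it against the real output of `ip -4 address show` on the firewall before relying on the NetBIOS name service or SNMP broadcast helpers; a mismatch means the address configuration, not the helper, needs fixing.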
277 config NF_CONNTRACK_SNMP
278 tristate "SNMP service protocol support"
279 depends on NETFILTER_ADVANCED
280 select NF_CONNTRACK_BROADCAST
282 SNMP service requests are sent as broadcast messages from an
283 unprivileged port and responded to with unicast messages to the
284 same port. This makes them hard to firewall properly because connection
285 tracking doesn't deal with broadcasts. This helper tracks locally
286 originating SNMP service requests and the corresponding
287 responses. It relies on correct IP address configuration, specifically
288 netmask and broadcast address.
290 To compile it as a module, choose M here. If unsure, say N.
292 config NF_CONNTRACK_PPTP
293 tristate "PPtP protocol support"
294 depends on NETFILTER_ADVANCED
295 select NF_CT_PROTO_GRE
297 This module adds support for PPTP (Point to Point Tunnelling
298 Protocol, RFC2637) connection tracking and NAT.
300 If you are running PPTP sessions over a stateful firewall or NAT
301 box, you may want to enable this feature.
303 Please note that not all PPTP modes of operation are supported yet.
304 Specifically these limitations exist:
305 - Blindly assumes that control connections are always established
306 in PNS->PAC direction. This is a violation of RFC2637.
307 - Only supports a single call within each session
309 To compile it as a module, choose M here. If unsure, say N.
311 config NF_CONNTRACK_SANE
312 tristate "SANE protocol support"
313 depends on NETFILTER_ADVANCED
315 SANE is a protocol for remote access to scanners as implemented
316 by the 'saned' daemon. Like FTP, it uses separate control and
319 With this module you can support SANE on a connection tracking
322 To compile it as a module, choose M here. If unsure, say N.
324 config NF_CONNTRACK_SIP
325 tristate "SIP protocol support"
326 default m if NETFILTER_ADVANCED=n
328 SIP is an application-layer control protocol that can establish,
329 modify, and terminate multimedia sessions (conferences) such as
330 Internet telephony calls. With the ip_conntrack_sip and
331 the nf_nat_sip modules you can support the protocol on a connection
332 tracking/NATing firewall.
334 To compile it as a module, choose M here. If unsure, say N.
336 config NF_CONNTRACK_TFTP
337 tristate "TFTP protocol support"
338 depends on NETFILTER_ADVANCED
340 TFTP connection tracking helper; whether this is required depends
341 on how restrictive your ruleset is.
342 If you are using a tftp client behind -j SNAT or -j MASQUERADING
345 To compile it as a module, choose M here. If unsure, say N.
348 tristate 'Connection tracking netlink interface'
349 select NETFILTER_NETLINK
350 default m if NETFILTER_ADVANCED=n
352 This option enables support for a netlink-based userspace interface
354 config NF_CT_NETLINK_TIMEOUT
355 tristate 'Connection tracking timeout tuning via Netlink'
356 select NETFILTER_NETLINK
357 depends on NETFILTER_ADVANCED
359 This option enables support for connection tracking timeout
360 fine-grain tuning. This allows you to attach specific timeout
361 policies to flows, instead of using the global timeout policy.
365 config NF_CT_NETLINK_HELPER
366 tristate 'Connection tracking helpers in user-space via Netlink'
367 select NETFILTER_NETLINK
368 depends on NF_CT_NETLINK
369 depends on NETFILTER_NETLINK_QUEUE
370 depends on NETFILTER_NETLINK_GLUE_CT
371 depends on NETFILTER_ADVANCED
373 This option enables the user-space connection tracking helpers
378 config NETFILTER_NETLINK_GLUE_CT
379 bool "NFQUEUE and NFLOG integration with Connection Tracking"
381 depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
383 If this option is enabled, NFQUEUE and NFLOG can include
384 Connection Tracking information together with the packet that is
385 enqueued via NFNETLINK.
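The `depends on` and `select` lines in the blocks above interact in a way that matters when auditing a kernel configuration: `select` forces a symbol on without checking that symbol's own dependencies, while an unmet `depends on` leaves an option unavailable. The following Python resolver, added here as an example and not part of the kernel's Kconfig tooling, parses a constructed Kconfig fragment built from the symbols above (NF_CT_NETLINK_HELPER, NETFILTER_NETLINK_GLUE_CT and what they depend on or select), computes the `select` closure for a requested set, and reports which `depends on` expressions remain unmet. It goes beyond the two blocks above in that the expression evaluator handles the `!`, `&&`, `||`, parentheses and `SYM=n` / `SYM!=n` forms used throughout this file, with tristate values folded to booleans:

```python
import re

# Constructed Kconfig fragment for this example: the symbol names and their
# depends/select relations follow the netfilter Kconfig above, but the text
# itself is assembled here and is not a verbatim copy of the kernel file.
KCONFIG_FRAGMENT = """
config NETFILTER_ADVANCED
    bool "Advanced netfilter configuration"

config NETFILTER_NETLINK
    tristate

config NETFILTER_NETLINK_QUEUE
    tristate "Netfilter NFQUEUE over NFNETLINK interface"
    depends on NETFILTER_ADVANCED
    select NETFILTER_NETLINK

config NETFILTER_NETLINK_LOG
    tristate "Netfilter LOG over NFNETLINK interface"
    select NETFILTER_NETLINK

config NF_CT_NETLINK
    tristate 'Connection tracking netlink interface'
    select NETFILTER_NETLINK

config NETFILTER_NETLINK_GLUE_CT
    bool "NFQUEUE and NFLOG integration with Connection Tracking"
    depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK

config NF_CT_NETLINK_HELPER
    tristate 'Connection tracking helpers in user-space via Netlink'
    select NETFILTER_NETLINK
    depends on NF_CT_NETLINK
    depends on NETFILTER_NETLINK_QUEUE
    depends on NETFILTER_NETLINK_GLUE_CT
    depends on NETFILTER_ADVANCED
"""

def parse_kconfig(text):
    """Return {symbol: {"depends": [expr, ...], "select": [(symbol, cond), ...]}}.
    Only `config`, `depends on` and `select ... [if ...]` lines are read."""
    symbols, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\w+)$", line)
        if m:
            current = symbols.setdefault(m.group(1), {"depends": [], "select": []})
            continue
        if current is None:
            continue
        m = re.match(r"depends on\s+(.+)", line)
        if m:
            current["depends"].append(m.group(1).strip())
            continue
        m = re.match(r"select\s+(\w+)(?:\s+if\s+(.+))?$", line)
        if m:
            current["select"].append((m.group(1), m.group(2)))
    return symbols

def eval_depends(expr, enabled):
    """Evaluate a Kconfig expression against the set of enabled symbols.
    Tristate values are folded to booleans (m and y both count as enabled)."""
    tokens = re.findall(r"\(|\)|&&|\|\||!=|=|!|\w+", expr)
    pos = 0

    def value(tok):
        if tok == "n":
            return False
        if tok in ("m", "y"):
            return True
        return tok in enabled

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            v = or_expr()
            pos += 1                      # consume the closing parenthesis
            return v
        if tok == "!":
            return not atom()
        v = value(tok)
        if pos < len(tokens) and tokens[pos] in ("=", "!="):
            op, rhs = tokens[pos], value(tokens[pos + 1])
            pos += 2
            v = (v == rhs) if op == "=" else (v != rhs)
        return v

    def and_expr():
        nonlocal pos
        v = atom()
        while pos < len(tokens) and tokens[pos] == "&&":
            pos += 1
            rhs = atom()                  # always parse the operand to advance pos
            v = v and rhs
        return v

    def or_expr():
        nonlocal pos
        v = and_expr()
        while pos < len(tokens) and tokens[pos] == "||":
            pos += 1
            rhs = and_expr()
            v = v or rhs
        return v

    return or_expr()

def resolve(symbols, wanted):
    """Closure of `select` over the requested symbols; conditional selects are
    checked against the set built so far, iterating to a fixpoint."""
    enabled = set(wanted)
    while True:
        added = set()
        for sym in enabled:
            for target, cond in symbols.get(sym, {}).get("select", []):
                if target not in enabled and (cond is None or eval_depends(cond, enabled)):
                    added.add(target)
        if not added:
            return enabled
        enabled |= added

def unmet_dependencies(symbols, enabled):
    """{symbol: [failing `depends on` expressions]} for the enabled symbols."""
    unmet = {}
    for sym in enabled:
        failing = [d for d in symbols.get(sym, {}).get("depends", [])
                   if not eval_depends(d, enabled)]
        if failing:
            unmet[sym] = failing
    return unmet
```

Asking for NF_CT_NETLINK_HELPER with only NETFILTER_ADVANCED on pulls in NETFILTER_NETLINK via `select` but leaves three `depends on` lines unmet, which is exactly the case where menuconfig would not offer the option at all; adding the three symbols named in those lines makes the set consistent.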
395 config NF_NAT_PROTO_DCCP
397 depends on NF_NAT && NF_CT_PROTO_DCCP
398 default NF_NAT && NF_CT_PROTO_DCCP
400 config NF_NAT_PROTO_UDPLITE
402 depends on NF_NAT && NF_CT_PROTO_UDPLITE
403 default NF_NAT && NF_CT_PROTO_UDPLITE
405 config NF_NAT_PROTO_SCTP
407 default NF_NAT && NF_CT_PROTO_SCTP
408 depends on NF_NAT && NF_CT_PROTO_SCTP
412 depends on NF_CONNTRACK && NF_NAT
413 default NF_NAT && NF_CONNTRACK_AMANDA
417 depends on NF_CONNTRACK && NF_NAT
418 default NF_NAT && NF_CONNTRACK_FTP
422 depends on NF_CONNTRACK && NF_NAT
423 default NF_NAT && NF_CONNTRACK_IRC
427 depends on NF_CONNTRACK && NF_NAT
428 default NF_NAT && NF_CONNTRACK_SIP
432 depends on NF_CONNTRACK && NF_NAT
433 default NF_NAT && NF_CONNTRACK_TFTP
435 config NF_NAT_REDIRECT
438 config NETFILTER_SYNPROXY
447 select NETFILTER_NETLINK
448 tristate "Netfilter nf_tables support"
450 nftables is the new packet classification framework that intends to
451 replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
452 provides a pseudo-state machine with an extensible instruction-set
453 (also known as expressions) that the userspace 'nft' utility
454 (http://www.netfilter.org/projects/nftables) uses to build the
455 rule-set. It also comes with the generic set infrastructure that
456 allows you to construct mappings between matchings and actions
457 for performance lookups.
459 To compile it as a module, choose M here.
463 config NF_TABLES_INET
465 select NF_TABLES_IPV4
466 select NF_TABLES_IPV6
467 bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
469 This option enables support for a mixed IPv4/IPv6 "inet" table.
471 config NF_TABLES_NETDEV
472 bool "Netfilter nf_tables netdev tables support"
474 This option enables support for the "netdev" table.
477 tristate "Netfilter nf_tables number generator module"
479 This option adds the number generator expression used to perform
480 incremental counting and random numbers bound to an upper limit.
483 depends on NF_CONNTRACK
484 tristate "Netfilter nf_tables conntrack module"
486 This option adds the "ct" expression that you can use to match
487 connection tracking information such as the flow state.
489 config NFT_FLOW_OFFLOAD
490 depends on NF_CONNTRACK && NF_FLOW_TABLE
491 tristate "Netfilter nf_tables hardware flow offload module"
493 This option adds the "flow_offload" expression that you can use to
494 choose what flows are placed into the hardware.
496 config NFT_SET_RBTREE
497 tristate "Netfilter nf_tables rbtree set module"
499 This option adds the "rbtree" set type (Red Black tree) that is used
500 to build interval-based sets.
503 tristate "Netfilter nf_tables hash set module"
505 This option adds the "hash" set type that is used to build one-way
506 mappings between matchings and actions.
508 config NFT_SET_BITMAP
509 tristate "Netfilter nf_tables bitmap set module"
511 This option adds the "bitmap" set type that is used to build sets
512 whose keys are 16 bits or smaller.
515 tristate "Netfilter nf_tables counter module"
517 This option adds the "counter" expression that you can use to
518 include packet and byte counters in a rule.
521 tristate "Netfilter nf_tables connlimit module"
522 depends on NF_CONNTRACK
523 depends on NETFILTER_ADVANCED
524 select NETFILTER_CONNCOUNT
526 This option adds the "connlimit" expression that you can use to
527 ratelimit rule matchings per connection.
530 tristate "Netfilter nf_tables log module"
532 This option adds the "log" expression that you can use to log
533 packets matching some criteria.
536 tristate "Netfilter nf_tables limit module"
538 This option adds the "limit" expression that you can use to
539 ratelimit rule matchings.
542 depends on NF_CONNTRACK
544 tristate "Netfilter nf_tables masquerade support"
546 This option adds the "masquerade" expression that you can use
547 to perform NAT in the masquerade flavour.
550 depends on NF_CONNTRACK
552 tristate "Netfilter nf_tables redirect support"
554 This option adds the "redirect" expression that you can use
555 to perform NAT in the redirect flavour.
558 depends on NF_CONNTRACK
560 tristate "Netfilter nf_tables nat module"
562 This option adds the "nat" expression that you can use to perform
563 typical Network Address Translation (NAT) packet transformations.
566 tristate "Netfilter nf_tables stateful object reference module"
568 This option adds the "objref" expression that allows you to refer to
569 stateful objects, such as counters and quotas.
572 depends on NETFILTER_NETLINK_QUEUE
573 tristate "Netfilter nf_tables queue module"
575 This is required if you intend to use the userspace queueing
576 infrastructure (also known as NFQUEUE) from nftables.
579 tristate "Netfilter nf_tables quota module"
581 This option adds the "quota" expression that you can use to match
582 and enforce byte quotas.
585 default m if NETFILTER_ADVANCED=n
586 tristate "Netfilter nf_tables reject support"
587 depends on !NF_TABLES_INET || (IPV6!=m || m)
589 This option adds the "reject" expression that you can use to
590 explicitly deny and notify via TCP reset/ICMP informational errors
593 config NFT_REJECT_INET
594 depends on NF_TABLES_INET
599 depends on NETFILTER_XTABLES
600 tristate "Netfilter x_tables over nf_tables module"
602 This is required if you intend to use any of the existing
603 x_tables match/target extensions over the nf_tables
607 tristate "Netfilter nf_tables hash module"
609 This option adds the "hash" expression that you can use to perform
610 a hash operation on registers.
616 depends on NF_TABLES_INET
617 depends on NFT_FIB_IPV4
618 depends on NFT_FIB_IPV6
619 tristate "Netfilter nf_tables fib inet support"
621 This option allows using the FIB expression from the inet table.
622 The lookup will be delegated to the IPv4 or IPv6 FIB depending
623 on the protocol of the packet.
626 tristate "Netfilter nf_tables socket match support"
627 depends on IPV6 || IPV6=n
628 select NF_SOCKET_IPV4
629 select NF_SOCKET_IPV6 if IPV6
631 This option allows matching for the presence or absence of a
632 corresponding socket and its attributes.
637 tristate "Netfilter packet duplication support"
639 This option enables the generic packet duplication infrastructure
642 config NFT_DUP_NETDEV
643 tristate "Netfilter nf_tables netdev packet duplication support"
646 This option enables packet duplication for the "netdev" family.
648 config NFT_FWD_NETDEV
649 tristate "Netfilter nf_tables netdev packet forwarding support"
652 This option enables packet forwarding for the "netdev" family.
654 config NFT_FIB_NETDEV
655 depends on NFT_FIB_IPV4
656 depends on NFT_FIB_IPV6
657 tristate "Netfilter nf_tables netdev fib lookups support"
659 This option allows using the FIB expression from the netdev table.
660 The lookup will be delegated to the IPv4 or IPv6 FIB depending
661 on the protocol of the packet.
663 endif # NF_TABLES_NETDEV
667 config NF_FLOW_TABLE_INET
668 tristate "Netfilter flow table mixed IPv4/IPv6 module"
669 depends on NF_FLOW_TABLE
671 This option adds the flow table mixed IPv4/IPv6 support.
673 To compile it as a module, choose M here.
676 tristate "Netfilter flow table module"
677 depends on NETFILTER_INGRESS
678 depends on NF_CONNTRACK
681 This option adds the flow table core infrastructure.
683 To compile it as a module, choose M here.
685 config NETFILTER_XTABLES
686 tristate "Netfilter Xtables support (required for ip_tables)"
687 default m if NETFILTER_ADVANCED=n
689 This is required if you intend to use any of ip_tables,
690 ip6_tables or arp_tables.
694 comment "Xtables combined modules"
696 config NETFILTER_XT_MARK
697 tristate 'nfmark target and match support'
698 default m if NETFILTER_ADVANCED=n
700 This option adds the "MARK" target and "mark" match.
702 Netfilter mark matching allows you to match packets based on the
703 "nfmark" value in the packet.
704 The target allows you to create rules in the "mangle" table which alter
705 the netfilter mark (nfmark) field associated with the packet.
707 Prior to routing, the nfmark can influence the routing method and can
708 also be used by other subsystems to change their behavior.
710 config NETFILTER_XT_CONNMARK
711 tristate 'ctmark target and match support'
712 depends on NF_CONNTRACK
713 depends on NETFILTER_ADVANCED
714 select NF_CONNTRACK_MARK
716 This option adds the "CONNMARK" target and "connmark" match.
718 Netfilter allows you to store a mark value per connection (a.k.a.
719 ctmark), similarly to the packet mark (nfmark). Using this
720 target and match, you can set and match on this mark.
722 config NETFILTER_XT_SET
723 tristate 'set target and match support'
725 depends on NETFILTER_ADVANCED
727 This option adds the "SET" target and "set" match.
729 Using this target and match, you can add/delete and match
730 elements in the sets created by ipset(8).
732 To compile it as a module, choose M here. If unsure, say N.
734 # alphabetically ordered list of targets
736 comment "Xtables targets"
738 config NETFILTER_XT_TARGET_AUDIT
739 tristate "AUDIT target support"
741 depends on NETFILTER_ADVANCED
743 This option adds an 'AUDIT' target, which can be used to create
744 audit records for packets dropped/accepted.
746 To compile it as a module, choose M here. If unsure, say N.
748 config NETFILTER_XT_TARGET_CHECKSUM
749 tristate "CHECKSUM target support"
750 depends on IP_NF_MANGLE || IP6_NF_MANGLE
751 depends on NETFILTER_ADVANCED
753 This option adds a `CHECKSUM' target, which can be used in the iptables mangle
756 You can use this target to compute and fill in the checksum in
757 a packet that lacks a checksum. This is particularly useful,
758 if you need to work around old applications such as dhcp clients,
759 that do not work well with checksum offloads, but don't want to disable
760 checksum offload in your device.
762 To compile it as a module, choose M here. If unsure, say N.
764 config NETFILTER_XT_TARGET_CLASSIFY
765 tristate '"CLASSIFY" target support'
766 depends on NETFILTER_ADVANCED
768 This option adds a `CLASSIFY' target, which enables the user to set
769 the priority of a packet. Some qdiscs can use this value for
770 classification, among these are:
772 atm, cbq, dsmark, pfifo_fast, htb, prio
774 To compile it as a module, choose M here. If unsure, say N.
776 config NETFILTER_XT_TARGET_CONNMARK
777 tristate '"CONNMARK" target support'
778 depends on NF_CONNTRACK
779 depends on NETFILTER_ADVANCED
780 select NETFILTER_XT_CONNMARK
782 This is a backwards-compat option for the user's convenience
783 (e.g. when running oldconfig). It selects
784 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
786 config NETFILTER_XT_TARGET_CONNSECMARK
787 tristate '"CONNSECMARK" target support'
788 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
789 default m if NETFILTER_ADVANCED=n
791 The CONNSECMARK target copies security markings from packets
792 to connections, and restores security markings from connections
793 to packets (if the packets are not already marked). This would
794 normally be used in conjunction with the SECMARK target.
796 To compile it as a module, choose M here. If unsure, say N.
798 config NETFILTER_XT_TARGET_CT
799 tristate '"CT" target support'
800 depends on NF_CONNTRACK
801 depends on IP_NF_RAW || IP6_NF_RAW
802 depends on NETFILTER_ADVANCED
804 This option adds a `CT' target, which allows specifying initial
805 connection tracking parameters like events to be delivered and
806 the helper to be used.
808 To compile it as a module, choose M here. If unsure, say N.
810 config NETFILTER_XT_TARGET_DSCP
811 tristate '"DSCP" and "TOS" target support'
812 depends on IP_NF_MANGLE || IP6_NF_MANGLE
813 depends on NETFILTER_ADVANCED
815 This option adds a `DSCP' target, which allows you to manipulate
816 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
818 The DSCP field can have any value between 0x0 and 0x3f inclusive.
820 It also adds the "TOS" target, which allows you to create rules in
821 the "mangle" table which alter the Type Of Service field of an IPv4
822 or the Priority field of an IPv6 packet, prior to routing.
824 To compile it as a module, choose M here. If unsure, say N.
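At the byte level the DSCP target rewrites the upper six bits of the IPv4 TOS byte (the DSCP field, 0x0 to 0x3f) while leaving the two ECN bits alone, and must then recompute the IPv4 header checksum; the CHECKSUM target described earlier fills in a UDP checksum that checksum offload left at zero. The following Python, added here as an example and not kernel or iptables code, does both on a constructed IPv4/UDP packet (IPv4 only; addresses, ports and payload are made up for the example) and includes the verification functions a practitioner would use to confirm the rewritten packet is still valid:

```python
import ipaddress
import struct

IPPROTO_UDP = 17

def ones_complement_sum(data):
    """RFC 1071 Internet checksum (odd length padded with a zero byte)."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_udp(src, dst, sport, dport, payload, tos=0):
    """Constructed IPv4/UDP packet: valid IP header checksum, UDP checksum
    left at zero the way it leaves a NIC that offloads the checksum."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(udp), 0x1234, 0x4000,
                      64, IPPROTO_UDP, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:]
    return hdr + udp

def ipv4_header_len(pkt):
    return (pkt[0] & 0x0F) * 4

def verify_ipv4_checksum(pkt):
    # a header carrying a correct checksum sums to 0xFFFF, whose complement is 0
    return ones_complement_sum(pkt[:ipv4_header_len(pkt)]) == 0

def get_dscp(pkt):
    return pkt[1] >> 2                      # upper six bits of the TOS byte

def set_dscp(pkt, dscp):
    """What the DSCP target does: rewrite the six DSCP bits, keep the two ECN
    bits, and recompute the IPv4 header checksum so the packet stays valid."""
    if not 0 <= dscp <= 0x3F:
        raise ValueError("DSCP must be between 0x0 and 0x3f inclusive")
    out = bytearray(pkt)
    out[1] = (dscp << 2) | (out[1] & 0x03)
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", ones_complement_sum(out[:ipv4_header_len(out)]))
    return bytes(out)

def udp_checksum(pkt):
    """UDP checksum over the IPv4 pseudo-header (src, dst, zero, proto, length)
    plus the UDP datagram; evaluates to 0 when the stored checksum is correct."""
    ihl = ipv4_header_len(pkt)
    udp = pkt[ihl:]
    pseudo = pkt[12:20] + struct.pack("!BBH", 0, IPPROTO_UDP, len(udp))
    return ones_complement_sum(pseudo + udp)

def fill_udp_checksum(pkt):
    """What the CHECKSUM target does for a datagram with a zero checksum:
    compute and store it (0 means 'no checksum' in UDP, so a computed 0 is
    transmitted as 0xFFFF)."""
    ihl = ipv4_header_len(pkt)
    out = bytearray(pkt)
    out[ihl + 6:ihl + 8] = b"\x00\x00"
    csum = udp_checksum(bytes(out)) or 0xFFFF
    out[ihl + 6:ihl + 8] = struct.pack("!H", csum)
    return bytes(out)

def verify_udp_checksum(pkt):
    return udp_checksum(pkt) == 0
```

Because the UDP pseudo-header covers the addresses but not the TOS byte, a DSCP rewrite after the checksum has been filled leaves the UDP checksum valid; only the IPv4 header checksum needs updating, which is why the two operations can be applied in either order.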
826 config NETFILTER_XT_TARGET_HL
827 tristate '"HL" hoplimit target support'
828 depends on IP_NF_MANGLE || IP6_NF_MANGLE
829 depends on NETFILTER_ADVANCED
831 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
832 targets, which enable the user to change the
833 hoplimit/time-to-live value of the IP header.
835 While it is safe to decrement the hoplimit/TTL value, the
836 modules also allow incrementing and setting the hoplimit value of
837 the header to arbitrary values. This is EXTREMELY DANGEROUS
838 since you can easily create immortal packets that loop
839 forever on the network.
841 config NETFILTER_XT_TARGET_HMARK
842 tristate '"HMARK" target support'
843 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
844 depends on NETFILTER_ADVANCED
846 This option adds the "HMARK" target.
848 The target allows you to create rules in the "raw" and "mangle" tables
849 which set the skbuff mark by means of hash calculation within a given
850 range. The nfmark can influence the routing method and can also be used
851 by other subsystems to change their behaviour.
853 To compile it as a module, choose M here. If unsure, say N.
855 config NETFILTER_XT_TARGET_IDLETIMER
856 tristate "IDLETIMER target support"
857 depends on NETFILTER_ADVANCED
860 This option adds the `IDLETIMER' target. Each matching packet
861 resets the timer associated with the label specified when the rule is
862 added. When the timer expires, it triggers a sysfs notification.
863 The remaining time for expiration can be read via sysfs.
865 To compile it as a module, choose M here. If unsure, say N.
867 config NETFILTER_XT_TARGET_LED
868 tristate '"LED" target support'
869 depends on LEDS_CLASS && LEDS_TRIGGERS
870 depends on NETFILTER_ADVANCED
872 This option adds a `LED' target, which allows you to blink LEDs in
873 response to particular packets passing through your machine.
875 This can be used to turn a spare LED into a network activity LED,
876 which only flashes in response to FTP transfers, for example. Or
877 you could have an LED which lights up for a minute or two every time
878 somebody connects to your machine via SSH.
880 You will need support for the "led" class to make this work.
882 To create an LED trigger for incoming SSH traffic:
883 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
885 Then attach the new trigger to an LED on your system:
886 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
888 For more information on the LEDs available on your system, see
889 Documentation/leds/leds-class.txt
891 config NETFILTER_XT_TARGET_LOG
892 tristate "LOG target support"
895 select NF_LOG_IPV6 if IPV6
896 default m if NETFILTER_ADVANCED=n
898 This option adds a `LOG' target, which allows you to create rules in
899 any iptables table which records the packet header to the syslog.
901 To compile it as a module, choose M here. If unsure, say N.
903 config NETFILTER_XT_TARGET_MARK
904 tristate '"MARK" target support'
905 depends on NETFILTER_ADVANCED
906 select NETFILTER_XT_MARK
908 This is a backwards-compat option for the user's convenience
909 (e.g. when running oldconfig). It selects
910 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
912 config NETFILTER_XT_NAT
913 tristate '"SNAT and DNAT" targets support'
916 This option enables the SNAT and DNAT targets.
918 To compile it as a module, choose M here. If unsure, say N.
920 config NETFILTER_XT_TARGET_NETMAP
921 tristate '"NETMAP" target support'
924 NETMAP is an implementation of static 1:1 NAT mapping of network
925 addresses. It maps the network address part, while keeping the host
928 To compile it as a module, choose M here. If unsure, say N.
930 config NETFILTER_XT_TARGET_NFLOG
931 tristate '"NFLOG" target support'
932 default m if NETFILTER_ADVANCED=n
933 select NETFILTER_NETLINK_LOG
935 This option enables the NFLOG target, which allows logging
936 messages through nfnetlink_log.
938 To compile it as a module, choose M here. If unsure, say N.
940 config NETFILTER_XT_TARGET_NFQUEUE
941 tristate '"NFQUEUE" target Support'
942 depends on NETFILTER_ADVANCED
943 select NETFILTER_NETLINK_QUEUE
945 This target replaced the old obsolete QUEUE target.
947 As opposed to QUEUE, it supports 65535 different queues,
950 To compile it as a module, choose M here. If unsure, say N.
952 config NETFILTER_XT_TARGET_NOTRACK
953 tristate '"NOTRACK" target support (DEPRECATED)'
954 depends on NF_CONNTRACK
955 depends on IP_NF_RAW || IP6_NF_RAW
956 depends on NETFILTER_ADVANCED
957 select NETFILTER_XT_TARGET_CT
959 config NETFILTER_XT_TARGET_RATEEST
960 tristate '"RATEEST" target support'
961 depends on NETFILTER_ADVANCED
963 This option adds a `RATEEST' target, which allows measuring
964 rates similar to TC estimators. The `rateest' match can be
965 used to match on the measured rates.
967 To compile it as a module, choose M here. If unsure, say N.
969 config NETFILTER_XT_TARGET_REDIRECT
970 tristate "REDIRECT target support"
972 select NF_NAT_REDIRECT
974 REDIRECT is a special case of NAT: all incoming connections are
975 mapped onto the incoming interface's address, causing the packets to
976 come to the local machine instead of passing through. This is
977 useful for transparent proxies.
979 To compile it as a module, choose M here. If unsure, say N.
981 config NETFILTER_XT_TARGET_TEE
982 tristate '"TEE" - packet cloning to alternate destination'
983 depends on NETFILTER_ADVANCED
984 depends on IPV6 || IPV6=n
985 depends on !NF_CONNTRACK || NF_CONNTRACK
987 select NF_DUP_IPV6 if IPV6
989 This option adds a "TEE" target with which a packet can be cloned and
990 this clone be rerouted to another nexthop.
992 config NETFILTER_XT_TARGET_TPROXY
993 tristate '"TPROXY" target transparent proxying support'
994 depends on NETFILTER_XTABLES
995 depends on NETFILTER_ADVANCED
996 depends on IPV6 || IPV6=n
997 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
998 depends on IP_NF_MANGLE
999 select NF_DEFRAG_IPV4
1000 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1001 select NF_TPROXY_IPV4
1002 select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1004 This option adds a `TPROXY' target, which is somewhat similar to
1005 REDIRECT. It can only be used in the mangle table and is useful
1006 to redirect traffic to a transparent proxy. It does _not_ depend
1007 on Netfilter connection tracking and NAT, unlike REDIRECT.
1008 For it to work you will have to configure certain iptables rules
1009 and use policy routing. For more information on how to set it up
1010 see Documentation/networking/tproxy.txt.
1012 To compile it as a module, choose M here. If unsure, say N.
1014 config NETFILTER_XT_TARGET_TRACE
1015 tristate '"TRACE" target support'
1016 depends on IP_NF_RAW || IP6_NF_RAW
1017 depends on NETFILTER_ADVANCED
1019 The TRACE target allows you to mark packets so that the kernel
1020 will log every rule which matches the packets as they traverse
1021 the tables, chains, rules.
1023 If you want to compile it as a module, say M here and read
1024 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1026 config NETFILTER_XT_TARGET_SECMARK
1027 tristate '"SECMARK" target support'
1028 depends on NETWORK_SECMARK
1029 default m if NETFILTER_ADVANCED=n
1031 The SECMARK target allows security marking of network
1032 packets, for use with security subsystems.
1034 To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on IPV6 || IPV6=n
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU).

	  This is used to overcome broken ISPs or servers which block ICMP
	  Fragmentation Needed packets. The symptoms of this problem are
	  that everything works fine from your Linux firewall/router, but
	  machines behind it can never exchange large packets:

	  1) Web browsers connect, then hang with no data received.
	  2) Small mail works fine, but large emails hang.
	  3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  such as:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.
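The clamping step that the rule above asks the kernel to perform, as an added example that is not the kernel's xt_TCPMSS.c: it walks the TCP option list of a SYN, lowers the MSS to what the path MTU allows (MTU minus 40 bytes for IPv4, 60 for IPv6), and patches the TCP checksum incrementally per RFC 1624 instead of recomputing it. The packet, the function names and the 1440-byte MTU are this example's own constructions; a full checksum routine is included only so the incremental update can be verified.

```c
/* Added example (not kernel or iptables code): clamp the MSS option of a
 * TCP SYN the way the TCPMSS target does, updating the TCP checksum
 * incrementally (RFC 1624) rather than recomputing it. The SYN below is
 * constructed inline; tcp_checksum() exists only to verify the update. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v >> 8); p[1] = (uint8_t)v; }

/* One's-complement sum of 16-bit words; an odd trailing byte is zero-padded. */
static uint32_t csum_add(uint32_t sum, const uint8_t *p, size_t len)
{
	for (; len > 1; p += 2, len -= 2)
		sum += rd16(p);
	return len ? sum + ((uint32_t)p[0] << 8) : sum;
}

static uint16_t csum_fold(uint32_t sum)
{
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* MSS that fits a path MTU: MTU minus the IPv4 (20) or IPv6 (40) header and
 * the 20-byte TCP header; --clamp-mss-to-pmtu derives this from the route. */
uint16_t mss_for_mtu(uint16_t mtu, int ipv6) { return (uint16_t)(mtu - (ipv6 ? 60 : 40)); }

/* Full TCP checksum over the IPv4 pseudo-header and the segment, with the
 * stored checksum field treated as zero. */
uint16_t tcp_checksum(const uint8_t *ip, size_t iplen)
{
	size_t ihl = (size_t)(ip[0] & 0x0f) * 4, tcplen = iplen - ihl;
	uint8_t pseudo[12];
	uint32_t sum;

	memcpy(pseudo, ip + 12, 8);                      /* src, dst */
	pseudo[8] = 0;
	pseudo[9] = ip[9];                               /* protocol */
	wr16(pseudo + 10, (uint16_t)tcplen);
	sum = csum_add(0, pseudo, sizeof pseudo);
	sum = csum_add(sum, ip + ihl, 16);               /* up to the checksum field */
	sum = csum_add(sum, ip + ihl + 18, tcplen - 18); /* everything after it */
	return csum_fold(sum);
}

/* Lower the MSS option of a SYN to max_mss if it is larger. Returns the MSS
 * found (0 if not a SYN or no MSS option), -1 if headers/options are malformed. */
int clamp_mss(uint8_t *ip, size_t iplen, uint16_t max_mss)
{
	size_t ihl = (size_t)(ip[0] & 0x0f) * 4, doff, i;
	uint8_t *tcp;

	if (iplen < ihl + 20)
		return -1;
	tcp = ip + ihl;
	doff = (size_t)(tcp[12] >> 4) * 4;
	if (doff < 20 || ihl + doff > iplen)
		return -1;
	if (!(tcp[13] & 0x02))                           /* only SYNs carry an MSS */
		return 0;
	for (i = 20; i < doff; ) {
		uint8_t kind = tcp[i], olen;

		if (kind == TCPOPT_EOL)
			break;
		if (kind == TCPOPT_NOP) { i++; continue; }
		if (i + 1 >= doff || (olen = tcp[i + 1]) < 2 || i + olen > doff)
			return -1;
		if (kind == TCPOPT_MSS && olen == 4) {
			uint16_t old = rd16(tcp + i + 2);

			if (old > max_mss) {
				/* RFC 1624: HC' = ~(~HC + ~m + m') */
				uint32_t s = (uint16_t)~rd16(tcp + 16);
				s += (uint16_t)~old;
				s += max_mss;
				wr16(tcp + 16, csum_fold(s));
				wr16(tcp + i + 2, max_mss);
			}
			return old;
		}
		i += olen;
	}
	return 0;
}

/* Constructed IPv4 SYN 192.168.1.10:50000 -> 93.184.216.34:80, MSS 1460,
 * NOP NOP SACK-permitted; the checksum is filled in here. Returns the length. */
size_t build_syn(uint8_t *buf)
{
	static const uint8_t pkt[48] = {
		0x45,0x00,0x00,0x30, 0x12,0x34,0x40,0x00, 0x40,0x06,0x00,0x00,
		0xc0,0xa8,0x01,0x0a, 0x5d,0xb8,0xd8,0x22,
		0xc3,0x50,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
		0x70,0x02,0xfa,0xf0, 0x00,0x00,0x00,0x00,
		0x02,0x04,0x05,0xb4, 0x01,0x01,0x04,0x02,
	};
	memcpy(buf, pkt, sizeof pkt);
	wr16(buf + 20 + 16, tcp_checksum(buf, sizeof pkt));
	return sizeof pkt;
}

/* Build a fresh SYN, clamp it, and return the MSS now in the packet, or -2
 * if the incrementally updated checksum no longer verifies. */
int clamp_demo(uint16_t max_mss)
{
	uint8_t p[48];
	size_t n = build_syn(p);

	if (clamp_mss(p, n, max_mss) < 0 || tcp_checksum(p, n) != rd16(p + 36))
		return -2;
	return rd16(p + 42);
}

int main(void)
{
	printf("MSS after clamping to a 1440-byte MTU: %d\n", clamp_demo(mss_for_mtu(1440, 0)));
	return 0;
}
```

The incremental form matters in the kernel because the segment is already checksummed and possibly offloaded; touching only the changed 16-bit word keeps the per-packet cost constant regardless of segment length.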
config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.
# alphabetically ordered list of matches

comment "Xtables matches"
config NETFILTER_XT_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
config NETFILTER_XT_MATCH_BPF
	tristate '"bpf" match support'
	depends on NETFILTER_ADVANCED
	help
	  BPF matching applies a Linux socket filter (a classic BPF program)
	  to each packet and accepts those for which the filter returns non-zero.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_CGROUP
	tristate '"control group" match support'
	depends on NETFILTER_ADVANCED
	select CGROUP_NET_CLASSID
	help
	  Socket/process control group matching allows you to match locally
	  generated packets based on which net_cls control group the sending
	  process belongs to.
config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on hashing
	  the source address.

	  If you say Y or M here, try `iptables -m cluster --help` for
	  more information.
config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
config NETFILTER_XT_MATCH_CONNLABEL
	tristate '"connlabel" match support'
	select NF_CONNTRACK_LABELS
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This match allows you to test and assign userspace-defined label
	  names to a connection. The kernel only stores bit values; mapping
	  names to bits is done by userspace.

	  Unlike connmark, more than 32 flag bits may be assigned to a
	  connection simultaneously.
config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	help
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).
config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
config NETFILTER_XT_MATCH_DEVGROUP
	tristate '"devgroup" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `devgroup' match, which allows you to match on the
	  device group a network device is assigned to.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an "ECN" match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'.
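The per-key bucket table that the `hashlimit' help text describes, as an added example that is not the kernel's xt_hashlimit.c (it also covers the single-bucket `limit' match further down, which is the same token bucket without a key). It models `-m hashlimit --hashlimit-upto 500/sec --hashlimit-burst 5 --hashlimit-mode srcip,dstport`: each new key starts with a full burst of credit, credit refills at the configured rate, and every packet costs one unit. Time is passed in by the caller so the behaviour is deterministic; the struct and function names, the slot count and the mixing hash are this example's own choices.

```c
/* Added example, not kernel code: a keyed token-bucket table in the style of
 * the hashlimit match. Credit is kept in packets * microseconds so that
 * integer arithmetic is exact: a packet costs HL_COST, and elapsed_us * rate
 * is added on each lookup, capped at burst * HL_COST. A single key (for
 * instance 0) behaves like the plain "limit" match. Names are assumptions. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define HL_SLOTS 256
#define HL_COST  1000000ULL             /* one packet = one second at 1 pps */

struct hl_bucket {
	uint64_t key, credit, last_us;
	struct hl_bucket *next;
};

struct hl_table {
	struct hl_bucket *slots[HL_SLOTS];
	uint64_t rate_per_sec;          /* --hashlimit-upto N/sec */
	uint64_t burst;                 /* --hashlimit-burst */
	unsigned entries;
};

void hl_init(struct hl_table *t, uint64_t rate_per_sec, uint64_t burst)
{
	memset(t, 0, sizeof *t);
	t->rate_per_sec = rate_per_sec;
	t->burst = burst;
}

/* Key for "--hashlimit-mode srcip,dstport"; other modes pick other fields. */
uint64_t hl_key_srcip_dstport(uint32_t srcip, uint16_t dstport)
{
	return ((uint64_t)srcip << 16) | dstport;
}

static unsigned hl_hash(uint64_t key)
{
	key ^= key >> 33; key *= 0xff51afd7ed558ccdULL; key ^= key >> 33;
	return (unsigned)(key % HL_SLOTS);
}

static struct hl_bucket *hl_lookup(struct hl_table *t, uint64_t key, uint64_t now_us)
{
	unsigned h = hl_hash(key);
	struct hl_bucket *b;

	for (b = t->slots[h]; b; b = b->next)
		if (b->key == key)
			return b;
	b = calloc(1, sizeof *b);
	if (!b)
		return NULL;
	b->key = key;
	b->credit = t->burst * HL_COST;  /* a new flow starts with a full burst */
	b->last_us = now_us;
	b->next = t->slots[h];
	t->slots[h] = b;
	t->entries++;
	return b;
}

/* 1 if the packet is within the limit (what --hashlimit-upto matches),
 * 0 if the key has run out of credit (what --hashlimit-above matches). */
int hl_allow(struct hl_table *t, uint64_t key, uint64_t now_us)
{
	struct hl_bucket *b = hl_lookup(t, key, now_us);
	uint64_t cap = t->burst * HL_COST;

	if (!b)
		return 0;                /* fail closed if memory is exhausted */
	if (now_us > b->last_us) {
		b->credit += (now_us - b->last_us) * t->rate_per_sec;
		if (b->credit > cap)
			b->credit = cap;
		b->last_us = now_us;
	}
	if (b->credit >= HL_COST) {
		b->credit -= HL_COST;
		return 1;
	}
	return 0;
}

/* Drop buckets idle longer than expire_us, as the kernel's gc timer does.
 * Returns the number freed. */
unsigned hl_expire(struct hl_table *t, uint64_t now_us, uint64_t expire_us)
{
	unsigned freed = 0, i;

	for (i = 0; i < HL_SLOTS; i++) {
		struct hl_bucket **pp = &t->slots[i];
		while (*pp) {
			struct hl_bucket *b = *pp;
			if (now_us - b->last_us > expire_us) {
				*pp = b->next; free(b); t->entries--; freed++;
			} else {
				pp = &b->next;
			}
		}
	}
	return freed;
}

int main(void)
{
	struct hl_table t;
	uint64_t k = hl_key_srcip_dstport(0x0a000001, 22), us;
	int n = 0;

	hl_init(&t, 500, 5);
	for (us = 0; us < 10000; us += 500)    /* 20 packets in 10 ms at 2000 pps */
		n += hl_allow(&t, k, us);
	printf("%d of 20 packets passed (burst 5 + 500/s refill)\n", n);
	hl_expire(&t, UINT64_MAX, 0);          /* free everything */
	return 0;
}
```

The design point worth noticing is that the table grows with the number of distinct keys an attacker can present; the kernel bounds this with `--hashlimit-htable-max` and the gc expiry, and `--hashlimit-srcmask` collapses whole prefixes into one bucket so a /64 of IPv6 sources cannot inflate it.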
config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp.

	  To compile it as a module, choose M here. If unsure, say Y.
config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	help
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.
config NETFILTER_XT_MATCH_IPCOMP
	tristate '"ipcomp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of CPIs (16-bit
	  Compression Parameter Indexes) inside the IPComp header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an "iprange" match, which allows you to match based on
	  an arbitrary IP address range. (Normal iptables only matches on single
	  addresses with an optional mask.)
config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.
config NETFILTER_XT_MATCH_L2TP
	tristate '"l2tp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an "L2TP" match, which allows you to match against
	  L2TP protocol header fields.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_NFACCT
	tristate '"nfacct" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_ACCT
	help
	  This option allows you to use the extended accounting objects
	  provided through NFNETLINK_ACCT.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows you to passively identify the remote operating system
	  by analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	help
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.
config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  Example: iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>
config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	select NF_SOCKET_IPV4
	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to search for
	  a string pattern in packet payloads.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is running)
	  or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for details.

	  If you want to compile it as a module, say M here.
config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	help
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in the IP or TCP header.

	  Details and examples are in the kernel module source.
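An added example, not the kernel's xt_u32.c, that interprets the u32 expression language just described on a packet constructed inline: `6&0xFF=6` (the IP protocol is TCP) and `0>>22&0x3C@0&0xFFFF=80` (read the IHL out of the first word, scale it to a byte offset, skip the IPv4 header with `@`, then match the TCP destination port) behave as they would with `-m u32 --u32 "..."`. The function names and the sample packet are this example's own; the `@` semantics (add the current value to a running base, then load the word at base plus the given offset, refusing reads past the end of the packet) follow the kernel module.

```c
/* Added example, not kernel code: an interpreter for u32 match expressions
 * ("offset", "&mask", "<<n", ">>n", "@offset", "=lo[:hi],...", "&&"). Shifts
 * of 32 or more yield 0 rather than invoking undefined behaviour. */
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>

static int parse_num(const char **s, uint32_t *out)
{
	char *end;
	unsigned long v = strtoul(*s, &end, 0);   /* base 0: decimal or 0x... */

	if (end == *s)
		return 0;
	*s = end;
	*out = (uint32_t)v;
	return 1;
}

/* Load a big-endian 32-bit word at pos, refusing reads past the packet end. */
static int load32(const uint8_t *pkt, size_t len, uint64_t pos, uint32_t *val)
{
	if (pos > len || len - pos < 4)
		return 0;
	*val = (uint32_t)pkt[pos] << 24 | (uint32_t)pkt[pos + 1] << 16 |
	       (uint32_t)pkt[pos + 2] << 8 | pkt[pos + 3];
	return 1;
}

/* 1 if every "&&"-joined test matches, 0 if one fails or would read out of
 * bounds (the kernel treats that as a non-match), -1 on a syntax error. */
int u32_match(const uint8_t *pkt, size_t len, const char *expr)
{
	const char *s = expr;

	for (;;) {
		uint32_t at = 0, pos, val, num;
		int hit = 0;

		while (*s == ' ') s++;
		if (!parse_num(&s, &pos))
			return -1;
		if (!load32(pkt, len, pos, &val))
			return 0;

		for (;;) {                                /* operand chain */
			if (s[0] == '&' && s[1] != '&') {
				s++;
				if (!parse_num(&s, &num)) return -1;
				val &= num;
			} else if (s[0] == '<' && s[1] == '<') {
				s += 2;
				if (!parse_num(&s, &num)) return -1;
				val = num < 32 ? val << num : 0;
			} else if (s[0] == '>' && s[1] == '>') {
				s += 2;
				if (!parse_num(&s, &num)) return -1;
				val = num < 32 ? val >> num : 0;
			} else if (s[0] == '@') {             /* move base, reload */
				s++;
				if (!parse_num(&s, &pos)) return -1;
				if ((uint64_t)at + val > UINT32_MAX) return 0;
				at += val;
				if (!load32(pkt, len, (uint64_t)at + pos, &val)) return 0;
			} else {
				break;
			}
		}

		if (*s++ != '=')
			return -1;
		for (;;) {                                /* range list lo[:hi],... */
			uint32_t lo, hi;

			if (!parse_num(&s, &lo)) return -1;
			hi = lo;
			if (*s == ':') {
				s++;
				if (!parse_num(&s, &hi)) return -1;
			}
			if (lo <= val && val <= hi) hit = 1;
			if (*s != ',') break;
			s++;
		}
		if (!hit)
			return 0;

		while (*s == ' ') s++;
		if (*s == '\0')
			return 1;
		if (s[0] != '&' || s[1] != '&')
			return -1;
		s += 2;
	}
}

/* Constructed IPv4 packet: 24-byte header (IHL 6, four NOP options), protocol
 * TCP, 10.0.0.1:50000 -> 10.0.0.2:80, a 20-byte SYN header, no payload. */
static const uint8_t sample[44] = {
	0x46,0x00,0x00,0x2c, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,
	0x0a,0x00,0x00,0x01, 0x0a,0x00,0x00,0x02, 0x01,0x01,0x01,0x01,
	0xc3,0x50,0x00,0x50, 0x00,0x00,0x00,0x01, 0x00,0x00,0x00,0x00,
	0x50,0x02,0x20,0x00, 0x00,0x00,0x00,0x00,
};

int sample_match(const char *expr) { return u32_match(sample, sizeof sample, expr); }

int main(void)
{
	printf("TCP to port 80: %d\n", sample_match("6&0xFF=6 && 0>>22&0x3C@0&0xFFFF=80"));
	return 0;
}
```

The sample deliberately carries IP options so that a fixed offset of 20 would land inside the option bytes; only the `0>>22&0x3C@` prefix, which derives the header length from the packet itself, reaches the TCP ports. Any test that runs off the end of the packet is a non-match, never a read past the buffer.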
endif # NETFILTER_XTABLES

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"