menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_INGRESS
	bool "Netfilter ingress support"
	  This allows you to classify packets from ingress using the Netfilter

config NETFILTER_NETLINK

config NETFILTER_FAMILY_BRIDGE

config NETFILTER_FAMILY_ARP

config NETFILTER_NETLINK_ACCT
	tristate "Netfilter NFACCT over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	  If this option is enabled, the kernel will include support
	  for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.
	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG

	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).
	  To compile it as a module, choose M here. If unsure, say N.

	tristate "Netdev packet logging"

config NETFILTER_CONNCOUNT

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity. Connection tracking zones allow multiple
	  connections to use the same identity, as long as they are
	  contained in different zones.

config NF_CONNTRACK_PROCFS
	bool "Supply CT list in procfs (OBSOLETE)"
	  This option enables the list of known conntrack entries
	  to be shown in procfs under net/netfilter/nf_conntrack. This
	  is considered obsolete in favor of using the conntrack(8)
	  tool which uses Netlink.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

config NF_CONNTRACK_TIMEOUT
	bool 'Connection tracking timeout'
	depends on NETFILTER_ADVANCED
	  This option enables support for the connection tracking timeout
	  extension. This allows you to attach timeout policies to flow

config NF_CONNTRACK_TIMESTAMP
	bool 'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start-time and to obtain
	  the flow-stop time (once it has been destroyed) via Connection

config NF_CONNTRACK_LABELS
	  This option enables support for assigning user-defined flag bits
	  to connection tracking entries. It is selected by the connlabel match.
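The connection tracking options above (the flow table itself, zones, per-flow timeout policies, timestamps and labels) are easier to reason about with a small model in hand. The following is an added illustration written for this page in Python; it is not kernel code and does not mirror the kernel's data structures. It assumes flows are identified by a (proto, src, sport, dst, dport) tuple plus a zone number, that a flow is ESTABLISHED only once packets have been seen in both directions, and that a flow whose timeout has elapsed is destroyed with its stop time recorded. All tuples, timeouts and clock values are constructed.

```python
"""Toy connection tracker illustrating the conntrack options above: a flow
table keyed by 5-tuple and zone, NEW/ESTABLISHED state, per-flow timeout
policies, flow start/stop timestamps and user-defined labels.
Added illustration, not kernel code; all tuples and clock values are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# (proto, src, sport, dst, dport) in the original direction
Tuple5 = Tuple[str, str, int, str, int]

# Stand-in for the global timeout policy, in seconds per protocol (constructed).
GLOBAL_TIMEOUT = {"tcp": 300, "udp": 30}


@dataclass
class Conn:
    orig: Tuple5
    zone: int
    start: float                  # flow start time (timestamping)
    last_seen: float
    timeout: int                  # timeout policy attached to this flow
    seen_reply: bool = False      # packets seen in both directions?
    stop: Optional[float] = None  # set when the entry is destroyed
    labels: int = 0               # user-defined flag bits (connlabel)


def reverse(t: Tuple5) -> Tuple5:
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class ConntrackTable:
    def __init__(self) -> None:
        # Keyed by (zone, tuple): the same tuple in two zones is two connections.
        self.live: Dict[Tuple[int, Tuple5], Conn] = {}
        self.destroyed: List[Conn] = []  # keeps stop times readable after expiry

    def _expire(self, now: float) -> None:
        for key, c in list(self.live.items()):
            if now - c.last_seen > c.timeout:
                c.stop = now
                self.destroyed.append(c)
                del self.live[key]

    def lookup(self, pkt: Tuple5, zone: int = 0) -> Optional[Conn]:
        # A packet belongs to a flow whether it travels in the original or reply direction.
        return self.live.get((zone, pkt)) or self.live.get((zone, reverse(pkt)))

    def process(self, pkt: Tuple5, now: float, zone: int = 0,
                timeout: Optional[int] = None) -> str:
        """Return the state a '-m conntrack --ctstate' match would see."""
        self._expire(now)
        c = self.lookup(pkt, zone)
        if c is None:
            # First packet: create the entry, attaching either the per-flow
            # timeout policy or the global one for the protocol.
            self.live[(zone, pkt)] = Conn(pkt, zone, now, now,
                                          timeout or GLOBAL_TIMEOUT[pkt[0]])
            return "NEW"
        c.last_seen = now
        if pkt == reverse(c.orig):
            c.seen_reply = True
        # Until a reply is seen, further original-direction packets are still NEW.
        return "ESTABLISHED" if c.seen_reply else "NEW"

    def set_label(self, pkt: Tuple5, bit: int, zone: int = 0) -> None:
        c = self.lookup(pkt, zone)
        if c is not None:
            c.labels |= 1 << bit

    def has_label(self, pkt: Tuple5, bit: int, zone: int = 0) -> bool:
        c = self.lookup(pkt, zone)
        return c is not None and bool(c.labels & (1 << bit))
```

Two details worth noticing: a second packet in the original direction is still NEW until the reply arrives, which is exactly why a ruleset that only accepts ESTABLISHED on the return path does not accidentally admit unanswered probes; and labels live on the entry, so once a flow expires and is recreated it starts with no labels.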
config NF_CT_PROTO_DCCP
	bool 'DCCP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

config NF_CT_PROTO_GRE

config NF_CT_PROTO_SCTP
	bool 'SCTP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

config NF_CT_PROTO_UDPLITE
	bool 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH_KMP
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.
	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.
	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on IPV6 || IPV6=n
	depends on NETFILTER_ADVANCED
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  With this module you can support H.323 on a connection tracking/NAT
	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.
	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.
	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_BROADCAST

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	select NF_CONNTRACK_BROADCAST
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:
	    $ ip -4 address show eth0
	    4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	        inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.
	  To compile it as a module, choose M here. If unsure, say N.
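Both the NetBIOS-NS and the SNMP broadcast helpers above depend on the interface's broadcast address matching its netmask. The check below is an added example written for this page (not kernel or iproute2 code): it parses the `inet ... brd ... scope ...` lines of `ip -4 address show` output and flags any interface whose configured `brd` is not the directed broadcast of its own prefix. The sample output is constructed; `eth1` is deliberately misconfigured, and the `ppp0` line shows that point-to-point addresses without a `brd` field are skipped.

```python
"""Consistency check for the interface configuration the NetBIOS-NS and SNMP
broadcast helpers rely on: the 'brd' address shown by 'ip -4 address show'
must be the directed broadcast of the interface's own prefix.
Added illustration, not kernel or iproute2 code; the sample output is constructed."""
import ipaddress
import re
from typing import List, Tuple

# Constructed sample of 'ip -4 address show' output (eth1 is wrong on purpose).
SAMPLE_IP_OUTPUT = """\
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 10.1.0.5/16 brd 10.1.0.255 scope global eth1
6: ppp0: <POINTOPOINT,MULTICAST,NOARP,UP> mtu 1492 qdisc pfifo_fast qlen 3
    inet 203.0.113.9 peer 203.0.113.1/32 scope global ppp0
"""

# Only address lines that carry a broadcast address are of interest here.
INET_LINE = re.compile(r"^\s*inet (\S+/\d+) brd (\S+) scope \S+ (\S+)\s*$")


def check_broadcasts(ip_output: str) -> List[Tuple[str, str, str, str, bool]]:
    """Return (iface, cidr, configured_brd, expected_brd, ok) for each inet line.
    Lines without a 'brd' field (point-to-point links) are skipped, since the
    broadcast helpers cannot apply to them anyway."""
    results = []
    for line in ip_output.splitlines():
        m = INET_LINE.match(line)
        if not m:
            continue
        cidr, brd, iface = m.groups()
        # Directed broadcast derived from the address and prefix length.
        expected = str(ipaddress.ip_interface(cidr).network.broadcast_address)
        results.append((iface, cidr, brd, expected, brd == expected))
    return results


def misconfigured(ip_output: str) -> List[str]:
    """Interfaces whose configured broadcast does not match their netmask."""
    return [r[0] for r in check_broadcasts(ip_output) if not r[4]]
```

Run it against real output by piping `ip -4 address show` into `check_broadcasts`; an interface listed by `misconfigured` will have its locally originated broadcast requests and their unicast replies tracked inconsistently by these helpers.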
config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.
	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.
	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	  - Blindly assumes that control connections are always established
	    in PNS->PAC direction. This is a violation of RFC2637.
	  - Only supports a single call within each session
	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support"
	depends on NETFILTER_ADVANCED
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  With this module you can support SANE on a connection tracking
	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.
	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	  TFTP connection tracking helper; this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  To compile it as a module, choose M here. If unsure, say N.

	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	  This option enables support for a netlink-based userspace interface

config NF_CT_NETLINK_TIMEOUT
	tristate 'Connection tracking timeout tuning via Netlink'
	select NETFILTER_NETLINK
	depends on NETFILTER_ADVANCED
	  This option enables support for connection tracking timeout
	  fine-grain tuning. This allows you to attach specific timeout
	  policies to flows, instead of using the global timeout policy.

config NF_CT_NETLINK_HELPER
	tristate 'Connection tracking helpers in user-space via Netlink'
	select NETFILTER_NETLINK
	depends on NF_CT_NETLINK
	depends on NETFILTER_NETLINK_QUEUE
	depends on NETFILTER_NETLINK_GLUE_CT
	depends on NETFILTER_ADVANCED
	  This option enables the user-space connection tracking helpers

config NETFILTER_NETLINK_GLUE_CT
	bool "NFQUEUE and NFLOG integration with Connection Tracking"
	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
	  If this option is enabled, NFQUEUE and NFLOG can include
	  Connection Tracking information together with the packet that
	  is enqueued via NFNETLINK.

config NF_NAT_PROTO_DCCP
	depends on NF_NAT && NF_CT_PROTO_DCCP
	default NF_NAT && NF_CT_PROTO_DCCP

config NF_NAT_PROTO_UDPLITE
	depends on NF_NAT && NF_CT_PROTO_UDPLITE
	default NF_NAT && NF_CT_PROTO_UDPLITE

config NF_NAT_PROTO_SCTP
	default NF_NAT && NF_CT_PROTO_SCTP
	depends on NF_NAT && NF_CT_PROTO_SCTP

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_REDIRECT
	tristate "IPv4/IPv6 redirect support"
	  This is the kernel functionality to redirect packets to local

config NETFILTER_SYNPROXY

	select NETFILTER_NETLINK
	tristate "Netfilter nf_tables support"
	  nftables is the new packet classification framework that intends to
	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
	  provides a pseudo-state machine with an extensible instruction-set
	  (also known as expressions) that the userspace 'nft' utility
	  (http://www.netfilter.org/projects/nftables) uses to build the
	  rule-set. It also comes with the generic set infrastructure that
	  allows you to construct mappings between matchings and actions
	  for performance lookups.
	  To compile it as a module, choose M here.

config NF_TABLES_INET
	select NF_TABLES_IPV4
	select NF_TABLES_IPV6
	tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
	  This option enables support for a mixed IPv4/IPv6 "inet" table.

config NF_TABLES_NETDEV
	tristate "Netfilter nf_tables netdev tables support"
	  This option enables support for the "netdev" table.

	tristate "Netfilter nf_tables exthdr module"
	  This option adds the "exthdr" expression that you can use to match
	  IPv6 extension headers and tcp options.

	tristate "Netfilter nf_tables meta module"
	  This option adds the "meta" expression that you can use to match and
	  to set packet metainformation such as the packet mark.

	tristate "Netfilter nf_tables routing module"
	  This option adds the "rt" expression that you can use to match
	  packet routing information such as the packet nexthop.

	tristate "Netfilter nf_tables number generator module"
	  This option adds the number generator expression used to perform
	  incremental counting and random numbers bound to an upper limit.

	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables conntrack module"
	  This option adds the "ct" expression that you can use to match
	  connection tracking information such as the flow state.

config NFT_FLOW_OFFLOAD
	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables hardware flow offload module"
	  This option adds the "flow_offload" expression that you can use to
	  choose what flows are placed into the hardware.

config NFT_SET_RBTREE
	tristate "Netfilter nf_tables rbtree set module"
	  This option adds the "rbtree" set type (Red Black tree) that is used
	  to build interval-based sets.

	tristate "Netfilter nf_tables hash set module"
	  This option adds the "hash" set type that is used to build one-way
	  mappings between matchings and actions.

config NFT_SET_BITMAP
	tristate "Netfilter nf_tables bitmap set module"
	  This option adds the "bitmap" set type that is used to build sets
	  whose keys are smaller or equal to 16 bits.

	tristate "Netfilter nf_tables counter module"
	  This option adds the "counter" expression that you can use to
	  include packet and byte counters in a rule.

	tristate "Netfilter nf_tables log module"
	  This option adds the "log" expression that you can use to log
	  packets matching some criteria.

	tristate "Netfilter nf_tables limit module"
	  This option adds the "limit" expression that you can use to
	  ratelimit rule matchings.

	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables masquerade support"
	  This option adds the "masquerade" expression that you can use
	  to perform NAT in the masquerade flavour.

	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables redirect support"
	  This option adds the "redirect" expression that you can use
	  to perform NAT in the redirect flavour.

	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables nat module"
	  This option adds the "nat" expression that you can use to perform
	  typical Network Address Translation (NAT) packet transformations.

	tristate "Netfilter nf_tables stateful object reference module"
	  This option adds the "objref" expression that allows you to refer to
	  stateful objects, such as counters and quotas.

	depends on NETFILTER_NETLINK_QUEUE
	tristate "Netfilter nf_tables queue module"
	  This is required if you intend to use the userspace queueing
	  infrastructure (also known as NFQUEUE) from nftables.

	tristate "Netfilter nf_tables quota module"
	  This option adds the "quota" expression that you can use to
	  enforce byte quotas.

	default m if NETFILTER_ADVANCED=n
	tristate "Netfilter nf_tables reject support"
	  This option adds the "reject" expression that you can use to
	  explicitly deny and notify via TCP reset/ICMP informational errors

config NFT_REJECT_INET
	depends on NF_TABLES_INET

	depends on NETFILTER_XTABLES
	tristate "Netfilter x_tables over nf_tables module"
	  This is required if you intend to use any of the existing
	  x_tables match/target extensions over the nf_tables

	tristate "Netfilter nf_tables hash module"
	  This option adds the "hash" expression that you can use to perform
	  a hash operation on registers.

	depends on NF_TABLES_INET
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables fib inet support"
	  This option allows using the FIB expression from the inet table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

	tristate "Netfilter packet duplication support"
	  This option enables the generic packet duplication infrastructure

config NFT_DUP_NETDEV
	tristate "Netfilter nf_tables netdev packet duplication support"
	  This option enables packet duplication for the "netdev" family.

config NFT_FWD_NETDEV
	tristate "Netfilter nf_tables netdev packet forwarding support"
	  This option enables packet forwarding for the "netdev" family.

config NFT_FIB_NETDEV
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables netdev fib lookups support"
	  This option allows using the FIB expression from the netdev table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

endif # NF_TABLES_NETDEV

config NF_FLOW_TABLE_INET
	tristate "Netfilter flow table mixed IPv4/IPv6 module"
	depends on NF_FLOW_TABLE_IPV4 && NF_FLOW_TABLE_IPV6
	  This option adds the flow table mixed IPv4/IPv6 support.
	  To compile it as a module, choose M here.

	tristate "Netfilter flow table module"
	depends on NF_CONNTRACK && NF_TABLES
	  This option adds the flow table core infrastructure.
	  To compile it as a module, choose M here.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	  This option adds the "MARK" target and "mark" match.
	  Netfilter mark matching allows you to match packets based on the
	  "nfmark" value in the packet.
	  The target allows you to create rules in the "mangle" table which alter
	  the netfilter mark (nfmark) field associated with the packet.
	  Prior to routing, the nfmark can influence the routing method and can
	  also be used by other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	  This option adds the "CONNMARK" target and "connmark" match.
	  Netfilter allows you to store a mark value per connection (a.k.a.
	  ctmark), similarly to the packet mark (nfmark). Using this
	  target and match, you can set and match on this mark.

config NETFILTER_XT_SET
	tristate 'set target and match support'
	depends on NETFILTER_ADVANCED
	  This option adds the "SET" target and "set" match.
	  Using this target and match, you can add/delete and match
	  elements in the sets created by ipset(8).
	  To compile it as a module, choose M here. If unsure, say N.

# alphabetically ordered list of targets
735 comment "Xtables targets"
737 config NETFILTER_XT_TARGET_AUDIT
738 tristate "AUDIT target support"
740 depends on NETFILTER_ADVANCED
742 This option adds a 'AUDIT' target, which can be used to create
743 audit records for packets dropped/accepted.
745 To compileit as a module, choose M here. If unsure, say N.
747 config NETFILTER_XT_TARGET_CHECKSUM
748 tristate "CHECKSUM target support"
749 depends on IP_NF_MANGLE || IP6_NF_MANGLE
750 depends on NETFILTER_ADVANCED
752 This option adds a `CHECKSUM' target, which can be used in the iptables mangle
755 You can use this target to compute and fill in the checksum in
756 a packet that lacks a checksum. This is particularly useful,
757 if you need to work around old applications such as dhcp clients,
758 that do not work well with checksum offloads, but don't want to disable
759 checksum offload in your device.
761 To compile it as a module, choose M here. If unsure, say N.
763 config NETFILTER_XT_TARGET_CLASSIFY
764 tristate '"CLASSIFY" target support'
765 depends on NETFILTER_ADVANCED
767 This option adds a `CLASSIFY' target, which enables the user to set
768 the priority of a packet. Some qdiscs can use this value for
769 classification, among these are:
771 atm, cbq, dsmark, pfifo_fast, htb, prio
773 To compile it as a module, choose M here. If unsure, say N.
775 config NETFILTER_XT_TARGET_CONNMARK
776 tristate '"CONNMARK" target support'
777 depends on NF_CONNTRACK
778 depends on NETFILTER_ADVANCED
779 select NETFILTER_XT_CONNMARK
781 This is a backwards-compat option for the user's convenience
782 (e.g. when running oldconfig). It selects
783 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
785 config NETFILTER_XT_TARGET_CONNSECMARK
786 tristate '"CONNSECMARK" target support'
787 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
788 default m if NETFILTER_ADVANCED=n
790 The CONNSECMARK target copies security markings from packets
791 to connections, and restores security markings from connections
792 to packets (if the packets are not already marked). This would
793 normally be used in conjunction with the SECMARK target.
795 To compile it as a module, choose M here. If unsure, say N.
797 config NETFILTER_XT_TARGET_CT
798 tristate '"CT" target support'
799 depends on NF_CONNTRACK
800 depends on IP_NF_RAW || IP6_NF_RAW
801 depends on NETFILTER_ADVANCED
803 This options adds a `CT' target, which allows to specify initial
804 connection tracking parameters like events to be delivered and
805 the helper to be used.
807 To compile it as a module, choose M here. If unsure, say N.
809 config NETFILTER_XT_TARGET_DSCP
810 tristate '"DSCP" and "TOS" target support'
811 depends on IP_NF_MANGLE || IP6_NF_MANGLE
812 depends on NETFILTER_ADVANCED
814 This option adds a `DSCP' target, which allows you to manipulate
815 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
817 The DSCP field can have any value between 0x0 and 0x3f inclusive.
819 It also adds the "TOS" target, which allows you to create rules in
820 the "mangle" table which alter the Type Of Service field of an IPv4
821 or the Priority field of an IPv6 packet, prior to routing.
823 To compile it as a module, choose M here. If unsure, say N.
825 config NETFILTER_XT_TARGET_HL
826 tristate '"HL" hoplimit target support'
827 depends on IP_NF_MANGLE || IP6_NF_MANGLE
828 depends on NETFILTER_ADVANCED
830 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
831 targets, which enable the user to change the
832 hoplimit/time-to-live value of the IP header.
834 While it is safe to decrement the hoplimit/TTL value, the
835 modules also allow to increment and set the hoplimit value of
836 the header to arbitrary values. This is EXTREMELY DANGEROUS
837 since you can easily create immortal packets that loop
838 forever on the network.
840 config NETFILTER_XT_TARGET_HMARK
841 tristate '"HMARK" target support'
842 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
843 depends on NETFILTER_ADVANCED
845 This option adds the "HMARK" target.
847 The target allows you to create rules in the "raw" and "mangle" tables
848 which set the skbuff mark by means of hash calculation within a given
849 range. The nfmark can influence the routing method and can also be used
850 by other subsystems to change their behaviour.
852 To compile it as a module, choose M here. If unsure, say N.
854 config NETFILTER_XT_TARGET_IDLETIMER
855 tristate "IDLETIMER target support"
856 depends on NETFILTER_ADVANCED
859 This option adds the `IDLETIMER' target. Each matching packet
860 resets the timer associated with label specified when the rule is
861 added. When the timer expires, it triggers a sysfs notification.
862 The remaining time for expiration can be read via sysfs.
864 To compile it as a module, choose M here. If unsure, say N.
866 config NETFILTER_XT_TARGET_LED
867 tristate '"LED" target support'
868 depends on LEDS_CLASS && LEDS_TRIGGERS
869 depends on NETFILTER_ADVANCED
871 This option adds a `LED' target, which allows you to blink LEDs in
872 response to particular packets passing through your machine.
874 This can be used to turn a spare LED into a network activity LED,
875 which only flashes in response to FTP transfers, for example. Or
876 you could have an LED which lights up for a minute or two every time
877 somebody connects to your machine via SSH.
879 You will need support for the "led" class to make this work.
881 To create an LED trigger for incoming SSH traffic:
882 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
884 Then attach the new trigger to an LED on your system:
885 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
887 For more information on the LEDs available on your system, see
888 Documentation/leds/leds-class.txt
890 config NETFILTER_XT_TARGET_LOG
891 tristate "LOG target support"
894 select NF_LOG_IPV6 if IPV6
895 default m if NETFILTER_ADVANCED=n
897 This option adds a `LOG' target, which allows you to create rules in
898 any iptables table which records the packet header to the syslog.
900 To compile it as a module, choose M here. If unsure, say N.
902 config NETFILTER_XT_TARGET_MARK
903 tristate '"MARK" target support'
904 depends on NETFILTER_ADVANCED
905 select NETFILTER_XT_MARK
907 This is a backwards-compat option for the user's convenience
908 (e.g. when running oldconfig). It selects
909 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
911 config NETFILTER_XT_NAT
912 tristate '"SNAT and DNAT" targets support'
915 This option enables the SNAT and DNAT targets.
917 To compile it as a module, choose M here. If unsure, say N.
919 config NETFILTER_XT_TARGET_NETMAP
920 tristate '"NETMAP" target support'
923 NETMAP is an implementation of static 1:1 NAT mapping of network
924 addresses. It maps the network address part, while keeping the host
927 To compile it as a module, choose M here. If unsure, say N.
929 config NETFILTER_XT_TARGET_NFLOG
930 tristate '"NFLOG" target support'
931 default m if NETFILTER_ADVANCED=n
932 select NETFILTER_NETLINK_LOG
934 This option enables the NFLOG target, which allows to LOG
935 messages through nfnetlink_log.
937 To compile it as a module, choose M here. If unsure, say N.
939 config NETFILTER_XT_TARGET_NFQUEUE
940 tristate '"NFQUEUE" target Support'
941 depends on NETFILTER_ADVANCED
942 select NETFILTER_NETLINK_QUEUE
944 This target replaced the old obsolete QUEUE target.
946 As opposed to QUEUE, it supports 65535 different queues,
949 To compile it as a module, choose M here. If unsure, say N.
951 config NETFILTER_XT_TARGET_NOTRACK
952 tristate '"NOTRACK" target support (DEPRECATED)'
953 depends on NF_CONNTRACK
954 depends on IP_NF_RAW || IP6_NF_RAW
955 depends on NETFILTER_ADVANCED
956 select NETFILTER_XT_TARGET_CT
958 config NETFILTER_XT_TARGET_RATEEST
959 tristate '"RATEEST" target support'
960 depends on NETFILTER_ADVANCED
962 This option adds a `RATEEST' target, which allows to measure
963 rates similar to TC estimators. The `rateest' match can be
964 used to match on the measured rates.
966 To compile it as a module, choose M here. If unsure, say N.
968 config NETFILTER_XT_TARGET_REDIRECT
969 tristate "REDIRECT target support"
971 select NF_NAT_REDIRECT
973 REDIRECT is a special case of NAT: all incoming connections are
974 mapped onto the incoming interface's address, causing the packets to
975 come to the local machine instead of passing through. This is
976 useful for transparent proxies.
978 To compile it as a module, choose M here. If unsure, say N.
980 config NETFILTER_XT_TARGET_TEE
981 tristate '"TEE" - packet cloning to alternate destination'
982 depends on NETFILTER_ADVANCED
983 depends on IPV6 || IPV6=n
984 depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6 if IPV6
	help
	  This option adds a "TEE" target with which a packet can be cloned and
	  this clone be rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target transparent proxying support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on IP_NF_MANGLE
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT. It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy. It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains and rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on IPV6 || IPV6=n
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	        1) Web browsers connect, then hang with no data received.
	        2) Small mail works fine, but large emails hang.
	        3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.
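The MSS clamping described above, as an added illustration that is not code from the kernel's TCPMSS target: it walks the TCP option list of a constructed SYN and, when the advertised MSS exceeds the path MTU minus the 40 bytes of IPv4 and TCP headers, lowers it to that value. The sample header, the IPv4-only overhead and the omission of the checksum update are assumptions stated in the comments.

```python
"""Added illustration of TCPMSS --clamp-mss-to-pmtu on a TCP SYN header (IPv4 case; not kernel code)."""
import struct

TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2
IPV4_TCP_OVERHEAD = 40  # 20-byte IPv4 header + 20-byte TCP header; MSS may not exceed PMTU minus this

def parse_tcp_options(tcp_hdr):
    """Yield (kind, offset, length) for each option; reject headers with inconsistent lengths."""
    doff = (tcp_hdr[12] >> 4) * 4
    if doff < 20 or doff > len(tcp_hdr):
        raise ValueError("bad TCP data offset")
    i = 20
    while i < doff:
        kind = tcp_hdr[i]
        if kind == TCP_OPT_EOL:
            return
        if kind == TCP_OPT_NOP:
            yield kind, i, 1
            i += 1
            continue
        if i + 1 >= doff or tcp_hdr[i + 1] < 2 or i + tcp_hdr[i + 1] > doff:
            raise ValueError("malformed TCP option")
        yield kind, i, tcp_hdr[i + 1]
        i += tcp_hdr[i + 1]

def clamp_mss(tcp_hdr, pmtu):
    """Return (header, mss_in_effect). Only SYN segments are touched, and only when the advertised
    MSS exceeds pmtu - 40; the TCP checksum must then be recomputed by the caller (not shown here)."""
    if not tcp_hdr[13] & 0x02:          # not a SYN: the target leaves it alone
        return tcp_hdr, None
    limit = pmtu - IPV4_TCP_OVERHEAD
    hdr = bytearray(tcp_hdr)
    for kind, off, length in parse_tcp_options(tcp_hdr):
        if kind == TCP_OPT_MSS and length == 4:
            (mss,) = struct.unpack_from("!H", hdr, off + 2)
            if mss > limit:
                struct.pack_into("!H", hdr, off + 2, limit)
                return bytes(hdr), limit
            return tcp_hdr, mss
    return tcp_hdr, None                # no MSS option present (the kernel would add one; not shown)

def build_syn(mss, flags=0x02):
    """Constructed sample TCP header: 40000 -> 443 with MSS, NOP and window-scale options (doff 7)."""
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss) + bytes([TCP_OPT_NOP, 3, 3, 7])
    doff = (20 + len(opts)) // 4
    fixed = struct.pack("!HHIIBBHHH", 40000, 443, 0x1000, 0, doff << 4, flags, 65535, 0, 0)
    return fixed + opts

if __name__ == "__main__":
    clamped, mss = clamp_mss(build_syn(1460), 1400)
    print("MSS after clamp:", mss, "option bytes:", clamped[20:24].hex())
```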
config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_BPF
	tristate '"bpf" match support'
	depends on NETFILTER_ADVANCED
	help
	  BPF matching applies a linux socket filter to each packet and
	  accepts those for which the filter returns non-zero.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CGROUP
	tristate '"control group" match support'
	depends on NETFILTER_ADVANCED
	select CGROUP_NET_CLASSID
	help
	  Socket/process control group matching allows you to match locally
	  generated packets based on which net_cls control group processes

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source

	  If you say Y or M here, try `iptables -m cluster --help` for

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLABEL
	tristate '"connlabel" match support'
	select NF_CONNTRACK_LABELS
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This match allows you to test and assign userspace-defined label names
	  to a connection. The kernel only stores bit values - mapping
	  names to bits is done by userspace.

	  Unlike connmark, more than 32 flag bits may be assigned to a
	  connection simultaneously.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	help
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DEVGROUP
	tristate '"devgroup" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `devgroup' match, which allows you to match on the
	  device group a network device is assigned to.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an "ECN" match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside ESP header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	help
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPCOMP
	tristate '"ipcomp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of CPIs (16 bits)
	  inside IPComp header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

config NETFILTER_XT_MATCH_L2TP
	tristate '"l2tp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an "L2TP" match, which allows you to match against
	  L2TP protocol header fields.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_NFACCT
	tristate '"nfacct" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_ACCT
	help
	  This option allows you to use the extended accounting through

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows you to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	help
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NF_SOCKET_IPV4
	depends on NF_SOCKET_IPV6
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to search for
	  patterns in packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is running)
	  or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for

	  If you want to compile it as a module, say M here.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	help
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header

	  Details and examples are in the kernel module source.
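An added illustration for the u32 match, not code from the kernel module: an evaluator for the same expression syntax (a number, then `&`, `<<`, `>>` and `@` applied left to right; values as comma lists and lo:hi ranges), run over a constructed IPv4/UDP packet. It assumes the documented behaviour that a read past the end of the packet fails the test, and uses the IHL-skipping idiom `0>>22&0x3C@` that the help text above alludes to.

```python
"""Added illustration: evaluator for the xt_u32 match expression syntax (not kernel code)."""
import re
import struct

# Location grammar: a number, then any of "&n", "<<n", ">>n", "@n", applied left to right.
TOKEN = re.compile(r"\s*(0x[0-9a-fA-F]+|\d+|>>|<<|&|@)\s*")

def _read32(pkt, off):
    """Big-endian 32-bit read; None when it would run past the packet end (the test then fails)."""
    if off < 0 or off + 4 > len(pkt):
        return None
    return int.from_bytes(pkt[off:off + 4], "big")

def eval_location(pkt, loc):
    """Compute the 32-bit value (or None) that a u32 location expression selects from pkt."""
    toks = TOKEN.findall(loc)
    base, val = 0, _read32(pkt, int(toks[0], 0))
    for op, arg in zip(toks[1::2], toks[2::2]):
        if val is None:
            break
        n = int(arg, 0)
        if op == "&":
            val &= n
        elif op == "<<":
            val = (val << n) & 0xFFFFFFFF   # u32 arithmetic wraps at 32 bits
        elif op == ">>":
            val >>= n
        else:                               # "@": the current value becomes the new base offset
            base += val
            val = _read32(pkt, base + n)
    return val

def value_matches(val, spec):
    """spec is a comma-separated list of numbers or inclusive lo:hi ranges."""
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        if int(lo, 0) <= val <= int(hi or lo, 0):
            return True
    return False

def u32_match(pkt, expr):
    """All '&&'-separated tests must hold; each test starts again from base offset 0."""
    for test in expr.split("&&"):
        loc, _, spec = test.partition("=")
        val = eval_location(pkt, loc)
        if val is None or not value_matches(val, spec.strip()):
            return False
    return True

def build_ipv4_udp(dport, ip_options=b"", payload=b"\x00" * 4):
    """Constructed sample IPv4/UDP packet (checksums zero); len(ip_options) must be a multiple of 4."""
    ihl = 5 + len(ip_options) // 4
    udp = struct.pack("!HHHH", 40000, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(udp), 0x1234, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 53]))
    return ip + ip_options + udp

# UDP (protocol byte 17) to port 53: skip the IP header by its IHL, then read the UDP port word.
DNS_QUERY = "6&0xFF=17 && 0>>22&0x3C@0&0xFFFF=53"
```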
endif # NETFILTER_XTABLES

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"