| menu "Core Netfilter Configuration" | 
 | 	depends on NET && INET && NETFILTER | 
 |  | 
 | config NETFILTER_NETLINK | 
 | 	tristate | 
 |  | 
 | config NETFILTER_NETLINK_QUEUE | 
 | 	tristate "Netfilter NFQUEUE over NFNETLINK interface" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_NETLINK | 
 | 	help | 
 | 	  If this option is enabled, the kernel will include support | 
 | 	  for queueing packets via NFNETLINK. | 
 | 	   | 
 | config NETFILTER_NETLINK_LOG | 
 | 	tristate "Netfilter LOG over NFNETLINK interface" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	select NETFILTER_NETLINK | 
 | 	help | 
 | 	  If this option is enabled, the kernel will include support | 
 | 	  for logging packets via NFNETLINK. | 
 |  | 
 | 	  This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, | 
 | 	  and is also scheduled to replace the old syslog-based ipt_LOG | 
 | 	  and ip6t_LOG modules. | 
 |  | 
 | config NF_CONNTRACK | 
 | 	tristate "Netfilter connection tracking support" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  Connection tracking keeps a record of what packets have passed | 
 | 	  through your machine, in order to figure out how they are related | 
 | 	  into connections. | 
 |  | 
 | 	  This is required to do Masquerading or other kinds of Network | 
 | 	  Address Translation.  It can also be used to enhance packet | 
 | 	  filtering (see `Connection state match support' below). | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | if NF_CONNTRACK | 
 |  | 
 | config NF_CT_ACCT | 
 | 	bool "Connection tracking flow accounting" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  If this option is enabled, the connection tracking code will | 
 | 	  keep per-flow packet and byte counters. | 
 |  | 
 | 	  Those counters can be used for flow-based accounting or the | 
 | 	  `connbytes' match. | 
 |  | 
 | 	  Please note that currently this option only sets a default state. | 
 | 	  You may change it at boot time with nf_conntrack.acct=0/1 kernel | 
 | 	  parameter or by loading the nf_conntrack module with acct=0/1. | 
 |  | 
 | 	  You may also disable/enable it on a running system with: | 
 | 	   sysctl net.netfilter.nf_conntrack_acct=0/1 | 
 |  | 
 | 	  This option will be removed in 2.6.29. | 
 |  | 
 | 	  If unsure, say `N'. | 
 |  | 
 | config NF_CONNTRACK_MARK | 
 | 	bool  'Connection mark tracking support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option enables support for connection marks, used by the | 
 | 	  `CONNMARK' target and `connmark' match. Similar to the mark value | 
 | 	  of packets, but this mark value is kept in the conntrack session | 
 | 	  instead of the individual packets. | 
 |  | 
 | config NF_CONNTRACK_SECMARK | 
 | 	bool  'Connection tracking security mark support' | 
 | 	depends on NETWORK_SECMARK | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This option enables security markings to be applied to | 
 | 	  connections.  Typically they are copied to connections from | 
 | 	  packets using the CONNSECMARK target and copied back from | 
 | 	  connections to packets with the same target, with the packets | 
 | 	  being originally labeled via SECMARK. | 
 |  | 
 | 	  If unsure, say 'N'. | 
 |  | 
 | config NF_CONNTRACK_EVENTS | 
 | 	bool "Connection tracking events" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  If this option is enabled, the connection tracking code will | 
 | 	  provide a notifier chain that can be used by other kernel code | 
 | 	  to get notified about changes in the connection tracking state. | 
 |  | 
 | 	  If unsure, say `N'. | 
 |  | 
 | config NF_CT_PROTO_DCCP | 
 | 	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)' | 
 | 	depends on EXPERIMENTAL | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	default IP_DCCP | 
 | 	help | 
 | 	  With this option enabled, the layer 3 independent connection | 
 | 	  tracking code will be able to do state tracking on DCCP connections. | 
 |  | 
 | 	  If unsure, say 'N'. | 
 |  | 
 | config NF_CT_PROTO_GRE | 
 | 	tristate | 
 |  | 
 | config NF_CT_PROTO_SCTP | 
 | 	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)' | 
 | 	depends on EXPERIMENTAL | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	default IP_SCTP | 
 | 	help | 
 | 	  With this option enabled, the layer 3 independent connection | 
 | 	  tracking code will be able to do state tracking on SCTP connections. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'. | 
 |  | 
 | config NF_CT_PROTO_UDPLITE | 
 | 	tristate 'UDP-Lite protocol connection tracking support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  With this option enabled, the layer 3 independent connection | 
 | 	  tracking code will be able to do state tracking on UDP-Lite | 
 | 	  connections. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_AMANDA | 
 | 	tristate "Amanda backup protocol support" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select TEXTSEARCH | 
 | 	select TEXTSEARCH_KMP | 
 | 	help | 
 | 	  If you are running the Amanda backup package <http://www.amanda.org/> | 
 | 	  on this machine or machines that will be MASQUERADED through this | 
 | 	  machine, then you may want to enable this feature.  This allows the | 
 | 	  connection tracking and natting code to allow the sub-channels that | 
 | 	  Amanda requires for communication of the backup data, messages and | 
 | 	  index. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_FTP | 
 | 	tristate "FTP protocol support" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  Tracking FTP connections is problematic: special helpers are | 
 | 	  required for tracking them, and doing masquerading and other forms | 
 | 	  of Network Address Translation on them. | 
 |  | 
 | 	  This is FTP support on Layer 3 independent connection tracking. | 
 | 	  Layer 3 independent connection tracking is experimental scheme | 
 | 	  which generalize ip_conntrack to support other layer 3 protocols. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_H323 | 
 | 	tristate "H.323 protocol support" | 
 | 	depends on (IPV6 || IPV6=n) | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most | 
 | 	  important VoIP protocols, it is widely used by voice hardware and | 
 | 	  software including voice gateways, IP phones, Netmeeting, OpenPhone, | 
 | 	  Gnomemeeting, etc. | 
 |  | 
 | 	  With this module you can support H.323 on a connection tracking/NAT | 
 | 	  firewall. | 
 |  | 
 | 	  This module supports RAS, Fast Start, H.245 Tunnelling, Call | 
 | 	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, | 
 | 	  whiteboard, file transfer, etc. For more information, please | 
 | 	  visit http://nath323.sourceforge.net/. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_IRC | 
 | 	tristate "IRC protocol support" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  There is a commonly-used extension to IRC called | 
 | 	  Direct Client-to-Client Protocol (DCC).  This enables users to send | 
 | 	  files to each other, and also chat to each other without the need | 
 | 	  of a server.  DCC Sending is used anywhere you send files over IRC, | 
 | 	  and DCC Chat is most commonly used by Eggdrop bots.  If you are | 
 | 	  using NAT, this extension will enable you to send files and initiate | 
 | 	  chats.  Note that you do NOT need this extension to get files or | 
 | 	  have others initiate chats, or everything else in IRC. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_NETBIOS_NS | 
 | 	tristate "NetBIOS name service protocol support" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  NetBIOS name service requests are sent as broadcast messages from an | 
 | 	  unprivileged port and responded to with unicast messages to the | 
 | 	  same port. This make them hard to firewall properly because connection | 
 | 	  tracking doesn't deal with broadcasts. This helper tracks locally | 
 | 	  originating NetBIOS name service requests and the corresponding | 
 | 	  responses. It relies on correct IP address configuration, specifically | 
 | 	  netmask and broadcast address. When properly configured, the output | 
 | 	  of "ip address show" should look similar to this: | 
 |  | 
 | 	  $ ip -4 address show eth0 | 
 | 	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 | 
 | 	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_PPTP | 
 | 	tristate "PPtP protocol support" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NF_CT_PROTO_GRE | 
 | 	help | 
 | 	  This module adds support for PPTP (Point to Point Tunnelling | 
 | 	  Protocol, RFC2637) connection tracking and NAT. | 
 |  | 
 | 	  If you are running PPTP sessions over a stateful firewall or NAT | 
 | 	  box, you may want to enable this feature. | 
 |  | 
 | 	  Please note that not all PPTP modes of operation are supported yet. | 
 | 	  Specifically these limitations exist: | 
 | 	    - Blindly assumes that control connections are always established | 
 | 	      in PNS->PAC direction. This is a violation of RFC2637. | 
 | 	    - Only supports a single call within each session | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_SANE | 
 | 	tristate "SANE protocol support (EXPERIMENTAL)" | 
 | 	depends on EXPERIMENTAL | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  SANE is a protocol for remote access to scanners as implemented | 
 | 	  by the 'saned' daemon. Like FTP, it uses separate control and | 
 | 	  data connections. | 
 |  | 
 | 	  With this module you can support SANE on a connection tracking | 
 | 	  firewall. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_SIP | 
 | 	tristate "SIP protocol support" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  SIP is an application-layer control protocol that can establish, | 
 | 	  modify, and terminate multimedia sessions (conferences) such as | 
 | 	  Internet telephony calls. With the ip_conntrack_sip and | 
 | 	  the nf_nat_sip modules you can support the protocol on a connection | 
 | 	  tracking/NATing firewall. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_TFTP | 
 | 	tristate "TFTP protocol support" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  TFTP connection tracking helper, this is required depending | 
 | 	  on how restrictive your ruleset is. | 
 | 	  If you are using a tftp client behind -j SNAT or -j MASQUERADING | 
 | 	  you will need this. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CT_NETLINK | 
 | 	tristate 'Connection tracking netlink interface' | 
 | 	select NETFILTER_NETLINK | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This option enables support for a netlink-based userspace interface | 
 |  | 
 | endif # NF_CONNTRACK | 
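The `select` and `depends on` lines in this file interact in a way worth auditing: `select` forces a symbol on (NETFILTER_XT_TARGET_NFLOG pulls in NETFILTER_NETLINK_LOG and, through it, NETFILTER_NETLINK) without checking the selected symbol's own `depends on` lines. The script below is an added example, not part of the kernel tree or its kconfig tooling; it parses a constructed fragment written in this file's syntax and reports, for a chosen option, the transitive `select` closure and any `depends on` lines left unsatisfied. It handles only the operators this file uses (&&, ||, !, SYM=n, parentheses).

```python
"""Audit what a Kconfig option forces on via `select` and what its `depends on`
lines require. Added example; not part of the kernel tree or its kconfig tools."""
import re

# Constructed fragment in the syntax of the file above (a trimmed subset of it).
KCONFIG_FRAGMENT = """
config NETFILTER_NETLINK
    tristate

config NETFILTER_NETLINK_LOG
    select NETFILTER_NETLINK
    help
      If this option is enabled, the kernel will include support
      for logging packets via NFNETLINK.

config NF_CT_ACCT
    depends on NETFILTER_ADVANCED

config NETFILTER_XT_TARGET_NFLOG
    select NETFILTER_NETLINK_LOG

config NETFILTER_XT_MATCH_CONNBYTES
    depends on NF_CONNTRACK
    depends on NETFILTER_ADVANCED
    select NF_CT_ACCT
"""
TOKEN_RE = re.compile(r"\s*(\(|\)|&&|\|\||!|[A-Za-z0-9_]+(?:=[ymn])?)")

def evaluate(expr, enabled):
    """Evaluate a Kconfig boolean expression (&&, ||, !, SYM=n, parentheses)."""
    tokens = TOKEN_RE.findall(expr)
    if "".join(tokens) != re.sub(r"\s", "", expr):
        raise ValueError(f"unsupported expression: {expr!r}")
    pos = 0  # cursor into tokens, shared by the nested parser
    def parse(level=0):  # precedence levels: 0 is ||, 1 is &&, 2 is an atom
        nonlocal pos
        if level < 2:
            op = ("||", "&&")[level]
            val = parse(level + 1)
            while pos < len(tokens) and tokens[pos] == op:
                pos += 1
                rhs = parse(level + 1)  # always parsed so the tokens are consumed
                val = (val or rhs) if op == "||" else (val and rhs)
            return val
        if pos >= len(tokens):
            raise ValueError(f"unexpected end of {expr!r}")
        tok, pos = tokens[pos], pos + 1
        if tok == "!":
            return not parse(2)
        if tok == "(":
            val = parse(0)
            if pos >= len(tokens) or tokens[pos] != ")":
                raise ValueError(f"missing ')' in {expr!r}")
            pos += 1
            return val
        sym, _, want = tok.partition("=")  # "SYM=n" is true when SYM is off
        return (sym in enabled) == (want != "n")

    result = parse()
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {expr!r}")
    return result

def parse_kconfig(text):
    """Map each config symbol to its `depends on` expressions and `select` lines."""
    entries, current, in_help = {}, None, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("config "):
            current = stripped.split()[1]
            entries[current] = {"depends": [], "select": []}
            in_help = False
        elif current is None or in_help:
            continue  # menu/if/endif lines and help text carry no dependency info
        elif stripped in ("help", "---help---"):
            in_help = True
        elif stripped.startswith("depends on "):
            entries[current]["depends"].append(stripped[len("depends on "):])
        elif stripped.startswith("select "):
            sym, _, cond = stripped[len("select "):].partition(" if ")
            entries[current]["select"].append((sym.strip(), cond.strip() or None))
    return entries

def select_closure(entries, symbol, enabled=()):
    """Symbols transitively forced on by enabling `symbol`, via `select` lines."""
    enabled, forced, todo = set(enabled) | {symbol}, set(), [symbol]
    while todo:
        for target, cond in entries.get(todo.pop(), {"select": []})["select"]:
            if (cond is None or evaluate(cond, enabled)) and target not in forced:
                forced.add(target)
                enabled.add(target)
                todo.append(target)
    return forced

def unmet_dependencies(entries, symbol, enabled):
    """`depends on` lines of `symbol` that `enabled` does not satisfy. Kconfig's
    `select` forces a symbol on without checking these, so this surfaces them."""
    deps = entries.get(symbol, {"depends": []})["depends"]
    return [dep for dep in deps if not evaluate(dep, enabled)]
```

Calling `select_closure(parse_kconfig(KCONFIG_FRAGMENT), "NETFILTER_XT_TARGET_NFLOG")` returns the two netlink symbols, and `unmet_dependencies` on NF_CT_ACCT with only NF_CONNTRACK enabled reports NETFILTER_ADVANCED as unmet even though CONNBYTES would select it.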
 |  | 
 | # transparent proxy support | 
 | config NETFILTER_TPROXY | 
 | 	tristate "Transparent proxying support (EXPERIMENTAL)" | 
 | 	depends on EXPERIMENTAL | 
 | 	depends on IP_NF_MANGLE | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option enables transparent proxying support, that is, | 
 | 	  support for handling non-locally bound IPv4 TCP and UDP sockets. | 
 | 	  For it to work you will have to configure certain iptables rules | 
 | 	  and use policy routing. For more information on how to set it up | 
 | 	  see Documentation/networking/tproxy.txt. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XTABLES | 
 | 	tristate "Netfilter Xtables support (required for ip_tables)" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This is required if you intend to use any of ip_tables, | 
 | 	  ip6_tables or arp_tables. | 
 |  | 
 | if NETFILTER_XTABLES | 
 |  | 
 | # alphabetically ordered list of targets | 
 |  | 
 | config NETFILTER_XT_TARGET_CLASSIFY | 
 | 	tristate '"CLASSIFY" target support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `CLASSIFY' target, which enables the user to set | 
 | 	  the priority of a packet. Some qdiscs can use this value for | 
 | 	  classification, among these are: | 
 |  | 
 |   	  atm, cbq, dsmark, pfifo_fast, htb, prio | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_CONNMARK | 
 | 	tristate  '"CONNMARK" target support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NF_CONNTRACK_MARK | 
 | 	help | 
 | 	  This option adds a `CONNMARK' target, which allows one to manipulate | 
 | 	  the connection mark value.  Similar to the MARK target, but | 
 | 	  affects the connection mark value rather than the packet mark value. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.txt>.  The module will be called | 
 | 	  ipt_CONNMARK.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_TARGET_CONNSECMARK | 
 | 	tristate '"CONNSECMARK" target support' | 
 | 	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  The CONNSECMARK target copies security markings from packets | 
 | 	  to connections, and restores security markings from connections | 
 | 	  to packets (if the packets are not already marked).  This would | 
 | 	  normally be used in conjunction with the SECMARK target. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_DSCP | 
 | 	tristate '"DSCP" and "TOS" target support' | 
 | 	depends on IP_NF_MANGLE || IP6_NF_MANGLE | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `DSCP' target, which allows you to manipulate | 
 | 	  the IPv4/IPv6 header DSCP field (differentiated services codepoint). | 
 |  | 
 | 	  The DSCP field can have any value between 0x0 and 0x3f inclusive. | 
 |  | 
 | 	  It also adds the "TOS" target, which allows you to create rules in | 
 | 	  the "mangle" table which alter the Type Of Service field of an IPv4 | 
 | 	  or the Priority field of an IPv6 packet, prior to routing. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_HL | 
 | 	tristate '"HL" hoplimit target support' | 
 | 	depends on IP_NF_MANGLE || IP6_NF_MANGLE | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	---help--- | 
 | 	This option adds the "HL" (for IPv6) and "TTL" (for IPv4) | 
 | 	targets, which enable the user to change the | 
 | 	hoplimit/time-to-live value of the IP header. | 
 |  | 
 | 	While it is safe to decrement the hoplimit/TTL value, the | 
 | 	modules also allow to increment and set the hoplimit value of | 
 | 	the header to arbitrary values. This is EXTREMELY DANGEROUS | 
 | 	since you can easily create immortal packets that loop | 
 | 	forever on the network. | 
 |  | 
 | config NETFILTER_XT_TARGET_LED | 
 | 	tristate '"LED" target support' | 
 | 	depends on LEDS_CLASS && LEDS_TRIGGERS | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `LED' target, which allows you to blink LEDs in | 
 | 	  response to particular packets passing through your machine. | 
 |  | 
 | 	  This can be used to turn a spare LED into a network activity LED, | 
 | 	  which only flashes in response to FTP transfers, for example.  Or | 
 | 	  you could have an LED which lights up for a minute or two every time | 
 | 	  somebody connects to your machine via SSH. | 
 |  | 
 | 	  You will need support for the "led" class to make this work. | 
 |  | 
 | 	  To create an LED trigger for incoming SSH traffic: | 
 | 	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 | 
 |  | 
 | 	  Then attach the new trigger to an LED on your system: | 
 | 	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger | 
 |  | 
 | 	  For more information on the LEDs available on your system, see | 
 | 	  Documentation/leds-class.txt | 
 |  | 
 | config NETFILTER_XT_TARGET_MARK | 
 | 	tristate '"MARK" target support' | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This option adds a `MARK' target, which allows you to create rules | 
 | 	  in the `mangle' table which alter the netfilter mark (nfmark) field | 
 | 	  associated with the packet prior to routing. This can change | 
 | 	  the routing method (see `Use netfilter MARK value as routing | 
 | 	  key') and can also be used by other subsystems to change their | 
 | 	  behavior. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_NFLOG | 
 | 	tristate '"NFLOG" target support' | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	select NETFILTER_NETLINK_LOG | 
 | 	help | 
 | 	  This option enables the NFLOG target, which allows to LOG | 
 | 	  messages through nfnetlink_log. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_NFQUEUE | 
 | 	tristate '"NFQUEUE" target Support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This target replaced the old obsolete QUEUE target. | 
 |  | 
 | 	  As opposed to QUEUE, it supports 65535 different queues, | 
 | 	  not just one. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_NOTRACK | 
 | 	tristate  '"NOTRACK" target support' | 
 | 	depends on IP_NF_RAW || IP6_NF_RAW | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  The NOTRACK target allows a select rule to specify | 
 | 	  which packets *not* to enter the conntrack/NAT | 
 | 	  subsystem with all the consequences (no ICMP error tracking, | 
 | 	  no protocol helpers for the selected packets). | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_TARGET_RATEEST | 
 | 	tristate '"RATEEST" target support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `RATEEST' target, which allows to measure | 
 | 	  rates similar to TC estimators. The `rateest' match can be | 
 | 	  used to match on the measured rates. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_TPROXY | 
 | 	tristate '"TPROXY" target support (EXPERIMENTAL)' | 
 | 	depends on EXPERIMENTAL | 
 | 	depends on NETFILTER_TPROXY | 
 | 	depends on NETFILTER_XTABLES | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NF_DEFRAG_IPV4 | 
 | 	help | 
 | 	  This option adds a `TPROXY' target, which is somewhat similar to | 
 | 	  REDIRECT.  It can only be used in the mangle table and is useful | 
 | 	  to redirect traffic to a transparent proxy.  It does _not_ depend | 
 | 	  on Netfilter connection tracking and NAT, unlike REDIRECT. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_TRACE | 
 | 	tristate  '"TRACE" target support' | 
 | 	depends on IP_NF_RAW || IP6_NF_RAW | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  The TRACE target allows you to mark packets so that the kernel | 
 | 	  will log every rule which match the packets as those traverse | 
 | 	  the tables, chains, rules. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_TARGET_SECMARK | 
 | 	tristate '"SECMARK" target support' | 
 | 	depends on NETWORK_SECMARK | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  The SECMARK target allows security marking of network | 
 | 	  packets, for use with security subsystems. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_TCPMSS | 
 | 	tristate '"TCPMSS" target support' | 
 | 	depends on (IPV6 || IPV6=n) | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	---help--- | 
 | 	  This option adds a `TCPMSS' target, which allows you to alter the | 
 | 	  MSS value of TCP SYN packets, to control the maximum size for that | 
 | 	  connection (usually limiting it to your outgoing interface's MTU | 
 | 	  minus 40). | 
 |  | 
 | 	  This is used to overcome criminally braindead ISPs or servers which | 
 | 	  block ICMP Fragmentation Needed packets.  The symptoms of this | 
 | 	  problem are that everything works fine from your Linux | 
 | 	  firewall/router, but machines behind it can never exchange large | 
 | 	  packets: | 
 | 	        1) Web browsers connect, then hang with no data received. | 
 | 	        2) Small mail works fine, but large emails hang. | 
 | 	        3) ssh works fine, but scp hangs after initial handshaking. | 
 |  | 
 | 	  Workaround: activate this option and add a rule to your firewall | 
 | 	  configuration like: | 
 |  | 
 | 	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ | 
 | 	                 -j TCPMSS --clamp-mss-to-pmtu | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_TCPOPTSTRIP | 
 | 	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)' | 
 | 	depends on EXPERIMENTAL | 
 | 	depends on IP_NF_MANGLE || IP6_NF_MANGLE | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a "TCPOPTSTRIP" target, which allows you to strip | 
 | 	  TCP options from TCP packets. | 
 |  | 
 | config NETFILTER_XT_MATCH_CLUSTER | 
 | 	tristate '"cluster" match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	---help--- | 
 | 	  This option allows you to build work-load-sharing clusters of | 
 | 	  network servers/stateful firewalls without having a dedicated | 
 | 	  load-balancing router/server/switch. Basically, this match returns | 
 | 	  true when the packet must be handled by this cluster node. Thus, | 
 | 	  all nodes see all packets and this match decides which node handles | 
 | 	  what packets. The work-load sharing algorithm is based on source | 
 | 	  address hashing. | 
 |  | 
 | 	  If you say Y or M here, try `iptables -m cluster --help` for | 
 | 	  more information. | 
 |  | 
 | config NETFILTER_XT_MATCH_COMMENT | 
 | 	tristate  '"comment" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `comment' dummy-match, which allows you to put | 
 | 	  comments in your iptables ruleset. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_CONNBYTES | 
 | 	tristate  '"connbytes" per-connection counter match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NF_CT_ACCT | 
 | 	help | 
 | 	  This option adds a `connbytes' match, which allows you to match the | 
 | 	  number of bytes and/or packets for each direction within a connection. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_CONNLIMIT | 
 | 	tristate '"connlimit" match support"' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	---help--- | 
 | 	  This match allows you to match against the number of parallel | 
 | 	  connections to a server per client IP address (or address block). | 
 |  | 
 | config NETFILTER_XT_MATCH_CONNMARK | 
 | 	tristate  '"connmark" connection mark match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NF_CONNTRACK_MARK | 
 | 	help | 
 | 	  This option adds a `connmark' match, which allows you to match the | 
 | 	  connection mark value previously set for the session by `CONNMARK'.  | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.txt>.  The module will be called | 
 | 	  ipt_connmark.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_CONNTRACK | 
 | 	tristate '"conntrack" connection tracking match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This is a general conntrack match module, a superset of the state match. | 
 |  | 
 | 	  It allows matching on additional conntrack information, which is | 
 | 	  useful in complex configurations, such as NAT gateways with multiple | 
 | 	  internet links or tunnels. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_DCCP | 
 | 	tristate '"dccp" protocol match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	default IP_DCCP | 
 | 	help | 
 | 	  With this option enabled, you will be able to use the iptables | 
 | 	  `dccp' match in order to match on DCCP source/destination ports | 
 | 	  and DCCP flags. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_DSCP | 
 | 	tristate '"dscp" and "tos" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `DSCP' match, which allows you to match against | 
 | 	  the IPv4/IPv6 header DSCP field (differentiated services codepoint). | 
 |  | 
 | 	  The DSCP field can have any value between 0x0 and 0x3f inclusive. | 
 |  | 
 | 	  It will also add a "tos" match, which allows you to match packets | 
 | 	  based on the Type Of Service fields of the IPv4 packet (which share | 
 | 	  the same bits as DSCP). | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_ESP | 
 | 	tristate '"esp" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This match extension allows you to match a range of SPIs | 
 | 	  inside ESP header of IPSec packets. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_HASHLIMIT | 
 | 	tristate '"hashlimit" match support' | 
 | 	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `hashlimit' match. | 
 |  | 
 | 	  As opposed to `limit', this match dynamically creates a hash table | 
 | 	  of limit buckets, based on your selection of source/destination | 
 | 	  addresses and/or ports. | 
 |  | 
 | 	  It enables you to express policies like `10kpps for any given | 
 | 	  destination address' or `500pps from any given source address' | 
 | 	  with a single rule. | 
 |  | 
 | config NETFILTER_XT_MATCH_HELPER | 
 | 	tristate '"helper" match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  Helper matching allows you to match packets in dynamic connections | 
 | 	  tracked by a conntrack-helper, ie. ip_conntrack_ftp | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say Y. | 
 |  | 
 | config NETFILTER_XT_MATCH_HL | 
 | 	tristate '"hl" hoplimit/TTL match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	---help--- | 
 | 	HL matching allows you to match packets based on the hoplimit | 
 | 	in the IPv6 header, or the time-to-live field in the IPv4 | 
 | 	header of the packet. | 
 |  | 
 | config NETFILTER_XT_MATCH_IPRANGE | 
 | 	tristate '"iprange" address range match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	---help--- | 
 | 	This option adds a "iprange" match, which allows you to match based on | 
 | 	an IP address range. (Normal iptables only matches on single addresses | 
 | 	with an optional mask.) | 
 |  | 
 | 	If unsure, say M. | 
 |  | 
 | config NETFILTER_XT_MATCH_LENGTH | 
 | 	tristate '"length" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option allows you to match the length of a packet against a | 
 | 	  specific value or range of values. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_LIMIT | 
 | 	tristate '"limit" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  limit matching allows you to control the rate at which a rule can be | 
 | 	  matched: mainly useful in combination with the LOG target ("LOG | 
 | 	  target support", below) and to avoid some Denial of Service attacks. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_MAC | 
 | 	tristate '"mac" address match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  MAC matching allows you to match packets based on the source | 
 | 	  Ethernet address of the packet. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_MARK | 
 | 	tristate '"mark" match support' | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  Netfilter mark matching allows you to match packets based on the | 
 | 	  `nfmark' value in the packet.  This can be set by the MARK target | 
 | 	  (see below). | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_MULTIPORT | 
 | 	tristate '"multiport" Multiple port match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  Multiport matching allows you to match TCP or UDP packets based on | 
 | 	  a series of source or destination ports: normally a rule can only | 
 | 	  match a single range of ports. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_OWNER | 
 | 	tristate '"owner" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	---help--- | 
 | 	Socket owner matching allows you to match locally-generated packets | 
 | 	based on who created the socket: the user or group. It is also | 
 | 	possible to check whether a socket actually exists. | 
 |  | 
 | config NETFILTER_XT_MATCH_POLICY | 
 | 	tristate 'IPsec "policy" match support' | 
 | 	depends on XFRM | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  Policy matching allows you to match packets based on the | 
 | 	  IPsec policy that was used during decapsulation/will | 
 | 	  be used during encapsulation. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_PHYSDEV | 
 | 	tristate '"physdev" match support' | 
 | 	depends on BRIDGE && BRIDGE_NETFILTER | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  Physdev packet matching matches against the physical bridge ports | 
 | 	  the IP packet arrived on or will leave by. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_PKTTYPE | 
 | 	tristate '"pkttype" packet type match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  Packet type matching allows you to match a packet by | 
 | 	  its "class", eg. BROADCAST, MULTICAST, ... | 
 |  | 
 | 	  Typical usage: | 
 | 	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_QUOTA | 
 | 	tristate '"quota" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `quota' match, which allows matching on a | 
 | 	  byte counter. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_RATEEST | 
 | 	tristate '"rateest" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_XT_TARGET_RATEEST | 
 | 	help | 
 | 	  This option adds a `rateest' match, which allows matching on the | 
 | 	  rate estimated by the RATEEST target. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_REALM | 
 | 	tristate '"realm" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NET_CLS_ROUTE | 
 | 	help | 
 | 	  This option adds a `realm' match, which allows you to use the realm | 
 | 	  key from the routing subsystem inside iptables. | 
 |  | 
 | 	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option  | 
 | 	  in tc world. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_RECENT | 
 | 	tristate '"recent" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	---help--- | 
 | 	This match is used for creating one or many lists of recently | 
 | 	used addresses and then matching against that/those list(s). | 
 |  | 
 | 	Short options are available by using 'iptables -m recent -h'. | 
 | 	Official Website: <http://snowman.net/projects/ipt_recent/> | 
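The list semantics described above, as an added example that is not the kernel's xt_recent code or part of this Kconfig: a user-space Python model of one named "recent" list (a ring of hit timestamps per address) with the --set, --rcheck, --update and --remove operations, driven through the common two-rule chain that rate-limits new SSH connections. `RecentList`, `ssh_chain_verdict`, `run_demo` and the sample addresses are this example's own names; the size defaults follow the module's ip_list_tot/ip_pkt_list_tot parameters, which is an assumption stated in the comments.

```python
from collections import deque

# Added example (not kernel code): a user-space model of one "recent" list.
# Each address carries a ring of hit timestamps; --set records a hit,
# --rcheck tests the list, --update is rcheck plus a new hit on match,
# --remove drops the address. With --seconds only hits at least that recent
# count, and --hitcount requires that many of them. The size defaults are
# assumed to mirror the module's ip_list_tot=100 / ip_pkt_list_tot=20.


class RecentList:
    def __init__(self, max_entries=100, max_stamps=20):
        self.max_entries = max_entries
        self.max_stamps = max_stamps
        self.entries = {}          # address -> deque of hit times (seconds)

    def _touch(self, addr, now):
        """Record a hit; the per-address ring keeps only the newest max_stamps."""
        stamps = self.entries.setdefault(addr, deque(maxlen=self.max_stamps))
        stamps.append(now)
        if len(self.entries) > self.max_entries:
            # list full: evict the address whose most recent hit is oldest (LRU)
            victim = min(self.entries, key=lambda a: self.entries[a][-1])
            del self.entries[victim]

    def set(self, addr, now):
        """--set: add or refresh the address; always matches."""
        self._touch(addr, now)
        return True

    def remove(self, addr):
        """--remove: matches (and deletes) only if the address is listed."""
        return self.entries.pop(addr, None) is not None

    def rcheck(self, addr, now, seconds=0, hitcount=0, update=False):
        """--rcheck (or --update when update=True): match if the address is
        listed with at least `hitcount` hits no older than `seconds`
        (0 = unlimited); the current packet itself is not counted yet."""
        stamps = self.entries.get(addr)
        if stamps is None:
            return False
        hits, matched = 0, False
        for s in stamps:
            if seconds and s < now - seconds:
                continue                       # too old to count
            hits += 1
            if not hitcount or hits >= hitcount:
                matched = True
                break
        if matched and update:
            self._touch(addr, now)             # --update adds this hit too
        return matched

    def update(self, addr, now, seconds=0, hitcount=0):
        return self.rcheck(addr, now, seconds, hitcount, update=True)


def ssh_chain_verdict(table, addr, now, seconds=60, hitcount=4):
    """Verdict for a NEW connection from addr under the common two-rule chain
    (chain policy assumed ACCEPT):
        -m recent --set --name SSH
        -m recent --update --seconds 60 --hitcount 4 --name SSH -j DROP"""
    table.set(addr, now)
    return "DROP" if table.update(addr, now, seconds, hitcount) else "ACCEPT"


def run_demo():
    """Constructed scenario: one client retries every 10 s; its fourth attempt
    inside 60 s is dropped, a later attempt after the window is accepted, and
    an unrelated client is unaffected."""
    table = RecentList()
    attempts = [("198.51.100.7", 0), ("198.51.100.7", 10), ("198.51.100.7", 20),
                ("198.51.100.7", 30), ("203.0.113.9", 31), ("198.51.100.7", 100)]
    return [(addr, t, ssh_chain_verdict(table, addr, t)) for addr, t in attempts]


if __name__ == "__main__":
    for addr, t, verdict in run_demo():
        print("t=%3ds %-14s %s" % (t, addr, verdict))
```

Note the ordering: because --set runs before --update, the current attempt is already in the ring when --update counts hits, so the fourth attempt inside the window is the first one dropped; with --rcheck instead of --update the dropped attempt would not extend the record.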
 |  | 
 | config NETFILTER_XT_MATCH_RECENT_PROC_COMPAT | 
 | 	bool 'Enable obsolete /proc/net/ipt_recent' | 
 | 	depends on NETFILTER_XT_MATCH_RECENT && PROC_FS | 
 | 	---help--- | 
 | 	This option enables the old /proc/net/ipt_recent interface, | 
 | 	which has been obsoleted by /proc/net/xt_recent. | 
 |  | 
 | config NETFILTER_XT_MATCH_SCTP | 
 | 	tristate '"sctp" protocol match support (EXPERIMENTAL)' | 
 | 	depends on EXPERIMENTAL | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	default IP_SCTP | 
 | 	help | 
 | 	  With this option enabled, you will be able to use the  | 
 | 	  `sctp' match in order to match on SCTP source/destination ports | 
 | 	  and SCTP chunk types. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_SOCKET | 
 | 	tristate '"socket" match support (EXPERIMENTAL)' | 
 | 	depends on EXPERIMENTAL | 
 | 	depends on NETFILTER_TPROXY | 
 | 	depends on NETFILTER_XTABLES | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	depends on !NF_CONNTRACK || NF_CONNTRACK | 
 | 	select NF_DEFRAG_IPV4 | 
 | 	help | 
 | 	  This option adds a `socket' match, which can be used to match | 
 | 	  packets for which a TCP or UDP socket lookup finds a valid socket. | 
 | 	  It can be used in combination with the MARK target and policy | 
 | 	  routing to implement fully featured non-locally bound sockets. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_STATE | 
 | 	tristate '"state" match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  Connection state matching allows you to match packets based on their | 
 | 	  relationship to a tracked connection (i.e. previous packets).  This | 
 | 	  is a powerful tool for packet classification. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_STATISTIC | 
 | 	tristate '"statistic" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `statistic' match, which allows you to match | 
 | 	  on packets periodically or randomly with a given percentage. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_STRING | 
 | 	tristate '"string" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select TEXTSEARCH | 
 | 	select TEXTSEARCH_KMP | 
 | 	select TEXTSEARCH_BM | 
 | 	select TEXTSEARCH_FSM | 
 | 	help | 
 | 	  This option adds a `string' match, which allows you to search for | 
 | 	  string patterns in packets. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_TCPMSS | 
 | 	tristate '"tcpmss" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `tcpmss' match, which allows you to examine the | 
 | 	  MSS value of TCP SYN packets, which controls the maximum packet size | 
 | 	  for that connection. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_TIME | 
 | 	tristate '"time" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	---help--- | 
 | 	  This option adds a "time" match, which allows you to match based on | 
 | 	  the packet arrival time (at the machine netfilter is running on) | 
 | 	  or departure time/date (for locally generated packets). | 
 |  | 
 | 	  If you say Y here, try `iptables -m time --help` for | 
 | 	  more information. | 
 |  | 
 | 	  If you want to compile it as a module, say M here. | 
 | 	  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_U32 | 
 | 	tristate '"u32" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	---help--- | 
 | 	  u32 allows you to extract quantities of up to 4 bytes from a packet, | 
 | 	  AND them with specified masks, shift them by specified amounts and | 
 | 	  test whether the results are in any of a set of specified ranges. | 
 | 	  The specification of what to extract is general enough to skip over | 
 | 	  headers with lengths stored in the packet, as in IP or TCP header | 
 | 	  lengths. | 
 |  | 
 | 	  Details and examples are in the kernel module source. | 
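The extract/AND/shift/range-test scheme described above, as an added example that is not the kernel's xt_u32 code or part of this Kconfig: a user-space Python model of the --u32 expression syntax from the iptables man page, evaluated over a constructed IPv4/TCP packet. It shows the "@" operator using the header length stored in the packet to skip the IP header whether or not IP options are present, and that a read past the end of the packet fails the match. `u32_match`, `eval_test`, `parse_test` and `build_ipv4_tcp` are this example's own names.

```python
import re
import struct

# Added example (not kernel code): a user-space model of the xt_u32 test
# language, in the "--u32" syntax documented in the iptables man page.
# Each test reads 4 bytes big-endian at an offset, then applies a chain of
# "&" (AND), "<<" / ">>" (shift) and "@" (add the value to the base offset
# and read again at a new position) operators, and finally compares the
# result against a comma-separated list of values or lo:hi ranges.
# Tests joined with "&&" must all match; any read past the packet fails.

MASK32 = 0xFFFFFFFF
_TOKEN = re.compile(r"(0x[0-9a-fA-F]+|\d+|<<|>>|&|@|=|:|,)")


def _number(tok):
    return int(tok, 16) if tok.lower().startswith("0x") else int(tok, 10)


def _tokenize(test):
    out, pos = [], 0
    while pos < len(test):
        if test[pos].isspace():
            pos += 1
            continue
        m = _TOKEN.match(test, pos)
        if not m:
            raise ValueError("bad u32 token near %r" % test[pos:])
        out.append(m.group(1))
        pos = m.end()
    return out


def parse_test(test):
    """Parse one test into (start offset, [(op, number), ...], [(lo, hi), ...])."""
    toks = _tokenize(test)
    if "=" not in toks or toks[0] == "=":
        raise ValueError("u32 test needs '<location> ... = <ranges>': %r" % test)
    eq = toks.index("=")
    expr, rng = toks[:eq], toks[eq + 1:]
    location, ops = _number(expr[0]), []
    for i in range(1, len(expr), 2):
        op = expr[i]
        if op not in ("&", "<<", ">>", "@") or i + 1 >= len(expr):
            raise ValueError("bad operator sequence in %r" % test)
        ops.append((op, _number(expr[i + 1])))
    ranges = []
    for part in "".join(rng).split(","):
        lo, _, hi = part.partition(":")
        ranges.append((_number(lo), _number(hi) if hi else _number(lo)))
    return location, ops, ranges


def _read32(packet, offset):
    """4-byte big-endian read; None when the read would run past the packet."""
    if offset < 0 or offset + 4 > len(packet):
        return None
    return struct.unpack_from("!I", packet, offset)[0]


def eval_test(packet, test):
    location, ops, ranges = parse_test(test)
    at = 0                                  # base offset, moved by "@"
    val = _read32(packet, at + location)
    if val is None:
        return False
    for op, num in ops:
        if op == "&":
            val &= num
        elif op == "<<":
            val = (val << num) & MASK32
        elif op == ">>":
            val >>= num
        else:                               # "@": base += value, re-read at new position
            at += val
            val = _read32(packet, at + num)
            if val is None:
                return False
    return any(lo <= val <= hi for lo, hi in ranges)


def u32_match(packet, spec):
    """True when every '&&'-joined test in spec matches the packet bytes."""
    return all(eval_test(packet, t) for t in spec.split("&&"))


def build_ipv4_tcp(src_port, dst_port, ihl_words=5):
    """Constructed IPv4 header (padded with zero IP options when ihl_words > 5)
    followed by a TCP SYN header; checksums are left zero for the demo."""
    ip_opts = b"\x00" * (4 * (ihl_words - 5))
    total_len = 4 * ihl_words + 20
    ip_hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl_words, 0, total_len,
                         0x1234, 0x4000, 64, 6, 0,
                         bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    tcp_hdr = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x02,
                          65535, 0, 0)
    return ip_hdr + ip_opts + tcp_hdr


if __name__ == "__main__":
    pkt = build_ipv4_tcp(54321, 22)
    # Protocol byte (offset 9) is the low byte of the word read at offset 6.
    print("TCP?      ", u32_match(pkt, "6&0xFF=6"))
    # IHL*4 from the first word skips the IP header regardless of options.
    print("dport 22? ", u32_match(pkt, "0>>22&0x3C@0&0xFFFF=22"))
    print("with opts ", u32_match(build_ipv4_tcp(54321, 22, 6), "0>>22&0x3C@0&0xFFFF=22"))
```

The "0>>22&0x3C" prefix is the man page's IP-header skip: the top 10 bits of the first word hold version, IHL and two TOS bits, and masking with 0x3C leaves IHL multiplied by 4, which "@" then adds to the base offset.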
 |  | 
 | config NETFILTER_XT_MATCH_OSF | 
 | 	tristate '"osf" Passive OS fingerprint match' | 
 | 	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK | 
 | 	help | 
 | 	  This option selects the Passive OS Fingerprinting match module, | 
 | 	  which passively identifies the remote operating system by | 
 | 	  analyzing incoming TCP SYN packets. | 
 |  | 
 | 	  Rules and loading software can be downloaded from | 
 | 	  http://www.ioremap.net/projects/osf | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | endif # NETFILTER_XTABLES | 
 |  | 
 | endmenu | 
 |  | 
 | source "net/netfilter/ipvs/Kconfig" |