| menu "Core Netfilter Configuration" |
| depends on NET && NETFILTER |
| |
| config NETFILTER_NETLINK |
| tristate "Netfilter netlink interface" |
| help |
| If this option is enabled, the kernel will include support |
| for the new netfilter netlink interface. |
| |
| config NETFILTER_NETLINK_QUEUE |
| tristate "Netfilter NFQUEUE over NFNETLINK interface" |
| depends on NETFILTER_NETLINK |
| help |
| If this option is enabled, the kernel will include support |
| for queueing packets via NFNETLINK. |
| |
| config NETFILTER_NETLINK_LOG |
| tristate "Netfilter LOG over NFNETLINK interface" |
| depends on NETFILTER_NETLINK |
| help |
| If this option is enabled, the kernel will include support |
| for logging packets via NFNETLINK. |
| |
| This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, |
| and is also scheduled to replace the old syslog-based ipt_LOG |
| and ip6t_LOG modules. |
| |
| config NF_CONNTRACK |
| tristate "Layer 3 Independent Connection tracking (EXPERIMENTAL)" |
| depends on EXPERIMENTAL && IP_NF_CONNTRACK=n |
| default n |
| ---help--- |
| Connection tracking keeps a record of what packets have passed |
| through your machine, in order to figure out how they are related |
| into connections. |
| |
| Layer 3 independent connection tracking is experimental scheme |
| which generalize ip_conntrack to support other layer 3 protocols. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NF_CT_ACCT |
| bool "Connection tracking flow accounting" |
| depends on NF_CONNTRACK |
| help |
| If this option is enabled, the connection tracking code will |
| keep per-flow packet and byte counters. |
| |
| Those counters can be used for flow-based accounting or the |
| `connbytes' match. |
| |
| If unsure, say `N'. |
| |
| config NF_CONNTRACK_MARK |
| bool 'Connection mark tracking support' |
| depends on NF_CONNTRACK |
| help |
| This option enables support for connection marks, used by the |
| `CONNMARK' target and `connmark' match. Similar to the mark value |
| of packets, but this mark value is kept in the conntrack session |
| instead of the individual packets. |
| |
| config NF_CONNTRACK_SECMARK |
| bool 'Connection tracking security mark support' |
| depends on NF_CONNTRACK && NETWORK_SECMARK |
| help |
| This option enables security markings to be applied to |
| connections. Typically they are copied to connections from |
| packets using the CONNSECMARK target and copied back from |
| connections to packets with the same target, with the packets |
| being originally labeled via SECMARK. |
| |
| If unsure, say 'N'. |
| |
| config NF_CONNTRACK_EVENTS |
| bool "Connection tracking events (EXPERIMENTAL)" |
| depends on EXPERIMENTAL && NF_CONNTRACK |
| help |
| If this option is enabled, the connection tracking code will |
| provide a notifier chain that can be used by other kernel code |
| to get notified about changes in the connection tracking state. |
| |
| If unsure, say `N'. |
| |
| config NF_CT_PROTO_SCTP |
| tristate 'SCTP protocol on new connection tracking support (EXPERIMENTAL)' |
| depends on EXPERIMENTAL && NF_CONNTRACK |
| default n |
| help |
| With this option enabled, the layer 3 independent connection |
| tracking code will be able to do state tracking on SCTP connections. |
| |
| If you want to compile it as a module, say M here and read |
| Documentation/modules.txt. If unsure, say `N'. |
| |
| config NF_CONNTRACK_FTP |
| tristate "FTP support on new connection tracking (EXPERIMENTAL)" |
| depends on EXPERIMENTAL && NF_CONNTRACK |
| help |
| Tracking FTP connections is problematic: special helpers are |
| required for tracking them, and doing masquerading and other forms |
| of Network Address Translation on them. |
| |
| This is FTP support on Layer 3 independent connection tracking. |
| Layer 3 independent connection tracking is experimental scheme |
| which generalize ip_conntrack to support other layer 3 protocols. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NF_CT_NETLINK |
| tristate 'Connection tracking netlink interface (EXPERIMENTAL)' |
| depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK |
| depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m |
| help |
| This option enables support for a netlink-based userspace interface |
| |
| config NETFILTER_XTABLES |
| tristate "Netfilter Xtables support (required for ip_tables)" |
| help |
| This is required if you intend to use any of ip_tables, |
| ip6_tables or arp_tables. |
| |
| # alphabetically ordered list of targets |
| |
| config NETFILTER_XT_TARGET_CLASSIFY |
| tristate '"CLASSIFY" target support' |
| depends on NETFILTER_XTABLES |
| help |
| This option adds a `CLASSIFY' target, which enables the user to set |
| the priority of a packet. Some qdiscs can use this value for |
| classification, among these are: |
| |
| atm, cbq, dsmark, pfifo_fast, htb, prio |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_TARGET_CONNMARK |
| tristate '"CONNMARK" target support' |
| depends on NETFILTER_XTABLES |
| depends on IP_NF_MANGLE || IP6_NF_MANGLE |
| depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK) |
| help |
| This option adds a `CONNMARK' target, which allows one to manipulate |
| the connection mark value. Similar to the MARK target, but |
| affects the connection mark value rather than the packet mark value. |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/modules.txt>. The module will be called |
| ipt_CONNMARK.o. If unsure, say `N'. |
| |
| config NETFILTER_XT_TARGET_MARK |
| tristate '"MARK" target support' |
| depends on NETFILTER_XTABLES |
| help |
| This option adds a `MARK' target, which allows you to create rules |
| in the `mangle' table which alter the netfilter mark (nfmark) field |
| associated with the packet prior to routing. This can change |
| the routing method (see `Use netfilter MARK value as routing |
| key') and can also be used by other subsystems to change their |
| behavior. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_TARGET_NFQUEUE |
| tristate '"NFQUEUE" target Support' |
| depends on NETFILTER_XTABLES |
| help |
| This target replaced the old obsolete QUEUE target. |
| |
| As opposed to QUEUE, it supports 65535 different queues, |
| not just one. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_TARGET_NOTRACK |
| tristate '"NOTRACK" target support' |
| depends on NETFILTER_XTABLES |
| depends on IP_NF_RAW || IP6_NF_RAW |
| depends on IP_NF_CONNTRACK || NF_CONNTRACK |
| help |
| The NOTRACK target allows a select rule to specify |
| which packets *not* to enter the conntrack/NAT |
| subsystem with all the consequences (no ICMP error tracking, |
| no protocol helpers for the selected packets). |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/modules.txt>. If unsure, say `N'. |
| |
| config NETFILTER_XT_TARGET_SECMARK |
| tristate '"SECMARK" target support' |
| depends on NETFILTER_XTABLES && NETWORK_SECMARK |
| help |
| The SECMARK target allows security marking of network |
| packets, for use with security subsystems. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_TARGET_CONNSECMARK |
| tristate '"CONNSECMARK" target support' |
| depends on NETFILTER_XTABLES && (NF_CONNTRACK_SECMARK || IP_NF_CONNTRACK_SECMARK) |
| help |
| The CONNSECMARK target copies security markings from packets |
| to connections, and restores security markings from connections |
| to packets (if the packets are not already marked). This would |
| normally be used in conjunction with the SECMARK target. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_COMMENT |
| tristate '"comment" match support' |
| depends on NETFILTER_XTABLES |
| help |
| This option adds a `comment' dummy-match, which allows you to put |
| comments in your iptables ruleset. |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/modules.txt>. If unsure, say `N'. |
| |
| config NETFILTER_XT_MATCH_CONNBYTES |
| tristate '"connbytes" per-connection counter match support' |
| depends on NETFILTER_XTABLES |
| depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK) |
| help |
| This option adds a `connbytes' match, which allows you to match the |
| number of bytes and/or packets for each direction within a connection. |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/modules.txt>. If unsure, say `N'. |
| |
| config NETFILTER_XT_MATCH_CONNMARK |
| tristate '"connmark" connection mark match support' |
| depends on NETFILTER_XTABLES |
| depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK) |
| help |
| This option adds a `connmark' match, which allows you to match the |
| connection mark value previously set for the session by `CONNMARK'. |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/modules.txt>. The module will be called |
| ipt_connmark.o. If unsure, say `N'. |
| |
| config NETFILTER_XT_MATCH_CONNTRACK |
| tristate '"conntrack" connection tracking match support' |
| depends on NETFILTER_XTABLES |
| depends on IP_NF_CONNTRACK || NF_CONNTRACK |
| help |
| This is a general conntrack match module, a superset of the state match. |
| |
| It allows matching on additional conntrack information, which is |
| useful in complex configurations, such as NAT gateways with multiple |
| internet links or tunnels. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_DCCP |
| tristate '"DCCP" protocol match support' |
| depends on NETFILTER_XTABLES |
| help |
| With this option enabled, you will be able to use the iptables |
| `dccp' match in order to match on DCCP source/destination ports |
| and DCCP flags. |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/modules.txt>. If unsure, say `N'. |
| |
| config NETFILTER_XT_MATCH_ESP |
| tristate '"ESP" match support' |
| depends on NETFILTER_XTABLES |
| help |
| This match extension allows you to match a range of SPIs |
| inside ESP header of IPSec packets. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_HELPER |
| tristate '"helper" match support' |
| depends on NETFILTER_XTABLES |
| depends on IP_NF_CONNTRACK || NF_CONNTRACK |
| help |
| Helper matching allows you to match packets in dynamic connections |
| tracked by a conntrack-helper, ie. ip_conntrack_ftp |
| |
| To compile it as a module, choose M here. If unsure, say Y. |
| |
| config NETFILTER_XT_MATCH_LENGTH |
| tristate '"length" match support' |
| depends on NETFILTER_XTABLES |
| help |
| This option allows you to match the length of a packet against a |
| specific value or range of values. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_LIMIT |
| tristate '"limit" match support' |
| depends on NETFILTER_XTABLES |
| help |
| limit matching allows you to control the rate at which a rule can be |
| matched: mainly useful in combination with the LOG target ("LOG |
| target support", below) and to avoid some Denial of Service attacks. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_MAC |
| tristate '"mac" address match support' |
| depends on NETFILTER_XTABLES |
| help |
| MAC matching allows you to match packets based on the source |
| Ethernet address of the packet. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_MARK |
| tristate '"mark" match support' |
| depends on NETFILTER_XTABLES |
| help |
| Netfilter mark matching allows you to match packets based on the |
| `nfmark' value in the packet. This can be set by the MARK target |
| (see below). |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_POLICY |
| tristate 'IPsec "policy" match support' |
| depends on NETFILTER_XTABLES && XFRM |
| help |
| Policy matching allows you to match packets based on the |
| IPsec policy that was used during decapsulation/will |
| be used during encapsulation. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_MULTIPORT |
| tristate "Multiple port match support" |
| depends on NETFILTER_XTABLES |
| help |
| Multiport matching allows you to match TCP or UDP packets based on |
| a series of source or destination ports: normally a rule can only |
| match a single range of ports. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_PHYSDEV |
| tristate '"physdev" match support' |
| depends on NETFILTER_XTABLES && BRIDGE_NETFILTER |
| help |
| Physdev packet matching matches against the physical bridge ports |
| the IP packet arrived on or will leave by. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_PKTTYPE |
| tristate '"pkttype" packet type match support' |
| depends on NETFILTER_XTABLES |
| help |
| Packet type matching allows you to match a packet by |
| its "class", eg. BROADCAST, MULTICAST, ... |
| |
| Typical usage: |
| iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_QUOTA |
| tristate '"quota" match support' |
| depends on NETFILTER_XTABLES |
| help |
| This option adds a `quota' match, which allows to match on a |
| byte counter. |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/modules.txt>. If unsure, say `N'. |
| |
| config NETFILTER_XT_MATCH_REALM |
| tristate '"realm" match support' |
| depends on NETFILTER_XTABLES |
| select NET_CLS_ROUTE |
| help |
| This option adds a `realm' match, which allows you to use the realm |
| key from the routing subsystem inside iptables. |
| |
| This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option |
| in tc world. |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/modules.txt>. If unsure, say `N'. |
| |
| config NETFILTER_XT_MATCH_SCTP |
| tristate '"sctp" protocol match support' |
| depends on NETFILTER_XTABLES |
| help |
| With this option enabled, you will be able to use the |
| `sctp' match in order to match on SCTP source/destination ports |
| and SCTP chunk types. |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/modules.txt>. If unsure, say `N'. |
| |
| config NETFILTER_XT_MATCH_STATE |
| tristate '"state" match support' |
| depends on NETFILTER_XTABLES |
| depends on IP_NF_CONNTRACK || NF_CONNTRACK |
| help |
| Connection state matching allows you to match packets based on their |
| relationship to a tracked connection (ie. previous packets). This |
| is a powerful tool for packet classification. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_STATISTIC |
| tristate '"statistic" match support' |
| depends on NETFILTER_XTABLES |
| help |
| statistic module |
| |
| config NETFILTER_XT_MATCH_STRING |
| tristate '"string" match support' |
| depends on NETFILTER_XTABLES |
| select TEXTSEARCH |
| select TEXTSEARCH_KMP |
| select TEXTSEARCH_BM |
| select TEXTSEARCH_FSM |
| help |
| This option adds a `string' match, which allows you to look for |
| pattern matchings in packets. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NETFILTER_XT_MATCH_TCPMSS |
| tristate '"tcpmss" match support' |
| depends on NETFILTER_XTABLES |
| help |
| This option adds a `tcpmss' match, which allows you to examine the |
| MSS value of TCP SYN packets, which control the maximum packet size |
| for that connection. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| endmenu |
| |
