1 menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
4 config NETFILTER_NETLINK
7 config NETFILTER_NETLINK_ACCT
8 tristate "Netfilter NFACCT over NFNETLINK interface"
9 depends on NETFILTER_ADVANCED
10 select NETFILTER_NETLINK
12 If this option is enabled, the kernel will include support
13 for extended accounting via NFNETLINK.
15 config NETFILTER_NETLINK_QUEUE
16 tristate "Netfilter NFQUEUE over NFNETLINK interface"
17 depends on NETFILTER_ADVANCED
18 select NETFILTER_NETLINK
20 If this option is enabled, the kernel will include support
21 for queueing packets via NFNETLINK.
23 config NETFILTER_NETLINK_LOG
24 tristate "Netfilter LOG over NFNETLINK interface"
25 default m if NETFILTER_ADVANCED=n
26 select NETFILTER_NETLINK
28 If this option is enabled, the kernel will include support
29 for logging packets via NFNETLINK.
31 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
32 and is also scheduled to replace the old syslog-based ipt_LOG
36 tristate "Netfilter connection tracking support"
37 default m if NETFILTER_ADVANCED=n
39 Connection tracking keeps a record of what packets have passed
40 through your machine, in order to figure out how they are related
43 This is required to do Masquerading or other kinds of Network
44 Address Translation. It can also be used to enhance packet
45 filtering (see `Connection state match support' below).
47 To compile it as a module, choose M here. If unsure, say N.
51 config NF_CONNTRACK_MARK
52 bool 'Connection mark tracking support'
53 depends on NETFILTER_ADVANCED
55 This option enables support for connection marks, used by the
56 `CONNMARK' target and `connmark' match. Similar to the mark value
57 of packets, but this mark value is kept in the conntrack session
58 instead of the individual packets.
60 config NF_CONNTRACK_SECMARK
61 bool 'Connection tracking security mark support'
62 depends on NETWORK_SECMARK
63 default m if NETFILTER_ADVANCED=n
65 This option enables security markings to be applied to
66 connections. Typically they are copied to connections from
67 packets using the CONNSECMARK target and copied back from
68 connections to packets with the same target, with the packets
69 being originally labeled via SECMARK.
73 config NF_CONNTRACK_ZONES
74 bool 'Connection tracking zones'
75 depends on NETFILTER_ADVANCED
76 depends on NETFILTER_XT_TARGET_CT
78 This option enables support for connection tracking zones.
79 Normally, each connection needs to have a unique system wide
80 identity. Connection tracking zones allow to have multiple
81 connections using the same identity, as long as they are
82 contained in different zones.
86 config NF_CONNTRACK_PROCFS
87 bool "Supply CT list in procfs (OBSOLETE)"
91 This option enables for the list of known conntrack entries
92 to be shown in procfs under net/netfilter/nf_conntrack. This
93 is considered obsolete in favor of using the conntrack(8)
94 tool which uses Netlink.
96 config NF_CONNTRACK_EVENTS
97 bool "Connection tracking events"
98 depends on NETFILTER_ADVANCED
100 If this option is enabled, the connection tracking code will
101 provide a notifier chain that can be used by other kernel code
102 to get notified about changes in the connection tracking state.
106 config NF_CONNTRACK_TIMEOUT
107 bool 'Connection tracking timeout'
108 depends on NETFILTER_ADVANCED
110 This option enables support for connection tracking timeout
111 extension. This allows you to attach timeout policies to flow
116 config NF_CONNTRACK_TIMESTAMP
117 bool 'Connection tracking timestamping'
118 depends on NETFILTER_ADVANCED
120 This option enables support for connection tracking timestamping.
121 This allows you to store the flow start-time and to obtain
122 the flow-stop time (once it has been destroyed) via Connection
127 config NF_CONNTRACK_LABELS
130 This option enables support for assigning user-defined flag bits
131 to connection tracking entries. It selected by the connlabel match.
133 config NF_CT_PROTO_DCCP
134 tristate 'DCCP protocol connection tracking support'
135 depends on NETFILTER_ADVANCED
138 With this option enabled, the layer 3 independent connection
139 tracking code will be able to do state tracking on DCCP connections.
143 config NF_CT_PROTO_GRE
146 config NF_CT_PROTO_SCTP
147 tristate 'SCTP protocol connection tracking support'
148 depends on NETFILTER_ADVANCED
151 With this option enabled, the layer 3 independent connection
152 tracking code will be able to do state tracking on SCTP connections.
154 If you want to compile it as a module, say M here and read
155 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
157 config NF_CT_PROTO_UDPLITE
158 tristate 'UDP-Lite protocol connection tracking support'
159 depends on NETFILTER_ADVANCED
161 With this option enabled, the layer 3 independent connection
162 tracking code will be able to do state tracking on UDP-Lite
165 To compile it as a module, choose M here. If unsure, say N.
167 config NF_CONNTRACK_AMANDA
168 tristate "Amanda backup protocol support"
169 depends on NETFILTER_ADVANCED
171 select TEXTSEARCH_KMP
173 If you are running the Amanda backup package <http://www.amanda.org/>
174 on this machine or machines that will be MASQUERADED through this
175 machine, then you may want to enable this feature. This allows the
176 connection tracking and natting code to allow the sub-channels that
177 Amanda requires for communication of the backup data, messages and
180 To compile it as a module, choose M here. If unsure, say N.
182 config NF_CONNTRACK_FTP
183 tristate "FTP protocol support"
184 default m if NETFILTER_ADVANCED=n
186 Tracking FTP connections is problematic: special helpers are
187 required for tracking them, and doing masquerading and other forms
188 of Network Address Translation on them.
190 This is FTP support on Layer 3 independent connection tracking.
191 Layer 3 independent connection tracking is experimental scheme
192 which generalize ip_conntrack to support other layer 3 protocols.
194 To compile it as a module, choose M here. If unsure, say N.
196 config NF_CONNTRACK_H323
197 tristate "H.323 protocol support"
198 depends on (IPV6 || IPV6=n)
199 depends on NETFILTER_ADVANCED
201 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
202 important VoIP protocols, it is widely used by voice hardware and
203 software including voice gateways, IP phones, Netmeeting, OpenPhone,
206 With this module you can support H.323 on a connection tracking/NAT
209 This module supports RAS, Fast Start, H.245 Tunnelling, Call
210 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
211 whiteboard, file transfer, etc. For more information, please
212 visit http://nath323.sourceforge.net/.
214 To compile it as a module, choose M here. If unsure, say N.
216 config NF_CONNTRACK_IRC
217 tristate "IRC protocol support"
218 default m if NETFILTER_ADVANCED=n
220 There is a commonly-used extension to IRC called
221 Direct Client-to-Client Protocol (DCC). This enables users to send
222 files to each other, and also chat to each other without the need
223 of a server. DCC Sending is used anywhere you send files over IRC,
224 and DCC Chat is most commonly used by Eggdrop bots. If you are
225 using NAT, this extension will enable you to send files and initiate
226 chats. Note that you do NOT need this extension to get files or
227 have others initiate chats, or everything else in IRC.
229 To compile it as a module, choose M here. If unsure, say N.
231 config NF_CONNTRACK_BROADCAST
234 config NF_CONNTRACK_NETBIOS_NS
235 tristate "NetBIOS name service protocol support"
236 select NF_CONNTRACK_BROADCAST
238 NetBIOS name service requests are sent as broadcast messages from an
239 unprivileged port and responded to with unicast messages to the
240 same port. This make them hard to firewall properly because connection
241 tracking doesn't deal with broadcasts. This helper tracks locally
242 originating NetBIOS name service requests and the corresponding
243 responses. It relies on correct IP address configuration, specifically
244 netmask and broadcast address. When properly configured, the output
245 of "ip address show" should look similar to this:
247 $ ip -4 address show eth0
248 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
249 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
251 To compile it as a module, choose M here. If unsure, say N.
253 config NF_CONNTRACK_SNMP
254 tristate "SNMP service protocol support"
255 depends on NETFILTER_ADVANCED
256 select NF_CONNTRACK_BROADCAST
258 SNMP service requests are sent as broadcast messages from an
259 unprivileged port and responded to with unicast messages to the
260 same port. This make them hard to firewall properly because connection
261 tracking doesn't deal with broadcasts. This helper tracks locally
262 originating SNMP service requests and the corresponding
263 responses. It relies on correct IP address configuration, specifically
264 netmask and broadcast address.
266 To compile it as a module, choose M here. If unsure, say N.
268 config NF_CONNTRACK_PPTP
269 tristate "PPtP protocol support"
270 depends on NETFILTER_ADVANCED
271 select NF_CT_PROTO_GRE
273 This module adds support for PPTP (Point to Point Tunnelling
274 Protocol, RFC2637) connection tracking and NAT.
276 If you are running PPTP sessions over a stateful firewall or NAT
277 box, you may want to enable this feature.
279 Please note that not all PPTP modes of operation are supported yet.
280 Specifically these limitations exist:
281 - Blindly assumes that control connections are always established
282 in PNS->PAC direction. This is a violation of RFC2637.
283 - Only supports a single call within each session
285 To compile it as a module, choose M here. If unsure, say N.
287 config NF_CONNTRACK_SANE
288 tristate "SANE protocol support"
289 depends on NETFILTER_ADVANCED
291 SANE is a protocol for remote access to scanners as implemented
292 by the 'saned' daemon. Like FTP, it uses separate control and
295 With this module you can support SANE on a connection tracking
298 To compile it as a module, choose M here. If unsure, say N.
300 config NF_CONNTRACK_SIP
301 tristate "SIP protocol support"
302 default m if NETFILTER_ADVANCED=n
304 SIP is an application-layer control protocol that can establish,
305 modify, and terminate multimedia sessions (conferences) such as
306 Internet telephony calls. With the ip_conntrack_sip and
307 the nf_nat_sip modules you can support the protocol on a connection
308 tracking/NATing firewall.
310 To compile it as a module, choose M here. If unsure, say N.
312 config NF_CONNTRACK_TFTP
313 tristate "TFTP protocol support"
314 depends on NETFILTER_ADVANCED
316 TFTP connection tracking helper, this is required depending
317 on how restrictive your ruleset is.
318 If you are using a tftp client behind -j SNAT or -j MASQUERADING
321 To compile it as a module, choose M here. If unsure, say N.
324 tristate 'Connection tracking netlink interface'
325 select NETFILTER_NETLINK
326 default m if NETFILTER_ADVANCED=n
328 This option enables support for a netlink-based userspace interface
330 config NF_CT_NETLINK_TIMEOUT
331 tristate 'Connection tracking timeout tuning via Netlink'
332 select NETFILTER_NETLINK
333 depends on NETFILTER_ADVANCED
335 This option enables support for connection tracking timeout
336 fine-grain tuning. This allows you to attach specific timeout
337 policies to flows, instead of using the global timeout policy.
341 config NF_CT_NETLINK_HELPER
342 tristate 'Connection tracking helpers in user-space via Netlink'
343 select NETFILTER_NETLINK
344 depends on NF_CT_NETLINK
345 depends on NETFILTER_NETLINK_QUEUE
346 depends on NETFILTER_NETLINK_QUEUE_CT
347 depends on NETFILTER_ADVANCED
349 This option enables the user-space connection tracking helpers
354 config NETFILTER_NETLINK_QUEUE_CT
355 bool "NFQUEUE integration with Connection Tracking"
357 depends on NETFILTER_NETLINK_QUEUE
359 If this option is enabled, NFQUEUE can include Connection Tracking
360 information together with the packet is the enqueued via NFNETLINK.
370 config NF_NAT_PROTO_DCCP
372 depends on NF_NAT && NF_CT_PROTO_DCCP
373 default NF_NAT && NF_CT_PROTO_DCCP
375 config NF_NAT_PROTO_UDPLITE
377 depends on NF_NAT && NF_CT_PROTO_UDPLITE
378 default NF_NAT && NF_CT_PROTO_UDPLITE
380 config NF_NAT_PROTO_SCTP
382 default NF_NAT && NF_CT_PROTO_SCTP
383 depends on NF_NAT && NF_CT_PROTO_SCTP
388 depends on NF_CONNTRACK && NF_NAT
389 default NF_NAT && NF_CONNTRACK_AMANDA
393 depends on NF_CONNTRACK && NF_NAT
394 default NF_NAT && NF_CONNTRACK_FTP
398 depends on NF_CONNTRACK && NF_NAT
399 default NF_NAT && NF_CONNTRACK_IRC
403 depends on NF_CONNTRACK && NF_NAT
404 default NF_NAT && NF_CONNTRACK_SIP
408 depends on NF_CONNTRACK && NF_NAT
409 default NF_NAT && NF_CONNTRACK_TFTP
411 config NETFILTER_SYNPROXY
417 depends on NETFILTER_NETLINK
418 tristate "Netfilter nf_tables support"
422 tristate "Netfilter nf_tables IPv6 exthdr module"
426 tristate "Netfilter nf_tables meta module"
430 depends on NF_CONNTRACK
431 tristate "Netfilter nf_tables conntrack module"
435 tristate "Netfilter nf_tables set module"
439 tristate "Netfilter nf_tables hash module"
443 tristate "Netfilter nf_tables counter module"
447 tristate "Netfilter nf_tables log module"
451 tristate "Netfilter nf_tables limit module"
453 config NETFILTER_XTABLES
454 tristate "Netfilter Xtables support (required for ip_tables)"
455 default m if NETFILTER_ADVANCED=n
457 This is required if you intend to use any of ip_tables,
458 ip6_tables or arp_tables.
462 comment "Xtables combined modules"
464 config NETFILTER_XT_MARK
465 tristate 'nfmark target and match support'
466 default m if NETFILTER_ADVANCED=n
468 This option adds the "MARK" target and "mark" match.
470 Netfilter mark matching allows you to match packets based on the
471 "nfmark" value in the packet.
472 The target allows you to create rules in the "mangle" table which alter
473 the netfilter mark (nfmark) field associated with the packet.
475 Prior to routing, the nfmark can influence the routing method (see
476 "Use netfilter MARK value as routing key") and can also be used by
477 other subsystems to change their behavior.
479 config NETFILTER_XT_CONNMARK
480 tristate 'ctmark target and match support'
481 depends on NF_CONNTRACK
482 depends on NETFILTER_ADVANCED
483 select NF_CONNTRACK_MARK
485 This option adds the "CONNMARK" target and "connmark" match.
487 Netfilter allows you to store a mark value per connection (a.k.a.
488 ctmark), similarly to the packet mark (nfmark). Using this
489 target and match, you can set and match on this mark.
491 config NETFILTER_XT_SET
492 tristate 'set target and match support'
494 depends on NETFILTER_ADVANCED
496 This option adds the "SET" target and "set" match.
498 Using this target and match, you can add/delete and match
499 elements in the sets created by ipset(8).
501 To compile it as a module, choose M here. If unsure, say N.
503 # alphabetically ordered list of targets
505 comment "Xtables targets"
507 config NETFILTER_XT_TARGET_AUDIT
508 tristate "AUDIT target support"
510 depends on NETFILTER_ADVANCED
512 This option adds a 'AUDIT' target, which can be used to create
513 audit records for packets dropped/accepted.
515 To compileit as a module, choose M here. If unsure, say N.
517 config NETFILTER_XT_TARGET_CHECKSUM
518 tristate "CHECKSUM target support"
519 depends on IP_NF_MANGLE || IP6_NF_MANGLE
520 depends on NETFILTER_ADVANCED
522 This option adds a `CHECKSUM' target, which can be used in the iptables mangle
525 You can use this target to compute and fill in the checksum in
526 a packet that lacks a checksum. This is particularly useful,
527 if you need to work around old applications such as dhcp clients,
528 that do not work well with checksum offloads, but don't want to disable
529 checksum offload in your device.
531 To compile it as a module, choose M here. If unsure, say N.
533 config NETFILTER_XT_TARGET_CLASSIFY
534 tristate '"CLASSIFY" target support'
535 depends on NETFILTER_ADVANCED
537 This option adds a `CLASSIFY' target, which enables the user to set
538 the priority of a packet. Some qdiscs can use this value for
539 classification, among these are:
541 atm, cbq, dsmark, pfifo_fast, htb, prio
543 To compile it as a module, choose M here. If unsure, say N.
545 config NETFILTER_XT_TARGET_CONNMARK
546 tristate '"CONNMARK" target support'
547 depends on NF_CONNTRACK
548 depends on NETFILTER_ADVANCED
549 select NETFILTER_XT_CONNMARK
551 This is a backwards-compat option for the user's convenience
552 (e.g. when running oldconfig). It selects
553 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
555 config NETFILTER_XT_TARGET_CONNSECMARK
556 tristate '"CONNSECMARK" target support'
557 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
558 default m if NETFILTER_ADVANCED=n
560 The CONNSECMARK target copies security markings from packets
561 to connections, and restores security markings from connections
562 to packets (if the packets are not already marked). This would
563 normally be used in conjunction with the SECMARK target.
565 To compile it as a module, choose M here. If unsure, say N.
567 config NETFILTER_XT_TARGET_CT
568 tristate '"CT" target support'
569 depends on NF_CONNTRACK
570 depends on IP_NF_RAW || IP6_NF_RAW
571 depends on NETFILTER_ADVANCED
573 This options adds a `CT' target, which allows to specify initial
574 connection tracking parameters like events to be delivered and
575 the helper to be used.
577 To compile it as a module, choose M here. If unsure, say N.
579 config NETFILTER_XT_TARGET_DSCP
580 tristate '"DSCP" and "TOS" target support'
581 depends on IP_NF_MANGLE || IP6_NF_MANGLE
582 depends on NETFILTER_ADVANCED
584 This option adds a `DSCP' target, which allows you to manipulate
585 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
587 The DSCP field can have any value between 0x0 and 0x3f inclusive.
589 It also adds the "TOS" target, which allows you to create rules in
590 the "mangle" table which alter the Type Of Service field of an IPv4
591 or the Priority field of an IPv6 packet, prior to routing.
593 To compile it as a module, choose M here. If unsure, say N.
595 config NETFILTER_XT_TARGET_HL
596 tristate '"HL" hoplimit target support'
597 depends on IP_NF_MANGLE || IP6_NF_MANGLE
598 depends on NETFILTER_ADVANCED
600 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
601 targets, which enable the user to change the
602 hoplimit/time-to-live value of the IP header.
604 While it is safe to decrement the hoplimit/TTL value, the
605 modules also allow to increment and set the hoplimit value of
606 the header to arbitrary values. This is EXTREMELY DANGEROUS
607 since you can easily create immortal packets that loop
608 forever on the network.
610 config NETFILTER_XT_TARGET_HMARK
611 tristate '"HMARK" target support'
612 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
613 depends on NETFILTER_ADVANCED
615 This option adds the "HMARK" target.
617 The target allows you to create rules in the "raw" and "mangle" tables
618 which set the skbuff mark by means of hash calculation within a given
619 range. The nfmark can influence the routing method (see "Use netfilter
620 MARK value as routing key") and can also be used by other subsystems to
621 change their behaviour.
623 To compile it as a module, choose M here. If unsure, say N.
625 config NETFILTER_XT_TARGET_IDLETIMER
626 tristate "IDLETIMER target support"
627 depends on NETFILTER_ADVANCED
630 This option adds the `IDLETIMER' target. Each matching packet
631 resets the timer associated with label specified when the rule is
632 added. When the timer expires, it triggers a sysfs notification.
633 The remaining time for expiration can be read via sysfs.
635 To compile it as a module, choose M here. If unsure, say N.
637 config NETFILTER_XT_TARGET_LED
638 tristate '"LED" target support'
639 depends on LEDS_CLASS && LEDS_TRIGGERS
640 depends on NETFILTER_ADVANCED
642 This option adds a `LED' target, which allows you to blink LEDs in
643 response to particular packets passing through your machine.
645 This can be used to turn a spare LED into a network activity LED,
646 which only flashes in response to FTP transfers, for example. Or
647 you could have an LED which lights up for a minute or two every time
648 somebody connects to your machine via SSH.
650 You will need support for the "led" class to make this work.
652 To create an LED trigger for incoming SSH traffic:
653 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
655 Then attach the new trigger to an LED on your system:
656 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
658 For more information on the LEDs available on your system, see
659 Documentation/leds/leds-class.txt
661 config NETFILTER_XT_TARGET_LOG
662 tristate "LOG target support"
663 default m if NETFILTER_ADVANCED=n
665 This option adds a `LOG' target, which allows you to create rules in
666 any iptables table which records the packet header to the syslog.
668 To compile it as a module, choose M here. If unsure, say N.
670 config NETFILTER_XT_TARGET_MARK
671 tristate '"MARK" target support'
672 depends on NETFILTER_ADVANCED
673 select NETFILTER_XT_MARK
675 This is a backwards-compat option for the user's convenience
676 (e.g. when running oldconfig). It selects
677 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
679 config NETFILTER_XT_TARGET_NETMAP
680 tristate '"NETMAP" target support'
683 NETMAP is an implementation of static 1:1 NAT mapping of network
684 addresses. It maps the network address part, while keeping the host
687 To compile it as a module, choose M here. If unsure, say N.
689 config NETFILTER_XT_TARGET_NFLOG
690 tristate '"NFLOG" target support'
691 default m if NETFILTER_ADVANCED=n
692 select NETFILTER_NETLINK_LOG
694 This option enables the NFLOG target, which allows to LOG
695 messages through nfnetlink_log.
697 To compile it as a module, choose M here. If unsure, say N.
699 config NETFILTER_XT_TARGET_NFQUEUE
700 tristate '"NFQUEUE" target Support'
701 depends on NETFILTER_ADVANCED
702 select NETFILTER_NETLINK_QUEUE
704 This target replaced the old obsolete QUEUE target.
706 As opposed to QUEUE, it supports 65535 different queues,
709 To compile it as a module, choose M here. If unsure, say N.
711 config NETFILTER_XT_TARGET_NOTRACK
712 tristate '"NOTRACK" target support (DEPRECATED)'
713 depends on NF_CONNTRACK
714 depends on IP_NF_RAW || IP6_NF_RAW
715 depends on NETFILTER_ADVANCED
716 select NETFILTER_XT_TARGET_CT
718 config NETFILTER_XT_TARGET_RATEEST
719 tristate '"RATEEST" target support'
720 depends on NETFILTER_ADVANCED
722 This option adds a `RATEEST' target, which allows to measure
723 rates similar to TC estimators. The `rateest' match can be
724 used to match on the measured rates.
726 To compile it as a module, choose M here. If unsure, say N.
728 config NETFILTER_XT_TARGET_REDIRECT
729 tristate "REDIRECT target support"
732 REDIRECT is a special case of NAT: all incoming connections are
733 mapped onto the incoming interface's address, causing the packets to
734 come to the local machine instead of passing through. This is
735 useful for transparent proxies.
737 To compile it as a module, choose M here. If unsure, say N.
739 config NETFILTER_XT_TARGET_TEE
740 tristate '"TEE" - packet cloning to alternate destination'
741 depends on NETFILTER_ADVANCED
742 depends on (IPV6 || IPV6=n)
743 depends on !NF_CONNTRACK || NF_CONNTRACK
745 This option adds a "TEE" target with which a packet can be cloned and
746 this clone be rerouted to another nexthop.
748 config NETFILTER_XT_TARGET_TPROXY
749 tristate '"TPROXY" target transparent proxying support'
750 depends on NETFILTER_XTABLES
751 depends on NETFILTER_ADVANCED
752 depends on IP_NF_MANGLE
753 select NF_DEFRAG_IPV4
754 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
756 This option adds a `TPROXY' target, which is somewhat similar to
757 REDIRECT. It can only be used in the mangle table and is useful
758 to redirect traffic to a transparent proxy. It does _not_ depend
759 on Netfilter connection tracking and NAT, unlike REDIRECT.
760 For it to work you will have to configure certain iptables rules
761 and use policy routing. For more information on how to set it up
762 see Documentation/networking/tproxy.txt.
764 To compile it as a module, choose M here. If unsure, say N.
766 config NETFILTER_XT_TARGET_TRACE
767 tristate '"TRACE" target support'
768 depends on IP_NF_RAW || IP6_NF_RAW
769 depends on NETFILTER_ADVANCED
771 The TRACE target allows you to mark packets so that the kernel
772 will log every rule which match the packets as those traverse
773 the tables, chains, rules.
775 If you want to compile it as a module, say M here and read
776 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
778 config NETFILTER_XT_TARGET_SECMARK
779 tristate '"SECMARK" target support'
780 depends on NETWORK_SECMARK
781 default m if NETFILTER_ADVANCED=n
783 The SECMARK target allows security marking of network
784 packets, for use with security subsystems.
786 To compile it as a module, choose M here. If unsure, say N.
788 config NETFILTER_XT_TARGET_TCPMSS
789 tristate '"TCPMSS" target support'
790 depends on (IPV6 || IPV6=n)
791 default m if NETFILTER_ADVANCED=n
793 This option adds a `TCPMSS' target, which allows you to alter the
794 MSS value of TCP SYN packets, to control the maximum size for that
795 connection (usually limiting it to your outgoing interface's MTU
798 This is used to overcome criminally braindead ISPs or servers which
799 block ICMP Fragmentation Needed packets. The symptoms of this
800 problem are that everything works fine from your Linux
801 firewall/router, but machines behind it can never exchange large
803 1) Web browsers connect, then hang with no data received.
804 2) Small mail works fine, but large emails hang.
805 3) ssh works fine, but scp hangs after initial handshaking.
807 Workaround: activate this option and add a rule to your firewall
810 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
811 -j TCPMSS --clamp-mss-to-pmtu
813 To compile it as a module, choose M here. If unsure, say N.
815 config NETFILTER_XT_TARGET_TCPOPTSTRIP
816 tristate '"TCPOPTSTRIP" target support'
817 depends on IP_NF_MANGLE || IP6_NF_MANGLE
818 depends on NETFILTER_ADVANCED
820 This option adds a "TCPOPTSTRIP" target, which allows you to strip
821 TCP options from TCP packets.
823 # alphabetically ordered list of matches
825 comment "Xtables matches"
827 config NETFILTER_XT_MATCH_ADDRTYPE
828 tristate '"addrtype" address type match support'
829 depends on NETFILTER_ADVANCED
831 This option allows you to match what routing thinks of an address,
832 eg. UNICAST, LOCAL, BROADCAST, ...
834 If you want to compile it as a module, say M here and read
835 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
837 config NETFILTER_XT_MATCH_BPF
838 tristate '"bpf" match support'
839 depends on NETFILTER_ADVANCED
841 BPF matching applies a linux socket filter to each packet and
842 accepts those for which the filter returns non-zero.
844 To compile it as a module, choose M here. If unsure, say N.
846 config NETFILTER_XT_MATCH_CLUSTER
847 tristate '"cluster" match support'
848 depends on NF_CONNTRACK
849 depends on NETFILTER_ADVANCED
851 This option allows you to build work-load-sharing clusters of
852 network servers/stateful firewalls without having a dedicated
853 load-balancing router/server/switch. Basically, this match returns
854 true when the packet must be handled by this cluster node. Thus,
855 all nodes see all packets and this match decides which node handles
856 what packets. The work-load sharing algorithm is based on source
859 If you say Y or M here, try `iptables -m cluster --help` for
862 config NETFILTER_XT_MATCH_COMMENT
863 tristate '"comment" match support'
864 depends on NETFILTER_ADVANCED
866 This option adds a `comment' dummy-match, which allows you to put
867 comments in your iptables ruleset.
869 If you want to compile it as a module, say M here and read
870 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
872 config NETFILTER_XT_MATCH_CONNBYTES
873 tristate '"connbytes" per-connection counter match support'
874 depends on NF_CONNTRACK
875 depends on NETFILTER_ADVANCED
877 This option adds a `connbytes' match, which allows you to match the
878 number of bytes and/or packets for each direction within a connection.
880 If you want to compile it as a module, say M here and read
881 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
883 config NETFILTER_XT_MATCH_CONNLABEL
884 tristate '"connlabel" match support'
885 select NF_CONNTRACK_LABELS
886 depends on NF_CONNTRACK
887 depends on NETFILTER_ADVANCED
889 This match allows you to test and assign userspace-defined labels names
890 to a connection. The kernel only stores bit values - mapping
891 names to bits is done by userspace.
893 Unlike connmark, more than 32 flag bits may be assigned to a
894 connection simultaneously.
896 config NETFILTER_XT_MATCH_CONNLIMIT
897 tristate '"connlimit" match support"'
898 depends on NF_CONNTRACK
899 depends on NETFILTER_ADVANCED
901 This match allows you to match against the number of parallel
902 connections to a server per client IP address (or address block).
904 config NETFILTER_XT_MATCH_CONNMARK
905 tristate '"connmark" connection mark match support'
906 depends on NF_CONNTRACK
907 depends on NETFILTER_ADVANCED
908 select NETFILTER_XT_CONNMARK
910 This is a backwards-compat option for the user's convenience
911 (e.g. when running oldconfig). It selects
912 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
914 config NETFILTER_XT_MATCH_CONNTRACK
915 tristate '"conntrack" connection tracking match support'
916 depends on NF_CONNTRACK
917 default m if NETFILTER_ADVANCED=n
919 This is a general conntrack match module, a superset of the state match.
921 It allows matching on additional conntrack information, which is
922 useful in complex configurations, such as NAT gateways with multiple
923 internet links or tunnels.
925 To compile it as a module, choose M here. If unsure, say N.
927 config NETFILTER_XT_MATCH_CPU
928 tristate '"cpu" match support'
929 depends on NETFILTER_ADVANCED
931 CPU matching allows you to match packets based on the CPU
932 currently handling the packet.
934 To compile it as a module, choose M here. If unsure, say N.
936 config NETFILTER_XT_MATCH_DCCP
937 tristate '"dccp" protocol match support'
938 depends on NETFILTER_ADVANCED
941 With this option enabled, you will be able to use the iptables
942 `dccp' match in order to match on DCCP source/destination ports
945 If you want to compile it as a module, say M here and read
946 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
948 config NETFILTER_XT_MATCH_DEVGROUP
949 tristate '"devgroup" match support'
950 depends on NETFILTER_ADVANCED
952 This options adds a `devgroup' match, which allows to match on the
953 device group a network device is assigned to.
955 To compile it as a module, choose M here. If unsure, say N.
957 config NETFILTER_XT_MATCH_DSCP
958 tristate '"dscp" and "tos" match support'
959 depends on NETFILTER_ADVANCED
961 This option adds a `DSCP' match, which allows you to match against
962 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
964 The DSCP field can have any value between 0x0 and 0x3f inclusive.
966 It will also add a "tos" match, which allows you to match packets
967 based on the Type Of Service fields of the IPv4 packet (which share
968 the same bits as DSCP).
970 To compile it as a module, choose M here. If unsure, say N.
972 config NETFILTER_XT_MATCH_ECN
973 tristate '"ecn" match support'
974 depends on NETFILTER_ADVANCED
976 This option adds an "ECN" match, which allows you to match against
977 the IPv4 and TCP header ECN fields.
979 To compile it as a module, choose M here. If unsure, say N.
981 config NETFILTER_XT_MATCH_ESP
982 tristate '"esp" match support'
983 depends on NETFILTER_ADVANCED
985 This match extension allows you to match a range of SPIs
986 inside ESP header of IPSec packets.
988 To compile it as a module, choose M here. If unsure, say N.
990 config NETFILTER_XT_MATCH_HASHLIMIT
991 tristate '"hashlimit" match support'
992 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
993 depends on NETFILTER_ADVANCED
995 This option adds a `hashlimit' match.
997 As opposed to `limit', this match dynamically creates a hash table
998 of limit buckets, based on your selection of source/destination
999 addresses and/or ports.
1001 It enables you to express policies like `10kpps for any given
1002 destination address' or `500pps from any given source address'
1005 config NETFILTER_XT_MATCH_HELPER
1006 tristate '"helper" match support'
1007 depends on NF_CONNTRACK
1008 depends on NETFILTER_ADVANCED
1010 Helper matching allows you to match packets in dynamic connections
1011 tracked by a conntrack-helper, ie. ip_conntrack_ftp
1013 To compile it as a module, choose M here. If unsure, say Y.
1015 config NETFILTER_XT_MATCH_HL
1016 tristate '"hl" hoplimit/TTL match support'
1017 depends on NETFILTER_ADVANCED
1019 HL matching allows you to match packets based on the hoplimit
1020 in the IPv6 header, or the time-to-live field in the IPv4
1021 header of the packet.
1023 config NETFILTER_XT_MATCH_IPRANGE
1024 tristate '"iprange" address range match support'
1025 depends on NETFILTER_ADVANCED
1027 This option adds a "iprange" match, which allows you to match based on
1028 an IP address range. (Normal iptables only matches on single addresses
1029 with an optional mask.)
1033 config NETFILTER_XT_MATCH_IPVS
1034 tristate '"ipvs" match support'
1036 depends on NETFILTER_ADVANCED
1037 depends on NF_CONNTRACK
1039 This option allows you to match against IPVS properties of a packet.
1043 config NETFILTER_XT_MATCH_LENGTH
1044 tristate '"length" match support'
1045 depends on NETFILTER_ADVANCED
1047 This option allows you to match the length of a packet against a
1048 specific value or range of values.
1050 To compile it as a module, choose M here. If unsure, say N.
1052 config NETFILTER_XT_MATCH_LIMIT
1053 tristate '"limit" match support'
1054 depends on NETFILTER_ADVANCED
1056 limit matching allows you to control the rate at which a rule can be
1057 matched: mainly useful in combination with the LOG target ("LOG
1058 target support", below) and to avoid some Denial of Service attacks.
1060 To compile it as a module, choose M here. If unsure, say N.
1062 config NETFILTER_XT_MATCH_MAC
1063 tristate '"mac" address match support'
1064 depends on NETFILTER_ADVANCED
1066 MAC matching allows you to match packets based on the source
1067 Ethernet address of the packet.
1069 To compile it as a module, choose M here. If unsure, say N.
1071 config NETFILTER_XT_MATCH_MARK
1072 tristate '"mark" match support'
1073 depends on NETFILTER_ADVANCED
1074 select NETFILTER_XT_MARK
1076 This is a backwards-compat option for the user's convenience
1077 (e.g. when running oldconfig). It selects
1078 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1080 config NETFILTER_XT_MATCH_MULTIPORT
1081 tristate '"multiport" Multiple port match support'
1082 depends on NETFILTER_ADVANCED
1084 Multiport matching allows you to match TCP or UDP packets based on
1085 a series of source or destination ports: normally a rule can only
1086 match a single range of ports.
1088 To compile it as a module, choose M here. If unsure, say N.
1090 config NETFILTER_XT_MATCH_NFACCT
1091 tristate '"nfacct" match support'
1092 depends on NETFILTER_ADVANCED
1093 select NETFILTER_NETLINK_ACCT
1095 This option allows you to use the extended accounting through
1098 To compile it as a module, choose M here. If unsure, say N.
1100 config NETFILTER_XT_MATCH_OSF
1101 tristate '"osf" Passive OS fingerprint match'
1102 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1104 This option selects the Passive OS Fingerprinting match module
1105 that allows to passively match the remote operating system by
1106 analyzing incoming TCP SYN packets.
1108 Rules and loading software can be downloaded from
1109 http://www.ioremap.net/projects/osf
1111 To compile it as a module, choose M here. If unsure, say N.
1113 config NETFILTER_XT_MATCH_OWNER
1114 tristate '"owner" match support'
1115 depends on NETFILTER_ADVANCED
1117 Socket owner matching allows you to match locally-generated packets
1118 based on who created the socket: the user or group. It is also
1119 possible to check whether a socket actually exists.
1121 config NETFILTER_XT_MATCH_POLICY
1122 tristate 'IPsec "policy" match support'
1124 default m if NETFILTER_ADVANCED=n
1126 Policy matching allows you to match packets based on the
1127 IPsec policy that was used during decapsulation/will
1128 be used during encapsulation.
1130 To compile it as a module, choose M here. If unsure, say N.
1132 config NETFILTER_XT_MATCH_PHYSDEV
1133 tristate '"physdev" match support'
1134 depends on BRIDGE && BRIDGE_NETFILTER
1135 depends on NETFILTER_ADVANCED
1137 Physdev packet matching matches against the physical bridge ports
1138 the IP packet arrived on or will leave by.
1140 To compile it as a module, choose M here. If unsure, say N.
1142 config NETFILTER_XT_MATCH_PKTTYPE
1143 tristate '"pkttype" packet type match support'
1144 depends on NETFILTER_ADVANCED
1146 Packet type matching allows you to match a packet by
1147 its "class", eg. BROADCAST, MULTICAST, ...
1150 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1152 To compile it as a module, choose M here. If unsure, say N.
1154 config NETFILTER_XT_MATCH_QUOTA
1155 tristate '"quota" match support'
1156 depends on NETFILTER_ADVANCED
1158 This option adds a `quota' match, which allows to match on a
1161 If you want to compile it as a module, say M here and read
1162 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1164 config NETFILTER_XT_MATCH_RATEEST
1165 tristate '"rateest" match support'
1166 depends on NETFILTER_ADVANCED
1167 select NETFILTER_XT_TARGET_RATEEST
1169 This option adds a `rateest' match, which allows to match on the
1170 rate estimated by the RATEEST target.
1172 To compile it as a module, choose M here. If unsure, say N.
1174 config NETFILTER_XT_MATCH_REALM
1175 tristate '"realm" match support'
1176 depends on NETFILTER_ADVANCED
1177 select IP_ROUTE_CLASSID
1179 This option adds a `realm' match, which allows you to use the realm
1180 key from the routing subsystem inside iptables.
1182 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1185 If you want to compile it as a module, say M here and read
1186 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1188 config NETFILTER_XT_MATCH_RECENT
1189 tristate '"recent" match support'
1190 depends on NETFILTER_ADVANCED
1192 This match is used for creating one or many lists of recently
1193 used addresses and then matching against that/those list(s).
1195 Short options are available by using 'iptables -m recent -h'
1196 Official Website: <http://snowman.net/projects/ipt_recent/>
1198 config NETFILTER_XT_MATCH_SCTP
1199 tristate '"sctp" protocol match support'
1200 depends on NETFILTER_ADVANCED
1203 With this option enabled, you will be able to use the
1204 `sctp' match in order to match on SCTP source/destination ports
1205 and SCTP chunk types.
1207 If you want to compile it as a module, say M here and read
1208 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1210 config NETFILTER_XT_MATCH_SOCKET
1211 tristate '"socket" match support'
1212 depends on NETFILTER_XTABLES
1213 depends on NETFILTER_ADVANCED
1214 depends on !NF_CONNTRACK || NF_CONNTRACK
1215 depends on (IPV6 || IPV6=n)
1216 select NF_DEFRAG_IPV4
1217 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1219 This option adds a `socket' match, which can be used to match
1220 packets for which a TCP or UDP socket lookup finds a valid socket.
1221 It can be used in combination with the MARK target and policy
1222 routing to implement full featured non-locally bound sockets.
1224 To compile it as a module, choose M here. If unsure, say N.
1226 config NETFILTER_XT_MATCH_STATE
1227 tristate '"state" match support'
1228 depends on NF_CONNTRACK
1229 default m if NETFILTER_ADVANCED=n
1231 Connection state matching allows you to match packets based on their
1232 relationship to a tracked connection (ie. previous packets). This
1233 is a powerful tool for packet classification.
1235 To compile it as a module, choose M here. If unsure, say N.
1237 config NETFILTER_XT_MATCH_STATISTIC
1238 tristate '"statistic" match support'
1239 depends on NETFILTER_ADVANCED
1241 This option adds a `statistic' match, which allows you to match
1242 on packets periodically or randomly with a given percentage.
1244 To compile it as a module, choose M here. If unsure, say N.
1246 config NETFILTER_XT_MATCH_STRING
1247 tristate '"string" match support'
1248 depends on NETFILTER_ADVANCED
1250 select TEXTSEARCH_KMP
1251 select TEXTSEARCH_BM
1252 select TEXTSEARCH_FSM
1254 This option adds a `string' match, which allows you to look for
1255 pattern matchings in packets.
1257 To compile it as a module, choose M here. If unsure, say N.
1259 config NETFILTER_XT_MATCH_TCPMSS
1260 tristate '"tcpmss" match support'
1261 depends on NETFILTER_ADVANCED
1263 This option adds a `tcpmss' match, which allows you to examine the
1264 MSS value of TCP SYN packets, which control the maximum packet size
1265 for that connection.
1267 To compile it as a module, choose M here. If unsure, say N.
1269 config NETFILTER_XT_MATCH_TIME
1270 tristate '"time" match support'
1271 depends on NETFILTER_ADVANCED
1273 This option adds a "time" match, which allows you to match based on
1274 the packet arrival time (at the machine which netfilter is running)
1275 on) or departure time/date (for locally generated packets).
1277 If you say Y here, try `iptables -m time --help` for
1280 If you want to compile it as a module, say M here.
1283 config NETFILTER_XT_MATCH_U32
1284 tristate '"u32" match support'
1285 depends on NETFILTER_ADVANCED
1287 u32 allows you to extract quantities of up to 4 bytes from a packet,
1288 AND them with specified masks, shift them by specified amounts and
1289 test whether the results are in any of a set of specified ranges.
1290 The specification of what to extract is general enough to skip over
1291 headers with lengths stored in the packet, as in IP or TCP header
1294 Details and examples are in the kernel module source.
1296 endif # NETFILTER_XTABLES
1300 source "net/netfilter/ipset/Kconfig"
1302 source "net/netfilter/ipvs/Kconfig"