1 menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
4 config NETFILTER_NETLINK
7 config NETFILTER_NETLINK_ACCT
8 tristate "Netfilter NFACCT over NFNETLINK interface"
9 depends on NETFILTER_ADVANCED
10 select NETFILTER_NETLINK
12 If this option is enabled, the kernel will include support
13 for extended accounting via NFNETLINK.
15 config NETFILTER_NETLINK_QUEUE
16 tristate "Netfilter NFQUEUE over NFNETLINK interface"
17 depends on NETFILTER_ADVANCED
18 select NETFILTER_NETLINK
20 If this option is enabled, the kernel will include support
21 for queueing packets via NFNETLINK.
23 config NETFILTER_NETLINK_LOG
24 tristate "Netfilter LOG over NFNETLINK interface"
25 default m if NETFILTER_ADVANCED=n
26 select NETFILTER_NETLINK
28 If this option is enabled, the kernel will include support
29 for logging packets via NFNETLINK.
31 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
32 and is also scheduled to replace the old syslog-based ipt_LOG
36 tristate "Netfilter connection tracking support"
37 default m if NETFILTER_ADVANCED=n
39 Connection tracking keeps a record of what packets have passed
40 through your machine, in order to figure out how they are related
43 This is required to do Masquerading or other kinds of Network
44 Address Translation. It can also be used to enhance packet
45 filtering (see `Connection state match support' below).
47 To compile it as a module, choose M here. If unsure, say N.
51 config NF_CONNTRACK_MARK
52 bool 'Connection mark tracking support'
53 depends on NETFILTER_ADVANCED
55 This option enables support for connection marks, used by the
56 `CONNMARK' target and `connmark' match. Similar to the mark value
57 of packets, but this mark value is kept in the conntrack session
58 instead of the individual packets.
60 config NF_CONNTRACK_SECMARK
61 bool 'Connection tracking security mark support'
62 depends on NETWORK_SECMARK
63 default m if NETFILTER_ADVANCED=n
65 This option enables security markings to be applied to
66 connections. Typically they are copied to connections from
67 packets using the CONNSECMARK target and copied back from
68 connections to packets with the same target, with the packets
69 being originally labeled via SECMARK.
73 config NF_CONNTRACK_ZONES
74 bool 'Connection tracking zones'
75 depends on NETFILTER_ADVANCED
76 depends on NETFILTER_XT_TARGET_CT
78 This option enables support for connection tracking zones.
79 Normally, each connection needs to have a unique system wide
80 identity. Connection tracking zones allow to have multiple
81 connections using the same identity, as long as they are
82 contained in different zones.
86 config NF_CONNTRACK_PROCFS
87 bool "Supply CT list in procfs (OBSOLETE)"
91 This option enables for the list of known conntrack entries
92 to be shown in procfs under net/netfilter/nf_conntrack. This
93 is considered obsolete in favor of using the conntrack(8)
94 tool which uses Netlink.
96 config NF_CONNTRACK_EVENTS
97 bool "Connection tracking events"
98 depends on NETFILTER_ADVANCED
100 If this option is enabled, the connection tracking code will
101 provide a notifier chain that can be used by other kernel code
102 to get notified about changes in the connection tracking state.
106 config NF_CONNTRACK_TIMEOUT
107 bool 'Connection tracking timeout'
108 depends on NETFILTER_ADVANCED
110 This option enables support for connection tracking timeout
111 extension. This allows you to attach timeout policies to flow
116 config NF_CONNTRACK_TIMESTAMP
117 bool 'Connection tracking timestamping'
118 depends on NETFILTER_ADVANCED
120 This option enables support for connection tracking timestamping.
121 This allows you to store the flow start-time and to obtain
122 the flow-stop time (once it has been destroyed) via Connection
127 config NF_CT_PROTO_DCCP
128 tristate 'DCCP protocol connection tracking support'
129 depends on NETFILTER_ADVANCED
132 With this option enabled, the layer 3 independent connection
133 tracking code will be able to do state tracking on DCCP connections.
137 config NF_CT_PROTO_GRE
140 config NF_CT_PROTO_SCTP
141 tristate 'SCTP protocol connection tracking support'
142 depends on NETFILTER_ADVANCED
145 With this option enabled, the layer 3 independent connection
146 tracking code will be able to do state tracking on SCTP connections.
148 If you want to compile it as a module, say M here and read
149 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
151 config NF_CT_PROTO_UDPLITE
152 tristate 'UDP-Lite protocol connection tracking support'
153 depends on NETFILTER_ADVANCED
155 With this option enabled, the layer 3 independent connection
156 tracking code will be able to do state tracking on UDP-Lite
159 To compile it as a module, choose M here. If unsure, say N.
161 config NF_CONNTRACK_AMANDA
162 tristate "Amanda backup protocol support"
163 depends on NETFILTER_ADVANCED
165 select TEXTSEARCH_KMP
167 If you are running the Amanda backup package <http://www.amanda.org/>
168 on this machine or machines that will be MASQUERADED through this
169 machine, then you may want to enable this feature. This allows the
170 connection tracking and natting code to allow the sub-channels that
171 Amanda requires for communication of the backup data, messages and
174 To compile it as a module, choose M here. If unsure, say N.
176 config NF_CONNTRACK_FTP
177 tristate "FTP protocol support"
178 default m if NETFILTER_ADVANCED=n
180 Tracking FTP connections is problematic: special helpers are
181 required for tracking them, and doing masquerading and other forms
182 of Network Address Translation on them.
184 This is FTP support on Layer 3 independent connection tracking.
185 Layer 3 independent connection tracking is experimental scheme
186 which generalize ip_conntrack to support other layer 3 protocols.
188 To compile it as a module, choose M here. If unsure, say N.
190 config NF_CONNTRACK_H323
191 tristate "H.323 protocol support"
192 depends on (IPV6 || IPV6=n)
193 depends on NETFILTER_ADVANCED
195 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
196 important VoIP protocols, it is widely used by voice hardware and
197 software including voice gateways, IP phones, Netmeeting, OpenPhone,
200 With this module you can support H.323 on a connection tracking/NAT
203 This module supports RAS, Fast Start, H.245 Tunnelling, Call
204 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
205 whiteboard, file transfer, etc. For more information, please
206 visit http://nath323.sourceforge.net/.
208 To compile it as a module, choose M here. If unsure, say N.
210 config NF_CONNTRACK_IRC
211 tristate "IRC protocol support"
212 default m if NETFILTER_ADVANCED=n
214 There is a commonly-used extension to IRC called
215 Direct Client-to-Client Protocol (DCC). This enables users to send
216 files to each other, and also chat to each other without the need
217 of a server. DCC Sending is used anywhere you send files over IRC,
218 and DCC Chat is most commonly used by Eggdrop bots. If you are
219 using NAT, this extension will enable you to send files and initiate
220 chats. Note that you do NOT need this extension to get files or
221 have others initiate chats, or everything else in IRC.
223 To compile it as a module, choose M here. If unsure, say N.
225 config NF_CONNTRACK_BROADCAST
228 config NF_CONNTRACK_NETBIOS_NS
229 tristate "NetBIOS name service protocol support"
230 select NF_CONNTRACK_BROADCAST
232 NetBIOS name service requests are sent as broadcast messages from an
233 unprivileged port and responded to with unicast messages to the
234 same port. This make them hard to firewall properly because connection
235 tracking doesn't deal with broadcasts. This helper tracks locally
236 originating NetBIOS name service requests and the corresponding
237 responses. It relies on correct IP address configuration, specifically
238 netmask and broadcast address. When properly configured, the output
239 of "ip address show" should look similar to this:
241 $ ip -4 address show eth0
242 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
243 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
245 To compile it as a module, choose M here. If unsure, say N.
247 config NF_CONNTRACK_SNMP
248 tristate "SNMP service protocol support"
249 depends on NETFILTER_ADVANCED
250 select NF_CONNTRACK_BROADCAST
252 SNMP service requests are sent as broadcast messages from an
253 unprivileged port and responded to with unicast messages to the
254 same port. This make them hard to firewall properly because connection
255 tracking doesn't deal with broadcasts. This helper tracks locally
256 originating SNMP service requests and the corresponding
257 responses. It relies on correct IP address configuration, specifically
258 netmask and broadcast address.
260 To compile it as a module, choose M here. If unsure, say N.
262 config NF_CONNTRACK_PPTP
263 tristate "PPtP protocol support"
264 depends on NETFILTER_ADVANCED
265 select NF_CT_PROTO_GRE
267 This module adds support for PPTP (Point to Point Tunnelling
268 Protocol, RFC2637) connection tracking and NAT.
270 If you are running PPTP sessions over a stateful firewall or NAT
271 box, you may want to enable this feature.
273 Please note that not all PPTP modes of operation are supported yet.
274 Specifically these limitations exist:
275 - Blindly assumes that control connections are always established
276 in PNS->PAC direction. This is a violation of RFC2637.
277 - Only supports a single call within each session
279 To compile it as a module, choose M here. If unsure, say N.
281 config NF_CONNTRACK_SANE
282 tristate "SANE protocol support"
283 depends on NETFILTER_ADVANCED
285 SANE is a protocol for remote access to scanners as implemented
286 by the 'saned' daemon. Like FTP, it uses separate control and
289 With this module you can support SANE on a connection tracking
292 To compile it as a module, choose M here. If unsure, say N.
294 config NF_CONNTRACK_SIP
295 tristate "SIP protocol support"
296 default m if NETFILTER_ADVANCED=n
298 SIP is an application-layer control protocol that can establish,
299 modify, and terminate multimedia sessions (conferences) such as
300 Internet telephony calls. With the ip_conntrack_sip and
301 the nf_nat_sip modules you can support the protocol on a connection
302 tracking/NATing firewall.
304 To compile it as a module, choose M here. If unsure, say N.
306 config NF_CONNTRACK_TFTP
307 tristate "TFTP protocol support"
308 depends on NETFILTER_ADVANCED
310 TFTP connection tracking helper, this is required depending
311 on how restrictive your ruleset is.
312 If you are using a tftp client behind -j SNAT or -j MASQUERADING
315 To compile it as a module, choose M here. If unsure, say N.
318 tristate 'Connection tracking netlink interface'
319 select NETFILTER_NETLINK
320 default m if NETFILTER_ADVANCED=n
322 This option enables support for a netlink-based userspace interface
324 config NF_CT_NETLINK_TIMEOUT
325 tristate 'Connection tracking timeout tuning via Netlink'
326 select NETFILTER_NETLINK
327 depends on NETFILTER_ADVANCED
329 This option enables support for connection tracking timeout
330 fine-grain tuning. This allows you to attach specific timeout
331 policies to flows, instead of using the global timeout policy.
335 config NF_CT_NETLINK_HELPER
336 tristate 'Connection tracking helpers in user-space via Netlink'
337 select NETFILTER_NETLINK
338 depends on NF_CT_NETLINK
339 depends on NETFILTER_NETLINK_QUEUE
340 depends on NETFILTER_NETLINK_QUEUE_CT
341 depends on NETFILTER_ADVANCED
343 This option enables the user-space connection tracking helpers
348 config NETFILTER_NETLINK_QUEUE_CT
349 bool "NFQUEUE integration with Connection Tracking"
351 depends on NETFILTER_NETLINK_QUEUE
353 If this option is enabled, NFQUEUE can include Connection Tracking
354 information together with the packet is the enqueued via NFNETLINK.
364 config NF_NAT_PROTO_DCCP
366 depends on NF_NAT && NF_CT_PROTO_DCCP
367 default NF_NAT && NF_CT_PROTO_DCCP
369 config NF_NAT_PROTO_UDPLITE
371 depends on NF_NAT && NF_CT_PROTO_UDPLITE
372 default NF_NAT && NF_CT_PROTO_UDPLITE
374 config NF_NAT_PROTO_SCTP
376 default NF_NAT && NF_CT_PROTO_SCTP
377 depends on NF_NAT && NF_CT_PROTO_SCTP
382 depends on NF_CONNTRACK && NF_NAT
383 default NF_NAT && NF_CONNTRACK_AMANDA
387 depends on NF_CONNTRACK && NF_NAT
388 default NF_NAT && NF_CONNTRACK_FTP
392 depends on NF_CONNTRACK && NF_NAT
393 default NF_NAT && NF_CONNTRACK_IRC
397 depends on NF_CONNTRACK && NF_NAT
398 default NF_NAT && NF_CONNTRACK_SIP
402 depends on NF_CONNTRACK && NF_NAT
403 default NF_NAT && NF_CONNTRACK_TFTP
407 # transparent proxy support
408 config NETFILTER_TPROXY
409 tristate "Transparent proxying support"
410 depends on IP_NF_MANGLE
411 depends on NETFILTER_ADVANCED
413 This option enables transparent proxying support, that is,
414 support for handling non-locally bound IPv4 TCP and UDP sockets.
415 For it to work you will have to configure certain iptables rules
416 and use policy routing. For more information on how to set it up
417 see Documentation/networking/tproxy.txt.
419 To compile it as a module, choose M here. If unsure, say N.
421 config NETFILTER_XTABLES
422 tristate "Netfilter Xtables support (required for ip_tables)"
423 default m if NETFILTER_ADVANCED=n
425 This is required if you intend to use any of ip_tables,
426 ip6_tables or arp_tables.
430 comment "Xtables combined modules"
432 config NETFILTER_XT_MARK
433 tristate 'nfmark target and match support'
434 default m if NETFILTER_ADVANCED=n
436 This option adds the "MARK" target and "mark" match.
438 Netfilter mark matching allows you to match packets based on the
439 "nfmark" value in the packet.
440 The target allows you to create rules in the "mangle" table which alter
441 the netfilter mark (nfmark) field associated with the packet.
443 Prior to routing, the nfmark can influence the routing method (see
444 "Use netfilter MARK value as routing key") and can also be used by
445 other subsystems to change their behavior.
447 config NETFILTER_XT_CONNMARK
448 tristate 'ctmark target and match support'
449 depends on NF_CONNTRACK
450 depends on NETFILTER_ADVANCED
451 select NF_CONNTRACK_MARK
453 This option adds the "CONNMARK" target and "connmark" match.
455 Netfilter allows you to store a mark value per connection (a.k.a.
456 ctmark), similarly to the packet mark (nfmark). Using this
457 target and match, you can set and match on this mark.
459 config NETFILTER_XT_SET
460 tristate 'set target and match support'
462 depends on NETFILTER_ADVANCED
464 This option adds the "SET" target and "set" match.
466 Using this target and match, you can add/delete and match
467 elements in the sets created by ipset(8).
469 To compile it as a module, choose M here. If unsure, say N.
471 # alphabetically ordered list of targets
473 comment "Xtables targets"
475 config NETFILTER_XT_TARGET_AUDIT
476 tristate "AUDIT target support"
478 depends on NETFILTER_ADVANCED
480 This option adds a 'AUDIT' target, which can be used to create
481 audit records for packets dropped/accepted.
483 To compileit as a module, choose M here. If unsure, say N.
485 config NETFILTER_XT_TARGET_CHECKSUM
486 tristate "CHECKSUM target support"
487 depends on IP_NF_MANGLE || IP6_NF_MANGLE
488 depends on NETFILTER_ADVANCED
490 This option adds a `CHECKSUM' target, which can be used in the iptables mangle
493 You can use this target to compute and fill in the checksum in
494 a packet that lacks a checksum. This is particularly useful,
495 if you need to work around old applications such as dhcp clients,
496 that do not work well with checksum offloads, but don't want to disable
497 checksum offload in your device.
499 To compile it as a module, choose M here. If unsure, say N.
501 config NETFILTER_XT_TARGET_CLASSIFY
502 tristate '"CLASSIFY" target support'
503 depends on NETFILTER_ADVANCED
505 This option adds a `CLASSIFY' target, which enables the user to set
506 the priority of a packet. Some qdiscs can use this value for
507 classification, among these are:
509 atm, cbq, dsmark, pfifo_fast, htb, prio
511 To compile it as a module, choose M here. If unsure, say N.
513 config NETFILTER_XT_TARGET_CONNMARK
514 tristate '"CONNMARK" target support'
515 depends on NF_CONNTRACK
516 depends on NETFILTER_ADVANCED
517 select NETFILTER_XT_CONNMARK
519 This is a backwards-compat option for the user's convenience
520 (e.g. when running oldconfig). It selects
521 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
523 config NETFILTER_XT_TARGET_CONNSECMARK
524 tristate '"CONNSECMARK" target support'
525 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
526 default m if NETFILTER_ADVANCED=n
528 The CONNSECMARK target copies security markings from packets
529 to connections, and restores security markings from connections
530 to packets (if the packets are not already marked). This would
531 normally be used in conjunction with the SECMARK target.
533 To compile it as a module, choose M here. If unsure, say N.
535 config NETFILTER_XT_TARGET_CT
536 tristate '"CT" target support'
537 depends on NF_CONNTRACK
538 depends on IP_NF_RAW || IP6_NF_RAW
539 depends on NETFILTER_ADVANCED
541 This options adds a `CT' target, which allows to specify initial
542 connection tracking parameters like events to be delivered and
543 the helper to be used.
545 To compile it as a module, choose M here. If unsure, say N.
547 config NETFILTER_XT_TARGET_DSCP
548 tristate '"DSCP" and "TOS" target support'
549 depends on IP_NF_MANGLE || IP6_NF_MANGLE
550 depends on NETFILTER_ADVANCED
552 This option adds a `DSCP' target, which allows you to manipulate
553 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
555 The DSCP field can have any value between 0x0 and 0x3f inclusive.
557 It also adds the "TOS" target, which allows you to create rules in
558 the "mangle" table which alter the Type Of Service field of an IPv4
559 or the Priority field of an IPv6 packet, prior to routing.
561 To compile it as a module, choose M here. If unsure, say N.
563 config NETFILTER_XT_TARGET_HL
564 tristate '"HL" hoplimit target support'
565 depends on IP_NF_MANGLE || IP6_NF_MANGLE
566 depends on NETFILTER_ADVANCED
568 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
569 targets, which enable the user to change the
570 hoplimit/time-to-live value of the IP header.
572 While it is safe to decrement the hoplimit/TTL value, the
573 modules also allow to increment and set the hoplimit value of
574 the header to arbitrary values. This is EXTREMELY DANGEROUS
575 since you can easily create immortal packets that loop
576 forever on the network.
578 config NETFILTER_XT_TARGET_HMARK
579 tristate '"HMARK" target support'
580 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
581 depends on NETFILTER_ADVANCED
583 This option adds the "HMARK" target.
585 The target allows you to create rules in the "raw" and "mangle" tables
586 which set the skbuff mark by means of hash calculation within a given
587 range. The nfmark can influence the routing method (see "Use netfilter
588 MARK value as routing key") and can also be used by other subsystems to
589 change their behaviour.
591 To compile it as a module, choose M here. If unsure, say N.
593 config NETFILTER_XT_TARGET_IDLETIMER
594 tristate "IDLETIMER target support"
595 depends on NETFILTER_ADVANCED
598 This option adds the `IDLETIMER' target. Each matching packet
599 resets the timer associated with label specified when the rule is
600 added. When the timer expires, it triggers a sysfs notification.
601 The remaining time for expiration can be read via sysfs.
603 To compile it as a module, choose M here. If unsure, say N.
605 config NETFILTER_XT_TARGET_LED
606 tristate '"LED" target support'
607 depends on LEDS_CLASS && LEDS_TRIGGERS
608 depends on NETFILTER_ADVANCED
610 This option adds a `LED' target, which allows you to blink LEDs in
611 response to particular packets passing through your machine.
613 This can be used to turn a spare LED into a network activity LED,
614 which only flashes in response to FTP transfers, for example. Or
615 you could have an LED which lights up for a minute or two every time
616 somebody connects to your machine via SSH.
618 You will need support for the "led" class to make this work.
620 To create an LED trigger for incoming SSH traffic:
621 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
623 Then attach the new trigger to an LED on your system:
624 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
626 For more information on the LEDs available on your system, see
627 Documentation/leds/leds-class.txt
629 config NETFILTER_XT_TARGET_LOG
630 tristate "LOG target support"
631 default m if NETFILTER_ADVANCED=n
633 This option adds a `LOG' target, which allows you to create rules in
634 any iptables table which records the packet header to the syslog.
636 To compile it as a module, choose M here. If unsure, say N.
638 config NETFILTER_XT_TARGET_MARK
639 tristate '"MARK" target support'
640 depends on NETFILTER_ADVANCED
641 select NETFILTER_XT_MARK
643 This is a backwards-compat option for the user's convenience
644 (e.g. when running oldconfig). It selects
645 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
647 config NETFILTER_XT_TARGET_NETMAP
648 tristate '"NETMAP" target support'
651 NETMAP is an implementation of static 1:1 NAT mapping of network
652 addresses. It maps the network address part, while keeping the host
655 To compile it as a module, choose M here. If unsure, say N.
657 config NETFILTER_XT_TARGET_NFLOG
658 tristate '"NFLOG" target support'
659 default m if NETFILTER_ADVANCED=n
660 select NETFILTER_NETLINK_LOG
662 This option enables the NFLOG target, which allows to LOG
663 messages through nfnetlink_log.
665 To compile it as a module, choose M here. If unsure, say N.
667 config NETFILTER_XT_TARGET_NFQUEUE
668 tristate '"NFQUEUE" target Support'
669 depends on NETFILTER_ADVANCED
670 select NETFILTER_NETLINK_QUEUE
672 This target replaced the old obsolete QUEUE target.
674 As opposed to QUEUE, it supports 65535 different queues,
677 To compile it as a module, choose M here. If unsure, say N.
679 config NETFILTER_XT_TARGET_NOTRACK
680 tristate '"NOTRACK" target support (DEPRECATED)'
681 depends on NF_CONNTRACK
682 depends on IP_NF_RAW || IP6_NF_RAW
683 depends on NETFILTER_ADVANCED
684 select NETFILTER_XT_TARGET_CT
686 config NETFILTER_XT_TARGET_RATEEST
687 tristate '"RATEEST" target support'
688 depends on NETFILTER_ADVANCED
690 This option adds a `RATEEST' target, which allows to measure
691 rates similar to TC estimators. The `rateest' match can be
692 used to match on the measured rates.
694 To compile it as a module, choose M here. If unsure, say N.
696 config NETFILTER_XT_TARGET_REDIRECT
697 tristate "REDIRECT target support"
700 REDIRECT is a special case of NAT: all incoming connections are
701 mapped onto the incoming interface's address, causing the packets to
702 come to the local machine instead of passing through. This is
703 useful for transparent proxies.
705 To compile it as a module, choose M here. If unsure, say N.
707 config NETFILTER_XT_TARGET_TEE
708 tristate '"TEE" - packet cloning to alternate destination'
709 depends on NETFILTER_ADVANCED
710 depends on (IPV6 || IPV6=n)
711 depends on !NF_CONNTRACK || NF_CONNTRACK
713 This option adds a "TEE" target with which a packet can be cloned and
714 this clone be rerouted to another nexthop.
716 config NETFILTER_XT_TARGET_TPROXY
717 tristate '"TPROXY" target support'
718 depends on NETFILTER_TPROXY
719 depends on NETFILTER_XTABLES
720 depends on NETFILTER_ADVANCED
721 select NF_DEFRAG_IPV4
722 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
724 This option adds a `TPROXY' target, which is somewhat similar to
725 REDIRECT. It can only be used in the mangle table and is useful
726 to redirect traffic to a transparent proxy. It does _not_ depend
727 on Netfilter connection tracking and NAT, unlike REDIRECT.
729 To compile it as a module, choose M here. If unsure, say N.
731 config NETFILTER_XT_TARGET_TRACE
732 tristate '"TRACE" target support'
733 depends on IP_NF_RAW || IP6_NF_RAW
734 depends on NETFILTER_ADVANCED
736 The TRACE target allows you to mark packets so that the kernel
737 will log every rule which match the packets as those traverse
738 the tables, chains, rules.
740 If you want to compile it as a module, say M here and read
741 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
743 config NETFILTER_XT_TARGET_SECMARK
744 tristate '"SECMARK" target support'
745 depends on NETWORK_SECMARK
746 default m if NETFILTER_ADVANCED=n
748 The SECMARK target allows security marking of network
749 packets, for use with security subsystems.
751 To compile it as a module, choose M here. If unsure, say N.
753 config NETFILTER_XT_TARGET_TCPMSS
754 tristate '"TCPMSS" target support'
755 depends on (IPV6 || IPV6=n)
756 default m if NETFILTER_ADVANCED=n
758 This option adds a `TCPMSS' target, which allows you to alter the
759 MSS value of TCP SYN packets, to control the maximum size for that
760 connection (usually limiting it to your outgoing interface's MTU
763 This is used to overcome criminally braindead ISPs or servers which
764 block ICMP Fragmentation Needed packets. The symptoms of this
765 problem are that everything works fine from your Linux
766 firewall/router, but machines behind it can never exchange large
768 1) Web browsers connect, then hang with no data received.
769 2) Small mail works fine, but large emails hang.
770 3) ssh works fine, but scp hangs after initial handshaking.
772 Workaround: activate this option and add a rule to your firewall
775 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
776 -j TCPMSS --clamp-mss-to-pmtu
778 To compile it as a module, choose M here. If unsure, say N.
780 config NETFILTER_XT_TARGET_TCPOPTSTRIP
781 tristate '"TCPOPTSTRIP" target support'
782 depends on IP_NF_MANGLE || IP6_NF_MANGLE
783 depends on NETFILTER_ADVANCED
785 This option adds a "TCPOPTSTRIP" target, which allows you to strip
786 TCP options from TCP packets.
788 # alphabetically ordered list of matches
790 comment "Xtables matches"
792 config NETFILTER_XT_MATCH_ADDRTYPE
793 tristate '"addrtype" address type match support'
794 depends on NETFILTER_ADVANCED
796 This option allows you to match what routing thinks of an address,
797 eg. UNICAST, LOCAL, BROADCAST, ...
799 If you want to compile it as a module, say M here and read
800 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
802 config NETFILTER_XT_MATCH_CLUSTER
803 tristate '"cluster" match support'
804 depends on NF_CONNTRACK
805 depends on NETFILTER_ADVANCED
807 This option allows you to build work-load-sharing clusters of
808 network servers/stateful firewalls without having a dedicated
809 load-balancing router/server/switch. Basically, this match returns
810 true when the packet must be handled by this cluster node. Thus,
811 all nodes see all packets and this match decides which node handles
812 what packets. The work-load sharing algorithm is based on source
815 If you say Y or M here, try `iptables -m cluster --help` for
818 config NETFILTER_XT_MATCH_COMMENT
819 tristate '"comment" match support'
820 depends on NETFILTER_ADVANCED
822 This option adds a `comment' dummy-match, which allows you to put
823 comments in your iptables ruleset.
825 If you want to compile it as a module, say M here and read
826 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
828 config NETFILTER_XT_MATCH_CONNBYTES
829 tristate '"connbytes" per-connection counter match support'
830 depends on NF_CONNTRACK
831 depends on NETFILTER_ADVANCED
833 This option adds a `connbytes' match, which allows you to match the
834 number of bytes and/or packets for each direction within a connection.
836 If you want to compile it as a module, say M here and read
837 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
839 config NETFILTER_XT_MATCH_CONNLIMIT
840 tristate '"connlimit" match support"'
841 depends on NF_CONNTRACK
842 depends on NETFILTER_ADVANCED
844 This match allows you to match against the number of parallel
845 connections to a server per client IP address (or address block).
847 config NETFILTER_XT_MATCH_CONNMARK
848 tristate '"connmark" connection mark match support'
849 depends on NF_CONNTRACK
850 depends on NETFILTER_ADVANCED
851 select NETFILTER_XT_CONNMARK
853 This is a backwards-compat option for the user's convenience
854 (e.g. when running oldconfig). It selects
855 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
857 config NETFILTER_XT_MATCH_CONNTRACK
858 tristate '"conntrack" connection tracking match support'
859 depends on NF_CONNTRACK
860 default m if NETFILTER_ADVANCED=n
862 This is a general conntrack match module, a superset of the state match.
864 It allows matching on additional conntrack information, which is
865 useful in complex configurations, such as NAT gateways with multiple
866 internet links or tunnels.
868 To compile it as a module, choose M here. If unsure, say N.
870 config NETFILTER_XT_MATCH_CPU
871 tristate '"cpu" match support'
872 depends on NETFILTER_ADVANCED
874 CPU matching allows you to match packets based on the CPU
875 currently handling the packet.
877 To compile it as a module, choose M here. If unsure, say N.
879 config NETFILTER_XT_MATCH_DCCP
880 tristate '"dccp" protocol match support'
881 depends on NETFILTER_ADVANCED
884 With this option enabled, you will be able to use the iptables
885 `dccp' match in order to match on DCCP source/destination ports
888 If you want to compile it as a module, say M here and read
889 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
891 config NETFILTER_XT_MATCH_DEVGROUP
892 tristate '"devgroup" match support'
893 depends on NETFILTER_ADVANCED
895 This options adds a `devgroup' match, which allows to match on the
896 device group a network device is assigned to.
898 To compile it as a module, choose M here. If unsure, say N.
900 config NETFILTER_XT_MATCH_DSCP
901 tristate '"dscp" and "tos" match support'
902 depends on NETFILTER_ADVANCED
904 This option adds a `DSCP' match, which allows you to match against
905 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
907 The DSCP field can have any value between 0x0 and 0x3f inclusive.
909 It will also add a "tos" match, which allows you to match packets
910 based on the Type Of Service fields of the IPv4 packet (which share
911 the same bits as DSCP).
913 To compile it as a module, choose M here. If unsure, say N.
915 config NETFILTER_XT_MATCH_ECN
916 tristate '"ecn" match support'
917 depends on NETFILTER_ADVANCED
919 This option adds an "ECN" match, which allows you to match against
920 the IPv4 and TCP header ECN fields.
922 To compile it as a module, choose M here. If unsure, say N.
924 config NETFILTER_XT_MATCH_ESP
925 tristate '"esp" match support'
926 depends on NETFILTER_ADVANCED
928 This match extension allows you to match a range of SPIs
929 inside ESP header of IPSec packets.
931 To compile it as a module, choose M here. If unsure, say N.
933 config NETFILTER_XT_MATCH_HASHLIMIT
934 tristate '"hashlimit" match support'
935 depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
936 depends on NETFILTER_ADVANCED
938 This option adds a `hashlimit' match.
940 As opposed to `limit', this match dynamically creates a hash table
941 of limit buckets, based on your selection of source/destination
942 addresses and/or ports.
944 It enables you to express policies like `10kpps for any given
945 destination address' or `500pps from any given source address'
948 config NETFILTER_XT_MATCH_HELPER
949 tristate '"helper" match support'
950 depends on NF_CONNTRACK
951 depends on NETFILTER_ADVANCED
953 Helper matching allows you to match packets in dynamic connections
954 tracked by a conntrack-helper, ie. ip_conntrack_ftp
956 To compile it as a module, choose M here. If unsure, say Y.
958 config NETFILTER_XT_MATCH_HL
959 tristate '"hl" hoplimit/TTL match support'
960 depends on NETFILTER_ADVANCED
962 HL matching allows you to match packets based on the hoplimit
963 in the IPv6 header, or the time-to-live field in the IPv4
964 header of the packet.
966 config NETFILTER_XT_MATCH_IPRANGE
967 tristate '"iprange" address range match support'
968 depends on NETFILTER_ADVANCED
970 This option adds a "iprange" match, which allows you to match based on
971 an IP address range. (Normal iptables only matches on single addresses
972 with an optional mask.)
976 config NETFILTER_XT_MATCH_IPVS
977 tristate '"ipvs" match support'
979 depends on NETFILTER_ADVANCED
980 depends on NF_CONNTRACK
982 This option allows you to match against IPVS properties of a packet.
986 config NETFILTER_XT_MATCH_LENGTH
987 tristate '"length" match support'
988 depends on NETFILTER_ADVANCED
990 This option allows you to match the length of a packet against a
991 specific value or range of values.
993 To compile it as a module, choose M here. If unsure, say N.
995 config NETFILTER_XT_MATCH_LIMIT
996 tristate '"limit" match support'
997 depends on NETFILTER_ADVANCED
999 limit matching allows you to control the rate at which a rule can be
1000 matched: mainly useful in combination with the LOG target ("LOG
1001 target support", below) and to avoid some Denial of Service attacks.
1003 To compile it as a module, choose M here. If unsure, say N.
1005 config NETFILTER_XT_MATCH_MAC
1006 tristate '"mac" address match support'
1007 depends on NETFILTER_ADVANCED
1009 MAC matching allows you to match packets based on the source
1010 Ethernet address of the packet.
1012 To compile it as a module, choose M here. If unsure, say N.
1014 config NETFILTER_XT_MATCH_MARK
1015 tristate '"mark" match support'
1016 depends on NETFILTER_ADVANCED
1017 select NETFILTER_XT_MARK
1019 This is a backwards-compat option for the user's convenience
1020 (e.g. when running oldconfig). It selects
1021 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1023 config NETFILTER_XT_MATCH_MULTIPORT
1024 tristate '"multiport" Multiple port match support'
1025 depends on NETFILTER_ADVANCED
1027 Multiport matching allows you to match TCP or UDP packets based on
1028 a series of source or destination ports: normally a rule can only
1029 match a single range of ports.
1031 To compile it as a module, choose M here. If unsure, say N.
1033 config NETFILTER_XT_MATCH_NFACCT
1034 tristate '"nfacct" match support'
1035 depends on NETFILTER_ADVANCED
1036 select NETFILTER_NETLINK_ACCT
1038 This option allows you to use the extended accounting through
1041 To compile it as a module, choose M here. If unsure, say N.
1043 config NETFILTER_XT_MATCH_OSF
1044 tristate '"osf" Passive OS fingerprint match'
1045 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1047 This option selects the Passive OS Fingerprinting match module
1048 that allows to passively match the remote operating system by
1049 analyzing incoming TCP SYN packets.
1051 Rules and loading software can be downloaded from
1052 http://www.ioremap.net/projects/osf
1054 To compile it as a module, choose M here. If unsure, say N.
1056 config NETFILTER_XT_MATCH_OWNER
1057 tristate '"owner" match support'
1058 depends on NETFILTER_ADVANCED
1060 Socket owner matching allows you to match locally-generated packets
1061 based on who created the socket: the user or group. It is also
1062 possible to check whether a socket actually exists.
1064 config NETFILTER_XT_MATCH_POLICY
1065 tristate 'IPsec "policy" match support'
1067 default m if NETFILTER_ADVANCED=n
1069 Policy matching allows you to match packets based on the
1070 IPsec policy that was used during decapsulation/will
1071 be used during encapsulation.
1073 To compile it as a module, choose M here. If unsure, say N.
1075 config NETFILTER_XT_MATCH_PHYSDEV
1076 tristate '"physdev" match support'
1077 depends on BRIDGE && BRIDGE_NETFILTER
1078 depends on NETFILTER_ADVANCED
1080 Physdev packet matching matches against the physical bridge ports
1081 the IP packet arrived on or will leave by.
1083 To compile it as a module, choose M here. If unsure, say N.
1085 config NETFILTER_XT_MATCH_PKTTYPE
1086 tristate '"pkttype" packet type match support'
1087 depends on NETFILTER_ADVANCED
1089 Packet type matching allows you to match a packet by
1090 its "class", eg. BROADCAST, MULTICAST, ...
1093 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1095 To compile it as a module, choose M here. If unsure, say N.
1097 config NETFILTER_XT_MATCH_QUOTA
1098 tristate '"quota" match support'
1099 depends on NETFILTER_ADVANCED
1101 This option adds a `quota' match, which allows to match on a
1104 If you want to compile it as a module, say M here and read
1105 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1107 config NETFILTER_XT_MATCH_RATEEST
1108 tristate '"rateest" match support'
1109 depends on NETFILTER_ADVANCED
1110 select NETFILTER_XT_TARGET_RATEEST
1112 This option adds a `rateest' match, which allows to match on the
1113 rate estimated by the RATEEST target.
1115 To compile it as a module, choose M here. If unsure, say N.
1117 config NETFILTER_XT_MATCH_REALM
1118 tristate '"realm" match support'
1119 depends on NETFILTER_ADVANCED
1120 select IP_ROUTE_CLASSID
1122 This option adds a `realm' match, which allows you to use the realm
1123 key from the routing subsystem inside iptables.
1125 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1128 If you want to compile it as a module, say M here and read
1129 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1131 config NETFILTER_XT_MATCH_RECENT
1132 tristate '"recent" match support'
1133 depends on NETFILTER_ADVANCED
1135 This match is used for creating one or many lists of recently
1136 used addresses and then matching against that/those list(s).
1138 Short options are available by using 'iptables -m recent -h'
1139 Official Website: <http://snowman.net/projects/ipt_recent/>
1141 config NETFILTER_XT_MATCH_SCTP
1142 tristate '"sctp" protocol match support'
1143 depends on NETFILTER_ADVANCED
1146 With this option enabled, you will be able to use the
1147 `sctp' match in order to match on SCTP source/destination ports
1148 and SCTP chunk types.
1150 If you want to compile it as a module, say M here and read
1151 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1153 config NETFILTER_XT_MATCH_SOCKET
1154 tristate '"socket" match support'
1155 depends on NETFILTER_TPROXY
1156 depends on NETFILTER_XTABLES
1157 depends on NETFILTER_ADVANCED
1158 depends on !NF_CONNTRACK || NF_CONNTRACK
1159 select NF_DEFRAG_IPV4
1160 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
1162 This option adds a `socket' match, which can be used to match
1163 packets for which a TCP or UDP socket lookup finds a valid socket.
1164 It can be used in combination with the MARK target and policy
1165 routing to implement full featured non-locally bound sockets.
1167 To compile it as a module, choose M here. If unsure, say N.
1169 config NETFILTER_XT_MATCH_STATE
1170 tristate '"state" match support'
1171 depends on NF_CONNTRACK
1172 default m if NETFILTER_ADVANCED=n
1174 Connection state matching allows you to match packets based on their
1175 relationship to a tracked connection (ie. previous packets). This
1176 is a powerful tool for packet classification.
1178 To compile it as a module, choose M here. If unsure, say N.
1180 config NETFILTER_XT_MATCH_STATISTIC
1181 tristate '"statistic" match support'
1182 depends on NETFILTER_ADVANCED
1184 This option adds a `statistic' match, which allows you to match
1185 on packets periodically or randomly with a given percentage.
1187 To compile it as a module, choose M here. If unsure, say N.
1189 config NETFILTER_XT_MATCH_STRING
1190 tristate '"string" match support'
1191 depends on NETFILTER_ADVANCED
1193 select TEXTSEARCH_KMP
1194 select TEXTSEARCH_BM
1195 select TEXTSEARCH_FSM
1197 This option adds a `string' match, which allows you to look for
1198 pattern matchings in packets.
1200 To compile it as a module, choose M here. If unsure, say N.
1202 config NETFILTER_XT_MATCH_TCPMSS
1203 tristate '"tcpmss" match support'
1204 depends on NETFILTER_ADVANCED
1206 This option adds a `tcpmss' match, which allows you to examine the
1207 MSS value of TCP SYN packets, which control the maximum packet size
1208 for that connection.
1210 To compile it as a module, choose M here. If unsure, say N.
1212 config NETFILTER_XT_MATCH_TIME
1213 tristate '"time" match support'
1214 depends on NETFILTER_ADVANCED
1216 This option adds a "time" match, which allows you to match based on
1217 the packet arrival time (at the machine which netfilter is running)
1218 on) or departure time/date (for locally generated packets).
1220 If you say Y here, try `iptables -m time --help` for
1223 If you want to compile it as a module, say M here.
1226 config NETFILTER_XT_MATCH_U32
1227 tristate '"u32" match support'
1228 depends on NETFILTER_ADVANCED
1230 u32 allows you to extract quantities of up to 4 bytes from a packet,
1231 AND them with specified masks, shift them by specified amounts and
1232 test whether the results are in any of a set of specified ranges.
1233 The specification of what to extract is general enough to skip over
1234 headers with lengths stored in the packet, as in IP or TCP header
1237 Details and examples are in the kernel module source.
1239 endif # NETFILTER_XTABLES
1243 source "net/netfilter/ipset/Kconfig"
1245 source "net/netfilter/ipvs/Kconfig"