menu "Core Netfilter Configuration"

  	depends on NET && INET && NETFILTER

  config NETFILTER_INGRESS
  	bool "Netfilter ingress support"

  	default y

  	select NET_INGRESS
  	help
  	  This allows you to classify packets from ingress using the Netfilter
  	  infrastructure.

  config NETFILTER_NETLINK

  	tristate

  config NETFILTER_NETLINK_ACCT
  tristate "Netfilter NFACCT over NFNETLINK interface"
  	depends on NETFILTER_ADVANCED
  	select NETFILTER_NETLINK
  	help
  	  If this option is enabled, the kernel will include support
  	  for extended accounting via NFNETLINK.

  config NETFILTER_NETLINK_QUEUE
  	tristate "Netfilter NFQUEUE over NFNETLINK interface"

  	depends on NETFILTER_ADVANCED

  	select NETFILTER_NETLINK

  	help

  	  If this option is enabled, the kernel will include support

  	  for queueing packets via NFNETLINK.
  	  

  config NETFILTER_NETLINK_LOG
  	tristate "Netfilter LOG over NFNETLINK interface"

  	default m if NETFILTER_ADVANCED=n

  	select NETFILTER_NETLINK

  	help
  	  If this option is enabled, the kernel will include support
  	  for logging packets via NFNETLINK.
  
  	  This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
  	  and is also scheduled to replace the old syslog-based ipt_LOG
  	  and ip6t_LOG modules.

  config NF_CONNTRACK

  	tristate "Netfilter connection tracking support"

  	default m if NETFILTER_ADVANCED=n

  	help

  	  Connection tracking keeps a record of what packets have passed
  	  through your machine, in order to figure out how they are related
  	  into connections.

  	  This is required to do Masquerading or other kinds of Network

  	  Address Translation.  It can also be used to enhance packet
  	  filtering (see `Connection state match support' below).

  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NF_LOG_COMMON
  	tristate

  config NF_LOG_NETDEV
  	tristate "Netdev packet logging"
  	select NF_LOG_COMMON

  if NF_CONNTRACK

  config NF_CONNTRACK_MARK
  	bool  'Connection mark tracking support'

  	depends on NETFILTER_ADVANCED

  	help
  	  This option enables support for connection marks, used by the
  	  `CONNMARK' target and `connmark' match. Similar to the mark value
  	  of packets, but this mark value is kept in the conntrack session
  	  instead of the individual packets.

  config NF_CONNTRACK_SECMARK
  	bool  'Connection tracking security mark support'

  	depends on NETWORK_SECMARK

  	default m if NETFILTER_ADVANCED=n

  	help
  	  This option enables security markings to be applied to
  	  connections.  Typically they are copied to connections from
  	  packets using the CONNSECMARK target and copied back from
  	  connections to packets with the same target, with the packets
  	  being originally labeled via SECMARK.
  
  	  If unsure, say 'N'.

  config NF_CONNTRACK_ZONES
  	bool  'Connection tracking zones'
  	depends on NETFILTER_ADVANCED
  	depends on NETFILTER_XT_TARGET_CT
  	help
  	  This option enables support for connection tracking zones.
  	  Normally, each connection needs to have a unique system wide
  	  identity. Connection tracking zones allow to have multiple
  	  connections using the same identity, as long as they are
  	  contained in different zones.
  
  	  If unsure, say `N'.

  config NF_CONNTRACK_PROCFS
  	bool "Supply CT list in procfs (OBSOLETE)"
  	default y
  	depends on PROC_FS
  	---help---
  	This option enables for the list of known conntrack entries
  	to be shown in procfs under net/netfilter/nf_conntrack. This
  	is considered obsolete in favor of using the conntrack(8)
  	tool which uses Netlink.

  config NF_CONNTRACK_EVENTS

  	bool "Connection tracking events"

  	depends on NETFILTER_ADVANCED

  	help
  	  If this option is enabled, the connection tracking code will
  	  provide a notifier chain that can be used by other kernel code

  	  to get notified about changes in the connection tracking state.

  
  	  If unsure, say `N'.

  config NF_CONNTRACK_TIMEOUT
  	bool  'Connection tracking timeout'
  	depends on NETFILTER_ADVANCED
  	help
  	  This option enables support for connection tracking timeout
  	  extension. This allows you to attach timeout policies to flow
  	  via the CT target.
  
  	  If unsure, say `N'.

  config NF_CONNTRACK_TIMESTAMP
  	bool  'Connection tracking timestamping'
  	depends on NETFILTER_ADVANCED
  	help
  	  This option enables support for connection tracking timestamping.
  	  This allows you to store the flow start-time and to obtain
  	  the flow-stop time (once it has been destroyed) via Connection
  	  tracking events.
  
  	  If unsure, say `N'.

  config NF_CONNTRACK_LABELS
  	bool
  	help
  	  This option enables support for assigning user-defined flag bits
  	  to connection tracking entries.  It selected by the connlabel match.

  config NF_CT_PROTO_DCCP

  	bool 'DCCP protocol connection tracking support'

  	depends on NETFILTER_ADVANCED

  	default y

  	help
  	  With this option enabled, the layer 3 independent connection
  	  tracking code will be able to do state tracking on DCCP connections.

  	  If unsure, say Y.

  config NF_CT_PROTO_GRE
  	tristate

  config NF_CT_PROTO_SCTP

  	bool 'SCTP protocol connection tracking support'

  	depends on NETFILTER_ADVANCED

  	default y

  	select LIBCRC32C

  	help
  	  With this option enabled, the layer 3 independent connection
  	  tracking code will be able to do state tracking on SCTP connections.

  	  If unsure, say Y.

  config NF_CT_PROTO_UDPLITE

  	bool 'UDP-Lite protocol connection tracking support'

  	depends on NETFILTER_ADVANCED

  	default y

  	help
  	  With this option enabled, the layer 3 independent connection
  	  tracking code will be able to do state tracking on UDP-Lite
  	  connections.

  	  If unsure, say Y.

  config NF_CONNTRACK_AMANDA

  	tristate "Amanda backup protocol support"

  	depends on NETFILTER_ADVANCED

  	select TEXTSEARCH
  	select TEXTSEARCH_KMP
  	help
  	  If you are running the Amanda backup package <http://www.amanda.org/>
  	  on this machine or machines that will be MASQUERADED through this
  	  machine, then you may want to enable this feature.  This allows the
  	  connection tracking and natting code to allow the sub-channels that
  	  Amanda requires for communication of the backup data, messages and
  	  index.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NF_CONNTRACK_FTP

  	tristate "FTP protocol support"

  	default m if NETFILTER_ADVANCED=n

  	help
  	  Tracking FTP connections is problematic: special helpers are
  	  required for tracking them, and doing masquerading and other forms
  	  of Network Address Translation on them.
  
  	  This is FTP support on Layer 3 independent connection tracking.
  	  Layer 3 independent connection tracking is experimental scheme
  	  which generalize ip_conntrack to support other layer 3 protocols.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NF_CONNTRACK_H323

  	tristate "H.323 protocol support"

  	depends on IPV6 || IPV6=n

  	depends on NETFILTER_ADVANCED

  	help
  	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
  	  important VoIP protocols, it is widely used by voice hardware and
  	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
  	  Gnomemeeting, etc.
  
  	  With this module you can support H.323 on a connection tracking/NAT
  	  firewall.
  
  	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
  	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
  	  whiteboard, file transfer, etc. For more information, please
  	  visit http://nath323.sourceforge.net/.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NF_CONNTRACK_IRC

  	tristate "IRC protocol support"

  	default m if NETFILTER_ADVANCED=n

  	help
  	  There is a commonly-used extension to IRC called
  	  Direct Client-to-Client Protocol (DCC).  This enables users to send
  	  files to each other, and also chat to each other without the need
  	  of a server.  DCC Sending is used anywhere you send files over IRC,
  	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
  	  using NAT, this extension will enable you to send files and initiate
  	  chats.  Note that you do NOT need this extension to get files or
  	  have others initiate chats, or everything else in IRC.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NF_CONNTRACK_BROADCAST
  	tristate

  config NF_CONNTRACK_NETBIOS_NS

  	tristate "NetBIOS name service protocol support"

  	select NF_CONNTRACK_BROADCAST

  	help
  	  NetBIOS name service requests are sent as broadcast messages from an
  	  unprivileged port and responded to with unicast messages to the
  	  same port. This make them hard to firewall properly because connection
  	  tracking doesn't deal with broadcasts. This helper tracks locally
  	  originating NetBIOS name service requests and the corresponding
  	  responses. It relies on correct IP address configuration, specifically
  	  netmask and broadcast address. When properly configured, the output
  	  of "ip address show" should look similar to this:
  
  	  $ ip -4 address show eth0
  	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
  	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NF_CONNTRACK_SNMP
  	tristate "SNMP service protocol support"
  	depends on NETFILTER_ADVANCED
  	select NF_CONNTRACK_BROADCAST
  	help
  	  SNMP service requests are sent as broadcast messages from an
  	  unprivileged port and responded to with unicast messages to the
  	  same port. This make them hard to firewall properly because connection
  	  tracking doesn't deal with broadcasts. This helper tracks locally
  	  originating SNMP service requests and the corresponding
  	  responses. It relies on correct IP address configuration, specifically
  	  netmask and broadcast address.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NF_CONNTRACK_PPTP

  	tristate "PPtP protocol support"

  	depends on NETFILTER_ADVANCED

  	select NF_CT_PROTO_GRE
  	help
  	  This module adds support for PPTP (Point to Point Tunnelling
  	  Protocol, RFC2637) connection tracking and NAT.
  
  	  If you are running PPTP sessions over a stateful firewall or NAT
  	  box, you may want to enable this feature.
  
  	  Please note that not all PPTP modes of operation are supported yet.
  	  Specifically these limitations exist:

  	    - Blindly assumes that control connections are always established

  	      in PNS->PAC direction. This is a violation of RFC2637.
  	    - Only supports a single call within each session
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NF_CONNTRACK_SANE

  	tristate "SANE protocol support"

  	depends on NETFILTER_ADVANCED

  	help
  	  SANE is a protocol for remote access to scanners as implemented
  	  by the 'saned' daemon. Like FTP, it uses separate control and
  	  data connections.
  
  	  With this module you can support SANE on a connection tracking
  	  firewall.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NF_CONNTRACK_SIP

  	tristate "SIP protocol support"

  	default m if NETFILTER_ADVANCED=n

  	help
  	  SIP is an application-layer control protocol that can establish,
  	  modify, and terminate multimedia sessions (conferences) such as
  	  Internet telephony calls. With the ip_conntrack_sip and
  	  the nf_nat_sip modules you can support the protocol on a connection
  	  tracking/NATing firewall.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NF_CONNTRACK_TFTP

  	tristate "TFTP protocol support"

  	depends on NETFILTER_ADVANCED

  	help
  	  TFTP connection tracking helper, this is required depending
  	  on how restrictive your ruleset is.
  	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
  	  you will need this.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NF_CT_NETLINK

  	tristate 'Connection tracking netlink interface'

  	select NETFILTER_NETLINK

  	default m if NETFILTER_ADVANCED=n

  	help
  	  This option enables support for a netlink-based userspace interface

  config NF_CT_NETLINK_TIMEOUT
  	tristate  'Connection tracking timeout tuning via Netlink'
  	select NETFILTER_NETLINK
  	depends on NETFILTER_ADVANCED
  	help
  	  This option enables support for connection tracking timeout
  	  fine-grain tuning. This allows you to attach specific timeout
  	  policies to flows, instead of using the global timeout policy.
  
  	  If unsure, say `N'.

  config NF_CT_NETLINK_HELPER
  	tristate 'Connection tracking helpers in user-space via Netlink'
  	select NETFILTER_NETLINK
  	depends on NF_CT_NETLINK
  	depends on NETFILTER_NETLINK_QUEUE

  	depends on NETFILTER_NETLINK_GLUE_CT

  	depends on NETFILTER_ADVANCED
  	help
  	  This option enables the user-space connection tracking helpers
  	  infrastructure.
  
  	  If unsure, say `N'.

  config NETFILTER_NETLINK_GLUE_CT

  	bool "NFQUEUE and NFLOG integration with Connection Tracking"

  	default n

  	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK

  	help

  	  If this option is enabled, NFQUEUE and NFLOG can include
  	  Connection Tracking information together with the packet is
  	  the enqueued via NFNETLINK.

  config NF_NAT
  	tristate
  
  config NF_NAT_NEEDED
  	bool
  	depends on NF_NAT
  	default y
  
  config NF_NAT_PROTO_DCCP

  	bool

  	depends on NF_NAT && NF_CT_PROTO_DCCP
  	default NF_NAT && NF_CT_PROTO_DCCP
  
  config NF_NAT_PROTO_UDPLITE

  	bool

  	depends on NF_NAT && NF_CT_PROTO_UDPLITE
  	default NF_NAT && NF_CT_PROTO_UDPLITE
  
  config NF_NAT_PROTO_SCTP

  	bool

  	default NF_NAT && NF_CT_PROTO_SCTP
  	depends on NF_NAT && NF_CT_PROTO_SCTP

  config NF_NAT_AMANDA
  	tristate
  	depends on NF_CONNTRACK && NF_NAT
  	default NF_NAT && NF_CONNTRACK_AMANDA

  config NF_NAT_FTP
  	tristate
  	depends on NF_CONNTRACK && NF_NAT
  	default NF_NAT && NF_CONNTRACK_FTP

  config NF_NAT_IRC
  	tristate
  	depends on NF_CONNTRACK && NF_NAT
  	default NF_NAT && NF_CONNTRACK_IRC

  config NF_NAT_SIP
  	tristate
  	depends on NF_CONNTRACK && NF_NAT
  	default NF_NAT && NF_CONNTRACK_SIP

  config NF_NAT_TFTP
  	tristate
  	depends on NF_CONNTRACK && NF_NAT
  	default NF_NAT && NF_CONNTRACK_TFTP

  config NF_NAT_REDIRECT
          tristate "IPv4/IPv6 redirect support"
  	depends on NF_NAT
          help
            This is the kernel functionality to redirect packets to local
            machine through NAT.

  config NETFILTER_SYNPROXY
  	tristate

  endif # NF_CONNTRACK

  config NF_TABLES

  	select NETFILTER_NETLINK

  	tristate "Netfilter nf_tables support"

  	help
  	  nftables is the new packet classification framework that intends to
  	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
  	  provides a pseudo-state machine with an extensible instruction-set
  	  (also known as expressions) that the userspace 'nft' utility
  	  (http://www.netfilter.org/projects/nftables) uses to build the
  	  rule-set. It also comes with the generic set infrastructure that
  	  allows you to construct mappings between matchings and actions
  	  for performance lookups.
  
  	  To compile it as a module, choose M here.

  if NF_TABLES

  config NF_TABLES_INET

  	depends on IPV6

  	select NF_TABLES_IPV4
  	select NF_TABLES_IPV6
  	tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
  	help
  	  This option enables support for a mixed IPv4/IPv6 "inet" table.

  config NF_TABLES_NETDEV
  	tristate "Netfilter nf_tables netdev tables support"
  	help
  	  This option enables support for the "netdev" table.

  config NFT_EXTHDR

  	tristate "Netfilter nf_tables exthdr module"

  	help
  	  This option adds the "exthdr" expression that you can use to match

  	  IPv6 extension headers and tcp options.

  
  config NFT_META

  	tristate "Netfilter nf_tables meta module"

  	help
  	  This option adds the "meta" expression that you can use to match and
  	  to set packet metainformation such as the packet mark.

  config NFT_RT
  	tristate "Netfilter nf_tables routing module"
  	help
  	  This option adds the "rt" expression that you can use to match
  	  packet routing information such as the packet nexthop.

  config NFT_NUMGEN
  	tristate "Netfilter nf_tables number generator module"
  	help
  	  This option adds the number generator expression used to perform
  	  incremental counting and random numbers bound to a upper limit.

  config NFT_CT

  	depends on NF_CONNTRACK
  	tristate "Netfilter nf_tables conntrack module"

  	help

  	  This option adds the "ct" expression that you can use to match

  	  connection tracking information such as the flow state.

  config NFT_SET_RBTREE

  	tristate "Netfilter nf_tables rbtree set module"

  	help
  	  This option adds the "rbtree" set type (Red Black tree) that is used
  	  to build interval-based sets.

  config NFT_SET_HASH

  	tristate "Netfilter nf_tables hash set module"

  	help
  	  This option adds the "hash" set type that is used to build one-way
  	  mappings between matchings and actions.

  config NFT_SET_BITMAP
  	tristate "Netfilter nf_tables bitmap set module"
  	help
  	  This option adds the "bitmap" set type that is used to build sets
  	  whose keys are smaller or equal to 16 bits.

  config NFT_COUNTER

  	tristate "Netfilter nf_tables counter module"

  	help
  	  This option adds the "counter" expression that you can use to
  	  include packet and byte counters in a rule.

  
  config NFT_LOG

  	tristate "Netfilter nf_tables log module"

  	help
  	  This option adds the "log" expression that you can use to log
  	  packets matching some criteria.

  
  config NFT_LIMIT

  	tristate "Netfilter nf_tables limit module"

  	help
  	  This option adds the "limit" expression that you can use to
  	  ratelimit rule matchings.

  config NFT_MASQ

  	depends on NF_CONNTRACK
  	depends on NF_NAT
  	tristate "Netfilter nf_tables masquerade support"
  	help
  	  This option adds the "masquerade" expression that you can use
  	  to perform NAT in the masquerade flavour.

  config NFT_REDIR

  	depends on NF_CONNTRACK
  	depends on NF_NAT
  	tristate "Netfilter nf_tables redirect support"
  	help
  	  This options adds the "redirect" expression that you can use
  	  to perform NAT in the redirect flavour.

  config NFT_NAT

  	depends on NF_CONNTRACK

  	select NF_NAT

  	tristate "Netfilter nf_tables nat module"

  	help
  	  This option adds the "nat" expression that you can use to perform
  	  typical Network Address Translation (NAT) packet transformations.

  config NFT_OBJREF
  	tristate "Netfilter nf_tables stateful object reference module"
  	help
  	  This option adds the "objref" expression that allows you to refer to
  	  stateful objects, such as counters and quotas.

  config NFT_QUEUE

  	depends on NETFILTER_NETLINK_QUEUE
  	tristate "Netfilter nf_tables queue module"
  	help
  	  This is required if you intend to use the userspace queueing
  	  infrastructure (also known as NFQUEUE) from nftables.

  config NFT_QUOTA
  	tristate "Netfilter nf_tables quota module"
  	help
  	  This option adds the "quota" expression that you can use to match
  	  enforce bytes quotas.

  config NFT_REJECT

  	default m if NETFILTER_ADVANCED=n
  	tristate "Netfilter nf_tables reject support"

  	help
  	  This option adds the "reject" expression that you can use to
  	  explicitly deny and notify via TCP reset/ICMP informational errors
  	  unallowed traffic.

  config NFT_REJECT_INET
  	depends on NF_TABLES_INET
  	default NFT_REJECT
  	tristate

  config NFT_COMPAT

  	depends on NETFILTER_XTABLES
  	tristate "Netfilter x_tables over nf_tables module"
  	help
  	  This is required if you intend to use any of existing
  	  x_tables match/target extensions over the nf_tables
  	  framework.

  config NFT_HASH
  	tristate "Netfilter nf_tables hash module"
  	help
  	  This option adds the "hash" expression that you can use to perform
  	  a hash operation on registers.

  config NFT_FIB
  	tristate
  
  config NFT_FIB_INET
  	depends on NF_TABLES_INET
  	depends on NFT_FIB_IPV4
  	depends on NFT_FIB_IPV6
  	tristate "Netfilter nf_tables fib inet support"
  	help
  	  This option allows using the FIB expression from the inet table.
  	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
  	  on the protocol of the packet.

  if NF_TABLES_NETDEV
  
  config NF_DUP_NETDEV
  	tristate "Netfilter packet duplication support"
  	help
  	  This option enables the generic packet duplication infrastructure
  	  for Netfilter.
  
  config NFT_DUP_NETDEV
  	tristate "Netfilter nf_tables netdev packet duplication support"
  	select NF_DUP_NETDEV
  	help
  	  This option enables packet duplication for the "netdev" family.

  config NFT_FWD_NETDEV
  	tristate "Netfilter nf_tables netdev packet forwarding support"
  	select NF_DUP_NETDEV
  	help
  	  This option enables packet forwarding for the "netdev" family.

  config NFT_FIB_NETDEV
  	depends on NFT_FIB_IPV4
  	depends on NFT_FIB_IPV6
  	tristate "Netfilter nf_tables netdev fib lookups support"
  	help
  	  This option allows using the FIB expression from the netdev table.
  	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
  	  on the protocol of the packet.

  endif # NF_TABLES_NETDEV

  endif # NF_TABLES

  config NETFILTER_XTABLES
  	tristate "Netfilter Xtables support (required for ip_tables)"

  	default m if NETFILTER_ADVANCED=n

  	help
  	  This is required if you intend to use any of ip_tables,
  	  ip6_tables or arp_tables.

  if NETFILTER_XTABLES

  comment "Xtables combined modules"
  
  config NETFILTER_XT_MARK
  	tristate 'nfmark target and match support'
  	default m if NETFILTER_ADVANCED=n
  	---help---
  	This option adds the "MARK" target and "mark" match.
  
  	Netfilter mark matching allows you to match packets based on the
  	"nfmark" value in the packet.
  	The target allows you to create rules in the "mangle" table which alter
  	the netfilter mark (nfmark) field associated with the packet.

  	Prior to routing, the nfmark can influence the routing method and can
  	also be used by other subsystems to change their behavior.

  config NETFILTER_XT_CONNMARK
  	tristate 'ctmark target and match support'
  	depends on NF_CONNTRACK
  	depends on NETFILTER_ADVANCED
  	select NF_CONNTRACK_MARK
  	---help---
  	This option adds the "CONNMARK" target and "connmark" match.
  
  	Netfilter allows you to store a mark value per connection (a.k.a.
  	ctmark), similarly to the packet mark (nfmark). Using this
  	target and match, you can set and match on this mark.

  config NETFILTER_XT_SET
  	tristate 'set target and match support'
  	depends on IP_SET
  	depends on NETFILTER_ADVANCED
  	help
  	  This option adds the "SET" target and "set" match.
  
  	  Using this target and match, you can add/delete and match
  	  elements in the sets created by ipset(8).
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  # alphabetically ordered list of targets

  comment "Xtables targets"

  config NETFILTER_XT_TARGET_AUDIT
  	tristate "AUDIT target support"
  	depends on AUDIT
  	depends on NETFILTER_ADVANCED
  	---help---
  	  This option adds a 'AUDIT' target, which can be used to create
  	  audit records for packets dropped/accepted.
  
  	  To compileit as a module, choose M here. If unsure, say N.

  config NETFILTER_XT_TARGET_CHECKSUM
  	tristate "CHECKSUM target support"
  	depends on IP_NF_MANGLE || IP6_NF_MANGLE
  	depends on NETFILTER_ADVANCED
  	---help---
  	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
  	  table.
  
  	  You can use this target to compute and fill in the checksum in
  	  a packet that lacks a checksum.  This is particularly useful,
  	  if you need to work around old applications such as dhcp clients,
  	  that do not work well with checksum offloads, but don't want to disable
  	  checksum offload in your device.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_TARGET_CLASSIFY
  	tristate '"CLASSIFY" target support'

  	depends on NETFILTER_ADVANCED

  	help
  	  This option adds a `CLASSIFY' target, which enables the user to set
  	  the priority of a packet. Some qdiscs can use this value for
  	  classification, among these are:
  
    	  atm, cbq, dsmark, pfifo_fast, htb, prio
  
  	  To compile it as a module, choose M here.  If unsure, say N.
  
  config NETFILTER_XT_TARGET_CONNMARK
  	tristate  '"CONNMARK" target support'

  	depends on NF_CONNTRACK

  	depends on NETFILTER_ADVANCED

  	select NETFILTER_XT_CONNMARK
  	---help---
  	This is a backwards-compat option for the user's convenience
  	(e.g. when running oldconfig). It selects
  	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

  config NETFILTER_XT_TARGET_CONNSECMARK
  	tristate '"CONNSECMARK" target support'

  	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK

  	default m if NETFILTER_ADVANCED=n
  	help
  	  The CONNSECMARK target copies security markings from packets
  	  to connections, and restores security markings from connections
  	  to packets (if the packets are not already marked).  This would
  	  normally be used in conjunction with the SECMARK target.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_TARGET_CT
  	tristate '"CT" target support'
  	depends on NF_CONNTRACK
  	depends on IP_NF_RAW || IP6_NF_RAW
  	depends on NETFILTER_ADVANCED
  	help
  	  This options adds a `CT' target, which allows to specify initial
  	  connection tracking parameters like events to be delivered and
  	  the helper to be used.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_TARGET_DSCP

  	tristate '"DSCP" and "TOS" target support'

  	depends on IP_NF_MANGLE || IP6_NF_MANGLE

  	depends on NETFILTER_ADVANCED

  	help
  	  This option adds a `DSCP' target, which allows you to manipulate
  	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
  
  	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

  	  It also adds the "TOS" target, which allows you to create rules in
  	  the "mangle" table which alter the Type Of Service field of an IPv4

  	  or the Priority field of an IPv6 packet, prior to routing.

  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_TARGET_HL
  	tristate '"HL" hoplimit target support'
  	depends on IP_NF_MANGLE || IP6_NF_MANGLE
  	depends on NETFILTER_ADVANCED
  	---help---
  	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
  	targets, which enable the user to change the
  	hoplimit/time-to-live value of the IP header.
  
  	While it is safe to decrement the hoplimit/TTL value, the
  	modules also allow to increment and set the hoplimit value of
  	the header to arbitrary values. This is EXTREMELY DANGEROUS
  	since you can easily create immortal packets that loop
  	forever on the network.

  config NETFILTER_XT_TARGET_HMARK
  	tristate '"HMARK" target support'

  	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n

  	depends on NETFILTER_ADVANCED
  	---help---
  	This option adds the "HMARK" target.
  
  	The target allows you to create rules in the "raw" and "mangle" tables
  	which set the skbuff mark by means of hash calculation within a given

  	range. The nfmark can influence the routing method and can also be used
  	by other subsystems to change their behaviour.

  
  	To compile it as a module, choose M here. If unsure, say N.

  config NETFILTER_XT_TARGET_IDLETIMER
  	tristate  "IDLETIMER target support"
  	depends on NETFILTER_ADVANCED
  	help
  
  	  This option adds the `IDLETIMER' target.  Each matching packet
  	  resets the timer associated with label specified when the rule is
  	  added.  When the timer expires, it triggers a sysfs notification.
  	  The remaining time for expiration can be read via sysfs.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_TARGET_LED
  	tristate '"LED" target support'

  	depends on LEDS_CLASS && LEDS_TRIGGERS

  	depends on NETFILTER_ADVANCED
  	help
  	  This option adds a `LED' target, which allows you to blink LEDs in
  	  response to particular packets passing through your machine.
  
  	  This can be used to turn a spare LED into a network activity LED,
  	  which only flashes in response to FTP transfers, for example.  Or
  	  you could have an LED which lights up for a minute or two every time
  	  somebody connects to your machine via SSH.
  
  	  You will need support for the "led" class to make this work.
  
  	  To create an LED trigger for incoming SSH traffic:
  	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
  
  	  Then attach the new trigger to an LED on your system:
  	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
  
  	  For more information on the LEDs available on your system, see

  	  Documentation/leds/leds-class.txt

  config NETFILTER_XT_TARGET_LOG
  	tristate "LOG target support"

  	select NF_LOG_COMMON
  	select NF_LOG_IPV4
  	select NF_LOG_IPV6 if IPV6

  	default m if NETFILTER_ADVANCED=n
  	help
  	  This option adds a `LOG' target, which allows you to create rules in
  	  any iptables table which records the packet header to the syslog.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_TARGET_MARK
  	tristate '"MARK" target support'

  	depends on NETFILTER_ADVANCED
  	select NETFILTER_XT_MARK
  	---help---
  	This is a backwards-compat option for the user's convenience
  	(e.g. when running oldconfig). It selects
  	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

  config NETFILTER_XT_NAT
  	tristate '"SNAT and DNAT" targets support'
  	depends on NF_NAT
  	---help---
  	This option enables the SNAT and DNAT targets.
  
  	To compile it as a module, choose M here. If unsure, say N.

  config NETFILTER_XT_TARGET_NETMAP
  	tristate '"NETMAP" target support'
  	depends on NF_NAT
  	---help---
  	NETMAP is an implementation of static 1:1 NAT mapping of network
  	addresses. It maps the network address part, while keeping the host
  	address part intact.
  
  	To compile it as a module, choose M here. If unsure, say N.

  config NETFILTER_XT_TARGET_NFLOG
  	tristate '"NFLOG" target support'

  	default m if NETFILTER_ADVANCED=n

  	select NETFILTER_NETLINK_LOG

  	help
  	  This option enables the NFLOG target, which allows to LOG

  	  messages through nfnetlink_log.

  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_TARGET_NFQUEUE
  	tristate '"NFQUEUE" target Support'

  	depends on NETFILTER_ADVANCED

  	select NETFILTER_NETLINK_QUEUE

  	help
  	  This target replaced the old obsolete QUEUE target.
  
  	  As opposed to QUEUE, it supports 65535 different queues,
  	  not just one.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_TARGET_NOTRACK
  	tristate  '"NOTRACK" target support (DEPRECATED)'

  	depends on NF_CONNTRACK
  	depends on IP_NF_RAW || IP6_NF_RAW
  	depends on NETFILTER_ADVANCED

  	select NETFILTER_XT_TARGET_CT

  config NETFILTER_XT_TARGET_RATEEST
  	tristate '"RATEEST" target support'

  	depends on NETFILTER_ADVANCED

  	help
  	  This option adds a `RATEEST' target, which allows to measure
  	  rates similar to TC estimators. The `rateest' match can be
  	  used to match on the measured rates.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_TARGET_REDIRECT
  	tristate "REDIRECT target support"
  	depends on NF_NAT

  	select NF_NAT_REDIRECT

  	---help---
  	REDIRECT is a special case of NAT: all incoming connections are
  	mapped onto the incoming interface's address, causing the packets to
  	come to the local machine instead of passing through. This is
  	useful for transparent proxies.
  
  	To compile it as a module, choose M here. If unsure, say N.

  config NETFILTER_XT_TARGET_TEE

  	tristate '"TEE" - packet cloning to alternate destination'

  	depends on NETFILTER_ADVANCED

  	depends on IPV6 || IPV6=n

  	depends on !NF_CONNTRACK || NF_CONNTRACK

  	select NF_DUP_IPV4

  	select NF_DUP_IPV6 if IPV6

  	---help---
  	This option adds a "TEE" target with which a packet can be cloned and
  	this clone be rerouted to another nexthop.

  config NETFILTER_XT_TARGET_TPROXY

  	tristate '"TPROXY" target transparent proxying support'

  	depends on NETFILTER_XTABLES
  	depends on NETFILTER_ADVANCED

  	depends on IPV6 || IPV6=n
  	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n

  	depends on IP_NF_MANGLE

  	select NF_DEFRAG_IPV4

  	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n

  	help
  	  This option adds a `TPROXY' target, which is somewhat similar to
  	  REDIRECT.  It can only be used in the mangle table and is useful
  	  to redirect traffic to a transparent proxy.  It does _not_ depend
  	  on Netfilter connection tracking and NAT, unlike REDIRECT.

  	  For it to work you will have to configure certain iptables rules
  	  and use policy routing. For more information on how to set it up
  	  see Documentation/networking/tproxy.txt.

  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_TARGET_TRACE
  	tristate  '"TRACE" target support'

  	depends on IP_NF_RAW || IP6_NF_RAW

  	depends on NETFILTER_ADVANCED

  	help
  	  The TRACE target allows you to mark packets so that the kernel
  	  will log every rule which match the packets as those traverse
  	  the tables, chains, rules.
  
  	  If you want to compile it as a module, say M here and read

  	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

  config NETFILTER_XT_TARGET_SECMARK
  	tristate '"SECMARK" target support'

  	depends on NETWORK_SECMARK

  	default m if NETFILTER_ADVANCED=n

  	help
  	  The SECMARK target allows security marking of network
  	  packets, for use with security subsystems.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_TARGET_TCPMSS
  	tristate '"TCPMSS" target support'

  	depends on IPV6 || IPV6=n

  	default m if NETFILTER_ADVANCED=n

  	---help---
  	  This option adds a `TCPMSS' target, which allows you to alter the
  	  MSS value of TCP SYN packets, to control the maximum size for that
  	  connection (usually limiting it to your outgoing interface's MTU
  	  minus 40).
  
  	  This is used to overcome criminally braindead ISPs or servers which
  	  block ICMP Fragmentation Needed packets.  The symptoms of this
  	  problem are that everything works fine from your Linux
  	  firewall/router, but machines behind it can never exchange large
  	  packets:
  	        1) Web browsers connect, then hang with no data received.
  	        2) Small mail works fine, but large emails hang.
  	        3) ssh works fine, but scp hangs after initial handshaking.
  
  	  Workaround: activate this option and add a rule to your firewall
  	  configuration like:
  
  	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
  	                 -j TCPMSS --clamp-mss-to-pmtu
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_TARGET_TCPOPTSTRIP

  	tristate '"TCPOPTSTRIP" target support'

  	depends on IP_NF_MANGLE || IP6_NF_MANGLE

  	depends on NETFILTER_ADVANCED

  	help
  	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
  	  TCP options from TCP packets.

  # alphabetically ordered list of matches
  
  comment "Xtables matches"

  config NETFILTER_XT_MATCH_ADDRTYPE
  	tristate '"addrtype" address type match support'

  	default m if NETFILTER_ADVANCED=n

  	---help---
  	  This option allows you to match what routing thinks of an address,
  	  eg. UNICAST, LOCAL, BROADCAST, ...
  
  	  If you want to compile it as a module, say M here and read
  	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

  config NETFILTER_XT_MATCH_BPF
  	tristate '"bpf" match support'
  	depends on NETFILTER_ADVANCED
  	help
  	  BPF matching applies a linux socket filter to each packet and
  	  accepts those for which the filter returns non-zero.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_CGROUP
  	tristate '"control group" match support'
  	depends on NETFILTER_ADVANCED
  	depends on CGROUPS
  	select CGROUP_NET_CLASSID
  	---help---
  	Socket/process control group matching allows you to match locally
  	generated packets based on which net_cls control group processes
  	belong to.

  config NETFILTER_XT_MATCH_CLUSTER
  	tristate '"cluster" match support'
  	depends on NF_CONNTRACK
  	depends on NETFILTER_ADVANCED
  	---help---
  	  This option allows you to build work-load-sharing clusters of
  	  network servers/stateful firewalls without having a dedicated
  	  load-balancing router/server/switch. Basically, this match returns
  	  true when the packet must be handled by this cluster node. Thus,
  	  all nodes see all packets and this match decides which node handles
  	  what packets. The work-load sharing algorithm is based on source
  	  address hashing.
  
  	  If you say Y or M here, try `iptables -m cluster --help` for
  	  more information.

  config NETFILTER_XT_MATCH_COMMENT
  	tristate  '"comment" match support'

  	depends on NETFILTER_ADVANCED

  	help
  	  This option adds a `comment' dummy-match, which allows you to put
  	  comments in your iptables ruleset.
  
  	  If you want to compile it as a module, say M here and read

  	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

  
  config NETFILTER_XT_MATCH_CONNBYTES
  	tristate  '"connbytes" per-connection counter match support'

  	depends on NF_CONNTRACK

  	depends on NETFILTER_ADVANCED

  	help
  	  This option adds a `connbytes' match, which allows you to match the
  	  number of bytes and/or packets for each direction within a connection.
  
  	  If you want to compile it as a module, say M here and read

  	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

  config NETFILTER_XT_MATCH_CONNLABEL
  	tristate '"connlabel" match support'
  	select NF_CONNTRACK_LABELS

  	depends on NF_CONNTRACK

  	depends on NETFILTER_ADVANCED
  	---help---
  	  This match allows you to test and assign userspace-defined labels names
  	  to a connection.  The kernel only stores bit values - mapping
  	  names to bits is done by userspace.
  
  	  Unlike connmark, more than 32 flag bits may be assigned to a
  	  connection simultaneously.

  config NETFILTER_XT_MATCH_CONNLIMIT

  	tristate '"connlimit" match support'

  	depends on NF_CONNTRACK

  	depends on NETFILTER_ADVANCED

  	---help---
  	  This match allows you to match against the number of parallel
  	  connections to a server per client IP address (or address block).

  config NETFILTER_XT_MATCH_CONNMARK
  	tristate  '"connmark" connection mark match support'

  	depends on NF_CONNTRACK

  	depends on NETFILTER_ADVANCED

  	select NETFILTER_XT_CONNMARK
  	---help---
  	This is a backwards-compat option for the user's convenience
  	(e.g. when running oldconfig). It selects
  	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

  
  config NETFILTER_XT_MATCH_CONNTRACK
  	tristate '"conntrack" connection tracking match support'

  	depends on NF_CONNTRACK

  	default m if NETFILTER_ADVANCED=n

  	help
  	  This is a general conntrack match module, a superset of the state match.
  
  	  It allows matching on additional conntrack information, which is
  	  useful in complex configurations, such as NAT gateways with multiple
  	  internet links or tunnels.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  
  config NETFILTER_XT_MATCH_CPU
  	tristate '"cpu" match support'
  	depends on NETFILTER_ADVANCED
  	help
  	  CPU matching allows you to match packets based on the CPU
  	  currently handling the packet.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  
  config NETFILTER_XT_MATCH_DCCP

  	tristate '"dccp" protocol match support'

  	depends on NETFILTER_ADVANCED

  	default IP_DCCP

  	help
  	  With this option enabled, you will be able to use the iptables
  	  `dccp' match in order to match on DCCP source/destination ports
  	  and DCCP flags.
  
  	  If you want to compile it as a module, say M here and read

  	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

  config NETFILTER_XT_MATCH_DEVGROUP
  	tristate '"devgroup" match support'
  	depends on NETFILTER_ADVANCED
  	help
  	  This options adds a `devgroup' match, which allows to match on the
  	  device group a network device is assigned to.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_DSCP

  	tristate '"dscp" and "tos" match support'

  	depends on NETFILTER_ADVANCED

  	help
  	  This option adds a `DSCP' match, which allows you to match against
  	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
  
  	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

  	  It will also add a "tos" match, which allows you to match packets
  	  based on the Type Of Service fields of the IPv4 packet (which share
  	  the same bits as DSCP).

  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_ECN
  	tristate '"ecn" match support'
  	depends on NETFILTER_ADVANCED
  	---help---
  	This option adds an "ECN" match, which allows you to match against
  	the IPv4 and TCP header ECN fields.
  
  	To compile it as a module, choose M here. If unsure, say N.

  config NETFILTER_XT_MATCH_ESP

  	tristate '"esp" match support'

  	depends on NETFILTER_ADVANCED

  	help
  	  This match extension allows you to match a range of SPIs
  	  inside ESP header of IPSec packets.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_HASHLIMIT
  	tristate '"hashlimit" match support'

  	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n

  	depends on NETFILTER_ADVANCED
  	help
  	  This option adds a `hashlimit' match.
  
  	  As opposed to `limit', this match dynamically creates a hash table
  	  of limit buckets, based on your selection of source/destination
  	  addresses and/or ports.
  
  	  It enables you to express policies like `10kpps for any given
  	  destination address' or `500pps from any given source address'
  	  with a single rule.

  config NETFILTER_XT_MATCH_HELPER
  	tristate '"helper" match support'

  	depends on NF_CONNTRACK

  	depends on NETFILTER_ADVANCED

  	help
  	  Helper matching allows you to match packets in dynamic connections
  	  tracked by a conntrack-helper, ie. ip_conntrack_ftp
  
  	  To compile it as a module, choose M here.  If unsure, say Y.

  config NETFILTER_XT_MATCH_HL
  	tristate '"hl" hoplimit/TTL match support'
  	depends on NETFILTER_ADVANCED
  	---help---
  	HL matching allows you to match packets based on the hoplimit
  	in the IPv6 header, or the time-to-live field in the IPv4
  	header of the packet.

  config NETFILTER_XT_MATCH_IPCOMP
  	tristate '"ipcomp" match support'
  	depends on NETFILTER_ADVANCED
  	help
  	  This match extension allows you to match a range of CPIs(16 bits)
  	  inside IPComp header of IPSec packets.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_IPRANGE
  	tristate '"iprange" address range match support'

  	depends on NETFILTER_ADVANCED
  	---help---
  	This option adds a "iprange" match, which allows you to match based on
  	an IP address range. (Normal iptables only matches on single addresses
  	with an optional mask.)
  
  	If unsure, say M.

  config NETFILTER_XT_MATCH_IPVS
  	tristate '"ipvs" match support'
  	depends on IP_VS
  	depends on NETFILTER_ADVANCED
  	depends on NF_CONNTRACK
  	help
  	  This option allows you to match against IPVS properties of a packet.
  
  	  If unsure, say N.

  config NETFILTER_XT_MATCH_L2TP
  	tristate '"l2tp" match support'
  	depends on NETFILTER_ADVANCED
  	default L2TP
  	---help---
  	This option adds an "L2TP" match, which allows you to match against
  	L2TP protocol header fields.
  
  	To compile it as a module, choose M here. If unsure, say N.

  config NETFILTER_XT_MATCH_LENGTH
  	tristate '"length" match support'

  	depends on NETFILTER_ADVANCED

  	help
  	  This option allows you to match the length of a packet against a
  	  specific value or range of values.
  
  	  To compile it as a module, choose M here.  If unsure, say N.
  
  config NETFILTER_XT_MATCH_LIMIT
  	tristate '"limit" match support'

  	depends on NETFILTER_ADVANCED

  	help
  	  limit matching allows you to control the rate at which a rule can be
  	  matched: mainly useful in combination with the LOG target ("LOG
  	  target support", below) and to avoid some Denial of Service attacks.
  
  	  To compile it as a module, choose M here.  If unsure, say N.
  
  config NETFILTER_XT_MATCH_MAC
  	tristate '"mac" address match support'

  	depends on NETFILTER_ADVANCED

  	help
  	  MAC matching allows you to match packets based on the source
  	  Ethernet address of the packet.
  
  	  To compile it as a module, choose M here.  If unsure, say N.
  
  config NETFILTER_XT_MATCH_MARK
  	tristate '"mark" match support'

  	depends on NETFILTER_ADVANCED
  	select NETFILTER_XT_MARK
  	---help---
  	This is a backwards-compat option for the user's convenience
  	(e.g. when running oldconfig). It selects
  	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

  config NETFILTER_XT_MATCH_MULTIPORT
  	tristate '"multiport" Multiple port match support'

  	depends on NETFILTER_ADVANCED
  	help
  	  Multiport matching allows you to match TCP or UDP packets based on
  	  a series of source or destination ports: normally a rule can only
  	  match a single range of ports.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_NFACCT
  	tristate '"nfacct" match support'

  	depends on NETFILTER_ADVANCED

  	select NETFILTER_NETLINK_ACCT
  	help
  	  This option allows you to use the extended accounting through
  	  nfnetlink_acct.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_OSF
  	tristate '"osf" Passive OS fingerprint match'
  	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
  	help
  	  This option selects the Passive OS Fingerprinting match module
  	  that allows to passively match the remote operating system by
  	  analyzing incoming TCP SYN packets.
  
  	  Rules and loading software can be downloaded from
  	  http://www.ioremap.net/projects/osf
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_OWNER
  	tristate '"owner" match support'

  	depends on NETFILTER_ADVANCED

  	---help---
  	Socket owner matching allows you to match locally-generated packets
  	based on who created the socket: the user or group. It is also
  	possible to check whether a socket actually exists.

  config NETFILTER_XT_MATCH_POLICY
  	tristate 'IPsec "policy" match support'

  	depends on XFRM

  	default m if NETFILTER_ADVANCED=n

  	help
  	  Policy matching allows you to match packets based on the
  	  IPsec policy that was used during decapsulation/will
  	  be used during encapsulation.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_PHYSDEV
  	tristate '"physdev" match support'

  	depends on BRIDGE && BRIDGE_NETFILTER

  	depends on NETFILTER_ADVANCED

  	help
  	  Physdev packet matching matches against the physical bridge ports
  	  the IP packet arrived on or will leave by.
  
  	  To compile it as a module, choose M here.  If unsure, say N.
  
  config NETFILTER_XT_MATCH_PKTTYPE
  	tristate '"pkttype" packet type match support'

  	depends on NETFILTER_ADVANCED

  	help
  	  Packet type matching allows you to match a packet by
  	  its "class", eg. BROADCAST, MULTICAST, ...
  
  	  Typical usage:
  	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_QUOTA
  	tristate '"quota" match support'

  	depends on NETFILTER_ADVANCED

  	help
  	  This option adds a `quota' match, which allows to match on a
  	  byte counter.
  
  	  If you want to compile it as a module, say M here and read

  	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

  config NETFILTER_XT_MATCH_RATEEST
  	tristate '"rateest" match support'

  	depends on NETFILTER_ADVANCED

  	select NETFILTER_XT_TARGET_RATEEST
  	help
  	  This option adds a `rateest' match, which allows to match on the
  	  rate estimated by the RATEEST target.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_REALM
  	tristate  '"realm" match support'

  	depends on NETFILTER_ADVANCED

  	select IP_ROUTE_CLASSID

  	help
  	  This option adds a `realm' match, which allows you to use the realm
  	  key from the routing subsystem inside iptables.

  	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
  	  in tc world.

  	  If you want to compile it as a module, say M here and read

  	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

  config NETFILTER_XT_MATCH_RECENT
  	tristate '"recent" match support'

  	depends on NETFILTER_ADVANCED
  	---help---
  	This match is used for creating one or many lists of recently
  	used addresses and then matching against that/those list(s).
  
  	Short options are available by using 'iptables -m recent -h'
  	Official Website: <http://snowman.net/projects/ipt_recent/>

  config NETFILTER_XT_MATCH_SCTP

  	tristate  '"sctp" protocol match support'

  	depends on NETFILTER_ADVANCED

  	default IP_SCTP

  	help
  	  With this option enabled, you will be able to use the 
  	  `sctp' match in order to match on SCTP source/destination ports
  	  and SCTP chunk types.
  
  	  If you want to compile it as a module, say M here and read

  	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

  config NETFILTER_XT_MATCH_SOCKET

  	tristate '"socket" match support'

  	depends on NETFILTER_XTABLES
  	depends on NETFILTER_ADVANCED

  	depends on IPV6 || IPV6=n
  	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n

  	depends on NF_SOCKET_IPV4
  	depends on NF_SOCKET_IPV6

  	select NF_DEFRAG_IPV4

  	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n

  	help
  	  This option adds a `socket' match, which can be used to match
  	  packets for which a TCP or UDP socket lookup finds a valid socket.
  	  It can be used in combination with the MARK target and policy
  	  routing to implement full featured non-locally bound sockets.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_STATE
  	tristate '"state" match support'

  	depends on NF_CONNTRACK

  	default m if NETFILTER_ADVANCED=n

  	help
  	  Connection state matching allows you to match packets based on their
  	  relationship to a tracked connection (ie. previous packets).  This
  	  is a powerful tool for packet classification.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_STATISTIC
  	tristate '"statistic" match support'

  	depends on NETFILTER_ADVANCED

  	help

  	  This option adds a `statistic' match, which allows you to match
  	  on packets periodically or randomly with a given percentage.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_STRING
  	tristate  '"string" match support'

  	depends on NETFILTER_ADVANCED

  	select TEXTSEARCH
  	select TEXTSEARCH_KMP
  	select TEXTSEARCH_BM
  	select TEXTSEARCH_FSM
  	help
  	  This option adds a `string' match, which allows you to look for
  	  pattern matchings in packets.
  
  	  To compile it as a module, choose M here.  If unsure, say N.
  
  config NETFILTER_XT_MATCH_TCPMSS
  	tristate '"tcpmss" match support'

  	depends on NETFILTER_ADVANCED

  	help
  	  This option adds a `tcpmss' match, which allows you to examine the
  	  MSS value of TCP SYN packets, which control the maximum packet size
  	  for that connection.
  
  	  To compile it as a module, choose M here.  If unsure, say N.

  config NETFILTER_XT_MATCH_TIME
  	tristate '"time" match support'

  	depends on NETFILTER_ADVANCED

  	---help---
  	  This option adds a "time" match, which allows you to match based on
  	  the packet arrival time (at the machine which netfilter is running)
  	  on) or departure time/date (for locally generated packets).
  
  	  If you say Y here, try `iptables -m time --help` for
  	  more information.
  
  	  If you want to compile it as a module, say M here.
  	  If unsure, say N.

  config NETFILTER_XT_MATCH_U32
  	tristate '"u32" match support'

  	depends on NETFILTER_ADVANCED

  	---help---
  	  u32 allows you to extract quantities of up to 4 bytes from a packet,
  	  AND them with specified masks, shift them by specified amounts and
  	  test whether the results are in any of a set of specified ranges.
  	  The specification of what to extract is general enough to skip over
  	  headers with lengths stored in the packet, as in IP or TCP header
  	  lengths.
  
  	  Details and examples are in the kernel module source.

  endif # NETFILTER_XTABLES

  endmenu

  source "net/netfilter/ipset/Kconfig"

  source "net/netfilter/ipvs/Kconfig"