Blame view
net/netfilter/Kconfig
49.7 KB
9fb9cbb10 [NETFILTER]: Add ... |
1 |
menu "Core Netfilter Configuration" |
3a411355b [NETFILTER]: Fix ... |
2 |
depends on NET && INET && NETFILTER |
9fb9cbb10 [NETFILTER]: Add ... |
3 |
|
e687ad60a netfilter: add ne... |
4 5 |
config NETFILTER_INGRESS bool "Netfilter ingress support" |
529985de2 netfilter: defaul... |
6 |
default y |
e687ad60a netfilter: add ne... |
7 8 9 10 |
select NET_INGRESS help This allows you to classify packets from ingress using the Netfilter infrastructure. |
f9e815b37 [NETFITLER]: Add ... |
11 |
config NETFILTER_NETLINK |
2eeeba390 [NETFILTER]: Sele... |
12 |
tristate |
7af4cc3fa [NETFILTER]: Add ... |
13 |
|
941390279 netfilter: add ex... |
14 15 16 17 18 19 20 |
config NETFILTER_NETLINK_ACCT tristate "Netfilter NFACCT over NFNETLINK interface" depends on NETFILTER_ADVANCED select NETFILTER_NETLINK help If this option is enabled, the kernel will include support for extended accounting via NFNETLINK. |
7af4cc3fa [NETFILTER]: Add ... |
21 22 |
config NETFILTER_NETLINK_QUEUE tristate "Netfilter NFQUEUE over NFNETLINK interface" |
33b8e7760 [NETFILTER]: Add ... |
23 |
depends on NETFILTER_ADVANCED |
2eeeba390 [NETFILTER]: Sele... |
24 |
select NETFILTER_NETLINK |
7af4cc3fa [NETFILTER]: Add ... |
25 |
help |
50b521aa5 [NETFILTER]: Fix ... |
26 |
If this option is enabled, the kernel will include support |
7af4cc3fa [NETFILTER]: Add ... |
27 28 |
for queueing packets via NFNETLINK. |
0597f2680 [NETFILTER]: Add ... |
29 30 |
config NETFILTER_NETLINK_LOG tristate "Netfilter LOG over NFNETLINK interface" |
33b8e7760 [NETFILTER]: Add ... |
31 |
default m if NETFILTER_ADVANCED=n |
2eeeba390 [NETFILTER]: Sele... |
32 |
select NETFILTER_NETLINK |
0597f2680 [NETFILTER]: Add ... |
33 34 35 36 37 38 39 |
help If this option is enabled, the kernel will include support for logging packets via NFNETLINK. This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, and is also scheduled to replace the old syslog-based ipt_LOG and ip6t_LOG modules. |
ab4f58c77 [NETFILTER]: remo... |
40 |
config NF_CONNTRACK |
b321e1442 [NETFILTER]: Kcon... |
41 |
tristate "Netfilter connection tracking support" |
33b8e7760 [NETFILTER]: Add ... |
42 |
default m if NETFILTER_ADVANCED=n |
b321e1442 [NETFILTER]: Kcon... |
43 |
help |
9fb9cbb10 [NETFILTER]: Add ... |
44 45 46 |
Connection tracking keeps a record of what packets have passed through your machine, in order to figure out how they are related into connections. |
b321e1442 [NETFILTER]: Kcon... |
47 |
This is required to do Masquerading or other kinds of Network |
b11c16beb netfilter: Get ri... |
48 49 |
Address Translation. It can also be used to enhance packet filtering (see `Connection state match support' below). |
b321e1442 [NETFILTER]: Kcon... |
50 51 |
To compile it as a module, choose M here. If unsure, say N. |
c1878869c netfilter: fix se... |
52 53 |
config NF_LOG_COMMON tristate |
1fddf4bad netfilter: nf_log... |
54 55 56 |
config NF_LOG_NETDEV tristate "Netdev packet logging" select NF_LOG_COMMON |
c2df73de2 netfilter: xtable... |
57 |
if NF_CONNTRACK |
9fb9cbb10 [NETFILTER]: Add ... |
58 59 |
config NF_CONNTRACK_MARK bool 'Connection mark tracking support' |
33b8e7760 [NETFILTER]: Add ... |
60 |
depends on NETFILTER_ADVANCED |
9fb9cbb10 [NETFILTER]: Add ... |
61 62 63 64 65 |
help This option enables support for connection marks, used by the `CONNMARK' target and `connmark' match. Similar to the mark value of packets, but this mark value is kept in the conntrack session instead of the individual packets. |
7c9728c39 [SECMARK]: Add se... |
66 67 |
config NF_CONNTRACK_SECMARK bool 'Connection tracking security mark support' |
c2df73de2 netfilter: xtable... |
68 |
depends on NETWORK_SECMARK |
33b8e7760 [NETFILTER]: Add ... |
69 |
default m if NETFILTER_ADVANCED=n |
7c9728c39 [SECMARK]: Add se... |
70 71 72 73 74 75 76 77 |
help This option enables security markings to be applied to connections. Typically they are copied to connections from packets using the CONNSECMARK target and copied back from connections to packets with the same target, with the packets being originally labeled via SECMARK. If unsure, say 'N'. |
5d0aa2ccd netfilter: nf_con... |
78 79 80 81 82 83 84 85 86 87 88 89 |
config NF_CONNTRACK_ZONES bool 'Connection tracking zones' depends on NETFILTER_ADVANCED depends on NETFILTER_XT_TARGET_CT help This option enables support for connection tracking zones. Normally, each connection needs to have a unique system wide identity. Connection tracking zones allow to have multiple connections using the same identity, as long as they are contained in different zones. If unsure, say `N'. |
54b07dca6 netfilter: provid... |
90 91 92 93 94 95 96 97 98 |
config NF_CONNTRACK_PROCFS bool "Supply CT list in procfs (OBSOLETE)" default y depends on PROC_FS ---help--- This option enables for the list of known conntrack entries to be shown in procfs under net/netfilter/nf_conntrack. This is considered obsolete in favor of using the conntrack(8) tool which uses Netlink. |
9fb9cbb10 [NETFILTER]: Add ... |
99 |
config NF_CONNTRACK_EVENTS |
8ce22fcab [NETFILTER]: Remo... |
100 |
bool "Connection tracking events" |
33b8e7760 [NETFILTER]: Add ... |
101 |
depends on NETFILTER_ADVANCED |
9fb9cbb10 [NETFILTER]: Add ... |
102 103 104 |
help If this option is enabled, the connection tracking code will provide a notifier chain that can be used by other kernel code |
50b521aa5 [NETFILTER]: Fix ... |
105 |
to get notified about changes in the connection tracking state. |
9fb9cbb10 [NETFILTER]: Add ... |
106 107 |
If unsure, say `N'. |
dd7050724 netfilter: nf_ct_... |
108 109 110 111 112 113 114 115 116 |
config NF_CONNTRACK_TIMEOUT bool 'Connection tracking timeout' depends on NETFILTER_ADVANCED help This option enables support for connection tracking timeout extension. This allows you to attach timeout policies to flow via the CT target. If unsure, say `N'. |
a992ca2a0 netfilter: nf_con... |
117 118 119 120 121 122 123 124 125 126 |
config NF_CONNTRACK_TIMESTAMP bool 'Connection tracking timestamping' depends on NETFILTER_ADVANCED help This option enables support for connection tracking timestamping. This allows you to store the flow start-time and to obtain the flow-stop time (once it has been destroyed) via Connection tracking events. If unsure, say `N'. |
c539f0171 netfilter: add co... |
127 128 129 130 131 |
config NF_CONNTRACK_LABELS bool help This option enables support for assigning user-defined flag bits to connection tracking entries. It selected by the connlabel match. |
2bc780499 [NETFILTER]: nf_c... |
132 |
config NF_CT_PROTO_DCCP |
c51d39010 netfilter: conntr... |
133 |
bool 'DCCP protocol connection tracking support' |
2bc780499 [NETFILTER]: nf_c... |
134 |
depends on NETFILTER_ADVANCED |
c51d39010 netfilter: conntr... |
135 |
default y |
2bc780499 [NETFILTER]: nf_c... |
136 137 138 |
help With this option enabled, the layer 3 independent connection tracking code will be able to do state tracking on DCCP connections. |
c51d39010 netfilter: conntr... |
139 |
If unsure, say Y. |
2bc780499 [NETFILTER]: nf_c... |
140 |
|
f09943fef [NETFILTER]: nf_c... |
141 142 |
config NF_CT_PROTO_GRE tristate |
f09943fef [NETFILTER]: nf_c... |
143 |
|
9fb9cbb10 [NETFILTER]: Add ... |
144 |
config NF_CT_PROTO_SCTP |
a85406afe netfilter: conntr... |
145 |
bool 'SCTP protocol connection tracking support' |
33b8e7760 [NETFILTER]: Add ... |
146 |
depends on NETFILTER_ADVANCED |
a85406afe netfilter: conntr... |
147 |
default y |
300ae1494 netfilter: select... |
148 |
select LIBCRC32C |
9fb9cbb10 [NETFILTER]: Add ... |
149 150 151 |
help With this option enabled, the layer 3 independent connection tracking code will be able to do state tracking on SCTP connections. |
a85406afe netfilter: conntr... |
152 |
If unsure, say Y. |
9fb9cbb10 [NETFILTER]: Add ... |
153 |
|
59eecdfb1 [NETFILTER]: nf_c... |
154 |
config NF_CT_PROTO_UDPLITE |
9b91c96c5 netfilter: conntr... |
155 |
bool 'UDP-Lite protocol connection tracking support' |
33b8e7760 [NETFILTER]: Add ... |
156 |
depends on NETFILTER_ADVANCED |
9b91c96c5 netfilter: conntr... |
157 |
default y |
59eecdfb1 [NETFILTER]: nf_c... |
158 159 160 161 |
help With this option enabled, the layer 3 independent connection tracking code will be able to do state tracking on UDP-Lite connections. |
9b91c96c5 netfilter: conntr... |
162 |
If unsure, say Y. |
59eecdfb1 [NETFILTER]: nf_c... |
163 |
|
169589005 [NETFILTER]: nf_c... |
164 |
config NF_CONNTRACK_AMANDA |
c9386cfdd [NETFILTER]: New ... |
165 |
tristate "Amanda backup protocol support" |
33b8e7760 [NETFILTER]: Add ... |
166 |
depends on NETFILTER_ADVANCED |
169589005 [NETFILTER]: nf_c... |
167 168 169 170 171 172 173 174 175 176 177 |
select TEXTSEARCH select TEXTSEARCH_KMP help If you are running the Amanda backup package <http://www.amanda.org/> on this machine or machines that will be MASQUERADED through this machine, then you may want to enable this feature. This allows the connection tracking and natting code to allow the sub-channels that Amanda requires for communication of the backup data, messages and index. To compile it as a module, choose M here. If unsure, say N. |
9fb9cbb10 [NETFILTER]: Add ... |
178 |
config NF_CONNTRACK_FTP |
c9386cfdd [NETFILTER]: New ... |
179 |
tristate "FTP protocol support" |
33b8e7760 [NETFILTER]: Add ... |
180 |
default m if NETFILTER_ADVANCED=n |
9fb9cbb10 [NETFILTER]: Add ... |
181 182 183 184 185 186 187 188 189 190 |
help Tracking FTP connections is problematic: special helpers are required for tracking them, and doing masquerading and other forms of Network Address Translation on them. This is FTP support on Layer 3 independent connection tracking. Layer 3 independent connection tracking is experimental scheme which generalize ip_conntrack to support other layer 3 protocols. To compile it as a module, choose M here. If unsure, say N. |
f587de0e2 [NETFILTER]: nf_c... |
191 |
config NF_CONNTRACK_H323 |
8ce22fcab [NETFILTER]: Remo... |
192 |
tristate "H.323 protocol support" |
f09becc79 netfilter: Kconfi... |
193 |
depends on IPV6 || IPV6=n |
33b8e7760 [NETFILTER]: Add ... |
194 |
depends on NETFILTER_ADVANCED |
f587de0e2 [NETFILTER]: nf_c... |
195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 |
help H.323 is a VoIP signalling protocol from ITU-T. As one of the most important VoIP protocols, it is widely used by voice hardware and software including voice gateways, IP phones, Netmeeting, OpenPhone, Gnomemeeting, etc. With this module you can support H.323 on a connection tracking/NAT firewall. This module supports RAS, Fast Start, H.245 Tunnelling, Call Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, whiteboard, file transfer, etc. For more information, please visit http://nath323.sourceforge.net/. To compile it as a module, choose M here. If unsure, say N. |
869f37d8e [NETFILTER]: nf_c... |
210 |
config NF_CONNTRACK_IRC |
c9386cfdd [NETFILTER]: New ... |
211 |
tristate "IRC protocol support" |
33b8e7760 [NETFILTER]: Add ... |
212 |
default m if NETFILTER_ADVANCED=n |
869f37d8e [NETFILTER]: nf_c... |
213 214 215 216 217 218 219 220 221 222 223 |
help There is a commonly-used extension to IRC called Direct Client-to-Client Protocol (DCC). This enables users to send files to each other, and also chat to each other without the need of a server. DCC Sending is used anywhere you send files over IRC, and DCC Chat is most commonly used by Eggdrop bots. If you are using NAT, this extension will enable you to send files and initiate chats. Note that you do NOT need this extension to get files or have others initiate chats, or everything else in IRC. To compile it as a module, choose M here. If unsure, say N. |
93557f53e netfilter: nf_con... |
224 225 |
config NF_CONNTRACK_BROADCAST tristate |
92703eee4 [NETFILTER]: nf_c... |
226 |
config NF_CONNTRACK_NETBIOS_NS |
8ce22fcab [NETFILTER]: Remo... |
227 |
tristate "NetBIOS name service protocol support" |
93557f53e netfilter: nf_con... |
228 |
select NF_CONNTRACK_BROADCAST |
92703eee4 [NETFILTER]: nf_c... |
229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 |
help NetBIOS name service requests are sent as broadcast messages from an unprivileged port and responded to with unicast messages to the same port. This make them hard to firewall properly because connection tracking doesn't deal with broadcasts. This helper tracks locally originating NetBIOS name service requests and the corresponding responses. It relies on correct IP address configuration, specifically netmask and broadcast address. When properly configured, the output of "ip address show" should look similar to this: $ ip -4 address show eth0 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 To compile it as a module, choose M here. If unsure, say N. |
93557f53e netfilter: nf_con... |
244 245 246 247 248 249 250 251 252 253 254 255 256 257 |
config NF_CONNTRACK_SNMP tristate "SNMP service protocol support" depends on NETFILTER_ADVANCED select NF_CONNTRACK_BROADCAST help SNMP service requests are sent as broadcast messages from an unprivileged port and responded to with unicast messages to the same port. This make them hard to firewall properly because connection tracking doesn't deal with broadcasts. This helper tracks locally originating SNMP service requests and the corresponding responses. It relies on correct IP address configuration, specifically netmask and broadcast address. To compile it as a module, choose M here. If unsure, say N. |
f09943fef [NETFILTER]: nf_c... |
258 |
config NF_CONNTRACK_PPTP |
c9386cfdd [NETFILTER]: New ... |
259 |
tristate "PPtP protocol support" |
33b8e7760 [NETFILTER]: Add ... |
260 |
depends on NETFILTER_ADVANCED |
f09943fef [NETFILTER]: nf_c... |
261 262 263 264 265 266 267 268 269 270 |
select NF_CT_PROTO_GRE help This module adds support for PPTP (Point to Point Tunnelling Protocol, RFC2637) connection tracking and NAT. If you are running PPTP sessions over a stateful firewall or NAT box, you may want to enable this feature. Please note that not all PPTP modes of operation are supported yet. Specifically these limitations exist: |
3dde6ad8f Fix trivial typos... |
271 |
- Blindly assumes that control connections are always established |
f09943fef [NETFILTER]: nf_c... |
272 273 274 275 |
in PNS->PAC direction. This is a violation of RFC2637. - Only supports a single call within each session To compile it as a module, choose M here. If unsure, say N. |
6fecd1985 [NETFILTER]: Add ... |
276 |
config NF_CONNTRACK_SANE |
663ef0d18 net/netfilter: re... |
277 |
tristate "SANE protocol support" |
33b8e7760 [NETFILTER]: Add ... |
278 |
depends on NETFILTER_ADVANCED |
6fecd1985 [NETFILTER]: Add ... |
279 280 281 282 283 284 285 286 287 |
help SANE is a protocol for remote access to scanners as implemented by the 'saned' daemon. Like FTP, it uses separate control and data connections. With this module you can support SANE on a connection tracking firewall. To compile it as a module, choose M here. If unsure, say N. |
9fafcd7b2 [NETFILTER]: nf_c... |
288 |
config NF_CONNTRACK_SIP |
8ce22fcab [NETFILTER]: Remo... |
289 |
tristate "SIP protocol support" |
33b8e7760 [NETFILTER]: Add ... |
290 |
default m if NETFILTER_ADVANCED=n |
9fafcd7b2 [NETFILTER]: nf_c... |
291 292 293 294 295 296 297 298 |
help SIP is an application-layer control protocol that can establish, modify, and terminate multimedia sessions (conferences) such as Internet telephony calls. With the ip_conntrack_sip and the nf_nat_sip modules you can support the protocol on a connection tracking/NATing firewall. To compile it as a module, choose M here. If unsure, say N. |
a536df35b [NETFILTER]: nf_c... |
299 |
config NF_CONNTRACK_TFTP |
c9386cfdd [NETFILTER]: New ... |
300 |
tristate "TFTP protocol support" |
33b8e7760 [NETFILTER]: Add ... |
301 |
depends on NETFILTER_ADVANCED |
a536df35b [NETFILTER]: nf_c... |
302 303 304 305 306 307 308 |
help TFTP connection tracking helper, this is required depending on how restrictive your ruleset is. If you are using a tftp client behind -j SNAT or -j MASQUERADING you will need this. To compile it as a module, choose M here. If unsure, say N. |
c1d10adb4 [NETFILTER]: Add ... |
309 |
config NF_CT_NETLINK |
8ce22fcab [NETFILTER]: Remo... |
310 |
tristate 'Connection tracking netlink interface' |
2eeeba390 [NETFILTER]: Sele... |
311 |
select NETFILTER_NETLINK |
33b8e7760 [NETFILTER]: Add ... |
312 |
default m if NETFILTER_ADVANCED=n |
c1d10adb4 [NETFILTER]: Add ... |
313 314 |
help This option enables support for a netlink-based userspace interface |
509784623 netfilter: add ct... |
315 316 317 318 319 320 321 322 323 324 |
config NF_CT_NETLINK_TIMEOUT tristate 'Connection tracking timeout tuning via Netlink' select NETFILTER_NETLINK depends on NETFILTER_ADVANCED help This option enables support for connection tracking timeout fine-grain tuning. This allows you to attach specific timeout policies to flows, instead of using the global timeout policy. If unsure, say `N'. |
6e9c2db3a netfilter: fix co... |
325 326 327 328 329 |
config NF_CT_NETLINK_HELPER tristate 'Connection tracking helpers in user-space via Netlink' select NETFILTER_NETLINK depends on NF_CT_NETLINK depends on NETFILTER_NETLINK_QUEUE |
83f3e94d3 netfilter: Kconfi... |
330 |
depends on NETFILTER_NETLINK_GLUE_CT |
6e9c2db3a netfilter: fix co... |
331 332 333 334 335 336 |
depends on NETFILTER_ADVANCED help This option enables the user-space connection tracking helpers infrastructure. If unsure, say `N'. |
83f3e94d3 netfilter: Kconfi... |
337 |
config NETFILTER_NETLINK_GLUE_CT |
a29a9a585 netfilter: nfnetl... |
338 |
bool "NFQUEUE and NFLOG integration with Connection Tracking" |
83f3e94d3 netfilter: Kconfi... |
339 |
default n |
a29a9a585 netfilter: nfnetl... |
340 |
depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK |
7c6223454 netfilter: nfnetl... |
341 |
help |
a29a9a585 netfilter: nfnetl... |
342 343 344 |
If this option is enabled, NFQUEUE and NFLOG can include Connection Tracking information together with the packet is the enqueued via NFNETLINK. |
7c6223454 netfilter: nfnetl... |
345 |
|
c7232c997 netfilter: add pr... |
346 347 348 349 350 351 352 353 354 |
config NF_NAT tristate config NF_NAT_NEEDED bool depends on NF_NAT default y config NF_NAT_PROTO_DCCP |
0c4e966ea netfilter: built-... |
355 |
bool |
c7232c997 netfilter: add pr... |
356 357 358 359 |
depends on NF_NAT && NF_CT_PROTO_DCCP default NF_NAT && NF_CT_PROTO_DCCP config NF_NAT_PROTO_UDPLITE |
b8ad652f9 netfilter: built-... |
360 |
bool |
c7232c997 netfilter: add pr... |
361 362 363 364 |
depends on NF_NAT && NF_CT_PROTO_UDPLITE default NF_NAT && NF_CT_PROTO_UDPLITE config NF_NAT_PROTO_SCTP |
7a2dd28c7 netfilter: built-... |
365 |
bool |
c7232c997 netfilter: add pr... |
366 367 |
default NF_NAT && NF_CT_PROTO_SCTP depends on NF_NAT && NF_CT_PROTO_SCTP |
c7232c997 netfilter: add pr... |
368 |
|
ee6eb9667 netfilter: nf_nat... |
369 370 371 372 |
config NF_NAT_AMANDA tristate depends on NF_CONNTRACK && NF_NAT default NF_NAT && NF_CONNTRACK_AMANDA |
d33cbeeb1 netfilter: nf_nat... |
373 374 375 376 |
config NF_NAT_FTP tristate depends on NF_CONNTRACK && NF_NAT default NF_NAT && NF_CONNTRACK_FTP |
5901b6be8 netfilter: nf_nat... |
377 378 379 380 |
config NF_NAT_IRC tristate depends on NF_CONNTRACK && NF_NAT default NF_NAT && NF_CONNTRACK_IRC |
9a6648210 netfilter: nf_nat... |
381 382 383 384 |
config NF_NAT_SIP tristate depends on NF_CONNTRACK && NF_NAT default NF_NAT && NF_CONNTRACK_SIP |
320ff567f netfilter: nf_nat... |
385 386 387 388 |
config NF_NAT_TFTP tristate depends on NF_CONNTRACK && NF_NAT default NF_NAT && NF_CONNTRACK_TFTP |
b59eaf9e2 netfilter: combin... |
389 390 391 392 393 394 |
config NF_NAT_REDIRECT tristate "IPv4/IPv6 redirect support" depends on NF_NAT help This is the kernel functionality to redirect packets to local machine through NAT. |
48b1de4c1 netfilter: add SY... |
395 396 |
config NETFILTER_SYNPROXY tristate |
4b0706624 netfilter: Kconfi... |
397 |
endif # NF_CONNTRACK |
96518518c netfilter: add nf... |
398 |
config NF_TABLES |
5f291c286 netfilter: select... |
399 |
select NETFILTER_NETLINK |
96518518c netfilter: add nf... |
400 |
tristate "Netfilter nf_tables support" |
d497c6352 netfilter: add he... |
401 402 403 404 405 406 407 408 409 410 411 |
help nftables is the new packet classification framework that intends to replace the existing {ip,ip6,arp,eb}_tables infrastructure. It provides a pseudo-state machine with an extensible instruction-set (also known as expressions) that the userspace 'nft' utility (http://www.netfilter.org/projects/nftables) uses to build the rule-set. It also comes with the generic set infrastructure that allows you to construct mappings between matchings and actions for performance lookups. To compile it as a module, choose M here. |
96518518c netfilter: add nf... |
412 |
|
f04e599e2 netfilter: nf_tab... |
413 |
if NF_TABLES |
1d49144c0 netfilter: nf_tab... |
414 |
config NF_TABLES_INET |
f04e599e2 netfilter: nf_tab... |
415 |
depends on IPV6 |
1d49144c0 netfilter: nf_tab... |
416 417 418 419 420 |
select NF_TABLES_IPV4 select NF_TABLES_IPV6 tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support" help This option enables support for a mixed IPv4/IPv6 "inet" table. |
ed6c4136f netfilter: nf_tab... |
421 422 423 424 |
config NF_TABLES_NETDEV tristate "Netfilter nf_tables netdev tables support" help This option enables support for the "netdev" table. |
96518518c netfilter: add nf... |
425 |
config NFT_EXTHDR |
935b7f643 netfilter: nft_ex... |
426 |
tristate "Netfilter nf_tables exthdr module" |
d497c6352 netfilter: add he... |
427 428 |
help This option adds the "exthdr" expression that you can use to match |
935b7f643 netfilter: nft_ex... |
429 |
IPv6 extension headers and tcp options. |
96518518c netfilter: add nf... |
430 431 |
config NFT_META |
96518518c netfilter: add nf... |
432 |
tristate "Netfilter nf_tables meta module" |
d497c6352 netfilter: add he... |
433 434 435 |
help This option adds the "meta" expression that you can use to match and to set packet metainformation such as the packet mark. |
96518518c netfilter: add nf... |
436 |
|
2fa841938 netfilter: nf_tab... |
437 438 439 440 441 |
config NFT_RT tristate "Netfilter nf_tables routing module" help This option adds the "rt" expression that you can use to match packet routing information such as the packet nexthop. |
91dbc6be0 netfilter: nf_tab... |
442 443 444 445 446 |
config NFT_NUMGEN tristate "Netfilter nf_tables number generator module" help This option adds the number generator expression used to perform incremental counting and random numbers bound to a upper limit. |
96518518c netfilter: add nf... |
447 |
config NFT_CT |
96518518c netfilter: add nf... |
448 449 |
depends on NF_CONNTRACK tristate "Netfilter nf_tables conntrack module" |
d497c6352 netfilter: add he... |
450 |
help |
e4670b058 netfilter: Fix ty... |
451 |
This option adds the "ct" expression that you can use to match |
d497c6352 netfilter: add he... |
452 |
connection tracking information such as the flow state. |
96518518c netfilter: add nf... |
453 |
|
0ed6389c4 netfilter: nf_tab... |
454 |
config NFT_SET_RBTREE |
20a69341f netfilter: nf_tab... |
455 |
tristate "Netfilter nf_tables rbtree set module" |
d497c6352 netfilter: add he... |
456 457 458 |
help This option adds the "rbtree" set type (Red Black tree) that is used to build interval-based sets. |
96518518c netfilter: add nf... |
459 |
|
0ed6389c4 netfilter: nf_tab... |
460 |
config NFT_SET_HASH |
20a69341f netfilter: nf_tab... |
461 |
tristate "Netfilter nf_tables hash set module" |
d497c6352 netfilter: add he... |
462 463 464 |
help This option adds the "hash" set type that is used to build one-way mappings between matchings and actions. |
96518518c netfilter: add nf... |
465 |
|
665153ff5 netfilter: nf_tab... |
466 467 468 469 470 |
config NFT_SET_BITMAP tristate "Netfilter nf_tables bitmap set module" help This option adds the "bitmap" set type that is used to build sets whose keys are smaller or equal to 16 bits. |
96518518c netfilter: add nf... |
471 |
config NFT_COUNTER |
96518518c netfilter: add nf... |
472 |
tristate "Netfilter nf_tables counter module" |
d497c6352 netfilter: add he... |
473 474 475 |
help This option adds the "counter" expression that you can use to include packet and byte counters in a rule. |
96518518c netfilter: add nf... |
476 477 |
config NFT_LOG |
96518518c netfilter: add nf... |
478 |
tristate "Netfilter nf_tables log module" |
d497c6352 netfilter: add he... |
479 480 481 |
help This option adds the "log" expression that you can use to log packets matching some criteria. |
96518518c netfilter: add nf... |
482 483 |
config NFT_LIMIT |
96518518c netfilter: add nf... |
484 |
tristate "Netfilter nf_tables limit module" |
d497c6352 netfilter: add he... |
485 486 487 |
help This option adds the "limit" expression that you can use to ratelimit rule matchings. |
96518518c netfilter: add nf... |
488 |
|
9ba1f726b netfilter: nf_tab... |
489 |
config NFT_MASQ |
9ba1f726b netfilter: nf_tab... |
490 491 492 493 494 495 |
depends on NF_CONNTRACK depends on NF_NAT tristate "Netfilter nf_tables masquerade support" help This option adds the "masquerade" expression that you can use to perform NAT in the masquerade flavour. |
e9105f1be netfilter: nf_tab... |
496 |
config NFT_REDIR |
e9105f1be netfilter: nf_tab... |
497 498 499 500 501 502 |
depends on NF_CONNTRACK depends on NF_NAT tristate "Netfilter nf_tables redirect support" help This options adds the "redirect" expression that you can use to perform NAT in the redirect flavour. |
eb31628e3 netfilter: nf_tab... |
503 |
config NFT_NAT |
eb31628e3 netfilter: nf_tab... |
504 |
depends on NF_CONNTRACK |
1e8430f30 netfilter: nf_tab... |
505 |
select NF_NAT |
eb31628e3 netfilter: nf_tab... |
506 |
tristate "Netfilter nf_tables nat module" |
d497c6352 netfilter: add he... |
507 508 509 |
help This option adds the "nat" expression that you can use to perform typical Network Address Translation (NAT) packet transformations. |
eb31628e3 netfilter: nf_tab... |
510 |
|
c97d22e68 netfilter: nf_tab... |
511 512 513 514 515 |
config NFT_OBJREF tristate "Netfilter nf_tables stateful object reference module" help This option adds the "objref" expression that allows you to refer to stateful objects, such as counters and quotas. |
0aff078d5 netfilter: nft: a... |
516 |
config NFT_QUEUE |
0aff078d5 netfilter: nft: a... |
517 518 519 520 521 |
depends on NETFILTER_NETLINK_QUEUE tristate "Netfilter nf_tables queue module" help This is required if you intend to use the userspace queueing infrastructure (also known as NFQUEUE) from nftables. |
3d2f30a1d netfilter: nf_tab... |
522 523 524 525 526 |
config NFT_QUOTA tristate "Netfilter nf_tables quota module" help This option adds the "quota" expression that you can use to match enforce bytes quotas. |
bee11dc78 netfilter: nft_re... |
527 |
config NFT_REJECT |
bee11dc78 netfilter: nft_re... |
528 529 |
default m if NETFILTER_ADVANCED=n tristate "Netfilter nf_tables reject support" |
d497c6352 netfilter: add he... |
530 531 532 533 |
help This option adds the "reject" expression that you can use to explicitly deny and notify via TCP reset/ICMP informational errors unallowed traffic. |
eb31628e3 netfilter: nf_tab... |
534 |
|
05513e9e3 netfilter: nf_tab... |
535 536 537 538 |
config NFT_REJECT_INET depends on NF_TABLES_INET default NFT_REJECT tristate |
0ca743a55 netfilter: nf_tab... |
539 |
config NFT_COMPAT |
0ca743a55 netfilter: nf_tab... |
540 541 542 543 544 545 |
depends on NETFILTER_XTABLES tristate "Netfilter x_tables over nf_tables module" help This is required if you intend to use any of existing x_tables match/target extensions over the nf_tables framework. |
cb1b69b0b netfilter: nf_tab... |
546 547 548 549 550 |
config NFT_HASH tristate "Netfilter nf_tables hash module" help This option adds the "hash" expression that you can use to perform a hash operation on registers. |
f6d0cbcf0 netfilter: nf_tab... |
551 552 553 554 555 556 557 558 559 560 561 562 |
config NFT_FIB tristate config NFT_FIB_INET depends on NF_TABLES_INET depends on NFT_FIB_IPV4 depends on NFT_FIB_IPV6 tristate "Netfilter nf_tables fib inet support" help This option allows using the FIB expression from the inet table. The lookup will be delegated to the IPv4 or IPv6 FIB depending on the protocol of the packet. |
502061f81 netfilter: nf_tab... |
563 564 565 566 567 568 569 570 571 572 573 574 575 |
if NF_TABLES_NETDEV config NF_DUP_NETDEV tristate "Netfilter packet duplication support" help This option enables the generic packet duplication infrastructure for Netfilter. config NFT_DUP_NETDEV tristate "Netfilter nf_tables netdev packet duplication support" select NF_DUP_NETDEV help This option enables packet duplication for the "netdev" family. |
39e6dea28 netfilter: nf_tab... |
576 577 578 579 580 |
config NFT_FWD_NETDEV tristate "Netfilter nf_tables netdev packet forwarding support" select NF_DUP_NETDEV help This option enables packet forwarding for the "netdev" family. |
6392c2260 netfilter: nf_tab... |
581 582 583 584 585 586 587 588 |
config NFT_FIB_NETDEV depends on NFT_FIB_IPV4 depends on NFT_FIB_IPV6 tristate "Netfilter nf_tables netdev fib lookups support" help This option allows using the FIB expression from the netdev table. The lookup will be delegated to the IPv4 or IPv6 FIB depending on the protocol of the packet. |
502061f81 netfilter: nf_tab... |
589 |
endif # NF_TABLES_NETDEV |
f04e599e2 netfilter: nf_tab... |
590 |
endif # NF_TABLES |
2e4e6a17a [NETFILTER] x_tab... |
591 592 |
config NETFILTER_XTABLES tristate "Netfilter Xtables support (required for ip_tables)" |
33b8e7760 [NETFILTER]: Add ... |
593 |
default m if NETFILTER_ADVANCED=n |
2e4e6a17a [NETFILTER] x_tab... |
594 595 596 |
help This is required if you intend to use any of ip_tables, ip6_tables or arp_tables. |
c2df73de2 netfilter: xtable... |
597 |
if NETFILTER_XTABLES |
28b949885 netfilter: xtable... |
598 599 600 601 602 603 604 605 606 607 608 609 |
comment "Xtables combined modules" config NETFILTER_XT_MARK tristate 'nfmark target and match support' default m if NETFILTER_ADVANCED=n ---help--- This option adds the "MARK" target and "mark" match. Netfilter mark matching allows you to match packets based on the "nfmark" value in the packet. The target allows you to create rules in the "mangle" table which alter the netfilter mark (nfmark) field associated with the packet. |
f1504307b netfilter: Remove... |
610 611 |
Prior to routing, the nfmark can influence the routing method and can also be used by other subsystems to change their behavior. |
28b949885 netfilter: xtable... |
612 |
|
b8f00ba27 netfilter: xtable... |
613 614 615 616 617 618 619 620 621 622 623 |
config NETFILTER_XT_CONNMARK tristate 'ctmark target and match support' depends on NF_CONNTRACK depends on NETFILTER_ADVANCED select NF_CONNTRACK_MARK ---help--- This option adds the "CONNMARK" target and "connmark" match. Netfilter allows you to store a mark value per connection (a.k.a. ctmark), similarly to the packet mark (nfmark). Using this target and match, you can set and match on this mark. |
d956798d8 netfilter: xtable... |
624 625 626 627 628 629 630 631 632 633 634 |
config NETFILTER_XT_SET tristate 'set target and match support' depends on IP_SET depends on NETFILTER_ADVANCED help This option adds the "SET" target and "set" match. Using this target and match, you can add/delete and match elements in the sets created by ipset(8). To compile it as a module, choose M here. If unsure, say N. |
2e4e6a17a [NETFILTER] x_tab... |
635 |
# alphabetically ordered list of targets |
44c587319 netfilter: xtable... |
636 |
comment "Xtables targets" |
43f393cae netfilter: audit ... |
637 638 639 640 641 642 643 644 645 |
config NETFILTER_XT_TARGET_AUDIT tristate "AUDIT target support" depends on AUDIT depends on NETFILTER_ADVANCED ---help--- This option adds a 'AUDIT' target, which can be used to create audit records for packets dropped/accepted. To compileit as a module, choose M here. If unsure, say N. |
edf0e1fb0 netfilter: add CH... |
646 647 648 649 650 651 652 653 654 655 656 657 658 659 660 |
config NETFILTER_XT_TARGET_CHECKSUM tristate "CHECKSUM target support" depends on IP_NF_MANGLE || IP6_NF_MANGLE depends on NETFILTER_ADVANCED ---help--- This option adds a `CHECKSUM' target, which can be used in the iptables mangle table. You can use this target to compute and fill in the checksum in a packet that lacks a checksum. This is particularly useful, if you need to work around old applications such as dhcp clients, that do not work well with checksum offloads, but don't want to disable checksum offload in your device. To compile it as a module, choose M here. If unsure, say N. |
2e4e6a17a [NETFILTER] x_tab... |
661 662 |
config NETFILTER_XT_TARGET_CLASSIFY tristate '"CLASSIFY" target support' |
33b8e7760 [NETFILTER]: Add ... |
663 |
depends on NETFILTER_ADVANCED |
2e4e6a17a [NETFILTER] x_tab... |
664 665 666 667 668 669 670 671 672 673 674 |
help This option adds a `CLASSIFY' target, which enables the user to set the priority of a packet. Some qdiscs can use this value for classification, among these are: atm, cbq, dsmark, pfifo_fast, htb, prio To compile it as a module, choose M here. If unsure, say N. config NETFILTER_XT_TARGET_CONNMARK tristate '"CONNMARK" target support' |
587aa6416 [NETFILTER]: Remo... |
675 |
depends on NF_CONNTRACK |
33b8e7760 [NETFILTER]: Add ... |
676 |
depends on NETFILTER_ADVANCED |
b8f00ba27 netfilter: xtable... |
677 678 679 680 681 |
select NETFILTER_XT_CONNMARK ---help--- This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). |
2e4e6a17a [NETFILTER] x_tab... |
682 |
|
aba0d3480 netfilter: xtable... |
683 684 |
config NETFILTER_XT_TARGET_CONNSECMARK tristate '"CONNSECMARK" target support' |
c2df73de2 netfilter: xtable... |
685 |
depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK |
aba0d3480 netfilter: xtable... |
686 687 688 689 690 691 692 693 |
default m if NETFILTER_ADVANCED=n help The CONNSECMARK target copies security markings from packets to connections, and restores security markings from connections to packets (if the packets are not already marked). This would normally be used in conjunction with the SECMARK target. To compile it as a module, choose M here. If unsure, say N. |
84f3bb9ae netfilter: xtable... |
694 695 696 697 698 699 700 701 702 703 704 |
config NETFILTER_XT_TARGET_CT tristate '"CT" target support' depends on NF_CONNTRACK depends on IP_NF_RAW || IP6_NF_RAW depends on NETFILTER_ADVANCED help This options adds a `CT' target, which allows to specify initial connection tracking parameters like events to be delivered and the helper to be used. To compile it as a module, choose M here. If unsure, say N. |
a468701db [NETFILTER]: x_ta... |
705 |
config NETFILTER_XT_TARGET_DSCP |
c9fd49680 [NETFILTER]: Merg... |
706 |
tristate '"DSCP" and "TOS" target support' |
a468701db [NETFILTER]: x_ta... |
707 |
depends on IP_NF_MANGLE || IP6_NF_MANGLE |
33b8e7760 [NETFILTER]: Add ... |
708 |
depends on NETFILTER_ADVANCED |
a468701db [NETFILTER]: x_ta... |
709 710 711 712 713 |
help This option adds a `DSCP' target, which allows you to manipulate the IPv4/IPv6 header DSCP field (differentiated services codepoint). The DSCP field can have any value between 0x0 and 0x3f inclusive. |
c9fd49680 [NETFILTER]: Merg... |
714 715 |
It also adds the "TOS" target, which allows you to create rules in the "mangle" table which alter the Type Of Service field of an IPv4 |
5c350e5a3 [NETFILTER]: IPv6... |
716 |
or the Priority field of an IPv6 packet, prior to routing. |
c9fd49680 [NETFILTER]: Merg... |
717 |
|
a468701db [NETFILTER]: x_ta... |
718 |
To compile it as a module, choose M here. If unsure, say N. |
563d36eb3 netfilter: Combin... |
719 720 721 722 723 724 725 726 727 728 729 730 731 732 |
config NETFILTER_XT_TARGET_HL tristate '"HL" hoplimit target support' depends on IP_NF_MANGLE || IP6_NF_MANGLE depends on NETFILTER_ADVANCED ---help--- This option adds the "HL" (for IPv6) and "TTL" (for IPv4) targets, which enable the user to change the hoplimit/time-to-live value of the IP header. While it is safe to decrement the hoplimit/TTL value, the modules also allow to increment and set the hoplimit value of the header to arbitrary values. This is EXTREMELY DANGEROUS since you can easily create immortal packets that loop forever on the network. |
cf308a1fa netfilter: add xt... |
733 734 |
config NETFILTER_XT_TARGET_HMARK tristate '"HMARK" target support' |
f09becc79 netfilter: Kconfi... |
735 |
depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n |
cf308a1fa netfilter: add xt... |
736 737 738 739 740 741 |
depends on NETFILTER_ADVANCED ---help--- This option adds the "HMARK" target. The target allows you to create rules in the "raw" and "mangle" tables which set the skbuff mark by means of hash calculation within a given |
f1504307b netfilter: Remove... |
742 743 |
range. The nfmark can influence the routing method and can also be used by other subsystems to change their behaviour. |
cf308a1fa netfilter: add xt... |
744 745 |
To compile it as a module, choose M here. If unsure, say N. |
0902b469b netfilter: xtable... |
746 747 748 749 750 751 752 753 754 755 756 |
config NETFILTER_XT_TARGET_IDLETIMER tristate "IDLETIMER target support" depends on NETFILTER_ADVANCED help This option adds the `IDLETIMER' target. Each matching packet resets the timer associated with label specified when the rule is added. When the timer expires, it triggers a sysfs notification. The remaining time for expiration can be read via sysfs. To compile it as a module, choose M here. If unsure, say N. |
268cb38e1 netfilter: x_tabl... |
757 758 |
config NETFILTER_XT_TARGET_LED tristate '"LED" target support' |
3ae16f130 netfilter: fix se... |
759 |
depends on LEDS_CLASS && LEDS_TRIGGERS |
268cb38e1 netfilter: x_tabl... |
760 761 762 763 764 765 766 767 768 769 770 771 772 773 774 775 776 777 778 |
depends on NETFILTER_ADVANCED help This option adds a `LED' target, which allows you to blink LEDs in response to particular packets passing through your machine. This can be used to turn a spare LED into a network activity LED, which only flashes in response to FTP transfers, for example. Or you could have an LED which lights up for a minute or two every time somebody connects to your machine via SSH. You will need support for the "led" class to make this work. To create an LED trigger for incoming SSH traffic: iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 Then attach the new trigger to an LED on your system: echo netfilter-ssh > /sys/class/leds/<ledname>/trigger For more information on the LEDs available on your system, see |
395cf9691 doc: fix broken r... |
779 |
Documentation/leds/leds-class.txt |
268cb38e1 netfilter: x_tabl... |
780 |
|
6939c33a7 netfilter: merge ... |
781 782 |
config NETFILTER_XT_TARGET_LOG tristate "LOG target support" |
d79a61d64 netfilter: NETFIL... |
783 784 785 |
select NF_LOG_COMMON select NF_LOG_IPV4 select NF_LOG_IPV6 if IPV6 |
6939c33a7 netfilter: merge ... |
786 787 788 789 790 791 |
default m if NETFILTER_ADVANCED=n help This option adds a `LOG' target, which allows you to create rules in any iptables table which records the packet header to the syslog. To compile it as a module, choose M here. If unsure, say N. |
2e4e6a17a [NETFILTER] x_tab... |
792 793 |
config NETFILTER_XT_TARGET_MARK tristate '"MARK" target support' |
28b949885 netfilter: xtable... |
794 795 796 797 798 799 |
depends on NETFILTER_ADVANCED select NETFILTER_XT_MARK ---help--- This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). |
2e4e6a17a [NETFILTER] x_tab... |
800 |
|
84a59ca55 netfilter: add ex... |
801 802 803 804 805 806 807 |
config NETFILTER_XT_NAT tristate '"SNAT and DNAT" targets support' depends on NF_NAT ---help--- This option enables the SNAT and DNAT targets. To compile it as a module, choose M here. If unsure, say N. |
b3d54b3e4 netfilter: combin... |
808 809 810 811 812 813 814 815 816 |
config NETFILTER_XT_TARGET_NETMAP tristate '"NETMAP" target support' depends on NF_NAT ---help--- NETMAP is an implementation of static 1:1 NAT mapping of network addresses. It maps the network address part, while keeping the host address part intact. To compile it as a module, choose M here. If unsure, say N. |
baf7b1e11 [NETFILTER]: x_ta... |
817 818 |
config NETFILTER_XT_TARGET_NFLOG tristate '"NFLOG" target support' |
33b8e7760 [NETFILTER]: Add ... |
819 |
default m if NETFILTER_ADVANCED=n |
293a4f283 netfilter: xt_NFL... |
820 |
select NETFILTER_NETLINK_LOG |
baf7b1e11 [NETFILTER]: x_ta... |
821 822 |
help This option enables the NFLOG target, which allows to LOG |
293a4f283 netfilter: xt_NFL... |
823 |
messages through nfnetlink_log. |
baf7b1e11 [NETFILTER]: x_ta... |
824 825 |
To compile it as a module, choose M here. If unsure, say N. |
aba0d3480 netfilter: xtable... |
826 827 |
config NETFILTER_XT_TARGET_NFQUEUE tristate '"NFQUEUE" target Support' |
aba0d3480 netfilter: xtable... |
828 |
depends on NETFILTER_ADVANCED |
5f2cafe73 netfilter: Kconfi... |
829 |
select NETFILTER_NETLINK_QUEUE |
aba0d3480 netfilter: xtable... |
830 831 832 833 834 835 836 |
help This target replaced the old obsolete QUEUE target. As opposed to QUEUE, it supports 65535 different queues, not just one. To compile it as a module, choose M here. If unsure, say N. |
10db9069e netfilter: xt_CT:... |
837 838 |
config NETFILTER_XT_TARGET_NOTRACK tristate '"NOTRACK" target support (DEPRECATED)' |
757ae316f netfilter: fix mi... |
839 840 841 |
depends on NF_CONNTRACK depends on IP_NF_RAW || IP6_NF_RAW depends on NETFILTER_ADVANCED |
10db9069e netfilter: xt_CT:... |
842 |
select NETFILTER_XT_TARGET_CT |
5859034d7 [NETFILTER]: x_ta... |
843 844 |
config NETFILTER_XT_TARGET_RATEEST tristate '"RATEEST" target support' |
b26e76b7c [NETFILTER]: Hide... |
845 |
depends on NETFILTER_ADVANCED |
5859034d7 [NETFILTER]: x_ta... |
846 847 848 849 850 851 |
help This option adds a `RATEEST' target, which allows to measure rates similar to TC estimators. The `rateest' match can be used to match on the measured rates. To compile it as a module, choose M here. If unsure, say N. |
2cbc78a29 netfilter: combin... |
852 853 854 |
config NETFILTER_XT_TARGET_REDIRECT tristate "REDIRECT target support" depends on NF_NAT |
b59eaf9e2 netfilter: combin... |
855 |
select NF_NAT_REDIRECT |
2cbc78a29 netfilter: combin... |
856 857 858 859 860 861 862 |
---help--- REDIRECT is a special case of NAT: all incoming connections are mapped onto the incoming interface's address, causing the packets to come to the local machine instead of passing through. This is useful for transparent proxies. To compile it as a module, choose M here. If unsure, say N. |
e281b1989 netfilter: xtable... |
863 |
config NETFILTER_XT_TARGET_TEE |
fe6fb5528 netfilter: fix si... |
864 |
tristate '"TEE" - packet cloning to alternate destination' |
e281b1989 netfilter: xtable... |
865 |
depends on NETFILTER_ADVANCED |
f09becc79 netfilter: Kconfi... |
866 |
depends on IPV6 || IPV6=n |
83827f6a8 netfilter: xt_TEE... |
867 |
depends on !NF_CONNTRACK || NF_CONNTRACK |
bbde9fc18 netfilter: factor... |
868 |
select NF_DUP_IPV4 |
08a7f5d3f netfilter: tee: s... |
869 |
select NF_DUP_IPV6 if IPV6 |
e281b1989 netfilter: xtable... |
870 871 872 |
---help--- This option adds a "TEE" target with which a packet can be cloned and this clone be rerouted to another nexthop. |
e84392707 netfilter: iptabl... |
873 |
config NETFILTER_XT_TARGET_TPROXY |
fd158d79d netfilter: tproxy... |
874 |
tristate '"TPROXY" target transparent proxying support' |
e84392707 netfilter: iptabl... |
875 876 |
depends on NETFILTER_XTABLES depends on NETFILTER_ADVANCED |
f09becc79 netfilter: Kconfi... |
877 878 |
depends on IPV6 || IPV6=n depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n |
fd158d79d netfilter: tproxy... |
879 |
depends on IP_NF_MANGLE |
e84392707 netfilter: iptabl... |
880 |
select NF_DEFRAG_IPV4 |
74ec4d55c netfilter: fix xt... |
881 |
select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n |
e84392707 netfilter: iptabl... |
882 883 884 885 886 |
help This option adds a `TPROXY' target, which is somewhat similar to REDIRECT. It can only be used in the mangle table and is useful to redirect traffic to a transparent proxy. It does _not_ depend on Netfilter connection tracking and NAT, unlike REDIRECT. |
fd158d79d netfilter: tproxy... |
887 888 889 |
For it to work you will have to configure certain iptables rules and use policy routing. For more information on how to set it up see Documentation/networking/tproxy.txt. |
e84392707 netfilter: iptabl... |
890 891 |
To compile it as a module, choose M here. If unsure, say N. |
ba9dda3ab [NETFILTER]: x_ta... |
892 893 |
config NETFILTER_XT_TARGET_TRACE tristate '"TRACE" target support' |
ba9dda3ab [NETFILTER]: x_ta... |
894 |
depends on IP_NF_RAW || IP6_NF_RAW |
33b8e7760 [NETFILTER]: Add ... |
895 |
depends on NETFILTER_ADVANCED |
ba9dda3ab [NETFILTER]: x_ta... |
896 897 898 899 900 901 |
help The TRACE target allows you to mark packets so that the kernel will log every rule which match the packets as those traverse the tables, chains, rules. If you want to compile it as a module, say M here and read |
e403149c9 Kbuild/doc: fix l... |
902 |
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
ba9dda3ab [NETFILTER]: x_ta... |
903 |
|
5e6874cdb [SECMARK]: Add xt... |
904 905 |
config NETFILTER_XT_TARGET_SECMARK tristate '"SECMARK" target support' |
c2df73de2 netfilter: xtable... |
906 |
depends on NETWORK_SECMARK |
33b8e7760 [NETFILTER]: Add ... |
907 |
default m if NETFILTER_ADVANCED=n |
5e6874cdb [SECMARK]: Add xt... |
908 909 910 911 912 |
help The SECMARK target allows security marking of network packets, for use with security subsystems. To compile it as a module, choose M here. If unsure, say N. |
cdd289a2f [NETFILTER]: add ... |
913 914 |
config NETFILTER_XT_TARGET_TCPMSS tristate '"TCPMSS" target support' |
f09becc79 netfilter: Kconfi... |
915 |
depends on IPV6 || IPV6=n |
33b8e7760 [NETFILTER]: Add ... |
916 |
default m if NETFILTER_ADVANCED=n |
cdd289a2f [NETFILTER]: add ... |
917 918 919 920 921 922 923 924 925 926 927 928 929 930 931 932 933 934 935 936 937 938 |
---help--- This option adds a `TCPMSS' target, which allows you to alter the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU minus 40). This is used to overcome criminally braindead ISPs or servers which block ICMP Fragmentation Needed packets. The symptoms of this problem are that everything works fine from your Linux firewall/router, but machines behind it can never exchange large packets: 1) Web browsers connect, then hang with no data received. 2) Small mail works fine, but large emails hang. 3) ssh works fine, but scp hangs after initial handshaking. Workaround: activate this option and add a rule to your firewall configuration like: iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ -j TCPMSS --clamp-mss-to-pmtu To compile it as a module, choose M here. If unsure, say N. |
338e8a792 [NETFILTER]: x_ta... |
939 |
config NETFILTER_XT_TARGET_TCPOPTSTRIP |
663ef0d18 net/netfilter: re... |
940 |
tristate '"TCPOPTSTRIP" target support' |
338e8a792 [NETFILTER]: x_ta... |
941 |
depends on IP_NF_MANGLE || IP6_NF_MANGLE |
33b8e7760 [NETFILTER]: Add ... |
942 |
depends on NETFILTER_ADVANCED |
338e8a792 [NETFILTER]: x_ta... |
943 944 945 |
help This option adds a "TCPOPTSTRIP" target, which allows you to strip TCP options from TCP packets. |
44c587319 netfilter: xtable... |
946 947 948 |
# alphabetically ordered list of matches comment "Xtables matches" |
de81bbea1 netfilter: ipt_ad... |
949 950 |
config NETFILTER_XT_MATCH_ADDRTYPE tristate '"addrtype" address type match support' |
5cca4ace0 netfilter: Don't ... |
951 |
default m if NETFILTER_ADVANCED=n |
de81bbea1 netfilter: ipt_ad... |
952 953 954 955 956 957 |
---help--- This option allows you to match what routing thinks of an address, eg. UNICAST, LOCAL, BROADCAST, ... If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
e6f30c731 netfilter: x_tabl... |
958 959 960 961 962 963 964 965 |
config NETFILTER_XT_MATCH_BPF tristate '"bpf" match support' depends on NETFILTER_ADVANCED help BPF matching applies a linux socket filter to each packet and accepts those for which the filter returns non-zero. To compile it as a module, choose M here. If unsure, say N. |
82a37132f netfilter: x_tabl... |
966 967 968 969 970 971 972 973 974 |
config NETFILTER_XT_MATCH_CGROUP tristate '"control group" match support' depends on NETFILTER_ADVANCED depends on CGROUPS select CGROUP_NET_CLASSID ---help--- Socket/process control group matching allows you to match locally generated packets based on which net_cls control group processes belong to. |
0269ea493 netfilter: xtable... |
975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 |
config NETFILTER_XT_MATCH_CLUSTER tristate '"cluster" match support' depends on NF_CONNTRACK depends on NETFILTER_ADVANCED ---help--- This option allows you to build work-load-sharing clusters of network servers/stateful firewalls without having a dedicated load-balancing router/server/switch. Basically, this match returns true when the packet must be handled by this cluster node. Thus, all nodes see all packets and this match decides which node handles what packets. The work-load sharing algorithm is based on source address hashing. If you say Y or M here, try `iptables -m cluster --help` for more information. |
2e4e6a17a [NETFILTER] x_tab... |
990 991 |
config NETFILTER_XT_MATCH_COMMENT tristate '"comment" match support' |
33b8e7760 [NETFILTER]: Add ... |
992 |
depends on NETFILTER_ADVANCED |
2e4e6a17a [NETFILTER] x_tab... |
993 994 995 996 997 |
help This option adds a `comment' dummy-match, which allows you to put comments in your iptables ruleset. If you want to compile it as a module, say M here and read |
39f5fb303 kconfig: fix path... |
998 |
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
2e4e6a17a [NETFILTER] x_tab... |
999 1000 1001 |
config NETFILTER_XT_MATCH_CONNBYTES tristate '"connbytes" per-connection counter match support' |
587aa6416 [NETFILTER]: Remo... |
1002 |
depends on NF_CONNTRACK |
33b8e7760 [NETFILTER]: Add ... |
1003 |
depends on NETFILTER_ADVANCED |
2e4e6a17a [NETFILTER] x_tab... |
1004 1005 1006 1007 1008 |
help This option adds a `connbytes' match, which allows you to match the number of bytes and/or packets for each direction within a connection. If you want to compile it as a module, say M here and read |
39f5fb303 kconfig: fix path... |
1009 |
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
2e4e6a17a [NETFILTER] x_tab... |
1010 |
|
c539f0171 netfilter: add co... |
1011 1012 1013 |
config NETFILTER_XT_MATCH_CONNLABEL tristate '"connlabel" match support' select NF_CONNTRACK_LABELS |
35612a229 netfilter: fix mi... |
1014 |
depends on NF_CONNTRACK |
c539f0171 netfilter: add co... |
1015 1016 1017 1018 1019 1020 1021 1022 |
depends on NETFILTER_ADVANCED ---help--- This match allows you to test and assign userspace-defined labels names to a connection. The kernel only stores bit values - mapping names to bits is done by userspace. Unlike connmark, more than 32 flag bits may be assigned to a connection simultaneously. |
370786f9c [NETFILTER]: x_ta... |
1023 |
config NETFILTER_XT_MATCH_CONNLIMIT |
481922485 netfilter: fix co... |
1024 |
tristate '"connlimit" match support' |
3fd8f9e4b [NETFILTER]: xt_c... |
1025 |
depends on NF_CONNTRACK |
33b8e7760 [NETFILTER]: Add ... |
1026 |
depends on NETFILTER_ADVANCED |
370786f9c [NETFILTER]: x_ta... |
1027 1028 1029 |
---help--- This match allows you to match against the number of parallel connections to a server per client IP address (or address block). |
2e4e6a17a [NETFILTER] x_tab... |
1030 1031 |
config NETFILTER_XT_MATCH_CONNMARK tristate '"connmark" connection mark match support' |
587aa6416 [NETFILTER]: Remo... |
1032 |
depends on NF_CONNTRACK |
33b8e7760 [NETFILTER]: Add ... |
1033 |
depends on NETFILTER_ADVANCED |
b8f00ba27 netfilter: xtable... |
1034 1035 1036 1037 1038 |
select NETFILTER_XT_CONNMARK ---help--- This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). |
2e4e6a17a [NETFILTER] x_tab... |
1039 1040 1041 |
config NETFILTER_XT_MATCH_CONNTRACK tristate '"conntrack" connection tracking match support' |
587aa6416 [NETFILTER]: Remo... |
1042 |
depends on NF_CONNTRACK |
33b8e7760 [NETFILTER]: Add ... |
1043 |
default m if NETFILTER_ADVANCED=n |
2e4e6a17a [NETFILTER] x_tab... |
1044 1045 1046 1047 1048 1049 1050 1051 |
help This is a general conntrack match module, a superset of the state match. It allows matching on additional conntrack information, which is useful in complex configurations, such as NAT gateways with multiple internet links or tunnels. To compile it as a module, choose M here. If unsure, say N. |
e8648a1fd netfilter: add xt... |
1052 1053 1054 1055 1056 1057 1058 1059 1060 |
config NETFILTER_XT_MATCH_CPU tristate '"cpu" match support' depends on NETFILTER_ADVANCED help CPU matching allows you to match packets based on the CPU currently handling the packet. To compile it as a module, choose M here. If unsure, say N. |
2e4e6a17a [NETFILTER] x_tab... |
1061 1062 |
config NETFILTER_XT_MATCH_DCCP |
4c37799cc [NETFILTER]: Use ... |
1063 |
tristate '"dccp" protocol match support' |
33b8e7760 [NETFILTER]: Add ... |
1064 |
depends on NETFILTER_ADVANCED |
f3261aff3 netfilter: Kconfi... |
1065 |
default IP_DCCP |
2e4e6a17a [NETFILTER] x_tab... |
1066 1067 1068 1069 1070 1071 |
help With this option enabled, you will be able to use the iptables `dccp' match in order to match on DCCP source/destination ports and DCCP flags. If you want to compile it as a module, say M here and read |
39f5fb303 kconfig: fix path... |
1072 |
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
2e4e6a17a [NETFILTER] x_tab... |
1073 |
|
9291747f1 netfilter: xtable... |
1074 1075 1076 1077 1078 1079 1080 1081 |
config NETFILTER_XT_MATCH_DEVGROUP tristate '"devgroup" match support' depends on NETFILTER_ADVANCED help This options adds a `devgroup' match, which allows to match on the device group a network device is assigned to. To compile it as a module, choose M here. If unsure, say N. |
9ba162761 [NETFILTER]: x_ta... |
1082 |
config NETFILTER_XT_MATCH_DSCP |
c3b33e6a2 [NETFILTER]: Merg... |
1083 |
tristate '"dscp" and "tos" match support' |
33b8e7760 [NETFILTER]: Add ... |
1084 |
depends on NETFILTER_ADVANCED |
9ba162761 [NETFILTER]: x_ta... |
1085 1086 1087 1088 1089 |
help This option adds a `DSCP' match, which allows you to match against the IPv4/IPv6 header DSCP field (differentiated services codepoint). The DSCP field can have any value between 0x0 and 0x3f inclusive. |
c3b33e6a2 [NETFILTER]: Merg... |
1090 1091 1092 |
It will also add a "tos" match, which allows you to match packets based on the Type Of Service fields of the IPv4 packet (which share the same bits as DSCP). |
9ba162761 [NETFILTER]: x_ta... |
1093 |
To compile it as a module, choose M here. If unsure, say N. |
d446a8202 netfilter: xtable... |
1094 1095 1096 1097 1098 1099 1100 1101 |
config NETFILTER_XT_MATCH_ECN tristate '"ecn" match support' depends on NETFILTER_ADVANCED ---help--- This option adds an "ECN" match, which allows you to match against the IPv4 and TCP header ECN fields. To compile it as a module, choose M here. If unsure, say N. |
dc5ab2fae [NETFILTER]: x_ta... |
1102 |
config NETFILTER_XT_MATCH_ESP |
4c37799cc [NETFILTER]: Use ... |
1103 |
tristate '"esp" match support' |
33b8e7760 [NETFILTER]: Add ... |
1104 |
depends on NETFILTER_ADVANCED |
dc5ab2fae [NETFILTER]: x_ta... |
1105 1106 1107 1108 1109 |
help This match extension allows you to match a range of SPIs inside ESP header of IPSec packets. To compile it as a module, choose M here. If unsure, say N. |
aba0d3480 netfilter: xtable... |
1110 1111 |
config NETFILTER_XT_MATCH_HASHLIMIT tristate '"hashlimit" match support' |
f09becc79 netfilter: Kconfi... |
1112 |
depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n |
aba0d3480 netfilter: xtable... |
1113 1114 1115 1116 1117 1118 1119 1120 1121 1122 1123 |
depends on NETFILTER_ADVANCED help This option adds a `hashlimit' match. As opposed to `limit', this match dynamically creates a hash table of limit buckets, based on your selection of source/destination addresses and/or ports. It enables you to express policies like `10kpps for any given destination address' or `500pps from any given source address' with a single rule. |
2e4e6a17a [NETFILTER] x_tab... |
1124 1125 |
config NETFILTER_XT_MATCH_HELPER tristate '"helper" match support' |
587aa6416 [NETFILTER]: Remo... |
1126 |
depends on NF_CONNTRACK |
33b8e7760 [NETFILTER]: Add ... |
1127 |
depends on NETFILTER_ADVANCED |
2e4e6a17a [NETFILTER] x_tab... |
1128 1129 1130 1131 1132 |
help Helper matching allows you to match packets in dynamic connections tracked by a conntrack-helper, ie. ip_conntrack_ftp To compile it as a module, choose M here. If unsure, say Y. |
cfac5ef7b netfilter: Combin... |
1133 1134 1135 1136 1137 1138 1139 |
config NETFILTER_XT_MATCH_HL tristate '"hl" hoplimit/TTL match support' depends on NETFILTER_ADVANCED ---help--- HL matching allows you to match packets based on the hoplimit in the IPv6 header, or the time-to-live field in the IPv4 header of the packet. |
6a649f339 netfilter: add IP... |
1140 1141 1142 1143 1144 1145 1146 1147 |
config NETFILTER_XT_MATCH_IPCOMP tristate '"ipcomp" match support' depends on NETFILTER_ADVANCED help This match extension allows you to match a range of CPIs(16 bits) inside IPComp header of IPSec packets. To compile it as a module, choose M here. If unsure, say N. |
f72e25a89 [NETFILTER]: Rena... |
1148 1149 |
config NETFILTER_XT_MATCH_IPRANGE tristate '"iprange" address range match support' |
f72e25a89 [NETFILTER]: Rena... |
1150 1151 1152 1153 1154 1155 1156 |
depends on NETFILTER_ADVANCED ---help--- This option adds a "iprange" match, which allows you to match based on an IP address range. (Normal iptables only matches on single addresses with an optional mask.) If unsure, say M. |
9c3e1c396 netfilter: xt_ipv... |
1157 1158 1159 1160 1161 1162 1163 1164 1165 |
config NETFILTER_XT_MATCH_IPVS tristate '"ipvs" match support' depends on IP_VS depends on NETFILTER_ADVANCED depends on NF_CONNTRACK help This option allows you to match against IPVS properties of a packet. If unsure, say N. |
74f77a6b2 netfilter: introd... |
1166 1167 1168 1169 1170 1171 1172 1173 1174 |
config NETFILTER_XT_MATCH_L2TP tristate '"l2tp" match support' depends on NETFILTER_ADVANCED default L2TP ---help--- This option adds an "L2TP" match, which allows you to match against L2TP protocol header fields. To compile it as a module, choose M here. If unsure, say N. |
2e4e6a17a [NETFILTER] x_tab... |
1175 1176 |
config NETFILTER_XT_MATCH_LENGTH tristate '"length" match support' |
33b8e7760 [NETFILTER]: Add ... |
1177 |
depends on NETFILTER_ADVANCED |
2e4e6a17a [NETFILTER] x_tab... |
1178 1179 1180 1181 1182 1183 1184 1185 |
help This option allows you to match the length of a packet against a specific value or range of values. To compile it as a module, choose M here. If unsure, say N. config NETFILTER_XT_MATCH_LIMIT tristate '"limit" match support' |
33b8e7760 [NETFILTER]: Add ... |
1186 |
depends on NETFILTER_ADVANCED |
2e4e6a17a [NETFILTER] x_tab... |
1187 1188 1189 1190 1191 1192 1193 1194 1195 |
help limit matching allows you to control the rate at which a rule can be matched: mainly useful in combination with the LOG target ("LOG target support", below) and to avoid some Denial of Service attacks. To compile it as a module, choose M here. If unsure, say N. config NETFILTER_XT_MATCH_MAC tristate '"mac" address match support' |
33b8e7760 [NETFILTER]: Add ... |
1196 |
depends on NETFILTER_ADVANCED |
2e4e6a17a [NETFILTER] x_tab... |
1197 1198 1199 1200 1201 1202 1203 1204 |
help MAC matching allows you to match packets based on the source Ethernet address of the packet. To compile it as a module, choose M here. If unsure, say N. config NETFILTER_XT_MATCH_MARK tristate '"mark" match support' |
28b949885 netfilter: xtable... |
1205 1206 1207 1208 1209 1210 |
depends on NETFILTER_ADVANCED select NETFILTER_XT_MARK ---help--- This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). |
2e4e6a17a [NETFILTER] x_tab... |
1211 |
|
aba0d3480 netfilter: xtable... |
1212 1213 |
config NETFILTER_XT_MATCH_MULTIPORT tristate '"multiport" Multiple port match support' |
aba0d3480 netfilter: xtable... |
1214 1215 1216 1217 1218 1219 1220 |
depends on NETFILTER_ADVANCED help Multiport matching allows you to match TCP or UDP packets based on a series of source or destination ports: normally a rule can only match a single range of ports. To compile it as a module, choose M here. If unsure, say N. |
ceb98d03e netfilter: xtable... |
1221 1222 |
config NETFILTER_XT_MATCH_NFACCT tristate '"nfacct" match support' |
bc94b5216 netfilter: Kconfi... |
1223 |
depends on NETFILTER_ADVANCED |
ceb98d03e netfilter: xtable... |
1224 1225 1226 1227 1228 1229 |
select NETFILTER_NETLINK_ACCT help This option allows you to use the extended accounting through nfnetlink_acct. To compile it as a module, choose M here. If unsure, say N. |
115bc8f28 netfilter: xtable... |
1230 1231 1232 1233 1234 1235 1236 1237 1238 1239 1240 1241 |
config NETFILTER_XT_MATCH_OSF tristate '"osf" Passive OS fingerprint match' depends on NETFILTER_ADVANCED && NETFILTER_NETLINK help This option selects the Passive OS Fingerprinting match module that allows to passively match the remote operating system by analyzing incoming TCP SYN packets. Rules and loading software can be downloaded from http://www.ioremap.net/projects/osf To compile it as a module, choose M here. If unsure, say N. |
0265ab44b [NETFILTER]: merg... |
1242 1243 |
config NETFILTER_XT_MATCH_OWNER tristate '"owner" match support' |
33b8e7760 [NETFILTER]: Add ... |
1244 |
depends on NETFILTER_ADVANCED |
0265ab44b [NETFILTER]: merg... |
1245 1246 1247 1248 |
---help--- Socket owner matching allows you to match locally-generated packets based on who created the socket: the user or group. It is also possible to check whether a socket actually exists. |
c4b885139 [NETFILTER]: x_ta... |
1249 1250 |
config NETFILTER_XT_MATCH_POLICY tristate 'IPsec "policy" match support' |
c2df73de2 netfilter: xtable... |
1251 |
depends on XFRM |
33b8e7760 [NETFILTER]: Add ... |
1252 |
default m if NETFILTER_ADVANCED=n |
c4b885139 [NETFILTER]: x_ta... |
1253 1254 1255 1256 1257 1258 |
help Policy matching allows you to match packets based on the IPsec policy that was used during decapsulation/will be used during encapsulation. To compile it as a module, choose M here. If unsure, say N. |
2e4e6a17a [NETFILTER] x_tab... |
1259 1260 |
config NETFILTER_XT_MATCH_PHYSDEV tristate '"physdev" match support' |
c2df73de2 netfilter: xtable... |
1261 |
depends on BRIDGE && BRIDGE_NETFILTER |
33b8e7760 [NETFILTER]: Add ... |
1262 |
depends on NETFILTER_ADVANCED |
2e4e6a17a [NETFILTER] x_tab... |
1263 1264 1265 1266 1267 1268 1269 1270 |
help Physdev packet matching matches against the physical bridge ports the IP packet arrived on or will leave by. To compile it as a module, choose M here. If unsure, say N. config NETFILTER_XT_MATCH_PKTTYPE tristate '"pkttype" packet type match support' |
33b8e7760 [NETFILTER]: Add ... |
1271 |
depends on NETFILTER_ADVANCED |
2e4e6a17a [NETFILTER] x_tab... |
1272 1273 1274 1275 1276 1277 1278 1279 |
help Packet type matching allows you to match a packet by its "class", eg. BROADCAST, MULTICAST, ... Typical usage: iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG To compile it as a module, choose M here. If unsure, say N. |
62b774348 [NETFILTER]: x_ta... |
1280 1281 |
config NETFILTER_XT_MATCH_QUOTA tristate '"quota" match support' |
33b8e7760 [NETFILTER]: Add ... |
1282 |
depends on NETFILTER_ADVANCED |
62b774348 [NETFILTER]: x_ta... |
1283 1284 1285 1286 1287 |
help This option adds a `quota' match, which allows to match on a byte counter. If you want to compile it as a module, say M here and read |
39f5fb303 kconfig: fix path... |
1288 |
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
62b774348 [NETFILTER]: x_ta... |
1289 |
|
50c164a81 [NETFILTER]: x_ta... |
1290 1291 |
config NETFILTER_XT_MATCH_RATEEST tristate '"rateest" match support' |
b26e76b7c [NETFILTER]: Hide... |
1292 |
depends on NETFILTER_ADVANCED |
50c164a81 [NETFILTER]: x_ta... |
1293 1294 1295 1296 1297 1298 |
select NETFILTER_XT_TARGET_RATEEST help This option adds a `rateest' match, which allows to match on the rate estimated by the RATEEST target. To compile it as a module, choose M here. If unsure, say N. |
2e4e6a17a [NETFILTER] x_tab... |
1299 1300 |
config NETFILTER_XT_MATCH_REALM tristate '"realm" match support' |
33b8e7760 [NETFILTER]: Add ... |
1301 |
depends on NETFILTER_ADVANCED |
c7066f70d netfilter: fix Kc... |
1302 |
select IP_ROUTE_CLASSID |
2e4e6a17a [NETFILTER] x_tab... |
1303 1304 1305 |
help This option adds a `realm' match, which allows you to use the realm key from the routing subsystem inside iptables. |
33b8e7760 [NETFILTER]: Add ... |
1306 |
|
2e4e6a17a [NETFILTER] x_tab... |
1307 1308 |
This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option in tc world. |
33b8e7760 [NETFILTER]: Add ... |
1309 |
|
2e4e6a17a [NETFILTER] x_tab... |
1310 |
If you want to compile it as a module, say M here and read |
39f5fb303 kconfig: fix path... |
1311 |
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
2e4e6a17a [NETFILTER] x_tab... |
1312 |
|
e948b20a7 netfilter: rename... |
1313 1314 |
config NETFILTER_XT_MATCH_RECENT tristate '"recent" match support' |
e948b20a7 netfilter: rename... |
1315 1316 1317 1318 1319 1320 1321 |
depends on NETFILTER_ADVANCED ---help--- This match is used for creating one or many lists of recently used addresses and then matching against that/those list(s). Short options are available by using 'iptables -m recent -h' Official Website: <http://snowman.net/projects/ipt_recent/> |
2e4e6a17a [NETFILTER] x_tab... |
1322 |
config NETFILTER_XT_MATCH_SCTP |
663ef0d18 net/netfilter: re... |
1323 |
tristate '"sctp" protocol match support' |
33b8e7760 [NETFILTER]: Add ... |
1324 |
depends on NETFILTER_ADVANCED |
f3261aff3 netfilter: Kconfi... |
1325 |
default IP_SCTP |
2e4e6a17a [NETFILTER] x_tab... |
1326 1327 1328 1329 1330 1331 |
help With this option enabled, you will be able to use the `sctp' match in order to match on SCTP source/destination ports and SCTP chunk types. If you want to compile it as a module, say M here and read |
39f5fb303 kconfig: fix path... |
1332 |
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
2e4e6a17a [NETFILTER] x_tab... |
1333 |
|
136cdc71f netfilter: iptabl... |
1334 |
config NETFILTER_XT_MATCH_SOCKET |
663ef0d18 net/netfilter: re... |
1335 |
tristate '"socket" match support' |
136cdc71f netfilter: iptabl... |
1336 1337 |
depends on NETFILTER_XTABLES depends on NETFILTER_ADVANCED |
f09becc79 netfilter: Kconfi... |
1338 1339 |
depends on IPV6 || IPV6=n depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n |
8db4c5be8 netfilter: move s... |
1340 1341 |
depends on NF_SOCKET_IPV4 depends on NF_SOCKET_IPV6 |
136cdc71f netfilter: iptabl... |
1342 |
select NF_DEFRAG_IPV4 |
74ec4d55c netfilter: fix xt... |
1343 |
select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n |
136cdc71f netfilter: iptabl... |
1344 1345 1346 1347 1348 1349 1350 |
help This option adds a `socket' match, which can be used to match packets for which a TCP or UDP socket lookup finds a valid socket. It can be used in combination with the MARK target and policy routing to implement full featured non-locally bound sockets. To compile it as a module, choose M here. If unsure, say N. |
2e4e6a17a [NETFILTER] x_tab... |
1351 1352 |
config NETFILTER_XT_MATCH_STATE tristate '"state" match support' |
587aa6416 [NETFILTER]: Remo... |
1353 |
depends on NF_CONNTRACK |
33b8e7760 [NETFILTER]: Add ... |
1354 |
default m if NETFILTER_ADVANCED=n |
2e4e6a17a [NETFILTER] x_tab... |
1355 1356 1357 1358 1359 1360 |
help Connection state matching allows you to match packets based on their relationship to a tracked connection (ie. previous packets). This is a powerful tool for packet classification. To compile it as a module, choose M here. If unsure, say N. |
f3389805e [NETFILTER]: x_ta... |
1361 1362 |
config NETFILTER_XT_MATCH_STATISTIC tristate '"statistic" match support' |
33b8e7760 [NETFILTER]: Add ... |
1363 |
depends on NETFILTER_ADVANCED |
f3389805e [NETFILTER]: x_ta... |
1364 |
help |
68c1692e3 [NETFILTER]: stat... |
1365 1366 1367 1368 |
This option adds a `statistic' match, which allows you to match on packets periodically or randomly with a given percentage. To compile it as a module, choose M here. If unsure, say N. |
f3389805e [NETFILTER]: x_ta... |
1369 |
|
2e4e6a17a [NETFILTER] x_tab... |
1370 1371 |
config NETFILTER_XT_MATCH_STRING tristate '"string" match support' |
33b8e7760 [NETFILTER]: Add ... |
1372 |
depends on NETFILTER_ADVANCED |
2e4e6a17a [NETFILTER] x_tab... |
1373 1374 1375 1376 1377 1378 1379 1380 1381 1382 1383 1384 |
select TEXTSEARCH select TEXTSEARCH_KMP select TEXTSEARCH_BM select TEXTSEARCH_FSM help This option adds a `string' match, which allows you to look for pattern matchings in packets. To compile it as a module, choose M here. If unsure, say N. config NETFILTER_XT_MATCH_TCPMSS tristate '"tcpmss" match support' |
33b8e7760 [NETFILTER]: Add ... |
1385 |
depends on NETFILTER_ADVANCED |
2e4e6a17a [NETFILTER] x_tab... |
1386 1387 1388 1389 1390 1391 |
help This option adds a `tcpmss' match, which allows you to examine the MSS value of TCP SYN packets, which control the maximum packet size for that connection. To compile it as a module, choose M here. If unsure, say N. |
ee4411a1b [NETFILTER]: x_ta... |
1392 1393 |
config NETFILTER_XT_MATCH_TIME tristate '"time" match support' |
33b8e7760 [NETFILTER]: Add ... |
1394 |
depends on NETFILTER_ADVANCED |
ee4411a1b [NETFILTER]: x_ta... |
1395 1396 1397 1398 1399 1400 1401 1402 1403 1404 |
---help--- This option adds a "time" match, which allows you to match based on the packet arrival time (at the machine which netfilter is running) on) or departure time/date (for locally generated packets). If you say Y here, try `iptables -m time --help` for more information. If you want to compile it as a module, say M here. If unsure, say N. |
1b50b8a37 [NETFILTER]: Add ... |
1405 1406 |
config NETFILTER_XT_MATCH_U32 tristate '"u32" match support' |
33b8e7760 [NETFILTER]: Add ... |
1407 |
depends on NETFILTER_ADVANCED |
1b50b8a37 [NETFILTER]: Add ... |
1408 1409 1410 1411 1412 1413 1414 1415 1416 |
---help--- u32 allows you to extract quantities of up to 4 bytes from a packet, AND them with specified masks, shift them by specified amounts and test whether the results are in any of a set of specified ranges. The specification of what to extract is general enough to skip over headers with lengths stored in the packet, as in IP or TCP header lengths. Details and examples are in the kernel module source. |
c2df73de2 netfilter: xtable... |
1417 |
endif # NETFILTER_XTABLES |
a6c1cd572 [NETFILTER] Fix K... |
1418 |
|
c2df73de2 netfilter: xtable... |
1419 |
endmenu |
a6c1cd572 [NETFILTER] Fix K... |
1420 |
|
a7b4f989a netfilter: ipset:... |
1421 |
source "net/netfilter/ipset/Kconfig" |
cb7f6a7b7 IPVS: Move IPVS t... |
1422 |
source "net/netfilter/ipvs/Kconfig" |