| blob | e2893effdfaae040cf514d79a958847aaa170339 |
1 menu "Core Netfilter Configuration"
2 depends on NET && NETFILTER
4 config NETFILTER_NETLINK
5 tristate "Netfilter netlink interface"
6 help
7 If this option is enabled, the kernel will include support
8 for the new netfilter netlink interface.
10 config NETFILTER_NETLINK_QUEUE
11 tristate "Netfilter NFQUEUE over NFNETLINK interface"
12 depends on NETFILTER_NETLINK
13 help
14 If this option is enabled, the kernel will include support
15 for queueing packets via NFNETLINK.
17 config NETFILTER_NETLINK_LOG
18 tristate "Netfilter LOG over NFNETLINK interface"
19 depends on NETFILTER_NETLINK
20 help
21 If this option is enabled, the kernel will include support
22 for logging packets via NFNETLINK.
24 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
25 and is also scheduled to replace the old syslog-based ipt_LOG
26 and ip6t_LOG modules.
28 config NF_CONNTRACK
29 tristate "Layer 3 Independent Connection tracking (EXPERIMENTAL)"
30 depends on EXPERIMENTAL && IP_NF_CONNTRACK=n
31 default n
32 ---help---
33 Connection tracking keeps a record of what packets have passed
34 through your machine, in order to figure out how they are related
35 into connections.
37 Layer 3 independent connection tracking is experimental scheme
38 which generalize ip_conntrack to support other layer 3 protocols.
40 To compile it as a module, choose M here. If unsure, say N.
42 config NF_CT_ACCT
43 bool "Connection tracking flow accounting"
44 depends on NF_CONNTRACK
45 help
46 If this option is enabled, the connection tracking code will
47 keep per-flow packet and byte counters.
49 Those counters can be used for flow-based accounting or the
50 `connbytes' match.
52 If unsure, say `N'.
54 config NF_CONNTRACK_MARK
55 bool 'Connection mark tracking support'
56 depends on NF_CONNTRACK
57 help
58 This option enables support for connection marks, used by the
59 `CONNMARK' target and `connmark' match. Similar to the mark value
60 of packets, but this mark value is kept in the conntrack session
61 instead of the individual packets.
63 config NF_CONNTRACK_EVENTS
64 bool "Connection tracking events (EXPERIMENTAL)"
65 depends on EXPERIMENTAL && NF_CONNTRACK
66 help
67 If this option is enabled, the connection tracking code will
68 provide a notifier chain that can be used by other kernel code
69 to get notified about changes in the connection tracking state.
71 If unsure, say `N'.
73 config NF_CT_PROTO_SCTP
74 tristate 'SCTP protocol on new connection tracking support (EXPERIMENTAL)'
75 depends on EXPERIMENTAL && NF_CONNTRACK
76 default n
77 help
78 With this option enabled, the layer 3 independent connection
79 tracking code will be able to do state tracking on SCTP connections.
81 If you want to compile it as a module, say M here and read
82 Documentation/modules.txt. If unsure, say `N'.
84 config NF_CONNTRACK_FTP
85 tristate "FTP support on new connection tracking (EXPERIMENTAL)"
86 depends on EXPERIMENTAL && NF_CONNTRACK
87 help
88 Tracking FTP connections is problematic: special helpers are
89 required for tracking them, and doing masquerading and other forms
90 of Network Address Translation on them.
92 This is FTP support on Layer 3 independent connection tracking.
93 Layer 3 independent connection tracking is experimental scheme
94 which generalize ip_conntrack to support other layer 3 protocols.
96 To compile it as a module, choose M here. If unsure, say N.
98 config NF_CT_NETLINK
99 tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
100 depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
101 depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
102 help
103 This option enables support for a netlink-based userspace interface
105 config NETFILTER_XTABLES
106 tristate "Netfilter Xtables support (required for ip_tables)"
107 help
108 This is required if you intend to use any of ip_tables,
109 ip6_tables or arp_tables.
111 # alphabetically ordered list of targets
113 config NETFILTER_XT_TARGET_CLASSIFY
114 tristate '"CLASSIFY" target support'
115 depends on NETFILTER_XTABLES
116 help
117 This option adds a `CLASSIFY' target, which enables the user to set
118 the priority of a packet. Some qdiscs can use this value for
119 classification, among these are:
121 atm, cbq, dsmark, pfifo_fast, htb, prio
123 To compile it as a module, choose M here. If unsure, say N.
125 config NETFILTER_XT_TARGET_CONNMARK
126 tristate '"CONNMARK" target support'
127 depends on NETFILTER_XTABLES
128 depends on IP_NF_MANGLE || IP6_NF_MANGLE
129 depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
130 help
131 This option adds a `CONNMARK' target, which allows one to manipulate
132 the connection mark value. Similar to the MARK target, but
133 affects the connection mark value rather than the packet mark value.
135 If you want to compile it as a module, say M here and read
136 <file:Documentation/modules.txt>. The module will be called
137 ipt_CONNMARK.o. If unsure, say `N'.
139 config NETFILTER_XT_TARGET_MARK
140 tristate '"MARK" target support'
141 depends on NETFILTER_XTABLES
142 help
143 This option adds a `MARK' target, which allows you to create rules
144 in the `mangle' table which alter the netfilter mark (nfmark) field
145 associated with the packet prior to routing. This can change
146 the routing method (see `Use netfilter MARK value as routing
147 key') and can also be used by other subsystems to change their
148 behavior.
150 To compile it as a module, choose M here. If unsure, say N.
152 config NETFILTER_XT_TARGET_NFQUEUE
153 tristate '"NFQUEUE" target Support'
154 depends on NETFILTER_XTABLES
155 help
156 This target replaced the old obsolete QUEUE target.
158 As opposed to QUEUE, it supports 65535 different queues,
159 not just one.
161 To compile it as a module, choose M here. If unsure, say N.
163 config NETFILTER_XT_TARGET_NOTRACK
164 tristate '"NOTRACK" target support'
165 depends on NETFILTER_XTABLES
166 depends on IP_NF_RAW || IP6_NF_RAW
167 depends on IP_NF_CONNTRACK || NF_CONNTRACK
168 help
169 The NOTRACK target allows a select rule to specify
170 which packets *not* to enter the conntrack/NAT
171 subsystem with all the consequences (no ICMP error tracking,
172 no protocol helpers for the selected packets).
174 If you want to compile it as a module, say M here and read
175 <file:Documentation/modules.txt>. If unsure, say `N'.
177 config NETFILTER_XT_MATCH_COMMENT
178 tristate '"comment" match support'
179 depends on NETFILTER_XTABLES
180 help
181 This option adds a `comment' dummy-match, which allows you to put
182 comments in your iptables ruleset.
184 If you want to compile it as a module, say M here and read
185 <file:Documentation/modules.txt>. If unsure, say `N'.
187 config NETFILTER_XT_MATCH_CONNBYTES
188 tristate '"connbytes" per-connection counter match support'
189 depends on NETFILTER_XTABLES
190 depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK)
191 help
192 This option adds a `connbytes' match, which allows you to match the
193 number of bytes and/or packets for each direction within a connection.
195 If you want to compile it as a module, say M here and read
196 <file:Documentation/modules.txt>. If unsure, say `N'.
198 config NETFILTER_XT_MATCH_CONNMARK
199 tristate '"connmark" connection mark match support'
200 depends on NETFILTER_XTABLES
201 depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
202 help
203 This option adds a `connmark' match, which allows you to match the
204 connection mark value previously set for the session by `CONNMARK'.
206 If you want to compile it as a module, say M here and read
207 <file:Documentation/modules.txt>. The module will be called
208 ipt_connmark.o. If unsure, say `N'.
210 config NETFILTER_XT_MATCH_CONNTRACK
211 tristate '"conntrack" connection tracking match support'
212 depends on NETFILTER_XTABLES
213 depends on IP_NF_CONNTRACK || NF_CONNTRACK
214 help
215 This is a general conntrack match module, a superset of the state match.
217 It allows matching on additional conntrack information, which is
218 useful in complex configurations, such as NAT gateways with multiple
219 internet links or tunnels.
221 To compile it as a module, choose M here. If unsure, say N.
223 config NETFILTER_XT_MATCH_DCCP
224 tristate '"DCCP" protocol match support'
225 depends on NETFILTER_XTABLES
226 help
227 With this option enabled, you will be able to use the iptables
228 `dccp' match in order to match on DCCP source/destination ports
229 and DCCP flags.
231 If you want to compile it as a module, say M here and read
232 <file:Documentation/modules.txt>. If unsure, say `N'.
234 config NETFILTER_XT_MATCH_ESP
235 tristate '"ESP" match support'
236 depends on NETFILTER_XTABLES
237 help
238 This match extension allows you to match a range of SPIs
239 inside ESP header of IPSec packets.
241 To compile it as a module, choose M here. If unsure, say N.
243 config NETFILTER_XT_MATCH_HELPER
244 tristate '"helper" match support'
245 depends on NETFILTER_XTABLES
246 depends on IP_NF_CONNTRACK || NF_CONNTRACK
247 help
248 Helper matching allows you to match packets in dynamic connections
249 tracked by a conntrack-helper, ie. ip_conntrack_ftp
251 To compile it as a module, choose M here. If unsure, say Y.
253 config NETFILTER_XT_MATCH_LENGTH
254 tristate '"length" match support'
255 depends on NETFILTER_XTABLES
256 help
257 This option allows you to match the length of a packet against a
258 specific value or range of values.
260 To compile it as a module, choose M here. If unsure, say N.
262 config NETFILTER_XT_MATCH_LIMIT
263 tristate '"limit" match support'
264 depends on NETFILTER_XTABLES
265 help
266 limit matching allows you to control the rate at which a rule can be
267 matched: mainly useful in combination with the LOG target ("LOG
268 target support", below) and to avoid some Denial of Service attacks.
270 To compile it as a module, choose M here. If unsure, say N.
272 config NETFILTER_XT_MATCH_MAC
273 tristate '"mac" address match support'
274 depends on NETFILTER_XTABLES
275 help
276 MAC matching allows you to match packets based on the source
277 Ethernet address of the packet.
279 To compile it as a module, choose M here. If unsure, say N.
281 config NETFILTER_XT_MATCH_MARK
282 tristate '"mark" match support'
283 depends on NETFILTER_XTABLES
284 help
285 Netfilter mark matching allows you to match packets based on the
286 `nfmark' value in the packet. This can be set by the MARK target
287 (see below).
289 To compile it as a module, choose M here. If unsure, say N.
291 config NETFILTER_XT_MATCH_POLICY
292 tristate 'IPsec "policy" match support'
293 depends on NETFILTER_XTABLES && XFRM
294 help
295 Policy matching allows you to match packets based on the
296 IPsec policy that was used during decapsulation/will
297 be used during encapsulation.
299 To compile it as a module, choose M here. If unsure, say N.
301 config NETFILTER_XT_MATCH_MULTIPORT
302 tristate "Multiple port match support"
303 depends on NETFILTER_XTABLES
304 help
305 Multiport matching allows you to match TCP or UDP packets based on
306 a series of source or destination ports: normally a rule can only
307 match a single range of ports.
309 To compile it as a module, choose M here. If unsure, say N.
311 config NETFILTER_XT_MATCH_PHYSDEV
312 tristate '"physdev" match support'
313 depends on NETFILTER_XTABLES && BRIDGE_NETFILTER
314 help
315 Physdev packet matching matches against the physical bridge ports
316 the IP packet arrived on or will leave by.
318 To compile it as a module, choose M here. If unsure, say N.
320 config NETFILTER_XT_MATCH_PKTTYPE
321 tristate '"pkttype" packet type match support'
322 depends on NETFILTER_XTABLES
323 help
324 Packet type matching allows you to match a packet by
325 its "class", eg. BROADCAST, MULTICAST, ...
327 Typical usage:
328 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
330 To compile it as a module, choose M here. If unsure, say N.
332 config NETFILTER_XT_MATCH_REALM
333 tristate '"realm" match support'
334 depends on NETFILTER_XTABLES
335 select NET_CLS_ROUTE
336 help
337 This option adds a `realm' match, which allows you to use the realm
338 key from the routing subsystem inside iptables.
340 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
341 in tc world.
343 If you want to compile it as a module, say M here and read
344 <file:Documentation/modules.txt>. If unsure, say `N'.
346 config NETFILTER_XT_MATCH_SCTP
347 tristate '"sctp" protocol match support'
348 depends on NETFILTER_XTABLES
349 help
350 With this option enabled, you will be able to use the
351 `sctp' match in order to match on SCTP source/destination ports
352 and SCTP chunk types.
354 If you want to compile it as a module, say M here and read
355 <file:Documentation/modules.txt>. If unsure, say `N'.
357 config NETFILTER_XT_MATCH_STATE
358 tristate '"state" match support'
359 depends on NETFILTER_XTABLES
360 depends on IP_NF_CONNTRACK || NF_CONNTRACK
361 help
362 Connection state matching allows you to match packets based on their
363 relationship to a tracked connection (ie. previous packets). This
364 is a powerful tool for packet classification.
366 To compile it as a module, choose M here. If unsure, say N.
368 config NETFILTER_XT_MATCH_STRING
369 tristate '"string" match support'
370 depends on NETFILTER_XTABLES
371 select TEXTSEARCH
372 select TEXTSEARCH_KMP
373 select TEXTSEARCH_BM
374 select TEXTSEARCH_FSM
375 help
376 This option adds a `string' match, which allows you to look for
377 pattern matchings in packets.
379 To compile it as a module, choose M here. If unsure, say N.
381 config NETFILTER_XT_MATCH_TCPMSS
382 tristate '"tcpmss" match support'
383 depends on NETFILTER_XTABLES
384 help
385 This option adds a `tcpmss' match, which allows you to examine the
386 MSS value of TCP SYN packets, which control the maximum packet size
387 for that connection.
389 To compile it as a module, choose M here. If unsure, say N.
391 endmenu