1 menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
4 config NETFILTER_INGRESS
5 bool "Netfilter ingress support"
9 This allows you to classify packets from ingress using the Netfilter
12 config NETFILTER_NETLINK
15 config NETFILTER_NETLINK_ACCT
16 tristate "Netfilter NFACCT over NFNETLINK interface"
17 depends on NETFILTER_ADVANCED
18 select NETFILTER_NETLINK
20 If this option is enabled, the kernel will include support
21 for extended accounting via NFNETLINK.
23 config NETFILTER_NETLINK_QUEUE
24 tristate "Netfilter NFQUEUE over NFNETLINK interface"
25 depends on NETFILTER_ADVANCED
26 select NETFILTER_NETLINK
28 If this option is enabled, the kernel will include support
29 for queueing packets via NFNETLINK.
31 config NETFILTER_NETLINK_LOG
32 tristate "Netfilter LOG over NFNETLINK interface"
33 default m if NETFILTER_ADVANCED=n
34 select NETFILTER_NETLINK
36 If this option is enabled, the kernel will include support
37 for logging packets via NFNETLINK.
39 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
40 and is also scheduled to replace the old syslog-based ipt_LOG
44 tristate "Netfilter connection tracking support"
45 default m if NETFILTER_ADVANCED=n
47 Connection tracking keeps a record of what packets have passed
48 through your machine, in order to figure out how they are related
51 This is required to do Masquerading or other kinds of Network
52 Address Translation. It can also be used to enhance packet
53 filtering (see `Connection state match support' below).
55 To compile it as a module, choose M here. If unsure, say N.
62 config NF_CONNTRACK_MARK
63 bool 'Connection mark tracking support'
64 depends on NETFILTER_ADVANCED
66 This option enables support for connection marks, used by the
67 `CONNMARK' target and `connmark' match. Similar to the mark value
68 of packets, but this mark value is kept in the conntrack session
69 instead of the individual packets.
71 config NF_CONNTRACK_SECMARK
72 bool 'Connection tracking security mark support'
73 depends on NETWORK_SECMARK
74 default m if NETFILTER_ADVANCED=n
76 This option enables security markings to be applied to
77 connections. Typically they are copied to connections from
78 packets using the CONNSECMARK target and copied back from
79 connections to packets with the same target, with the packets
80 being originally labeled via SECMARK.
84 config NF_CONNTRACK_ZONES
85 bool 'Connection tracking zones'
86 depends on NETFILTER_ADVANCED
87 depends on NETFILTER_XT_TARGET_CT
89 This option enables support for connection tracking zones.
90 Normally, each connection needs to have a unique system wide
91 identity. Connection tracking zones allow to have multiple
92 connections using the same identity, as long as they are
93 contained in different zones.
97 config NF_CONNTRACK_PROCFS
98 bool "Supply CT list in procfs (OBSOLETE)"
102 This option enables for the list of known conntrack entries
103 to be shown in procfs under net/netfilter/nf_conntrack. This
104 is considered obsolete in favor of using the conntrack(8)
105 tool which uses Netlink.
107 config NF_CONNTRACK_EVENTS
108 bool "Connection tracking events"
109 depends on NETFILTER_ADVANCED
111 If this option is enabled, the connection tracking code will
112 provide a notifier chain that can be used by other kernel code
113 to get notified about changes in the connection tracking state.
117 config NF_CONNTRACK_TIMEOUT
118 bool 'Connection tracking timeout'
119 depends on NETFILTER_ADVANCED
121 This option enables support for connection tracking timeout
122 extension. This allows you to attach timeout policies to flow
127 config NF_CONNTRACK_TIMESTAMP
128 bool 'Connection tracking timestamping'
129 depends on NETFILTER_ADVANCED
131 This option enables support for connection tracking timestamping.
132 This allows you to store the flow start-time and to obtain
133 the flow-stop time (once it has been destroyed) via Connection
138 config NF_CONNTRACK_LABELS
141 This option enables support for assigning user-defined flag bits
142 to connection tracking entries. It selected by the connlabel match.
144 config NF_CT_PROTO_DCCP
145 tristate 'DCCP protocol connection tracking support'
146 depends on NETFILTER_ADVANCED
149 With this option enabled, the layer 3 independent connection
150 tracking code will be able to do state tracking on DCCP connections.
154 config NF_CT_PROTO_GRE
157 config NF_CT_PROTO_SCTP
158 tristate 'SCTP protocol connection tracking support'
159 depends on NETFILTER_ADVANCED
162 With this option enabled, the layer 3 independent connection
163 tracking code will be able to do state tracking on SCTP connections.
165 If you want to compile it as a module, say M here and read
166 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
168 config NF_CT_PROTO_UDPLITE
169 tristate 'UDP-Lite protocol connection tracking support'
170 depends on NETFILTER_ADVANCED
172 With this option enabled, the layer 3 independent connection
173 tracking code will be able to do state tracking on UDP-Lite
176 To compile it as a module, choose M here. If unsure, say N.
178 config NF_CONNTRACK_AMANDA
179 tristate "Amanda backup protocol support"
180 depends on NETFILTER_ADVANCED
182 select TEXTSEARCH_KMP
184 If you are running the Amanda backup package <http://www.amanda.org/>
185 on this machine or machines that will be MASQUERADED through this
186 machine, then you may want to enable this feature. This allows the
187 connection tracking and natting code to allow the sub-channels that
188 Amanda requires for communication of the backup data, messages and
191 To compile it as a module, choose M here. If unsure, say N.
193 config NF_CONNTRACK_FTP
194 tristate "FTP protocol support"
195 default m if NETFILTER_ADVANCED=n
197 Tracking FTP connections is problematic: special helpers are
198 required for tracking them, and doing masquerading and other forms
199 of Network Address Translation on them.
201 This is FTP support on Layer 3 independent connection tracking.
202 Layer 3 independent connection tracking is experimental scheme
203 which generalize ip_conntrack to support other layer 3 protocols.
205 To compile it as a module, choose M here. If unsure, say N.
207 config NF_CONNTRACK_H323
208 tristate "H.323 protocol support"
209 depends on IPV6 || IPV6=n
210 depends on NETFILTER_ADVANCED
212 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
213 important VoIP protocols, it is widely used by voice hardware and
214 software including voice gateways, IP phones, Netmeeting, OpenPhone,
217 With this module you can support H.323 on a connection tracking/NAT
220 This module supports RAS, Fast Start, H.245 Tunnelling, Call
221 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
222 whiteboard, file transfer, etc. For more information, please
223 visit http://nath323.sourceforge.net/.
225 To compile it as a module, choose M here. If unsure, say N.
227 config NF_CONNTRACK_IRC
228 tristate "IRC protocol support"
229 default m if NETFILTER_ADVANCED=n
231 There is a commonly-used extension to IRC called
232 Direct Client-to-Client Protocol (DCC). This enables users to send
233 files to each other, and also chat to each other without the need
234 of a server. DCC Sending is used anywhere you send files over IRC,
235 and DCC Chat is most commonly used by Eggdrop bots. If you are
236 using NAT, this extension will enable you to send files and initiate
237 chats. Note that you do NOT need this extension to get files or
238 have others initiate chats, or everything else in IRC.
240 To compile it as a module, choose M here. If unsure, say N.
242 config NF_CONNTRACK_BROADCAST
245 config NF_CONNTRACK_NETBIOS_NS
246 tristate "NetBIOS name service protocol support"
247 select NF_CONNTRACK_BROADCAST
249 NetBIOS name service requests are sent as broadcast messages from an
250 unprivileged port and responded to with unicast messages to the
251 same port. This make them hard to firewall properly because connection
252 tracking doesn't deal with broadcasts. This helper tracks locally
253 originating NetBIOS name service requests and the corresponding
254 responses. It relies on correct IP address configuration, specifically
255 netmask and broadcast address. When properly configured, the output
256 of "ip address show" should look similar to this:
258 $ ip -4 address show eth0
259 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
260 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
262 To compile it as a module, choose M here. If unsure, say N.
264 config NF_CONNTRACK_SNMP
265 tristate "SNMP service protocol support"
266 depends on NETFILTER_ADVANCED
267 select NF_CONNTRACK_BROADCAST
269 SNMP service requests are sent as broadcast messages from an
270 unprivileged port and responded to with unicast messages to the
271 same port. This make them hard to firewall properly because connection
272 tracking doesn't deal with broadcasts. This helper tracks locally
273 originating SNMP service requests and the corresponding
274 responses. It relies on correct IP address configuration, specifically
275 netmask and broadcast address.
277 To compile it as a module, choose M here. If unsure, say N.
279 config NF_CONNTRACK_PPTP
280 tristate "PPtP protocol support"
281 depends on NETFILTER_ADVANCED
282 select NF_CT_PROTO_GRE
284 This module adds support for PPTP (Point to Point Tunnelling
285 Protocol, RFC2637) connection tracking and NAT.
287 If you are running PPTP sessions over a stateful firewall or NAT
288 box, you may want to enable this feature.
290 Please note that not all PPTP modes of operation are supported yet.
291 Specifically these limitations exist:
292 - Blindly assumes that control connections are always established
293 in PNS->PAC direction. This is a violation of RFC2637.
294 - Only supports a single call within each session
296 To compile it as a module, choose M here. If unsure, say N.
298 config NF_CONNTRACK_SANE
299 tristate "SANE protocol support"
300 depends on NETFILTER_ADVANCED
302 SANE is a protocol for remote access to scanners as implemented
303 by the 'saned' daemon. Like FTP, it uses separate control and
306 With this module you can support SANE on a connection tracking
309 To compile it as a module, choose M here. If unsure, say N.
311 config NF_CONNTRACK_SIP
312 tristate "SIP protocol support"
313 default m if NETFILTER_ADVANCED=n
315 SIP is an application-layer control protocol that can establish,
316 modify, and terminate multimedia sessions (conferences) such as
317 Internet telephony calls. With the ip_conntrack_sip and
318 the nf_nat_sip modules you can support the protocol on a connection
319 tracking/NATing firewall.
321 To compile it as a module, choose M here. If unsure, say N.
323 config NF_CONNTRACK_TFTP
324 tristate "TFTP protocol support"
325 depends on NETFILTER_ADVANCED
327 TFTP connection tracking helper, this is required depending
328 on how restrictive your ruleset is.
329 If you are using a tftp client behind -j SNAT or -j MASQUERADING
332 To compile it as a module, choose M here. If unsure, say N.
335 tristate 'Connection tracking netlink interface'
336 select NETFILTER_NETLINK
337 default m if NETFILTER_ADVANCED=n
339 This option enables support for a netlink-based userspace interface
341 config NF_CT_NETLINK_TIMEOUT
342 tristate 'Connection tracking timeout tuning via Netlink'
343 select NETFILTER_NETLINK
344 depends on NETFILTER_ADVANCED
346 This option enables support for connection tracking timeout
347 fine-grain tuning. This allows you to attach specific timeout
348 policies to flows, instead of using the global timeout policy.
352 config NF_CT_NETLINK_HELPER
353 tristate 'Connection tracking helpers in user-space via Netlink'
354 select NETFILTER_NETLINK
355 depends on NF_CT_NETLINK
356 depends on NETFILTER_NETLINK_QUEUE
357 depends on NETFILTER_NETLINK_GLUE_CT
358 depends on NETFILTER_ADVANCED
360 This option enables the user-space connection tracking helpers
365 config NETFILTER_NETLINK_GLUE_CT
366 bool "NFQUEUE and NFLOG integration with Connection Tracking"
368 depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
370 If this option is enabled, NFQUEUE and NFLOG can include
371 Connection Tracking information together with the packet is
372 the enqueued via NFNETLINK.
382 config NF_NAT_PROTO_DCCP
384 depends on NF_NAT && NF_CT_PROTO_DCCP
385 default NF_NAT && NF_CT_PROTO_DCCP
387 config NF_NAT_PROTO_UDPLITE
389 depends on NF_NAT && NF_CT_PROTO_UDPLITE
390 default NF_NAT && NF_CT_PROTO_UDPLITE
392 config NF_NAT_PROTO_SCTP
394 default NF_NAT && NF_CT_PROTO_SCTP
395 depends on NF_NAT && NF_CT_PROTO_SCTP
400 depends on NF_CONNTRACK && NF_NAT
401 default NF_NAT && NF_CONNTRACK_AMANDA
405 depends on NF_CONNTRACK && NF_NAT
406 default NF_NAT && NF_CONNTRACK_FTP
410 depends on NF_CONNTRACK && NF_NAT
411 default NF_NAT && NF_CONNTRACK_IRC
415 depends on NF_CONNTRACK && NF_NAT
416 default NF_NAT && NF_CONNTRACK_SIP
420 depends on NF_CONNTRACK && NF_NAT
421 default NF_NAT && NF_CONNTRACK_TFTP
423 config NF_NAT_REDIRECT
424 tristate "IPv4/IPv6 redirect support"
427 This is the kernel functionality to redirect packets to local
430 config NETFILTER_SYNPROXY
436 select NETFILTER_NETLINK
437 tristate "Netfilter nf_tables support"
439 nftables is the new packet classification framework that intends to
440 replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
441 provides a pseudo-state machine with an extensible instruction-set
442 (also known as expressions) that the userspace 'nft' utility
443 (http://www.netfilter.org/projects/nftables) uses to build the
444 rule-set. It also comes with the generic set infrastructure that
445 allows you to construct mappings between matchings and actions
446 for performance lookups.
448 To compile it as a module, choose M here.
452 config NF_TABLES_INET
454 select NF_TABLES_IPV4
455 select NF_TABLES_IPV6
456 tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
458 This option enables support for a mixed IPv4/IPv6 "inet" table.
460 config NF_TABLES_NETDEV
461 tristate "Netfilter nf_tables netdev tables support"
463 This option enables support for the "netdev" table.
466 tristate "Netfilter nf_tables IPv6 exthdr module"
468 This option adds the "exthdr" expression that you can use to match
469 IPv6 extension headers.
472 tristate "Netfilter nf_tables meta module"
474 This option adds the "meta" expression that you can use to match and
475 to set packet metainformation such as the packet mark.
478 depends on NF_CONNTRACK
479 tristate "Netfilter nf_tables conntrack module"
481 This option adds the "meta" expression that you can use to match
482 connection tracking information such as the flow state.
484 config NFT_SET_RBTREE
485 tristate "Netfilter nf_tables rbtree set module"
487 This option adds the "rbtree" set type (Red Black tree) that is used
488 to build interval-based sets.
491 tristate "Netfilter nf_tables hash set module"
493 This option adds the "hash" set type that is used to build one-way
494 mappings between matchings and actions.
497 tristate "Netfilter nf_tables counter module"
499 This option adds the "counter" expression that you can use to
500 include packet and byte counters in a rule.
503 tristate "Netfilter nf_tables log module"
505 This option adds the "log" expression that you can use to log
506 packets matching some criteria.
509 tristate "Netfilter nf_tables limit module"
511 This option adds the "limit" expression that you can use to
512 ratelimit rule matchings.
515 depends on NF_CONNTRACK
517 tristate "Netfilter nf_tables masquerade support"
519 This option adds the "masquerade" expression that you can use
520 to perform NAT in the masquerade flavour.
523 depends on NF_CONNTRACK
525 tristate "Netfilter nf_tables redirect support"
527 This options adds the "redirect" expression that you can use
528 to perform NAT in the redirect flavour.
531 depends on NF_CONNTRACK
533 tristate "Netfilter nf_tables nat module"
535 This option adds the "nat" expression that you can use to perform
536 typical Network Address Translation (NAT) packet transformations.
539 depends on NETFILTER_NETLINK_QUEUE
540 tristate "Netfilter nf_tables queue module"
542 This is required if you intend to use the userspace queueing
543 infrastructure (also known as NFQUEUE) from nftables.
546 default m if NETFILTER_ADVANCED=n
547 tristate "Netfilter nf_tables reject support"
549 This option adds the "reject" expression that you can use to
550 explicitly deny and notify via TCP reset/ICMP informational errors
553 config NFT_REJECT_INET
554 depends on NF_TABLES_INET
559 depends on NETFILTER_XTABLES
560 tristate "Netfilter x_tables over nf_tables module"
562 This is required if you intend to use any of existing
563 x_tables match/target extensions over the nf_tables
567 tristate "Netfilter nf_tables hash module"
569 This option adds the "hash" expression that you can use to perform
570 a hash operation on registers.
575 tristate "Netfilter packet duplication support"
577 This option enables the generic packet duplication infrastructure
580 config NFT_DUP_NETDEV
581 tristate "Netfilter nf_tables netdev packet duplication support"
584 This option enables packet duplication for the "netdev" family.
586 config NFT_FWD_NETDEV
587 tristate "Netfilter nf_tables netdev packet forwarding support"
590 This option enables packet forwarding for the "netdev" family.
592 endif # NF_TABLES_NETDEV
596 config NETFILTER_XTABLES
597 tristate "Netfilter Xtables support (required for ip_tables)"
598 default m if NETFILTER_ADVANCED=n
600 This is required if you intend to use any of ip_tables,
601 ip6_tables or arp_tables.
605 comment "Xtables combined modules"
607 config NETFILTER_XT_MARK
608 tristate 'nfmark target and match support'
609 default m if NETFILTER_ADVANCED=n
611 This option adds the "MARK" target and "mark" match.
613 Netfilter mark matching allows you to match packets based on the
614 "nfmark" value in the packet.
615 The target allows you to create rules in the "mangle" table which alter
616 the netfilter mark (nfmark) field associated with the packet.
618 Prior to routing, the nfmark can influence the routing method and can
619 also be used by other subsystems to change their behavior.
621 config NETFILTER_XT_CONNMARK
622 tristate 'ctmark target and match support'
623 depends on NF_CONNTRACK
624 depends on NETFILTER_ADVANCED
625 select NF_CONNTRACK_MARK
627 This option adds the "CONNMARK" target and "connmark" match.
629 Netfilter allows you to store a mark value per connection (a.k.a.
630 ctmark), similarly to the packet mark (nfmark). Using this
631 target and match, you can set and match on this mark.
633 config NETFILTER_XT_SET
634 tristate 'set target and match support'
636 depends on NETFILTER_ADVANCED
638 This option adds the "SET" target and "set" match.
640 Using this target and match, you can add/delete and match
641 elements in the sets created by ipset(8).
643 To compile it as a module, choose M here. If unsure, say N.
645 # alphabetically ordered list of targets
647 comment "Xtables targets"
649 config NETFILTER_XT_TARGET_AUDIT
650 tristate "AUDIT target support"
652 depends on NETFILTER_ADVANCED
654 This option adds a 'AUDIT' target, which can be used to create
655 audit records for packets dropped/accepted.
657 To compileit as a module, choose M here. If unsure, say N.
659 config NETFILTER_XT_TARGET_CHECKSUM
660 tristate "CHECKSUM target support"
661 depends on IP_NF_MANGLE || IP6_NF_MANGLE
662 depends on NETFILTER_ADVANCED
664 This option adds a `CHECKSUM' target, which can be used in the iptables mangle
667 You can use this target to compute and fill in the checksum in
668 a packet that lacks a checksum. This is particularly useful,
669 if you need to work around old applications such as dhcp clients,
670 that do not work well with checksum offloads, but don't want to disable
671 checksum offload in your device.
673 To compile it as a module, choose M here. If unsure, say N.
675 config NETFILTER_XT_TARGET_CLASSIFY
676 tristate '"CLASSIFY" target support'
677 depends on NETFILTER_ADVANCED
679 This option adds a `CLASSIFY' target, which enables the user to set
680 the priority of a packet. Some qdiscs can use this value for
681 classification, among these are:
683 atm, cbq, dsmark, pfifo_fast, htb, prio
685 To compile it as a module, choose M here. If unsure, say N.
687 config NETFILTER_XT_TARGET_CONNMARK
688 tristate '"CONNMARK" target support'
689 depends on NF_CONNTRACK
690 depends on NETFILTER_ADVANCED
691 select NETFILTER_XT_CONNMARK
693 This is a backwards-compat option for the user's convenience
694 (e.g. when running oldconfig). It selects
695 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
697 config NETFILTER_XT_TARGET_CONNSECMARK
698 tristate '"CONNSECMARK" target support'
699 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
700 default m if NETFILTER_ADVANCED=n
702 The CONNSECMARK target copies security markings from packets
703 to connections, and restores security markings from connections
704 to packets (if the packets are not already marked). This would
705 normally be used in conjunction with the SECMARK target.
707 To compile it as a module, choose M here. If unsure, say N.
709 config NETFILTER_XT_TARGET_CT
710 tristate '"CT" target support'
711 depends on NF_CONNTRACK
712 depends on IP_NF_RAW || IP6_NF_RAW
713 depends on NETFILTER_ADVANCED
715 This options adds a `CT' target, which allows to specify initial
716 connection tracking parameters like events to be delivered and
717 the helper to be used.
719 To compile it as a module, choose M here. If unsure, say N.
721 config NETFILTER_XT_TARGET_DSCP
722 tristate '"DSCP" and "TOS" target support'
723 depends on IP_NF_MANGLE || IP6_NF_MANGLE
724 depends on NETFILTER_ADVANCED
726 This option adds a `DSCP' target, which allows you to manipulate
727 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
729 The DSCP field can have any value between 0x0 and 0x3f inclusive.
731 It also adds the "TOS" target, which allows you to create rules in
732 the "mangle" table which alter the Type Of Service field of an IPv4
733 or the Priority field of an IPv6 packet, prior to routing.
735 To compile it as a module, choose M here. If unsure, say N.
737 config NETFILTER_XT_TARGET_HL
738 tristate '"HL" hoplimit target support'
739 depends on IP_NF_MANGLE || IP6_NF_MANGLE
740 depends on NETFILTER_ADVANCED
742 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
743 targets, which enable the user to change the
744 hoplimit/time-to-live value of the IP header.
746 While it is safe to decrement the hoplimit/TTL value, the
747 modules also allow to increment and set the hoplimit value of
748 the header to arbitrary values. This is EXTREMELY DANGEROUS
749 since you can easily create immortal packets that loop
750 forever on the network.
752 config NETFILTER_XT_TARGET_HMARK
753 tristate '"HMARK" target support'
754 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
755 depends on NETFILTER_ADVANCED
757 This option adds the "HMARK" target.
759 The target allows you to create rules in the "raw" and "mangle" tables
760 which set the skbuff mark by means of hash calculation within a given
761 range. The nfmark can influence the routing method and can also be used
762 by other subsystems to change their behaviour.
764 To compile it as a module, choose M here. If unsure, say N.
766 config NETFILTER_XT_TARGET_IDLETIMER
767 tristate "IDLETIMER target support"
768 depends on NETFILTER_ADVANCED
771 This option adds the `IDLETIMER' target. Each matching packet
772 resets the timer associated with label specified when the rule is
773 added. When the timer expires, it triggers a sysfs notification.
774 The remaining time for expiration can be read via sysfs.
776 To compile it as a module, choose M here. If unsure, say N.
778 config NETFILTER_XT_TARGET_LED
779 tristate '"LED" target support'
780 depends on LEDS_CLASS && LEDS_TRIGGERS
781 depends on NETFILTER_ADVANCED
783 This option adds a `LED' target, which allows you to blink LEDs in
784 response to particular packets passing through your machine.
786 This can be used to turn a spare LED into a network activity LED,
787 which only flashes in response to FTP transfers, for example. Or
788 you could have an LED which lights up for a minute or two every time
789 somebody connects to your machine via SSH.
791 You will need support for the "led" class to make this work.
793 To create an LED trigger for incoming SSH traffic:
794 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
796 Then attach the new trigger to an LED on your system:
797 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
799 For more information on the LEDs available on your system, see
800 Documentation/leds/leds-class.txt
802 config NETFILTER_XT_TARGET_LOG
803 tristate "LOG target support"
806 select NF_LOG_IPV6 if IPV6
807 default m if NETFILTER_ADVANCED=n
809 This option adds a `LOG' target, which allows you to create rules in
810 any iptables table which records the packet header to the syslog.
812 To compile it as a module, choose M here. If unsure, say N.
814 config NETFILTER_XT_TARGET_MARK
815 tristate '"MARK" target support'
816 depends on NETFILTER_ADVANCED
817 select NETFILTER_XT_MARK
819 This is a backwards-compat option for the user's convenience
820 (e.g. when running oldconfig). It selects
821 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
823 config NETFILTER_XT_NAT
824 tristate '"SNAT and DNAT" targets support'
827 This option enables the SNAT and DNAT targets.
829 To compile it as a module, choose M here. If unsure, say N.
831 config NETFILTER_XT_TARGET_NETMAP
832 tristate '"NETMAP" target support'
835 NETMAP is an implementation of static 1:1 NAT mapping of network
836 addresses. It maps the network address part, while keeping the host
839 To compile it as a module, choose M here. If unsure, say N.
841 config NETFILTER_XT_TARGET_NFLOG
842 tristate '"NFLOG" target support'
843 default m if NETFILTER_ADVANCED=n
844 select NETFILTER_NETLINK_LOG
846 This option enables the NFLOG target, which allows to LOG
847 messages through nfnetlink_log.
849 To compile it as a module, choose M here. If unsure, say N.
851 config NETFILTER_XT_TARGET_NFQUEUE
852 tristate '"NFQUEUE" target Support'
853 depends on NETFILTER_ADVANCED
854 select NETFILTER_NETLINK_QUEUE
856 This target replaced the old obsolete QUEUE target.
858 As opposed to QUEUE, it supports 65535 different queues,
861 To compile it as a module, choose M here. If unsure, say N.
863 config NETFILTER_XT_TARGET_NOTRACK
864 tristate '"NOTRACK" target support (DEPRECATED)'
865 depends on NF_CONNTRACK
866 depends on IP_NF_RAW || IP6_NF_RAW
867 depends on NETFILTER_ADVANCED
868 select NETFILTER_XT_TARGET_CT
870 config NETFILTER_XT_TARGET_RATEEST
871 tristate '"RATEEST" target support'
872 depends on NETFILTER_ADVANCED
874 This option adds a `RATEEST' target, which allows to measure
875 rates similar to TC estimators. The `rateest' match can be
876 used to match on the measured rates.
878 To compile it as a module, choose M here. If unsure, say N.
880 config NETFILTER_XT_TARGET_REDIRECT
881 tristate "REDIRECT target support"
883 select NF_NAT_REDIRECT
885 REDIRECT is a special case of NAT: all incoming connections are
886 mapped onto the incoming interface's address, causing the packets to
887 come to the local machine instead of passing through. This is
888 useful for transparent proxies.
890 To compile it as a module, choose M here. If unsure, say N.
892 config NETFILTER_XT_TARGET_TEE
893 tristate '"TEE" - packet cloning to alternate destination'
894 depends on NETFILTER_ADVANCED
895 depends on IPV6 || IPV6=n
896 depends on !NF_CONNTRACK || NF_CONNTRACK
898 select NF_DUP_IPV6 if IPV6
900 This option adds a "TEE" target with which a packet can be cloned and
901 this clone be rerouted to another nexthop.
903 config NETFILTER_XT_TARGET_TPROXY
904 tristate '"TPROXY" target transparent proxying support'
905 depends on NETFILTER_XTABLES
906 depends on NETFILTER_ADVANCED
907 depends on IPV6 || IPV6=n
908 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
909 depends on IP_NF_MANGLE
910 select NF_DEFRAG_IPV4
911 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
913 This option adds a `TPROXY' target, which is somewhat similar to
914 REDIRECT. It can only be used in the mangle table and is useful
915 to redirect traffic to a transparent proxy. It does _not_ depend
916 on Netfilter connection tracking and NAT, unlike REDIRECT.
917 For it to work you will have to configure certain iptables rules
918 and use policy routing. For more information on how to set it up
919 see Documentation/networking/tproxy.txt.
921 To compile it as a module, choose M here. If unsure, say N.
923 config NETFILTER_XT_TARGET_TRACE
924 tristate '"TRACE" target support'
925 depends on IP_NF_RAW || IP6_NF_RAW
926 depends on NETFILTER_ADVANCED
928 The TRACE target allows you to mark packets so that the kernel
929 will log every rule which match the packets as those traverse
930 the tables, chains, rules.
932 If you want to compile it as a module, say M here and read
933 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
935 config NETFILTER_XT_TARGET_SECMARK
936 tristate '"SECMARK" target support'
937 depends on NETWORK_SECMARK
938 default m if NETFILTER_ADVANCED=n
940 The SECMARK target allows security marking of network
941 packets, for use with security subsystems.
943 To compile it as a module, choose M here. If unsure, say N.
945 config NETFILTER_XT_TARGET_TCPMSS
946 tristate '"TCPMSS" target support'
947 depends on IPV6 || IPV6=n
948 default m if NETFILTER_ADVANCED=n
950 This option adds a `TCPMSS' target, which allows you to alter the
951 MSS value of TCP SYN packets, to control the maximum size for that
952 connection (usually limiting it to your outgoing interface's MTU
955 This is used to overcome criminally braindead ISPs or servers which
956 block ICMP Fragmentation Needed packets. The symptoms of this
957 problem are that everything works fine from your Linux
958 firewall/router, but machines behind it can never exchange large
960 1) Web browsers connect, then hang with no data received.
961 2) Small mail works fine, but large emails hang.
962 3) ssh works fine, but scp hangs after initial handshaking.
964 Workaround: activate this option and add a rule to your firewall
967 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
968 -j TCPMSS --clamp-mss-to-pmtu
970 To compile it as a module, choose M here. If unsure, say N.
972 config NETFILTER_XT_TARGET_TCPOPTSTRIP
973 tristate '"TCPOPTSTRIP" target support'
974 depends on IP_NF_MANGLE || IP6_NF_MANGLE
975 depends on NETFILTER_ADVANCED
977 This option adds a "TCPOPTSTRIP" target, which allows you to strip
978 TCP options from TCP packets.
980 # alphabetically ordered list of matches
982 comment "Xtables matches"
984 config NETFILTER_XT_MATCH_ADDRTYPE
985 tristate '"addrtype" address type match support'
986 default m if NETFILTER_ADVANCED=n
988 This option allows you to match what routing thinks of an address,
989 eg. UNICAST, LOCAL, BROADCAST, ...
991 If you want to compile it as a module, say M here and read
992 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
994 config NETFILTER_XT_MATCH_BPF
995 tristate '"bpf" match support'
996 depends on NETFILTER_ADVANCED
998 BPF matching applies a linux socket filter to each packet and
999 accepts those for which the filter returns non-zero.
1001 To compile it as a module, choose M here. If unsure, say N.
1003 config NETFILTER_XT_MATCH_CGROUP
1004 tristate '"control group" match support'
1005 depends on NETFILTER_ADVANCED
1007 select CGROUP_NET_CLASSID
1009 Socket/process control group matching allows you to match locally
1010 generated packets based on which net_cls control group processes
1013 config NETFILTER_XT_MATCH_CLUSTER
1014 tristate '"cluster" match support'
1015 depends on NF_CONNTRACK
1016 depends on NETFILTER_ADVANCED
1018 This option allows you to build work-load-sharing clusters of
1019 network servers/stateful firewalls without having a dedicated
1020 load-balancing router/server/switch. Basically, this match returns
1021 true when the packet must be handled by this cluster node. Thus,
1022 all nodes see all packets and this match decides which node handles
1023 what packets. The work-load sharing algorithm is based on source
1026 If you say Y or M here, try `iptables -m cluster --help` for
1029 config NETFILTER_XT_MATCH_COMMENT
1030 tristate '"comment" match support'
1031 depends on NETFILTER_ADVANCED
1033 This option adds a `comment' dummy-match, which allows you to put
1034 comments in your iptables ruleset.
1036 If you want to compile it as a module, say M here and read
1037 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1039 config NETFILTER_XT_MATCH_CONNBYTES
1040 tristate '"connbytes" per-connection counter match support'
1041 depends on NF_CONNTRACK
1042 depends on NETFILTER_ADVANCED
1044 This option adds a `connbytes' match, which allows you to match the
1045 number of bytes and/or packets for each direction within a connection.
1047 If you want to compile it as a module, say M here and read
1048 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1050 config NETFILTER_XT_MATCH_CONNLABEL
1051 tristate '"connlabel" match support'
1052 select NF_CONNTRACK_LABELS
1053 depends on NF_CONNTRACK
1054 depends on NETFILTER_ADVANCED
1056 This match allows you to test and assign userspace-defined labels names
1057 to a connection. The kernel only stores bit values - mapping
1058 names to bits is done by userspace.
1060 Unlike connmark, more than 32 flag bits may be assigned to a
1061 connection simultaneously.
1063 config NETFILTER_XT_MATCH_CONNLIMIT
1064 tristate '"connlimit" match support'
1065 depends on NF_CONNTRACK
1066 depends on NETFILTER_ADVANCED
1068 This match allows you to match against the number of parallel
1069 connections to a server per client IP address (or address block).
1071 config NETFILTER_XT_MATCH_CONNMARK
1072 tristate '"connmark" connection mark match support'
1073 depends on NF_CONNTRACK
1074 depends on NETFILTER_ADVANCED
1075 select NETFILTER_XT_CONNMARK
1077 This is a backwards-compat option for the user's convenience
1078 (e.g. when running oldconfig). It selects
1079 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1081 config NETFILTER_XT_MATCH_CONNTRACK
1082 tristate '"conntrack" connection tracking match support'
1083 depends on NF_CONNTRACK
1084 default m if NETFILTER_ADVANCED=n
1086 This is a general conntrack match module, a superset of the state match.
1088 It allows matching on additional conntrack information, which is
1089 useful in complex configurations, such as NAT gateways with multiple
1090 internet links or tunnels.
1092 To compile it as a module, choose M here. If unsure, say N.
1094 config NETFILTER_XT_MATCH_CPU
1095 tristate '"cpu" match support'
1096 depends on NETFILTER_ADVANCED
1098 CPU matching allows you to match packets based on the CPU
1099 currently handling the packet.
1101 To compile it as a module, choose M here. If unsure, say N.
1103 config NETFILTER_XT_MATCH_DCCP
1104 tristate '"dccp" protocol match support'
1105 depends on NETFILTER_ADVANCED
1108 With this option enabled, you will be able to use the iptables
1109 `dccp' match in order to match on DCCP source/destination ports
1112 If you want to compile it as a module, say M here and read
1113 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1115 config NETFILTER_XT_MATCH_DEVGROUP
1116 tristate '"devgroup" match support'
1117 depends on NETFILTER_ADVANCED
1119 This options adds a `devgroup' match, which allows to match on the
1120 device group a network device is assigned to.
1122 To compile it as a module, choose M here. If unsure, say N.
1124 config NETFILTER_XT_MATCH_DSCP
1125 tristate '"dscp" and "tos" match support'
1126 depends on NETFILTER_ADVANCED
1128 This option adds a `DSCP' match, which allows you to match against
1129 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1131 The DSCP field can have any value between 0x0 and 0x3f inclusive.
1133 It will also add a "tos" match, which allows you to match packets
1134 based on the Type Of Service fields of the IPv4 packet (which share
1135 the same bits as DSCP).
1137 To compile it as a module, choose M here. If unsure, say N.
1139 config NETFILTER_XT_MATCH_ECN
1140 tristate '"ecn" match support'
1141 depends on NETFILTER_ADVANCED
1143 This option adds an "ECN" match, which allows you to match against
1144 the IPv4 and TCP header ECN fields.
1146 To compile it as a module, choose M here. If unsure, say N.
1148 config NETFILTER_XT_MATCH_ESP
1149 tristate '"esp" match support'
1150 depends on NETFILTER_ADVANCED
1152 This match extension allows you to match a range of SPIs
1153 inside ESP header of IPSec packets.
1155 To compile it as a module, choose M here. If unsure, say N.
1157 config NETFILTER_XT_MATCH_HASHLIMIT
1158 tristate '"hashlimit" match support'
1159 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1160 depends on NETFILTER_ADVANCED
1162 This option adds a `hashlimit' match.
1164 As opposed to `limit', this match dynamically creates a hash table
1165 of limit buckets, based on your selection of source/destination
1166 addresses and/or ports.
1168 It enables you to express policies like `10kpps for any given
1169 destination address' or `500pps from any given source address'
1172 config NETFILTER_XT_MATCH_HELPER
1173 tristate '"helper" match support'
1174 depends on NF_CONNTRACK
1175 depends on NETFILTER_ADVANCED
1177 Helper matching allows you to match packets in dynamic connections
1178 tracked by a conntrack-helper, ie. ip_conntrack_ftp
1180 To compile it as a module, choose M here. If unsure, say Y.
1182 config NETFILTER_XT_MATCH_HL
1183 tristate '"hl" hoplimit/TTL match support'
1184 depends on NETFILTER_ADVANCED
1186 HL matching allows you to match packets based on the hoplimit
1187 in the IPv6 header, or the time-to-live field in the IPv4
1188 header of the packet.
1190 config NETFILTER_XT_MATCH_IPCOMP
1191 tristate '"ipcomp" match support'
1192 depends on NETFILTER_ADVANCED
1194 This match extension allows you to match a range of CPIs(16 bits)
1195 inside IPComp header of IPSec packets.
1197 To compile it as a module, choose M here. If unsure, say N.
1199 config NETFILTER_XT_MATCH_IPRANGE
1200 tristate '"iprange" address range match support'
1201 depends on NETFILTER_ADVANCED
1203 This option adds a "iprange" match, which allows you to match based on
1204 an IP address range. (Normal iptables only matches on single addresses
1205 with an optional mask.)
1209 config NETFILTER_XT_MATCH_IPVS
1210 tristate '"ipvs" match support'
1212 depends on NETFILTER_ADVANCED
1213 depends on NF_CONNTRACK
1215 This option allows you to match against IPVS properties of a packet.
1219 config NETFILTER_XT_MATCH_L2TP
1220 tristate '"l2tp" match support'
1221 depends on NETFILTER_ADVANCED
1224 This option adds an "L2TP" match, which allows you to match against
1225 L2TP protocol header fields.
1227 To compile it as a module, choose M here. If unsure, say N.
1229 config NETFILTER_XT_MATCH_LENGTH
1230 tristate '"length" match support'
1231 depends on NETFILTER_ADVANCED
1233 This option allows you to match the length of a packet against a
1234 specific value or range of values.
1236 To compile it as a module, choose M here. If unsure, say N.
1238 config NETFILTER_XT_MATCH_LIMIT
1239 tristate '"limit" match support'
1240 depends on NETFILTER_ADVANCED
1242 limit matching allows you to control the rate at which a rule can be
1243 matched: mainly useful in combination with the LOG target ("LOG
1244 target support", below) and to avoid some Denial of Service attacks.
1246 To compile it as a module, choose M here. If unsure, say N.
1248 config NETFILTER_XT_MATCH_MAC
1249 tristate '"mac" address match support'
1250 depends on NETFILTER_ADVANCED
1252 MAC matching allows you to match packets based on the source
1253 Ethernet address of the packet.
1255 To compile it as a module, choose M here. If unsure, say N.
1257 config NETFILTER_XT_MATCH_MARK
1258 tristate '"mark" match support'
1259 depends on NETFILTER_ADVANCED
1260 select NETFILTER_XT_MARK
1262 This is a backwards-compat option for the user's convenience
1263 (e.g. when running oldconfig). It selects
1264 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1266 config NETFILTER_XT_MATCH_MULTIPORT
1267 tristate '"multiport" Multiple port match support'
1268 depends on NETFILTER_ADVANCED
1270 Multiport matching allows you to match TCP or UDP packets based on
1271 a series of source or destination ports: normally a rule can only
1272 match a single range of ports.
1274 To compile it as a module, choose M here. If unsure, say N.
1276 config NETFILTER_XT_MATCH_NFACCT
1277 tristate '"nfacct" match support'
1278 depends on NETFILTER_ADVANCED
1279 select NETFILTER_NETLINK_ACCT
1281 This option allows you to use the extended accounting through
1284 To compile it as a module, choose M here. If unsure, say N.
1286 config NETFILTER_XT_MATCH_OSF
1287 tristate '"osf" Passive OS fingerprint match'
1288 depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
1290 This option selects the Passive OS Fingerprinting match module
1291 that allows to passively match the remote operating system by
1292 analyzing incoming TCP SYN packets.
1294 Rules and loading software can be downloaded from
1295 http://www.ioremap.net/projects/osf
1297 To compile it as a module, choose M here. If unsure, say N.
1299 config NETFILTER_XT_MATCH_OWNER
1300 tristate '"owner" match support'
1301 depends on NETFILTER_ADVANCED
1303 Socket owner matching allows you to match locally-generated packets
1304 based on who created the socket: the user or group. It is also
1305 possible to check whether a socket actually exists.
1307 config NETFILTER_XT_MATCH_POLICY
1308 tristate 'IPsec "policy" match support'
1310 default m if NETFILTER_ADVANCED=n
1312 Policy matching allows you to match packets based on the
1313 IPsec policy that was used during decapsulation/will
1314 be used during encapsulation.
1316 To compile it as a module, choose M here. If unsure, say N.
1318 config NETFILTER_XT_MATCH_PHYSDEV
1319 tristate '"physdev" match support'
1320 depends on BRIDGE && BRIDGE_NETFILTER
1321 depends on NETFILTER_ADVANCED
1323 Physdev packet matching matches against the physical bridge ports
1324 the IP packet arrived on or will leave by.
1326 To compile it as a module, choose M here. If unsure, say N.
1328 config NETFILTER_XT_MATCH_PKTTYPE
1329 tristate '"pkttype" packet type match support'
1330 depends on NETFILTER_ADVANCED
1332 Packet type matching allows you to match a packet by
1333 its "class", eg. BROADCAST, MULTICAST, ...
1336 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1338 To compile it as a module, choose M here. If unsure, say N.
1340 config NETFILTER_XT_MATCH_QUOTA
1341 tristate '"quota" match support'
1342 depends on NETFILTER_ADVANCED
1344 This option adds a `quota' match, which allows to match on a
1347 If you want to compile it as a module, say M here and read
1348 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1350 config NETFILTER_XT_MATCH_RATEEST
1351 tristate '"rateest" match support'
1352 depends on NETFILTER_ADVANCED
1353 select NETFILTER_XT_TARGET_RATEEST
1355 This option adds a `rateest' match, which allows to match on the
1356 rate estimated by the RATEEST target.
1358 To compile it as a module, choose M here. If unsure, say N.
1360 config NETFILTER_XT_MATCH_REALM
1361 tristate '"realm" match support'
1362 depends on NETFILTER_ADVANCED
1363 select IP_ROUTE_CLASSID
1365 This option adds a `realm' match, which allows you to use the realm
1366 key from the routing subsystem inside iptables.
1368 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1371 If you want to compile it as a module, say M here and read
1372 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1374 config NETFILTER_XT_MATCH_RECENT
1375 tristate '"recent" match support'
1376 depends on NETFILTER_ADVANCED
1378 This match is used for creating one or many lists of recently
1379 used addresses and then matching against that/those list(s).
1381 Short options are available by using 'iptables -m recent -h'
1382 Official Website: <http://snowman.net/projects/ipt_recent/>
1384 config NETFILTER_XT_MATCH_SCTP
1385 tristate '"sctp" protocol match support'
1386 depends on NETFILTER_ADVANCED
1389 With this option enabled, you will be able to use the
1390 `sctp' match in order to match on SCTP source/destination ports
1391 and SCTP chunk types.
1393 If you want to compile it as a module, say M here and read
1394 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1396 config NETFILTER_XT_MATCH_SOCKET
1397 tristate '"socket" match support'
1398 depends on NETFILTER_XTABLES
1399 depends on NETFILTER_ADVANCED
1400 depends on !NF_CONNTRACK || NF_CONNTRACK
1401 depends on IPV6 || IPV6=n
1402 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1403 select NF_DEFRAG_IPV4
1404 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1406 This option adds a `socket' match, which can be used to match
1407 packets for which a TCP or UDP socket lookup finds a valid socket.
1408 It can be used in combination with the MARK target and policy
1409 routing to implement full featured non-locally bound sockets.
1411 To compile it as a module, choose M here. If unsure, say N.
1413 config NETFILTER_XT_MATCH_STATE
1414 tristate '"state" match support'
1415 depends on NF_CONNTRACK
1416 default m if NETFILTER_ADVANCED=n
1418 Connection state matching allows you to match packets based on their
1419 relationship to a tracked connection (ie. previous packets). This
1420 is a powerful tool for packet classification.
1422 To compile it as a module, choose M here. If unsure, say N.
1424 config NETFILTER_XT_MATCH_STATISTIC
1425 tristate '"statistic" match support'
1426 depends on NETFILTER_ADVANCED
1428 This option adds a `statistic' match, which allows you to match
1429 on packets periodically or randomly with a given percentage.
1431 To compile it as a module, choose M here. If unsure, say N.
1433 config NETFILTER_XT_MATCH_STRING
1434 tristate '"string" match support'
1435 depends on NETFILTER_ADVANCED
1437 select TEXTSEARCH_KMP
1438 select TEXTSEARCH_BM
1439 select TEXTSEARCH_FSM
1441 This option adds a `string' match, which allows you to look for
1442 pattern matchings in packets.
1444 To compile it as a module, choose M here. If unsure, say N.
1446 config NETFILTER_XT_MATCH_TCPMSS
1447 tristate '"tcpmss" match support'
1448 depends on NETFILTER_ADVANCED
1450 This option adds a `tcpmss' match, which allows you to examine the
1451 MSS value of TCP SYN packets, which control the maximum packet size
1452 for that connection.
1454 To compile it as a module, choose M here. If unsure, say N.
1456 config NETFILTER_XT_MATCH_TIME
1457 tristate '"time" match support'
1458 depends on NETFILTER_ADVANCED
1460 This option adds a "time" match, which allows you to match based on
1461 the packet arrival time (at the machine which netfilter is running)
1462 on) or departure time/date (for locally generated packets).
1464 If you say Y here, try `iptables -m time --help` for
1467 If you want to compile it as a module, say M here.
1470 config NETFILTER_XT_MATCH_U32
1471 tristate '"u32" match support'
1472 depends on NETFILTER_ADVANCED
1474 u32 allows you to extract quantities of up to 4 bytes from a packet,
1475 AND them with specified masks, shift them by specified amounts and
1476 test whether the results are in any of a set of specified ranges.
1477 The specification of what to extract is general enough to skip over
1478 headers with lengths stored in the packet, as in IP or TCP header
1481 Details and examples are in the kernel module source.
1483 endif # NETFILTER_XTABLES
1487 source "net/netfilter/ipset/Kconfig"
1489 source "net/netfilter/ipvs/Kconfig"