[NETFILTER]: Kconfig: improve conntrack selection

[linux-2.6] / net / netfilter / Kconfig

menu "Core Netfilter Configuration"
        depends on NET && NETFILTER

config NETFILTER_NETLINK
       tristate "Netfilter netlink interface"
       help
         If this option is enabled, the kernel will include support
         for the new netfilter netlink interface.

config NETFILTER_NETLINK_QUEUE
        tristate "Netfilter NFQUEUE over NFNETLINK interface"
        depends on NETFILTER_NETLINK
        help
          If this option is enabled, the kernel will include support
          for queueing packets via NFNETLINK.
          
config NETFILTER_NETLINK_LOG
        tristate "Netfilter LOG over NFNETLINK interface"
        depends on NETFILTER_NETLINK
        help
          If this option is enabled, the kernel will include support
          for logging packets via NFNETLINK.

          This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
          and is also scheduled to replace the old syslog-based ipt_LOG
          and ip6t_LOG modules.

config NF_CONNTRACK_ENABLED
        tristate "Netfilter connection tracking support"
        help
          Connection tracking keeps a record of what packets have passed
          through your machine, in order to figure out how they are related
          into connections.

          This is required to do Masquerading or other kinds of Network
          Address Translation (except for Fast NAT).  It can also be used to
          enhance packet filtering (see `Connection state match support'
          below).

          To compile it as a module, choose M here.  If unsure, say N.

choice
        prompt "Netfilter connection tracking support"
        depends on NF_CONNTRACK_ENABLED

config NF_CONNTRACK_SUPPORT
        bool "Layer 3 Independent Connection tracking (EXPERIMENTAL)"
        depends on EXPERIMENTAL
        help
          Layer 3 independent connection tracking is experimental scheme
          which generalize ip_conntrack to support other layer 3 protocols.

          This is required to do Masquerading or other kinds of Network
          Address Translation (except for Fast NAT).  It can also be used to
          enhance packet filtering (see `Connection state match support'
          below).

config IP_NF_CONNTRACK_SUPPORT
        bool "Layer 3 Dependent Connection tracking"
        help
          The old, Layer 3 dependent ip_conntrack subsystem of netfilter.

          This is required to do Masquerading or other kinds of Network
          Address Translation (except for Fast NAT).  It can also be used to
          enhance packet filtering (see `Connection state match support'
          below).

endchoice

config NF_CONNTRACK
        tristate
        default m if NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=m
        default y if NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=y

config IP_NF_CONNTRACK
        tristate
        default m if IP_NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=m
        default y if IP_NF_CONNTRACK_SUPPORT && NF_CONNTRACK_ENABLED=y

config NF_CT_ACCT
        bool "Connection tracking flow accounting"
        depends on NF_CONNTRACK
        help
          If this option is enabled, the connection tracking code will
          keep per-flow packet and byte counters.

          Those counters can be used for flow-based accounting or the
          `connbytes' match.

          If unsure, say `N'.

config NF_CONNTRACK_MARK
        bool  'Connection mark tracking support'
        depends on NF_CONNTRACK
        help
          This option enables support for connection marks, used by the
          `CONNMARK' target and `connmark' match. Similar to the mark value
          of packets, but this mark value is kept in the conntrack session
          instead of the individual packets.

config NF_CONNTRACK_SECMARK
        bool  'Connection tracking security mark support'
        depends on NF_CONNTRACK && NETWORK_SECMARK
        help
          This option enables security markings to be applied to
          connections.  Typically they are copied to connections from
          packets using the CONNSECMARK target and copied back from
          connections to packets with the same target, with the packets
          being originally labeled via SECMARK.

          If unsure, say 'N'.

config NF_CONNTRACK_EVENTS
        bool "Connection tracking events (EXPERIMENTAL)"
        depends on EXPERIMENTAL && NF_CONNTRACK
        help
          If this option is enabled, the connection tracking code will
          provide a notifier chain that can be used by other kernel code
          to get notified about changes in the connection tracking state.

          If unsure, say `N'.

config NF_CT_PROTO_SCTP
        tristate 'SCTP protocol on new connection tracking support (EXPERIMENTAL)'
        depends on EXPERIMENTAL && NF_CONNTRACK
        default n
        help
          With this option enabled, the layer 3 independent connection
          tracking code will be able to do state tracking on SCTP connections.

          If you want to compile it as a module, say M here and read
          Documentation/modules.txt.  If unsure, say `N'.

config NF_CONNTRACK_FTP
        tristate "FTP support on new connection tracking (EXPERIMENTAL)"
        depends on EXPERIMENTAL && NF_CONNTRACK
        help
          Tracking FTP connections is problematic: special helpers are
          required for tracking them, and doing masquerading and other forms
          of Network Address Translation on them.

          This is FTP support on Layer 3 independent connection tracking.
          Layer 3 independent connection tracking is experimental scheme
          which generalize ip_conntrack to support other layer 3 protocols.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
        tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
        depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
        depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
        help
          This option enables support for a netlink-based userspace interface

config NETFILTER_XTABLES
        tristate "Netfilter Xtables support (required for ip_tables)"
        help
          This is required if you intend to use any of ip_tables,
          ip6_tables or arp_tables.

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
        tristate '"CLASSIFY" target support'
        depends on NETFILTER_XTABLES
        help
          This option adds a `CLASSIFY' target, which enables the user to set
          the priority of a packet. Some qdiscs can use this value for
          classification, among these are:

          atm, cbq, dsmark, pfifo_fast, htb, prio

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
        tristate  '"CONNMARK" target support'
        depends on NETFILTER_XTABLES
        depends on IP_NF_MANGLE || IP6_NF_MANGLE
        depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
        help
          This option adds a `CONNMARK' target, which allows one to manipulate
          the connection mark value.  Similar to the MARK target, but
          affects the connection mark value rather than the packet mark value.
        
          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  The module will be called
          ipt_CONNMARK.o.  If unsure, say `N'.

config NETFILTER_XT_TARGET_DSCP
        tristate '"DSCP" target support'
        depends on NETFILTER_XTABLES
        depends on IP_NF_MANGLE || IP6_NF_MANGLE
        help
          This option adds a `DSCP' target, which allows you to manipulate
          the IPv4/IPv6 header DSCP field (differentiated services codepoint).

          The DSCP field can have any value between 0x0 and 0x3f inclusive.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_MARK
        tristate '"MARK" target support'
        depends on NETFILTER_XTABLES
        help
          This option adds a `MARK' target, which allows you to create rules
          in the `mangle' table which alter the netfilter mark (nfmark) field
          associated with the packet prior to routing. This can change
          the routing method (see `Use netfilter MARK value as routing
          key') and can also be used by other subsystems to change their
          behavior.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
        tristate '"NFQUEUE" target Support'
        depends on NETFILTER_XTABLES
        help
          This target replaced the old obsolete QUEUE target.

          As opposed to QUEUE, it supports 65535 different queues,
          not just one.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
        tristate '"NFLOG" target support'
        depends on NETFILTER_XTABLES
        help
          This option enables the NFLOG target, which allows to LOG
          messages through the netfilter logging API, which can use
          either the old LOG target, the old ULOG target or nfnetlink_log
          as backend.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
        tristate  '"NOTRACK" target support'
        depends on NETFILTER_XTABLES
        depends on IP_NF_RAW || IP6_NF_RAW
        depends on IP_NF_CONNTRACK || NF_CONNTRACK
        help
          The NOTRACK target allows a select rule to specify
          which packets *not* to enter the conntrack/NAT
          subsystem with all the consequences (no ICMP error tracking,
          no protocol helpers for the selected packets).
        
          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
        tristate '"SECMARK" target support'
        depends on NETFILTER_XTABLES && NETWORK_SECMARK
        help
          The SECMARK target allows security marking of network
          packets, for use with security subsystems.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNSECMARK
        tristate '"CONNSECMARK" target support'
        depends on NETFILTER_XTABLES && \
                   ((NF_CONNTRACK && NF_CONNTRACK_SECMARK) || \
                    (IP_NF_CONNTRACK && IP_NF_CONNTRACK_SECMARK))
        help
          The CONNSECMARK target copies security markings from packets
          to connections, and restores security markings from connections
          to packets (if the packets are not already marked).  This would
          normally be used in conjunction with the SECMARK target.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_COMMENT
        tristate  '"comment" match support'
        depends on NETFILTER_XTABLES
        help
          This option adds a `comment' dummy-match, which allows you to put
          comments in your iptables ruleset.

          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
        tristate  '"connbytes" per-connection counter match support'
        depends on NETFILTER_XTABLES
        depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK)
        help
          This option adds a `connbytes' match, which allows you to match the
          number of bytes and/or packets for each direction within a connection.

          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNMARK
        tristate  '"connmark" connection mark match support'
        depends on NETFILTER_XTABLES
        depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
        help
          This option adds a `connmark' match, which allows you to match the
          connection mark value previously set for the session by `CONNMARK'. 
        
          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  The module will be called
          ipt_connmark.o.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
        tristate '"conntrack" connection tracking match support'
        depends on NETFILTER_XTABLES
        depends on IP_NF_CONNTRACK || NF_CONNTRACK
        help
          This is a general conntrack match module, a superset of the state match.

          It allows matching on additional conntrack information, which is
          useful in complex configurations, such as NAT gateways with multiple
          internet links or tunnels.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
        tristate  '"DCCP" protocol match support'
        depends on NETFILTER_XTABLES
        help
          With this option enabled, you will be able to use the iptables
          `dccp' match in order to match on DCCP source/destination ports
          and DCCP flags.

          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
        tristate '"DSCP" match support'
        depends on NETFILTER_XTABLES
        help
          This option adds a `DSCP' match, which allows you to match against
          the IPv4/IPv6 header DSCP field (differentiated services codepoint).

          The DSCP field can have any value between 0x0 and 0x3f inclusive.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ESP
        tristate '"ESP" match support'
        depends on NETFILTER_XTABLES
        help
          This match extension allows you to match a range of SPIs
          inside ESP header of IPSec packets.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HELPER
        tristate '"helper" match support'
        depends on NETFILTER_XTABLES
        depends on IP_NF_CONNTRACK || NF_CONNTRACK
        help
          Helper matching allows you to match packets in dynamic connections
          tracked by a conntrack-helper, ie. ip_conntrack_ftp

          To compile it as a module, choose M here.  If unsure, say Y.

config NETFILTER_XT_MATCH_LENGTH
        tristate '"length" match support'
        depends on NETFILTER_XTABLES
        help
          This option allows you to match the length of a packet against a
          specific value or range of values.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
        tristate '"limit" match support'
        depends on NETFILTER_XTABLES
        help
          limit matching allows you to control the rate at which a rule can be
          matched: mainly useful in combination with the LOG target ("LOG
          target support", below) and to avoid some Denial of Service attacks.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MAC
        tristate '"mac" address match support'
        depends on NETFILTER_XTABLES
        help
          MAC matching allows you to match packets based on the source
          Ethernet address of the packet.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MARK
        tristate '"mark" match support'
        depends on NETFILTER_XTABLES
        help
          Netfilter mark matching allows you to match packets based on the
          `nfmark' value in the packet.  This can be set by the MARK target
          (see below).

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_POLICY
        tristate 'IPsec "policy" match support'
        depends on NETFILTER_XTABLES && XFRM
        help
          Policy matching allows you to match packets based on the
          IPsec policy that was used during decapsulation/will
          be used during encapsulation.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MULTIPORT
        tristate "Multiple port match support"
        depends on NETFILTER_XTABLES
        help
          Multiport matching allows you to match TCP or UDP packets based on
          a series of source or destination ports: normally a rule can only
          match a single range of ports.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
        tristate '"physdev" match support'
        depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
        help
          Physdev packet matching matches against the physical bridge ports
          the IP packet arrived on or will leave by.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
        tristate '"pkttype" packet type match support'
        depends on NETFILTER_XTABLES
        help
          Packet type matching allows you to match a packet by
          its "class", eg. BROADCAST, MULTICAST, ...

          Typical usage:
          iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
        tristate '"quota" match support'
        depends on NETFILTER_XTABLES
        help
          This option adds a `quota' match, which allows to match on a
          byte counter.

          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_REALM
        tristate  '"realm" match support'
        depends on NETFILTER_XTABLES
        select NET_CLS_ROUTE
        help
          This option adds a `realm' match, which allows you to use the realm
          key from the routing subsystem inside iptables.
        
          This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
          in tc world.
        
          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_SCTP
        tristate  '"sctp" protocol match support (EXPERIMENTAL)'
        depends on NETFILTER_XTABLES && EXPERIMENTAL
        help
          With this option enabled, you will be able to use the 
          `sctp' match in order to match on SCTP source/destination ports
          and SCTP chunk types.

          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_STATE
        tristate '"state" match support'
        depends on NETFILTER_XTABLES
        depends on IP_NF_CONNTRACK || NF_CONNTRACK
        help
          Connection state matching allows you to match packets based on their
          relationship to a tracked connection (ie. previous packets).  This
          is a powerful tool for packet classification.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
        tristate '"statistic" match support'
        depends on NETFILTER_XTABLES
        help
          This option adds a `statistic' match, which allows you to match
          on packets periodically or randomly with a given percentage.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STRING
        tristate  '"string" match support'
        depends on NETFILTER_XTABLES
        select TEXTSEARCH
        select TEXTSEARCH_KMP
        select TEXTSEARCH_BM
        select TEXTSEARCH_FSM
        help
          This option adds a `string' match, which allows you to look for
          pattern matchings in packets.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
        tristate '"tcpmss" match support'
        depends on NETFILTER_XTABLES
        help
          This option adds a `tcpmss' match, which allows you to examine the
          MSS value of TCP SYN packets, which control the maximum packet size
          for that connection.

          To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
        tristate '"hashlimit" match support'
        depends on NETFILTER_XTABLES
        help
          This option adds a `hashlimit' match.

          As opposed to `limit', this match dynamically creates a hash table
          of limit buckets, based on your selection of source/destination
          addresses and/or ports.

          It enables you to express policies like `10kpps for any given
          destination address' or `500pps from any given source address'
          with a single rule.

endmenu