[deliverable/linux.git] / net / netfilter / Kconfig

menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
       tristate "Netfilter netlink interface"
       help
         If this option is enabled, the kernel will include support
         for the new netfilter netlink interface.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.
	  
config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	depends on NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT).  It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config NF_CONNTRACK_MARK
	bool  'Connection mark tracking support'
	depends on NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool  'Connection tracking security mark support'
	depends on NF_CONNTRACK && NETWORK_SECMARK
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CT_PROTO_GRE
	tristate
	depends on NF_CONNTRACK

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	default n
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NF_CONNTRACK
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	depends on NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n)
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	depends on NF_CONNTRACK
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This make them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NF_CONNTRACK
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NF_CONNTRACK
	help
	  TFTP connection tracking helper, this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
	depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
	depends on NF_NAT=n || NF_NAT
	help
	  This option enables support for a netlink-based userspace interface

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

  	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate  '"CONNMARK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NF_CONNTRACK
	select NF_CONNTRACK_MARK
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value.  Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  The module will be called
	  ipt_CONNMARK.ko.  If unsure, say `N'.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_XTABLES
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	depends on NETFILTER_XTABLES
	help
	  This option enables the NFLOG target, which allows to LOG
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate  '"NOTRACK" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NF_CONNTRACK
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `RATEEST' target, which allows to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate  '"TRACE" target support'
	depends on NETFILTER_XTABLES
	depends on IP_NF_RAW || IP6_NF_RAW
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which match the packets as those traverse
	  the tables, chains, rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETFILTER_XTABLES && NETWORK_SECMARK
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked).  This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	        1) Web browsers connect, then hang with no data received.
	        2) Small mail works fine, but large emails hang.
	        3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	                 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
	depends on EXPERIMENTAL && NETFILTER_XTABLES
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

config NETFILTER_XT_MATCH_COMMENT
	tristate  '"comment" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate  '"connbytes" per-connection counter match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	select NF_CT_ACCT
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support"'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate  '"connmark" connection mark match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	select NF_CONNTRACK_MARK
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'. 
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  The module will be called
	  ipt_connmark.ko.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_XTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_XTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside ESP header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, ie. ip_conntrack_ftp

	  To compile it as a module, choose M here.  If unsure, say Y.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_XTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_XTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_XTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_XTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet.  This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_XTABLES
	---help---
	Socket owner matching allows you to match locally-generated packets
	based on who created the socket: the user or group. It is also
	possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on NETFILTER_XTABLES && XFRM
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_XTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_XTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `quota' match, which allows to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_XTABLES
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate  '"realm" match support'
	depends on NETFILTER_XTABLES
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.
	
	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
	  in tc world.
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_SCTP
	tristate  '"sctp" protocol match support (EXPERIMENTAL)'
	depends on NETFILTER_XTABLES && EXPERIMENTAL
	help
	  With this option enabled, you will be able to use the 
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NETFILTER_XTABLES
	depends on NF_CONNTRACK
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets).  This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate  '"string" match support'
	depends on NETFILTER_XTABLES
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  pattern matchings in packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_XTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_XTABLES
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine which netfilter is running)
	  on) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_XTABLES
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

endmenu