kconfig

鼎力推荐！本程序是基于嵌入式LUNUX系统开发的源程序代码

#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# connection tracking, helpers and protocols
config IP_NF_CONNTRACK
	tristate "Connection tracking (required for masq/NAT)"
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT).  It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config IP_NF_CONNTRACK_MARK
	bool  'Connection mark tracking support'
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.
	
config IP_NF_CT_PROTO_SCTP
	tristate  'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  With this option enabled, the connection tracking code will
	  be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_IRC
	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	---help---
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_TFTP
	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper, this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_AMANDA
	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_QUEUE
	tristate "Userspace queueing via NETLINK"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

# The matches.
config IP_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP_NF_IPTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes possible to match IP addresses against IP address
	  ranges.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP_NF_IPTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_PKTTYPE
	tristate "Packet type match support"
	depends on IP_NF_IPTABLES
	help
         Packet type matching allows you to match a packet by
         its "class", eg. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP_NF_IPTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet.  This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_AH_ESP
	tristate "AH/ESP match support"
	depends on IP_NF_IPTABLES
	help
	  These two match extensions (`ah' and `esp') allow you to match a
	  range of SPIs inside AH or ESP headers of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_LENGTH
	tristate "LENGTH match support"
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TCPMSS
	tristate "tcpmss match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_HELPER
	tristate "Helper match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, ie. ip_conntrack_ftp

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_MATCH_STATE
	tristate "Connection state match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets).  This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_CONNTRACK
	tristate "Connection tracking match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate  'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_REALM
	tristate  'realm match support'
	depends on IP_NF_IPTABLES
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.
	
	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
	  in tc world.
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_SCTP
	tristate  'SCTP protocol match support'
	depends on IP_NF_IPTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_COMMENT
	tristate  'comment match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.