kconfig

LINUX 2.6.17.4的源码

#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 support for new connection tracking (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

# connection tracking, helpers and protocols
config IP_NF_CONNTRACK
	tristate "Connection tracking (required for masq/NAT)"
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT).  It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config IP_NF_CONNTRACK_MARK
	bool  'Connection mark tracking support'
	depends on IP_NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.
	
config IP_NF_CONNTRACK_EVENTS
	bool "Connection tracking events (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.
	  
	  IF unsure, say `N'.

config IP_NF_CONNTRACK_NETLINK
	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
	depends on EXPERIMENTAL && IP_NF_CONNTRACK && NETFILTER_NETLINK
	depends on IP_NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
	depends on IP_NF_NAT=n || IP_NF_NAT
	help
	  This option enables support for a netlink-based userspace interface


config IP_NF_CT_PROTO_SCTP
	tristate  'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  With this option enabled, the connection tracking code will
	  be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_IRC
	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	---help---
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_NETBIOS_NS
	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This make them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
	  
	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TFTP
	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper, this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_AMANDA
	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_PPTP
	tristate  'PPTP protocol support'
	depends on IP_NF_CONNTRACK
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT. 
	
	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.  
	
	  Please note that not all PPTP modes of operation are supported yet.
	  For more info, read top of the file
	  net/ipv4/netfilter/ip_conntrack_pptp.c
	
	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt.  If unsure, say `N'.

config IP_NF_H323
	tristate  'H.323 protocol support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast-start, H.245 tunnelling, RTP/RTCP
	  and T.120 based data and applications including audio, video, FAX,
	  chat, whiteboard, file transfer, etc. For more information, please
	  see http://nath323.sourceforge.net/.

	  If you want to compile it as a module, say 'M' here and read
	  Documentation/modules.txt.  If unsure, say 'N'.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	depends on NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

# The matches.
config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes possible to match IP addresses against IP address
	  ranges.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_AH
	tristate "AH match support"
	depends on IP_NF_IPTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate  'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_HASHLIMIT
	tristate  'hashlimit match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a new iptables `hashlimit' match.  

	  As opposed to `limit', this match dynamically crates a hash table