kconfig
来自「优龙2410linux2.6.8内核源代码」· 代码 · 共 633 行 · 第 1/2 页
TXT
633 行
## IP netfilter configuration#menu "IP: Netfilter Configuration" depends on INET && NETFILTERconfig IP_NF_CONNTRACK tristate "Connection tracking (required for masq/NAT)" ---help--- Connection tracking keeps a record of what packets have passed through your machine, in order to figure out how they are related into connections. This is required to do Masquerading or other kinds of Network Address Translation (except for Fast NAT). It can also be used to enhance packet filtering (see `Connection state match support' below). To compile it as a module, choose M here. If unsure, say N.config IP_NF_FTP tristate "FTP protocol support" depends on IP_NF_CONNTRACK help Tracking FTP connections is problematic: special helpers are required for tracking them, and doing masquerading and other forms of Network Address Translation on them. To compile it as a module, choose M here. If unsure, say Y.config IP_NF_IRC tristate "IRC protocol support" depends on IP_NF_CONNTRACK ---help--- There is a commonly-used extension to IRC called Direct Client-to-Client Protocol (DCC). This enables users to send files to each other, and also chat to each other without the need of a server. DCC Sending is used anywhere you send files over IRC, and DCC Chat is most commonly used by Eggdrop bots. If you are using NAT, this extension will enable you to send files and initiate chats. Note that you do NOT need this extension to get files or have others initiate chats, or everything else in IRC. To compile it as a module, choose M here. If unsure, say Y.config IP_NF_TFTP tristate "TFTP protocol support" depends on IP_NF_CONNTRACK help TFTP connection tracking helper, this is required depending on how restrictive your ruleset is. If you are using a tftp client behind -j SNAT or -j MASQUERADING you will need this. To compile it as a module, choose M here. If unsure, say Y.config IP_NF_AMANDA tristate "Amanda backup protocol support" depends on IP_NF_CONNTRACK help If you are running the Amanda backup package <http://www.amanda.org/> on this machine or machines that will be MASQUERADED through this machine, then you may want to enable this feature. This allows the connection tracking and natting code to allow the sub-channels that Amanda requires for communication of the backup data, messages and index. To compile it as a module, choose M here. If unsure, say Y.config IP_NF_QUEUE tristate "Userspace queueing via NETLINK" help Netfilter has the ability to queue packets to user space: the netlink device can be used to access them using this driver. To compile it as a module, choose M here. If unsure, say N.config IP_NF_IPTABLES tristate "IP tables support (required for filtering/masq/NAT)" help iptables is a general, extensible packet identification framework. The packet filtering and full NAT (masquerading, port forwarding, etc) subsystems now use this: say `Y' or `M' here if you want to use either of those. To compile it as a module, choose M here. If unsure, say N.# The simple matches.config IP_NF_MATCH_LIMIT tristate "limit match support" depends on IP_NF_IPTABLES help limit matching allows you to control the rate at which a rule can be matched: mainly useful in combination with the LOG target ("LOG target support", below) and to avoid some Denial of Service attacks. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_IPRANGE tristate "IP range match support" depends on IP_NF_IPTABLES help This option makes possible to match IP addresses against IP address ranges. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_MAC tristate "MAC address match support" depends on IP_NF_IPTABLES help MAC matching allows you to match packets based on the source Ethernet address of the packet. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_PKTTYPE tristate "Packet type match support" depends on IP_NF_IPTABLES help Packet type matching allows you to match a packet by its "class", eg. BROADCAST, MULTICAST, ... Typical usage: iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_MARK tristate "netfilter MARK match support" depends on IP_NF_IPTABLES help Netfilter mark matching allows you to match packets based on the `nfmark' value in the packet. This can be set by the MARK target (see below). To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_MULTIPORT tristate "Multiple port match support" depends on IP_NF_IPTABLES help Multiport matching allows you to match TCP or UDP packets based on a series of source or destination ports: normally a rule can only match a single range of ports. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_TOS tristate "TOS match support" depends on IP_NF_IPTABLES help TOS matching allows you to match packets based on the Type Of Service fields of the IP packet. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_RECENT tristate "recent match support" depends on IP_NF_IPTABLES help This match is used for creating one or many lists of recently used addresses and then matching against that/those list(s). Short options are available by using 'iptables -m recent -h' Official Website: <http://snowman.net/projects/ipt_recent/> To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_ECN tristate "ECN match support" depends on IP_NF_IPTABLES help This option adds a `ECN' match, which allows you to match against the IPv4 and TCP header ECN fields. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_DSCP tristate "DSCP match support" depends on IP_NF_IPTABLES help This option adds a `DSCP' match, which allows you to match against the IPv4 header DSCP field (DSCP codepoint). The DSCP codepoint can have any value between 0x0 and 0x4f. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_AH_ESP tristate "AH/ESP match support" depends on IP_NF_IPTABLES help These two match extensions (`ah' and `esp') allow you to match a range of SPIs inside AH or ESP headers of IPSec packets. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_LENGTH tristate "LENGTH match support" depends on IP_NF_IPTABLES help This option allows you to match the length of a packet against a specific value or range of values. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_TTL tristate "TTL match support" depends on IP_NF_IPTABLES help This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user to match packets by their TTL value. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_TCPMSS tristate "tcpmss match support" depends on IP_NF_IPTABLES help This option adds a `tcpmss' match, which allows you to examine the MSS value of TCP SYN packets, which control the maximum packet size for that connection. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_HELPER tristate "Helper match support" depends on IP_NF_CONNTRACK && IP_NF_IPTABLES help Helper matching allows you to match packets in dynamic connections tracked by a conntrack-helper, ie. ip_conntrack_ftp To compile it as a module, choose M here. If unsure, say Y.config IP_NF_MATCH_STATE tristate "Connection state match support" depends on IP_NF_CONNTRACK && IP_NF_IPTABLES help Connection state matching allows you to match packets based on their relationship to a tracked connection (ie. previous packets). This is a powerful tool for packet classification. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_CONNTRACK tristate "Connection tracking match support" depends on IP_NF_CONNTRACK && IP_NF_IPTABLES help This is a general conntrack match module, a superset of the state match. It allows matching on additional conntrack information, which is useful in complex configurations, such as NAT gateways with multiple internet links or tunnels. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_OWNER tristate "Owner match support" depends on IP_NF_IPTABLES help Packet owner matching allows you to match locally-generated packets based on who created them: the user, group, process or session. To compile it as a module, choose M here. If unsure, say N.config IP_NF_MATCH_PHYSDEV tristate "Physdev match support" depends on IP_NF_IPTABLES && BRIDGE_NETFILTER help Physdev packet matching matches against the physical bridge ports the IP packet arrived on or will leave by. To compile it as a module, choose M here. If unsure, say N.# The targetsconfig IP_NF_FILTER tristate "Packet filtering" depends on IP_NF_IPTABLES help Packet filtering defines a table `filter', which has a series of rules for simple packet filtering at local input, forwarding and local output. See the man page for iptables(8). To compile it as a module, choose M here. If unsure, say N.config IP_NF_TARGET_REJECT tristate "REJECT target support" depends on IP_NF_FILTER help The REJECT target allows a filtering rule to specify that an ICMP error should be issued in response to an incoming packet, rather than silently being dropped. To compile it as a module, choose M here. If unsure, say N.config IP_NF_NAT tristate "Full NAT" depends on IP_NF_IPTABLES && IP_NF_CONNTRACK help The Full NAT option allows masquerading, port forwarding and other forms of full Network Address Port Translation. It is controlled by the `nat' table in iptables: see the man page for iptables(8). To compile it as a module, choose M here. If unsure, say N.config IP_NF_NAT_NEEDED bool depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y && (IP_NF_COMPAT_IPCHAINS!=y && IP_NF_COMPAT_IPFWADM || IP_NF_COMPAT_IPCHAINS) || IP_NF_IPTABLES && IP_NF_CONNTRACK && IP_NF_NAT default yconfig IP_NF_TARGET_MASQUERADE tristate "MASQUERADE target support" depends on IP_NF_NAT help Masquerading is a special case of NAT: all outgoing connections are⌨️ 快捷键说明
复制代码Ctrl + C
搜索代码Ctrl + F
全屏模式F11
增大字号Ctrl + =
减小字号Ctrl + -
显示快捷键?