menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_INGRESS
	bool "Netfilter ingress support"
	help
	  This allows you to classify packets from ingress using the Netfilter

config NETFILTER_NETLINK

config NETFILTER_NETLINK_ACCT
	tristate "Netfilter NFACCT over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG

	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default y if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system-wide
	  identity. Connection tracking zones allow multiple connections
	  to use the same identity, as long as they are contained in
	  different zones.

config NF_CONNTRACK_PROCFS
	bool "Supply CT list in procfs (OBSOLETE)"
	help
	  This option enables the list of known conntrack entries
	  to be shown in procfs under net/netfilter/nf_conntrack. This
	  is considered obsolete in favor of using the conntrack(8)
	  tool, which uses Netlink.
config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

config NF_CONNTRACK_TIMEOUT
	bool 'Connection tracking timeout'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for the connection tracking timeout
	  extension. This allows you to attach timeout policies to flow

config NF_CONNTRACK_TIMESTAMP
	bool 'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start-time and to obtain
	  the flow-stop time (once it has been destroyed) via Connection

config NF_CONNTRACK_LABELS
	help
	  This option enables support for assigning user-defined flag bits
	  to connection tracking entries. It is selected by the connlabel match.

config NF_CT_PROTO_DCCP
	tristate 'DCCP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

config NF_CT_PROTO_GRE

config NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NF_CT_PROTO_UDPLITE
	tristate 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on IPV6 || IPV6=n
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,

	  With this module you can support H.323 on a connection tracking/NAT

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_BROADCAST

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here. If unsure, say N.
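The NetBIOS-NS and SNMP entries above describe one shared mechanism: a locally originating request to the interface's broadcast address creates an expectation for unicast replies to the port the request left from, and that only works when the netmask (and therefore the broadcast address) is configured correctly. The following is an added userspace model of that expectation logic, written for this page and not taken from the kernel's nf_conntrack_broadcast code. The class and function names, the 3-second default timeout, the UDP-only assumption, and the sample addresses (based on the `ip` output above) are assumptions; the expectation is modelled as reusable by several replying hosts until it times out.

```python
import ipaddress
from typing import Dict, Tuple

# Constructed model (not kernel code) of the locally-originating broadcast
# helper that both the NetBIOS-NS and the SNMP helpers build on.
Key = Tuple[str, int]   # (local address, local port) a reply must be sent to


class BroadcastHelper:
    def __init__(self, iface: str, timeout: float = 3.0):
        # iface is the configured address with prefix length, e.g. the
        # "172.16.2.252/24" shown by "ip -4 address show". The broadcast
        # address is derived from the prefix, so a wrong netmask silently
        # stops requests from being recognised as broadcasts at all.
        self.iface = ipaddress.ip_interface(iface)
        self.timeout = timeout   # assumed default, in seconds
        self.expectations: Dict[Key, float] = {}   # key -> expiry time

    @property
    def broadcast(self) -> str:
        return str(self.iface.network.broadcast_address)

    def outbound(self, src: str, sport: int, dst: str, dport: int, now: float) -> bool:
        """Locally originating packet. Only a datagram from this interface's
        own address to its broadcast address registers an expectation."""
        if ipaddress.ip_address(src) != self.iface.ip:
            return False
        if ipaddress.ip_address(dst) != self.iface.network.broadcast_address:
            return False
        self.expectations[(src, sport)] = now + self.timeout
        return True

    def inbound_related(self, src: str, sport: int, dst: str, dport: int, now: float) -> bool:
        """Incoming unicast packet. It is RELATED when it targets the address
        and port the request left from, comes from a host on the same
        network, and the expectation has not expired yet."""
        key = (dst, dport)
        expiry = self.expectations.get(key)
        if expiry is None:
            return False
        if now > expiry:
            del self.expectations[key]   # expired: reply is treated as NEW
            return False
        return ipaddress.ip_address(src) in self.iface.network


def netbios_lookup_scenario(iface: str) -> Tuple[bool, bool]:
    """Constructed scenario: a name query from port 137 to 172.16.2.255 and a
    unicast answer from 172.16.2.10 half a second later. Returns
    (request recognised as broadcast, answer classified as RELATED)."""
    helper = BroadcastHelper(iface)
    sent = helper.outbound("172.16.2.252", 137, "172.16.2.255", 137, now=0.0)
    answered = helper.inbound_related("172.16.2.10", 137, "172.16.2.252", 137, now=0.5)
    return sent, answered


if __name__ == "__main__":
    print("/24:", netbios_lookup_scenario("172.16.2.252/24"))   # (True, True)
    print("/16:", netbios_lookup_scenario("172.16.2.252/16"))   # (False, False)
```

With the prefix length from the `ip` output the answer is classified as RELATED; with a wrong prefix (/16) the broadcast address becomes 172.16.255.255, the request is never recognised as a broadcast, and the reply would have to be allowed by an explicit rule instead, which is exactly the misconfiguration the help text warns about.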
config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	  - Blindly assumes that control connections are always established
	    in PNS->PAC direction. This is a violation of RFC2637.
	  - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support"
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and

	  With this module you can support SANE on a connection tracking

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the ip_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE

	  To compile it as a module, choose M here. If unsure, say N.

	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface

config NF_CT_NETLINK_TIMEOUT
	tristate 'Connection tracking timeout tuning via Netlink'
	select NETFILTER_NETLINK
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timeout
	  fine-grain tuning. This allows you to attach specific timeout
	  policies to flows, instead of using the global timeout policy.

config NF_CT_NETLINK_HELPER
	tristate 'Connection tracking helpers in user-space via Netlink'
	select NETFILTER_NETLINK
	depends on NF_CT_NETLINK
	depends on NETFILTER_NETLINK_QUEUE
	depends on NETFILTER_NETLINK_GLUE_CT
	depends on NETFILTER_ADVANCED
	help
	  This option enables the user-space connection tracking helpers

config NETFILTER_NETLINK_GLUE_CT
	bool "NFQUEUE and NFLOG integration with Connection Tracking"
	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
	help
	  If this option is enabled, NFQUEUE and NFLOG can include
	  Connection Tracking information together with the packet that
	  is enqueued via NFNETLINK.

config NF_NAT_PROTO_DCCP
	depends on NF_NAT && NF_CT_PROTO_DCCP
	default NF_NAT && NF_CT_PROTO_DCCP

config NF_NAT_PROTO_UDPLITE
	depends on NF_NAT && NF_CT_PROTO_UDPLITE
	default NF_NAT && NF_CT_PROTO_UDPLITE

config NF_NAT_PROTO_SCTP
	default NF_NAT && NF_CT_PROTO_SCTP
	depends on NF_NAT && NF_CT_PROTO_SCTP

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_REDIRECT
	tristate "IPv4/IPv6 redirect support"
	help
	  This is the kernel functionality to redirect packets to local

config NETFILTER_SYNPROXY

	select NETFILTER_NETLINK
	tristate "Netfilter nf_tables support"
	help
	  nftables is the new packet classification framework that intends to
	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
	  provides a pseudo-state machine with an extensible instruction-set
	  (also known as expressions) that the userspace 'nft' utility
	  (http://www.netfilter.org/projects/nftables) uses to build the
	  rule-set. It also comes with the generic set infrastructure that
	  allows you to construct mappings between matchings and actions
	  for performance lookups.

	  To compile it as a module, choose M here.
config NF_TABLES_INET
	select NF_TABLES_IPV4
	select NF_TABLES_IPV6
	tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support"
	help
	  This option enables support for a mixed IPv4/IPv6 "inet" table.

config NF_TABLES_NETDEV
	tristate "Netfilter nf_tables netdev tables support"
	help
	  This option enables support for the "netdev" table.

	tristate "Netfilter nf_tables IPv6 exthdr module"
	help
	  This option adds the "exthdr" expression that you can use to match
	  IPv6 extension headers.

	tristate "Netfilter nf_tables meta module"
	help
	  This option adds the "meta" expression that you can use to match and
	  to set packet metainformation such as the packet mark.

	tristate "Netfilter nf_tables number generator module"
	help
	  This option adds the number generator expression used to perform
	  incremental counting and random numbers bound to an upper limit.

	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables conntrack module"
	help
	  This option adds the "ct" expression that you can use to match
	  connection tracking information such as the flow state.

config NFT_SET_RBTREE
	tristate "Netfilter nf_tables rbtree set module"
	help
	  This option adds the "rbtree" set type (Red Black tree) that is used
	  to build interval-based sets.

	tristate "Netfilter nf_tables hash set module"
	help
	  This option adds the "hash" set type that is used to build one-way
	  mappings between matchings and actions.

	tristate "Netfilter nf_tables counter module"
	help
	  This option adds the "counter" expression that you can use to
	  include packet and byte counters in a rule.

	tristate "Netfilter nf_tables log module"
	help
	  This option adds the "log" expression that you can use to log
	  packets matching some criteria.

	tristate "Netfilter nf_tables limit module"
	help
	  This option adds the "limit" expression that you can use to
	  ratelimit rule matchings.

	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables masquerade support"
	help
	  This option adds the "masquerade" expression that you can use
	  to perform NAT in the masquerade flavour.

	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables redirect support"
	help
	  This option adds the "redirect" expression that you can use
	  to perform NAT in the redirect flavour.

	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables nat module"
	help
	  This option adds the "nat" expression that you can use to perform
	  typical Network Address Translation (NAT) packet transformations.

	depends on NETFILTER_NETLINK_QUEUE
	tristate "Netfilter nf_tables queue module"
	help
	  This is required if you intend to use the userspace queueing
	  infrastructure (also known as NFQUEUE) from nftables.

	tristate "Netfilter nf_tables quota module"
	help
	  This option adds the "quota" expression that you can use to match
	  and enforce byte quotas.

	default m if NETFILTER_ADVANCED=n
	tristate "Netfilter nf_tables reject support"
	help
	  This option adds the "reject" expression that you can use to
	  explicitly deny and notify via TCP reset/ICMP informational errors

config NFT_REJECT_INET
	depends on NF_TABLES_INET

	depends on NETFILTER_XTABLES
	tristate "Netfilter x_tables over nf_tables module"
	help
	  This is required if you intend to use any of the existing
	  x_tables match/target extensions over the nf_tables

	tristate "Netfilter nf_tables hash module"
	help
	  This option adds the "hash" expression that you can use to perform
	  a hash operation on registers.

	tristate "Netfilter packet duplication support"
	help
	  This option enables the generic packet duplication infrastructure

config NFT_DUP_NETDEV
	tristate "Netfilter nf_tables netdev packet duplication support"
	help
	  This option enables packet duplication for the "netdev" family.

config NFT_FWD_NETDEV
	tristate "Netfilter nf_tables netdev packet forwarding support"
	help
	  This option enables packet forwarding for the "netdev" family.

endif # NF_TABLES_NETDEV
config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds the "MARK" target and "mark" match.

	  Netfilter mark matching allows you to match packets based on the
	  "nfmark" value in the packet.
	  The target allows you to create rules in the "mangle" table which alter
	  the netfilter mark (nfmark) field associated with the packet.

	  Prior to routing, the nfmark can influence the routing method and can
	  also be used by other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds the "CONNMARK" target and "connmark" match.

	  Netfilter allows you to store a mark value per connection (a.k.a.
	  ctmark), similarly to the packet mark (nfmark). Using this
	  target and match, you can set and match on this mark.

config NETFILTER_XT_SET
	tristate 'set target and match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "SET" target and "set" match.

	  Using this target and match, you can add/delete and match
	  elements in the sets created by ipset(8).

	  To compile it as a module, choose M here. If unsure, say N.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_AUDIT
	tristate "AUDIT target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds an 'AUDIT' target, which can be used to create
	  audit records for packets dropped/accepted.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle

	  You can use this target to compute and fill in the checksum in
	  a packet that lacks a checksum. This is particularly useful
	  if you need to work around old applications such as dhcp clients
	  that do not work well with checksum offloads, but don't want to disable
	  checksum offload in your device.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow you to increment and set the hoplimit value of
	  the header to arbitrary values. This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_HMARK
	tristate '"HMARK" target support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "HMARK" target.

	  The target allows you to create rules in the "raw" and "mangle" tables
	  which set the skbuff mark by means of hash calculation within a given
	  range. The nfmark can influence the routing method and can also be used
	  by other subsystems to change their behaviour.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds the `IDLETIMER' target. Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added. When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example. Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds/leds-class.txt

config NETFILTER_XT_TARGET_LOG
	tristate "LOG target support"
	select NF_LOG_IPV6 if IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_NAT
	tristate '"SNAT and DNAT" targets support'
	help
	  This option enables the SNAT and DNAT targets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NETMAP
	tristate '"NETMAP" target support'
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows you to log
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_QUEUE
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support (DEPRECATED)'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_CT
config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_REDIRECT
	tristate "REDIRECT target support"
	select NF_NAT_REDIRECT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6 if IPV6
	help
	  This option adds a "TEE" target with which a packet can be cloned and
	  this clone be rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target transparent proxying support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on IP_NF_MANGLE
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT. It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy. It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as those traverse
	  the tables, chains, rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on IPV6 || IPV6=n
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large

	  1) Web browsers connect, then hang with no data received.
	  2) Small mail works fine, but large emails hang.
	  3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall

	    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	             -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.
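As an added illustration of what the TCPMSS rule above does to a SYN, and, in the same code, of the option removal performed by the TCPOPTSTRIP target above, the following Python was written for this page; it is not taken from the kernel's xt_TCPMSS or xt_TCPOPTSTRIP sources. It builds a constructed IPv4 SYN, walks the TCP option list, either clamps the MSS to the path MTU minus the IPv4 and TCP header lengths or overwrites selected options with NOPs, and recomputes the TCP checksum in both cases. The function names, the 10.0.0.0/24 sample addresses, and the choice of a window-scale option as the one to strip are assumptions; the real TCPMSS target also handles IPv6 and inserts an MSS option when a SYN carries none, which this model omits.

```python
import socket
import struct
from typing import Iterator, Optional, Tuple

IPV4_HDR_LEN, TCP_MIN_HDR_LEN, TCP_PROTO, TCP_FLAG_SYN = 20, 20, 6, 0x02
TCP_OPT_EOL, TCP_OPT_NOP, TCP_OPT_MSS = 0, 1, 2

def _ones_complement(data: bytes) -> int:
    """RFC 1071 checksum over big-endian 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def tcp_checksum(ip_hdr: bytes, tcp: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment, with the
    checksum field itself taken as zero."""
    pseudo = ip_hdr[12:20] + struct.pack("!BBH", 0, TCP_PROTO, len(tcp))
    return _ones_complement(pseudo + tcp[:16] + b"\x00\x00" + tcp[18:])

def tcp_options(tcp: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (offset, kind, length) per option. Stops at EOL or at a
    malformed entry; the real targets also leave such packets untouched."""
    end = (tcp[12] >> 4) * 4
    i = TCP_MIN_HDR_LEN
    while i < end:
        kind = tcp[i]
        if kind == TCP_OPT_EOL:
            return
        length = 1 if kind == TCP_OPT_NOP else (tcp[i + 1] if i + 1 < end else 0)
        if length < 1 or i + length > end or (kind > TCP_OPT_NOP and length < 2):
            return
        yield i, kind, length   # length is fixed before the caller may edit bytes
        i += length

def _split(packet: bytes) -> Tuple[bytes, bytearray]:
    ihl = (packet[0] & 0x0F) * 4
    return packet[:ihl], bytearray(packet[ihl:])

def _rebuild(ip_hdr: bytes, tcp: bytearray) -> bytes:
    struct.pack_into("!H", tcp, 16, tcp_checksum(ip_hdr, bytes(tcp)))
    return ip_hdr + bytes(tcp)

def read_mss(packet: bytes) -> Optional[int]:
    _, tcp = _split(packet)
    for off, kind, length in tcp_options(tcp):
        if kind == TCP_OPT_MSS and length == 4:
            return struct.unpack_from("!H", tcp, off + 2)[0]
    return None

def clamp_mss_to_pmtu(packet: bytes, pmtu: int) -> bytes:
    """--clamp-mss-to-pmtu for IPv4: MSS = PMTU - IP header - TCP header.
    Non-SYN segments, and SYNs without an MSS option, are returned as-is."""
    ip_hdr, tcp = _split(packet)
    if ip_hdr[9] != TCP_PROTO or not tcp[13] & TCP_FLAG_SYN:
        return packet
    target = pmtu - IPV4_HDR_LEN - TCP_MIN_HDR_LEN
    for off, kind, length in tcp_options(tcp):
        if kind == TCP_OPT_MSS and length == 4:
            if struct.unpack_from("!H", tcp, off + 2)[0] <= target:
                return packet          # already small enough: leave it alone
            struct.pack_into("!H", tcp, off + 2, target)
            return _rebuild(ip_hdr, tcp)
    return packet

def strip_options(packet: bytes, kinds: set) -> bytes:
    """TCPOPTSTRIP-style removal: overwrite the chosen options with NOPs so
    the header length stays valid, then fix the checksum."""
    ip_hdr, tcp = _split(packet)
    if ip_hdr[9] != TCP_PROTO:
        return packet
    for off, kind, length in tcp_options(tcp):
        if kind in kinds:
            tcp[off:off + length] = bytes([TCP_OPT_NOP]) * length
    return _rebuild(ip_hdr, tcp)

def checksum_ok(packet: bytes) -> bool:
    ip_hdr, tcp = _split(packet)
    return struct.unpack_from("!H", tcp, 16)[0] == tcp_checksum(ip_hdr, bytes(tcp))

def build_syn(src: str, dst: str, sport: int, dport: int, mss: int) -> bytes:
    """Constructed sample: IPv4 SYN with an MSS option followed by a
    NOP-padded window scale option (kind 3, shift 7)."""
    opts = struct.pack("!BBH", TCP_OPT_MSS, 4, mss) + bytes([TCP_OPT_NOP, 3, 3, 7])
    data_off = (TCP_MIN_HDR_LEN + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, data_off << 4,
                      TCP_FLAG_SYN, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HDR_LEN + len(tcp), 0, 0x4000,
                     64, TCP_PROTO, 0, socket.inet_aton(src), socket.inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _ones_complement(ip)) + ip[12:]   # IP checksum
    return _rebuild(ip, bytearray(tcp))
```

For a SYN advertising MSS 1460 and a path MTU of 1400, `clamp_mss_to_pmtu` rewrites the option to 1360 (1400 minus 20 bytes of IPv4 header minus 20 bytes of TCP header) and leaves a SYN whose MSS already fits unchanged, which is why the rule above only needs to match `--tcp-flags SYN,RST SYN`; stripping an option never shortens the header, so the data offset field stays correct.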
# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_BPF
	tristate '"bpf" match support'
	depends on NETFILTER_ADVANCED
	help
	  BPF matching applies a Linux socket filter to each packet and
	  accepts those for which the filter returns non-zero.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CGROUP
	tristate '"control group" match support'
	depends on NETFILTER_ADVANCED
	select CGROUP_NET_CLASSID
	help
	  Socket/process control group matching allows you to match locally
	  generated packets based on which net_cls control group processes

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source

	  If you say Y or M here, try `iptables -m cluster --help` for

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLABEL
	tristate '"connlabel" match support'
	select NF_CONNTRACK_LABELS
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This match allows you to test and assign userspace-defined label names
	  to a connection. The kernel only stores bit values; mapping
	  names to bits is done by userspace.

	  Unlike connmark, more than 32 flag bits may be assigned to a
	  connection simultaneously.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DEVGROUP
	tristate '"devgroup" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `devgroup' match, which allows you to match on the
	  device group a network device is assigned to.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an "ECN" match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, i.e. ip_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	help
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPCOMP
	tristate '"ipcomp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of CPIs (16 bits)
	  inside the IPComp header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

config NETFILTER_XT_MATCH_L2TP
	tristate '"l2tp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an "L2TP" match, which allows you to match against
	  L2TP protocol header fields.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  Limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.
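The `limit' and `hashlimit' help texts above describe the same mechanism at two granularities: one token bucket for the whole rule (`limit'), or a table of buckets created on demand and keyed by the addresses/ports you select (`hashlimit'). The following is an added illustration of that mechanism, written for this page; it is not the kernel's xt_limit or xt_hashlimit code. The `RateLimiter` class, its `expire()` method, the packet dictionaries and the timings are constructed for the demonstration.

```python
"""Token-bucket rate limiting as used by the `limit' and `hashlimit' matches.

Added illustration, not kernel code. A RateLimiter without a key function
behaves like `limit' (one bucket per rule); with a key function it behaves
like `hashlimit' (one bucket per selected source/destination field, created
when that key is first seen). Names and sample packets are constructed.
"""


class TokenBucket:
    """Allows `burst' matches at once, then refills at `rate' matches/second."""

    def __init__(self, rate: float, burst: int, now: float):
        self.rate = rate
        self.burst = burst
        self.tokens = float(burst)   # a fresh bucket starts full
        self.last = now

    def take(self, now: float) -> bool:
        # Refill in proportion to the time elapsed, never beyond the burst.
        elapsed = max(0.0, now - self.last)
        self.tokens = min(float(self.burst), self.tokens + elapsed * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class RateLimiter:
    """`limit' when key_fn is None, `hashlimit' when key_fn selects fields."""

    def __init__(self, rate: float, burst: int, key_fn=None):
        self.rate, self.burst, self.key_fn = rate, burst, key_fn
        self.buckets = {}            # `limit' keeps a single entry under None

    def matches(self, pkt: dict, now: float) -> bool:
        key = self.key_fn(pkt) if self.key_fn else None
        bucket = self.buckets.get(key)
        if bucket is None:           # first packet for this key: new bucket
            bucket = self.buckets[key] = TokenBucket(self.rate, self.burst, now)
        return bucket.take(now)

    def expire(self, now: float, idle: float) -> int:
        """Drop buckets idle longer than `idle' seconds (hashlimit's table expiry
        keeps a flood of distinct sources from growing the table without bound)."""
        stale = [k for k, b in self.buckets.items() if now - b.last > idle]
        for k in stale:
            del self.buckets[k]
        return len(stale)


def count_matches(limiter: RateLimiter, arrivals) -> int:
    """Feed (time, packet) pairs through the limiter; return how many matched."""
    return sum(1 for now, pkt in arrivals if limiter.matches(pkt, now))


if __name__ == "__main__":
    # `limit' 1/second with burst 3 in front of a LOG target: a burst of ten
    # identical events produces three log lines, not ten.
    log_limit = RateLimiter(rate=1.0, burst=3)
    burst = [(0.0, {"src": "10.0.0.1", "dst": "10.0.0.9"})] * 10   # constructed
    print("limit matched", count_matches(log_limit, burst), "of 10")

    # `hashlimit' keyed by source: each source gets its own allowance.
    per_src = RateLimiter(rate=1.0, burst=3, key_fn=lambda p: p["src"])
    flood = [(0.0, {"src": "10.0.0.1"})] * 5 + [(0.0, {"src": "10.0.0.2"})] * 5
    print("hashlimit matched", count_matches(per_src, flood), "of 10")
```

The bucket-per-key table is what lets one noisy source exhaust only its own allowance, while a single `limit' bucket is exhausted for everyone; the `expire()` step models why hashlimit needs a table-expiry setting when keys are chosen by an untrusted peer.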
config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_NFACCT
	tristate '"nfacct" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_ACCT
	help
	  This option allows you to use the extended accounting through

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
	help
	  This option selects the Passive OS Fingerprinting match module,
	  which allows you to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	help
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support'
	depends on NETFILTER_ADVANCED
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  patterns in packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.
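The `tcpmss' match above reads the MSS option a SYN advertises, and the TCPMSS target described near the top of this section (the `--clamp-mss-to-pmtu' rule for SYN-and-not-RST packets) rewrites it so that the segment plus its headers fits the path MTU. Both start from the same TCP option walk, so one added illustration serves both passages. This is code written for this page, not the kernel's xt_tcpmss or xt_TCPMSS; the header builder is a constructed sample, and two things the kernel target does are deliberately absent here: it fixes up the TCP checksum after rewriting, and it inserts an MSS option when the SYN carries none.

```python
"""Reading and clamping the TCP MSS option (added illustration, not kernel code).

tcp_options() walks the option list defensively (EOL, NOP, kind/length
options, bounds checked against the data offset), tcp_mss() returns what the
`tcpmss' match examines, and clamp_mss_to_pmtu() performs the rewrite behind
"-j TCPMSS --clamp-mss-to-pmtu" on SYN packets without RST. The checksum
update and the insertion of a missing MSS option are left to the kernel.
"""
import struct

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2
TH_SYN, TH_RST = 0x02, 0x04


def tcp_options(tcp: bytes):
    """Yield (kind, offset, value) for each option in a TCP header, stopping
    at EOL or at anything malformed (bad length or running past the header)."""
    doff = (tcp[12] >> 4) * 4          # data offset: header length in bytes
    i = 20
    while i < doff:
        kind = tcp[i]
        if kind == TCPOPT_EOL:
            return
        if kind == TCPOPT_NOP:
            i += 1
            continue
        if i + 1 >= doff:              # kind byte without a length byte
            return
        length = tcp[i + 1]
        if length < 2 or i + length > doff:
            return
        yield kind, i, tcp[i + 2:i + length]
        i += length


def tcp_mss(tcp: bytes):
    """What `-m tcpmss' examines: the advertised MSS, or None without an MSS option."""
    for kind, _, value in tcp_options(tcp):
        if kind == TCPOPT_MSS and len(value) == 2:
            return struct.unpack("!H", value)[0]
    return None


def clamp_mss_to_pmtu(tcp: bytes, pmtu: int, ipv6: bool = False) -> bytes:
    """`-j TCPMSS --clamp-mss-to-pmtu': lower the MSS of a SYN (not RST) so that
    MSS plus 40 bytes (IPv4+TCP) or 60 bytes (IPv6+TCP) of headers fits the
    path MTU. Returns the header bytes, unchanged when no rewrite is needed."""
    flags = tcp[13]
    if not (flags & TH_SYN) or (flags & TH_RST):   # same selection as the rule's
        return bytes(tcp)                           # --tcp-flags SYN,RST SYN
    limit = pmtu - (60 if ipv6 else 40)
    out = bytearray(tcp)
    for kind, off, value in tcp_options(tcp):
        if kind == TCPOPT_MSS and len(value) == 2:
            if struct.unpack("!H", value)[0] > limit:
                struct.pack_into("!H", out, off + 2, limit)  # checksum not updated here
            break
    return bytes(out)


def build_tcp_header(mss: int, flags: int = TH_SYN, sport: int = 40000,
                     dport: int = 443) -> bytes:
    """Constructed 28-byte TCP header carrying MSS, NOP, NOP and SACK-permitted."""
    options = struct.pack("!BBH", TCPOPT_MSS, 4, mss) + bytes([TCPOPT_NOP, TCPOPT_NOP, 4, 2])
    doff = (20 + len(options)) // 4
    return struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4,
                       flags, 65535, 0, 0) + options


if __name__ == "__main__":
    syn = build_tcp_header(1460)
    print("advertised MSS:", tcp_mss(syn))
    print("clamped for a 1400-byte path:", tcp_mss(clamp_mss_to_pmtu(syn, 1400)))
```

The bounds checks in `tcp_options()` are the part worth copying: option parsers that trust the length byte are a classic source of out-of-bounds reads, and a header whose data offset lies beyond the bytes you have must be treated as no options at all.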
config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for

	  If you want to compile it as a module, say M here.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	help
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header

	  Details and examples are in the kernel module source.
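The u32 help text above describes an extraction pipeline (read 4 bytes, AND, shift, re-read at an offset taken from the packet, test against ranges) without showing it. What follows is an added evaluator for the u32 expression syntax, written for this page and not the kernel's xt_u32 code: tests joined by `&&`, each of the form `LOCATION[ops]=RANGES` where the ops are `&mask`, `<<n`, `>>n` and `@off` (the value extracted so far becomes an offset from the current base and 4 bytes are read again at base+off), and RANGES is a comma-separated list of `v` or `lo:hi`. The IPv4/UDP packet builder is a constructed sample; the classic `0>>22&0x3C@...` form it exercises is how u32 skips over a variable-length IP header.

```python
"""Evaluator for `u32' match expressions (added illustration, not xt_u32 itself).

Semantics modelled on the u32 help text: a 32-bit big-endian value is read at
LOCATION, the operators are applied left to right, '@' turns the current value
into a new base offset and reads again, and any read outside the packet makes
the test fail instead of matching. Sample packets below are constructed.
"""
import re
import struct

_TOKEN = re.compile(r"0x[0-9a-fA-F]+|\d+|<<|>>|[&@]")
_MASK32 = 0xFFFFFFFF


def _num(s: str) -> int:
    return int(s, 16) if s.lower().startswith("0x") else int(s)


def _read32(pkt: bytes, pos: int):
    """Big-endian 32-bit read; None when the 4 bytes are not inside the packet."""
    if pos < 0 or pos + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, pos)[0]


def _eval_location(lhs: str, pkt: bytes):
    """Run one test's extraction pipeline; None means a read fell outside the packet."""
    tokens = _TOKEN.findall(lhs)
    if not tokens or "".join(tokens) != lhs.replace(" ", "") or len(tokens) % 2 == 0:
        raise ValueError(f"bad u32 location: {lhs!r}")
    at = 0                                   # base offset, advanced only by '@'
    val = _read32(pkt, _num(tokens[0]))
    if val is None:
        return None
    for op, num in zip(tokens[1::2], tokens[2::2]):
        n = _num(num)
        if op == "&":
            val &= n
        elif op == "<<":
            val = (val << n) & _MASK32
        elif op == ">>":
            val >>= n
        else:                                # '@': value becomes an offset, re-read
            at += val
            val = _read32(pkt, at + n)
            if val is None:
                return None
    return val


def _parse_ranges(rhs: str):
    ranges = []
    for part in rhs.split(","):
        lo, _, hi = part.strip().partition(":")
        ranges.append((_num(lo), _num(hi or lo)))
    return ranges


def u32_match(expr: str, pkt: bytes) -> bool:
    """True when every '&&'-joined test yields a value inside one of its ranges."""
    for test in expr.split("&&"):
        lhs, sep, rhs = test.partition("=")
        if not sep:
            raise ValueError(f"u32 test without '=': {test!r}")
        val = _eval_location(lhs.strip(), pkt)
        if val is None or not any(lo <= val <= hi for lo, hi in _parse_ranges(rhs)):
            return False
    return True


def build_ipv4_udp(sport: int, dport: int, ip_options: bytes = b"") -> bytes:
    """Constructed IPv4 + UDP headers with no payload; ip_options must be 4-byte aligned."""
    ihl = (20 + len(ip_options)) // 4
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(ip_options) + 8,
                     0, 0, 64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + ip_options + struct.pack("!HHHH", sport, dport, 8, 0)


if __name__ == "__main__":
    plain = build_ipv4_udp(5353, 53)
    with_opts = build_ipv4_udp(5353, 53, b"\x01\x01\x01\x01")   # IHL 6: four NOP option bytes
    dns = "6&0xFF=17 && 0>>22&0x3C@0&0xFFFF=53"                   # UDP and dst port 53
    print("fixed offset 20 on 24-byte IP header:", u32_match("20&0xFFFF=53", with_opts))
    print("header-length aware:", u32_match(dns, plain), u32_match(dns, with_opts))
```

`0>>22&0x3C` is the first word of the IP header shifted so that the IHL nibble lands in bits 2..5, i.e. IHL times four, the header length in bytes; the `@0` then reads the first transport word from there. A rule that instead hard-codes offset 20 silently matches option bytes on packets with IP options, which is exactly the mis-parse the "skip over headers with lengths stored in the packet" sentence is about.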
endif # NETFILTER_XTABLES

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"