+++ /dev/null
-config NETFILTER_XT_TARGET_ACCOUNT
- tristate "ACCOUNT target support"
- depends on NETFILTER_XTABLES
- ---help---
- This module implements an ACCOUNT target
-
- The ACCOUNT target is a high performance accounting system for large
- local networks. It allows per-IP accounting in whole prefixes of IPv4
- addresses with size of up to /8 without the need to add individual
- accouting rule for each IP address.
-
- For more information go to:
- http://www.intra2net.com/de/produkte/opensource/ipt_account/
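Review bot: deleting only the Kconfig stanza leaves any build rule or source file still gated on NETFILTER_XT_TARGET_ACCOUNT pointing at a symbol that no longer exists; nothing in the visible diff removes them, so confirm the corresponding Makefile entry and module source go in the same change. The commit message should also state why the option is dropped (moved elsewhere, unmaintained, superseded), so that users relying on the per-IP accounting the help text describes know where to migrate.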
+++ /dev/null
-config NETFILTER_XT_MATCH_PKNOCK
- tristate "Port knocking match support"
- depends on NETFILTER_XTABLES && CONNECTOR
- ---help---
- pknock match implements so-called Port Knocking, a stealthy system
- for network authentication: client sends packets to selected, closed
- ports on target machine in a specific sequence. The target machine
- (which has pknock match rule set up) then decides whether to
- unblock or block (again) its protected port with listening
- service. This can be, for instance, used to avoid brute force attacks
- on ssh or ftp services.
-
- For more informations go to: http://portknocko.berlios.de/
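Review bot: this is the only stanza in the series that also depends on CONNECTOR; if the pknock match is being relocated rather than dropped, carry that dependency with it, otherwise the module will be offered on configurations where the connector it relies on is not built.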
+++ /dev/null
-config NETFILTER_XT_TARGET_CHAOS
- tristate '"CHAOS" target support'
- depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
- depends on NETFILTER_XT_TARGET_DELUDE || NETFILTER_XT_TARGET_TARPIT
- depends on CONFIG_IP_NF_TARGET_REJECT
- ---help---
- The CHAOS target is a module to report back false results to nmap
- scans by randomly switching between DELUDE/TARPIT, REJECT and DROP
- behavior.
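Review bot: the removed stanza carried a latent bug on its last dependency line: `depends on CONFIG_IP_NF_TARGET_REJECT` keeps the CONFIG_ prefix, which Kconfig does not strip, so it referenced an undefined symbol and the option could never have been satisfied. If CHAOS is reinstated anywhere, write it as `depends on IP_NF_TARGET_REJECT`. Its other dependency, NETFILTER_XT_TARGET_DELUDE || NETFILTER_XT_TARGET_TARPIT, names two symbols that are deleted later in this same patch, so removing CHAOS here is at least consistent with those removals.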
+++ /dev/null
-config NETFILTER_XT_TARGET_DELUDE
- tristate '"DELUDE" target support'
- depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
- ---help---
- The DELUDE target acknowledges connection initiations but forcibly
- closes on any other packet, therefore making the port look open.
+++ /dev/null
-config NETFILTER_XT_DHCPMAC
- tristate '"DHCPMAC" DHCP address matching and manipulation support'
- depends on NETFILTER_XTABLES
- depends on IP_NF_MANGLE || IP6_NF_MANGLE
- ---help---
- The DHCPMAC extensions allows to match and change the MAC address in
- a DHCP packet, so as to work around VMware's "inability" to use MAC
- addresses from a vendor different than VMware at boot time.
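Review bot: the symbol name NETFILTER_XT_DHCPMAC lacks the _TARGET_ or _MATCH_ infix that every other entry in this series uses; the help text says the extension both matches on and rewrites the MAC address, so if it is re-added elsewhere, either name it after the NETFILTER_XT_<KIND>_<NAME> convention or split it into a match symbol and a target symbol, so that scripts and reviewers looking for the usual pattern find it.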
+++ /dev/null
-config NETFILTER_XT_TARGET_ECHO
- tristate '"ECHO" sample target'
- depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
- ---help---
- The ECHO target provides a demonstrational implementation of an
- Xtables target implementing RFC 862 for UDP.
+++ /dev/null
-config NETFILTER_XT_TARGET_IPMARK
- tristate '"IPMARK" target support'
- depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
- depends on IP_NF_MANGLE || IP6_NF_MANGLE
- ---help---
- This option adds an "IPMARK" target, which allows you to create
- rules in the "mangle" table which alter the netfilter mark field
- basing on the source or destination ip address of the packet.
- This is very useful for very fast massive shaping -- using only one
- rule you can direct packets to houndreds different queues. You
- will probably find it helpful only if your linux machine acts as a
- shaper for many others computers.
+++ /dev/null
-config NETFILTER_XT_TARGET_LOGMARK
- tristate '"LOGMARK" target support'
- depends on NETFILTER_XTABLES
- ---help---
- This option adds a "LOGMARK" target which allows you to look at the
- netfilter marks and secmark of the packet and connection.
+++ /dev/null
-config NETFILTER_XT_TARGET_RAWNAT
- tristate '"RAWNAT" raw address translation w/o conntrack'
- depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
- depends on IP_NF_RAW || IP_NF6_RAW
- ---help---
- This option adds the RAWSNAT and RAWDNAT targets which can do Network
- Address Translation (no port translation) without requiring Netfilter
- connection tracking.
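Review bot: `depends on IP_NF_RAW || IP_NF6_RAW` looks like a typo: the IPv6 table symbols elsewhere in this diff are spelled with the IP6_NF_ prefix (IP6_NF_MANGLE in the DHCPMAC, IPMARK and TEE stanzas), and the IPv6 raw-table symbol follows the same prefix, so the line should read `depends on IP_NF_RAW || IP6_NF_RAW`. As written, an IPv6-only configuration could not select RAWNAT; worth fixing wherever this stanza lives now.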
+++ /dev/null
-config NETFILTER_XT_TARGET_SYSRQ
- tristate '"SYSRQ" target support'
- depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
- ---help---
- The SYSRQ target allows to remotely trigger sysrq on the
- local machine over the network. This can be useful when vital
- parts of the machine hang and sysrq cannot be triggered
- through, for example, the shell.
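Review bot: the help text describes letting a packet from the network trigger sysrq on the host but says nothing about how such packets are authenticated or restricted, so a user reading only this stanza would not learn that enabling it exposes a remotely reachable reboot or crash path. If the SYSRQ option is kept anywhere, the help should spell out the access-control mechanism and recommend pairing the target with a tight source-address match, and its removal here should be called out as a security-relevant change in the commit message.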
+++ /dev/null
-config NETFILTER_XT_TARGET_TARPIT
- tristate '"TARPIT" target support'
- depends on NETFILTER_XTABLES
- ---help---
- Adds a TARPIT target to iptables, which captures and holds incoming TCP
- connections using no local per-connection resources. Connections are
- accepted, but immediately switched to the persist state (0 byte
- window), in which the remote side stops sending data and asks to
- continue every 60-240 seconds. Attempts to close the connection are
- ignored, forcing the remote side to time out the connection in 12-24
- minutes.
-
- This offers similar functionality to LaBrea
- <http://www.hackbusters.net/LaBrea/>, but does not require dedicated
- hardware or IPs. Any TCP port that you would normally DROP or REJECT
- can instead become a tar pit or honeypot. All 3 modes may be used
- in iptables rules interchangably and simultaneously.
-
- A honeypot option is available which will answer connections normally
- and allow the remote to send data packets that may be captured in a
- pcap for later analysis. A reset mode is also available that will only
- send an inline reset (RST).
+++ /dev/null
-config NETFILTER_XT_TARGET_TEE
- tristate '"TEE" target support'
- depends on NETFILTER_XTABLES
- depends on NETFILTER_ADVANCED
- depends on IP_NF_MANGLE || IP6_NF_MANGLE
- ---help---
- This option adds a "TEE" target, which enables you to duplicate
- packets and route those duplicates to a different gateway.
- The target has to be used inside the mangle table.
+++ /dev/null
-config NETFILTER_XT_MATCH_CONDITION
- tristate '"condition" match support'
- depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
- ---help---
- This option allows you to match firewall rules against condition
- variables stored in the /proc/net/nf_condition directory.
+++ /dev/null
-config NETFILTER_XT_MATCH_FUZZY
- tristate '"fuzzy" match support'
- depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
- ---help---
- This extension allows you to match on packets according to a fuzzy
- logic based law.
+++ /dev/null
-config NETFILTER_XT_MATCH_GEOIP
- tristate '"geoip" match support'
- depends on NETFILTER_XTABLES
- ---help---
- This option allows you to match a packet by its source or destination
- country. Basically, you need a country's database containing all
- subnets and associated countries.
-
- For the complete procedure and understanding, read:
- http://people.netfilter.org/acidfu/geoip/howto/geoip-HOWTO.html
+++ /dev/null
-config NETFILTER_XT_MATCH_IPP2P
- tristate '"ipp2p" match support'
- depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
- ---help---
- This option makes possible to match some P2P packets
- therefore helps controlling such traffic.
+++ /dev/null
-config NETFILTER_XT_MATCH_IPV4OPTIONS
- tristate '"ipv4options" IPv4 option match support'
- depends on NETFILTER_XTABLES
- ---help---
- The ipv4options match can be used to check on the presence or absence
- of one or move IPv4 options.
+++ /dev/null
-config NETFILTER_XT_MATCH_LENGTH2
- tristate '"length2" match support'
- depends on NETFILTER_XTABLES
- ---help---
- This option adds the "length2" match which is an advanced form of
- xt_length that allows unambiguous layer-4/-5/-7 length matching. It is
- useful to detect empty packets or for aiding in packet scheduling.
+++ /dev/null
-config NETFILTER_XT_MATCH_LSCAN
- tristate '"lscan" match support'
- depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
- ---help---
- The LSCAN match allows to match on the basic types of nmap
- scans: Stealth Scan, SYN scan and connect scan. It can also match
- "grab-only" connections, i.e. where data flows in only one
- direction.
+++ /dev/null
-config NETFILTER_XT_MATCH_PSD
- tristate 'psd match support'
- depends on NETFILTER_XTABLES && NETFILTER_ADVANCED
- ---help---
- This option adds a `psd' match, which allows you to create rules in
- any iptables table wich will detect TCP and UDP port scans.
+++ /dev/null
-config NETFILTER_XT_MATCH_QUOTA2
- tristate '"quota2" match support'
- depends on NETFILTER_XTABLES
- ---help---
- This option adds the "quota2" match which is an advanced form of
- xt_quota that also allows counting upwards, and where the counter can
- be set through procfs. This allows for simple interfacing of
- accounting information. It also allows for a test mode without changing
- the quota value.