# SPDX-License-Identifier: GPL-2.0-only
menu "Core Netfilter Configuration"
	depends on INET && NETFILTER

config NETFILTER_INGRESS
	bool "Netfilter ingress support"
	default y
	select NET_INGRESS
	help
	  This allows you to classify packets from ingress using the Netfilter
	  infrastructure.

config NETFILTER_EGRESS
	bool "Netfilter egress support"
	default y
	select NET_EGRESS
	help
	  This allows you to classify packets before transmission using the
	  Netfilter infrastructure.

config NETFILTER_SKIP_EGRESS
	def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)

config NETFILTER_NETLINK
	tristate

config NETFILTER_FAMILY_BRIDGE
	bool

config NETFILTER_FAMILY_ARP
	bool

config NETFILTER_BPF_LINK
	def_bool BPF_SYSCALL

config NETFILTER_NETLINK_HOOK
	tristate "Netfilter base hook dump support"
	depends on NETFILTER_ADVANCED
	depends on NF_TABLES
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  to list the base netfilter hooks via NFNETLINK.
	  This is helpful for debugging.

config NETFILTER_NETLINK_ACCT
	tristate "Netfilter NFACCT over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NETFILTER_NETLINK_OSF
	tristate "Netfilter OSF over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for passive OS fingerprinting via NFNETLINK.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IPV6 != n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here. If unsure, say N.

config NF_LOG_SYSLOG
	tristate "Syslog packet logging"
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for packet logging via syslog.
	  It supports IPv4, IPv6, ARP and common transport protocols such
	  as TCP and UDP.
	  This is a simpler but less flexible logging method compared to
	  CONFIG_NETFILTER_NETLINK_LOG.
	  If both are enabled, the backend to use can be configured at run-time
	  by means of per-address-family sysctl tunables.

if NF_CONNTRACK
config NETFILTER_CONNCOUNT
	tristate

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default y if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system-wide
	  identity. Connection tracking zones allow multiple connections
	  to use the same identity, as long as they are contained in
	  different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_PROCFS
	bool "Supply CT list in procfs (OBSOLETE)"
	depends on PROC_FS
	help
	  This option enables the list of known conntrack entries to be
	  shown in procfs under net/netfilter/nf_conntrack. This is
	  considered obsolete in favor of using the conntrack(8) tool,
	  which uses Netlink.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMEOUT
	bool 'Connection tracking timeout'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for the connection tracking timeout
	  extension. This allows you to attach timeout policies to flows
	  via the CT target.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
	bool 'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start-time and to obtain
	  the flow-stop time (once it has been destroyed) via Connection
	  tracking events.

	  If unsure, say `N'.

config NF_CONNTRACK_LABELS
	bool "Connection tracking labels"
	help
	  This option enables support for assigning user-defined flag bits
	  to connection tracking entries. It can be used with the xtables
	  connlabel match and the nftables ct expression.

config NF_CONNTRACK_OVS
	bool

config NF_CT_PROTO_GRE
	bool

config NF_CT_PROTO_SCTP
	bool 'SCTP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	select NET_CRC32C
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If unsure, say Y.

config NF_CT_PROTO_UDPLITE
	bool 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  If unsure, say Y.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on IPV6 || IPV6=n
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_BROADCAST
	tristate

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support"
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the nf_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface.

config NF_CT_NETLINK_TIMEOUT
	tristate 'Connection tracking timeout tuning via Netlink'
	select NETFILTER_NETLINK
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK_TIMEOUT
	help
	  This option enables support for fine-grained tuning of connection
	  tracking timeouts. This allows you to attach specific timeout
	  policies to flows, instead of using the global timeout policy.

	  If unsure, say `N'.

config NF_CT_NETLINK_HELPER
	tristate 'Connection tracking helpers in user-space via Netlink'
	select NETFILTER_NETLINK
	depends on NF_CT_NETLINK
	depends on NETFILTER_NETLINK_QUEUE
	depends on NETFILTER_NETLINK_GLUE_CT
	depends on NETFILTER_ADVANCED
	help
	  This option enables the user-space connection tracking helpers
	  infrastructure.

	  If unsure, say `N'.

config NETFILTER_NETLINK_GLUE_CT
	bool "NFQUEUE and NFLOG integration with Connection Tracking"
	default n
	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
	help
	  If this option is enabled, NFQUEUE and NFLOG can include
	  Connection Tracking information together with the packet when it
	  is enqueued via NFNETLINK.

config NF_NAT
	tristate "Network Address Translation support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  The NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables, ip6tables or nft.

config NF_NAT_AMANDA
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_FTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_SIP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

config NF_NAT_TFTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_REDIRECT
	bool

config NF_NAT_MASQUERADE
	bool

config NF_NAT_OVS
	bool

config NETFILTER_SYNPROXY
	tristate

endif # NF_CONNTRACK

config NF_TABLES
	select NETFILTER_NETLINK
	select NET_CRC32C
	tristate "Netfilter nf_tables support"
	help
	  nftables is the new packet classification framework that intends to
	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
	  provides a pseudo-state machine with an extensible instruction-set
	  (also known as expressions) that the userspace 'nft' utility
	  (https://www.netfilter.org/projects/nftables) uses to build the
	  rule-set. It also comes with the generic set infrastructure that
	  allows you to construct mappings between matchings and actions
	  for performance lookups.

	  To compile it as a module, choose M here.

if NF_TABLES
config NF_TABLES_INET
	depends on IPV6
	select NF_TABLES_IPV4
	select NF_TABLES_IPV6
	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
	help
	  This option enables support for a mixed IPv4/IPv6 "inet" table.

config NF_TABLES_NETDEV
	bool "Netfilter nf_tables netdev tables support"
	help
	  This option enables support for the "netdev" table.

config NFT_NUMGEN
	tristate "Netfilter nf_tables number generator module"
	help
	  This option adds the number generator expression used to perform
	  incremental counting and random numbers bound to an upper limit.

config NFT_CT
	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables conntrack module"
	help
	  This option adds the "ct" expression that you can use to match
	  connection tracking information such as the flow state.

config NFT_EXTHDR_DCCP
	bool "Netfilter nf_tables exthdr DCCP support (DEPRECATED)"
	default n
	help
	  This option adds support for matching on DCCP extension headers.

config NFT_FLOW_OFFLOAD
	depends on NF_CONNTRACK && NF_FLOW_TABLE
	tristate "Netfilter nf_tables hardware flow offload module"
	help
	  This option adds the "flow_offload" expression that you can use to
	  choose what flows are placed into the hardware.

config NFT_CONNLIMIT
	tristate "Netfilter nf_tables connlimit module"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	help
	  This option adds the "connlimit" expression that you can use to
	  ratelimit rule matchings per connection.

config NFT_LOG
	tristate "Netfilter nf_tables log module"
	help
	  This option adds the "log" expression that you can use to log
	  packets matching some criteria.

config NFT_LIMIT
	tristate "Netfilter nf_tables limit module"
	help
	  This option adds the "limit" expression that you can use to
	  ratelimit rule matchings.

config NFT_MASQ
	depends on NF_CONNTRACK
	depends on NF_NAT
	select NF_NAT_MASQUERADE
	tristate "Netfilter nf_tables masquerade support"
	help
	  This option adds the "masquerade" expression that you can use
	  to perform NAT in the masquerade flavour.

config NFT_REDIR
	depends on NF_CONNTRACK
	depends on NF_NAT
	tristate "Netfilter nf_tables redirect support"
	select NF_NAT_REDIRECT
	help
	  This option adds the "redirect" expression that you can use
	  to perform NAT in the redirect flavour.

config NFT_NAT
	depends on NF_CONNTRACK
	select NF_NAT
	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
	tristate "Netfilter nf_tables nat module"
	help
	  This option adds the "nat" expression that you can use to perform
	  typical Network Address Translation (NAT) packet transformations.

config NFT_TUNNEL
	tristate "Netfilter nf_tables tunnel module"
	help
	  This option adds the "tunnel" expression that you can use to set
	  tunneling policies.

config NFT_QUEUE
	depends on NETFILTER_NETLINK_QUEUE
	tristate "Netfilter nf_tables queue module"
	help
	  This is required if you intend to use the userspace queueing
	  infrastructure (also known as NFQUEUE) from nftables.

config NFT_QUOTA
	tristate "Netfilter nf_tables quota module"
	help
	  This option adds the "quota" expression that you can use to
	  enforce byte quotas.

config NFT_REJECT
	default m if NETFILTER_ADVANCED=n
	tristate "Netfilter nf_tables reject support"
	depends on !NF_TABLES_INET || (IPV6!=m || m)
	help
	  This option adds the "reject" expression that you can use to
	  explicitly deny disallowed traffic and notify the sender via TCP
	  reset or ICMP informational errors.

config NFT_REJECT_INET
	depends on NF_TABLES_INET
	default NFT_REJECT
	tristate

config NFT_COMPAT
	depends on NETFILTER_XTABLES
	tristate "Netfilter x_tables over nf_tables module"
	help
	  This is required if you intend to use any of the existing
	  x_tables match/target extensions over the nf_tables
	  framework.

config NFT_HASH
	tristate "Netfilter nf_tables hash module"
	help
	  This option adds the "hash" expression that you can use to perform
	  a hash operation on registers.

config NFT_FIB
	tristate

config NFT_FIB_INET
	depends on NF_TABLES_INET
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables fib inet support"
	help
	  This option allows using the FIB expression from the inet table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

config NFT_XFRM
	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
	depends on XFRM
	help
	  This option adds an expression that you can use to extract properties
	  of a packet's security association.

config NFT_SOCKET
	tristate "Netfilter nf_tables socket match support"
	depends on IPV6 || IPV6=n
	select NF_SOCKET_IPV4
	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
	help
	  This option allows matching for the presence or absence of a
	  corresponding socket and its attributes.

config NFT_OSF
	tristate "Netfilter nf_tables passive OS fingerprint support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_OSF
	help
	  This option allows matching packets from a specific OS.

config NFT_TPROXY
	tristate "Netfilter nf_tables tproxy support"
	depends on IPV6 || IPV6=n
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
	select NF_TPROXY_IPV4
	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
	help
	  This makes transparent proxy support available in nftables.

config NFT_SYNPROXY
	tristate "Netfilter nf_tables SYNPROXY expression support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY expression allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

if NF_TABLES_NETDEV

config NF_DUP_NETDEV
	tristate "Netfilter packet duplication support"
	help
	  This option enables the generic packet duplication infrastructure
	  for Netfilter.

config NFT_DUP_NETDEV
	tristate "Netfilter nf_tables netdev packet duplication support"
	select NF_DUP_NETDEV
	help
	  This option enables packet duplication for the "netdev" family.

config NFT_FWD_NETDEV
	tristate "Netfilter nf_tables netdev packet forwarding support"
	select NF_DUP_NETDEV
	help
	  This option enables packet forwarding for the "netdev" family.

config NFT_FIB_NETDEV
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables netdev fib lookups support"
	help
	  This option allows using the FIB expression from the netdev table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

config NFT_REJECT_NETDEV
	depends on NFT_REJECT_IPV4
	depends on NFT_REJECT_IPV6
	tristate "Netfilter nf_tables netdev REJECT support"
	help
	  This option enables the REJECT support from the netdev table.
	  The return packet generation will be delegated to the IPv4
	  or IPv6 ICMP or TCP RST implementation depending on the
	  protocol of the packet.

endif # NF_TABLES_NETDEV

endif # NF_TABLES

config NF_FLOW_TABLE_INET
	tristate "Netfilter flow table mixed IPv4/IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table mixed IPv4/IPv6 support.

	  To compile it as a module, choose M here.

config NF_FLOW_TABLE
	tristate "Netfilter flow table module"
	depends on NETFILTER_INGRESS
	depends on NF_CONNTRACK
	depends on NF_TABLES
	help
	  This option adds the flow table core infrastructure.

	  To compile it as a module, choose M here.

config NF_FLOW_TABLE_PROCFS
	bool "Supply flow table statistics in procfs"
	depends on NF_FLOW_TABLE
	depends on PROC_FS
	help
	  This option enables the flow table offload statistics
	  to be shown in procfs under net/netfilter/nf_flowtable.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

config NETFILTER_XTABLES_COMPAT
	bool "Netfilter Xtables 32bit support"
	depends on COMPAT
	help
	  This option provides a translation layer to run 32bit arp,ip(6),ebtables
	  binaries on 64bit kernels.

	  If unsure, say N.

config NETFILTER_XTABLES_LEGACY
	bool "Netfilter legacy tables support"
	depends on !PREEMPT_RT
	help
	  Say Y here if you still require support for legacy tables. This is
	  required by the legacy tools (iptables-legacy) and is not needed if
	  you use iptables over nftables (iptables-nft).
	  Legacy support is not limited to IP, it also includes EBTABLES and
	  ARPTABLES.

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds the "MARK" target and "mark" match.

	  Netfilter mark matching allows you to match packets based on the
	  "nfmark" value in the packet.
	  The target allows you to create rules in the "mangle" table which alter
	  the netfilter mark (nfmark) field associated with the packet.

	  Prior to routing, the nfmark can influence the routing method and can
	  also be used by other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds the "CONNMARK" target and "connmark" match.

	  Netfilter allows you to store a mark value per connection (a.k.a.
	  ctmark), similarly to the packet mark (nfmark). Using this
	  target and match, you can set and match on this mark.

config NETFILTER_XT_SET
	tristate 'set target and match support'
	depends on IP_SET
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "SET" target and "set" match.

	  Using this target and match, you can add/delete and match
	  elements in the sets created by ipset(8).

	  To compile it as a module, choose M here. If unsure, say N.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_AUDIT
	tristate "AUDIT target support"
	depends on AUDIT
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `AUDIT' target, which can be used to create
	  audit records for packets dropped/accepted.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table to work around buggy DHCP clients in virtualized environments.

	  Some old DHCP clients drop packets because they are not aware
	  that the checksum would normally be offloaded to hardware and
	  thus should be considered valid.
	  This target can be used to fill in the checksum using iptables
	  when such packets are sent via a virtual network device.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow you to increment and set the hoplimit value of
	  the header to arbitrary values. This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_HMARK
	tristate '"HMARK" target support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "HMARK" target.

	  The target allows you to create rules in the "raw" and "mangle" tables
	  which set the skbuff mark by means of hash calculation within a given
	  range. The nfmark can influence the routing method and can also be used
	  by other subsystems to change their behaviour.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds the `IDLETIMER' target. Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added. When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example. Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds/leds-class.rst

config NETFILTER_XT_TARGET_LOG
	tristate "LOG target support"
	select NF_LOG_SYSLOG
	select NF_LOG_IPV6 if IP6_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which record the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_NAT
	tristate '"SNAT and DNAT" targets support'
	depends on NF_NAT
	help
	  This option enables the SNAT and DNAT targets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NETMAP
	tristate '"NETMAP" target support'
	depends on NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows you to log
	  packets through nfnetlink_log.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_QUEUE
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support (DEPRECATED)'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_CT

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates, similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	select NF_NAT_REDIRECT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on NF_NAT
	default m if NETFILTER_ADVANCED=n
	select NF_NAT_MASQUERADE
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on !NF_CONNTRACK || NF_CONNTRACK
	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
	select NF_DUP_IPV4
	select NF_DUP_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a "TEE" target with which a packet can be cloned and
	  the clone rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target transparent proxying support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on IP_NF_MANGLE || NFT_COMPAT
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	select NF_TPROXY_IPV4
	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT. It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy. It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.rst.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains and rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on IPV6 || IPV6=n
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	    1) Web browsers connect, then hang with no data received.
	    2) Small mail works fine, but large emails hang.
	    3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	             -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.
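What --clamp-mss-to-pmtu actually does to a SYN, as an added worked example in C (written for this page, not the kernel's xt_TCPMSS code): walk the TCP options, lower an advertised MSS that exceeds the path MTU minus the 40 bytes of IPv4 and TCP headers, never raise it, and recompute the TCP checksum so the rewritten segment is still valid. The sample SYN, its addresses and ports are constructed for the demo. The kernel additionally inserts an MSS option when a SYN carries none; this example only rewrites an existing one.

```c
/* Added example (not kernel code): the core of what the TCPMSS target's
 * --clamp-mss-to-pmtu does to an IPv4 SYN. It walks the TCP options and,
 * if the advertised MSS exceeds mtu - 40 (20-byte IPv4 + 20-byte TCP
 * header), lowers it and recomputes the TCP checksum. The kernel also
 * adds an MSS option when none is present; this example only rewrites an
 * existing one. The sample SYN below is constructed for the demo. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_TCP_OVERHEAD 40

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* Internet checksum over the IPv4 pseudo-header plus the TCP segment.
 * Over a segment whose checksum field is already correct it returns 0. */
static uint16_t tcp_csum(const uint8_t *ip, const uint8_t *tcp, size_t tcplen)
{
	uint32_t sum = 0;
	for (int i = 12; i < 20; i += 2) sum += rd16(ip + i);  /* saddr, daddr */
	sum += ip[9];                                          /* zero byte + protocol */
	sum += (uint32_t)tcplen;
	for (size_t i = 0; i + 1 < tcplen; i += 2) sum += rd16(tcp + i);
	if (tcplen & 1) sum += (uint32_t)tcp[tcplen - 1] << 8;
	while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

/* Clamp the MSS option of an IPv4 TCP SYN to mtu - 40. Returns the new
 * MSS, 0 if the packet was left untouched (not a SYN, no MSS option, or
 * MSS already small enough: the MSS is never raised), -1 if the packet
 * is malformed or the MTU leaves no room for payload. */
static int clamp_mss(uint8_t *pkt, size_t len, unsigned mtu)
{
	if (mtu <= IP_TCP_OVERHEAD) return -1;
	if (len < 20 || (pkt[0] >> 4) != 4) return -1;
	size_t ihl = (pkt[0] & 0xf) * 4;
	if (ihl < 20 || len < ihl + 20 || pkt[9] != 6) return -1;
	uint8_t *tcp = pkt + ihl;
	size_t tcplen = len - ihl;
	size_t doff = (tcp[12] >> 4) * 4;
	if (doff < 20 || doff > tcplen) return -1;
	if (!(tcp[13] & 0x02)) return 0;             /* not a SYN */

	/* Option walk: EOL and NOP are one byte, everything else carries a length. */
	for (size_t i = 20; i < doff; ) {
		uint8_t kind = tcp[i];
		if (kind == 0) break;
		if (kind == 1) { i++; continue; }
		if (i + 1 >= doff) return -1;
		uint8_t olen = tcp[i + 1];
		if (olen < 2 || i + olen > doff) return -1;
		if (kind == 2 && olen == 4) {
			unsigned mss = rd16(tcp + i + 2);
			unsigned limit = mtu - IP_TCP_OVERHEAD;
			if (mss <= limit) return 0;
			wr16(tcp + i + 2, (uint16_t)limit);
			wr16(tcp + 16, 0);                   /* zero checksum, then refill */
			wr16(tcp + 16, tcp_csum(pkt, tcp, tcplen));
			return (int)limit;
		}
		i += olen;
	}
	return 0;
}

/* Constructed sample: IPv4 SYN 10.0.0.1:40000 -> 10.0.0.2:443 with data
 * offset 6 (one 4-byte MSS option) and a valid TCP checksum. */
static size_t build_syn(uint8_t *buf, uint16_t mss)
{
	static const uint8_t ip[20]  = { 0x45, 0, 0, 44, 0, 1, 0x40, 0, 64, 6,
					 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
	static const uint8_t tcp[24] = { 0x9c, 0x40, 0x01, 0xbb, 0, 0, 0, 1,
					 0, 0, 0, 0, 0x60, 0x02, 0xff, 0xff,
					 0, 0, 0, 0, 2, 4, 0, 0 };
	memcpy(buf, ip, 20);
	memcpy(buf + 20, tcp, 24);
	wr16(buf + 20 + 22, mss);
	wr16(buf + 20 + 16, tcp_csum(buf, buf + 20, 24));
	return 44;
}

int main(void)
{
	uint8_t pkt[64];
	size_t n = build_syn(pkt, 1460);
	int r = clamp_mss(pkt, n, 1400);
	printf("MSS clamped to %d, checksum verifies: %s\n", r,
	       tcp_csum(pkt, pkt + 20, 24) == 0 ? "yes" : "no");
	return 0;
}
```

The "never raise" rule matters in practice: hosts rely on an MSS they advertised being honoured, so a clamp that increased it would reintroduce the very blackholing the rule is meant to work around. Note also that the option walk refuses a length byte of 0 or 1 and any option running past the data offset, which is the kind of malformed input a packet-mangling target must expect.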

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_BPF
	tristate '"bpf" match support'
	depends on NETFILTER_ADVANCED
	help
	  BPF matching applies a linux socket filter to each packet and
	  accepts those for which the filter returns non-zero.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CGROUP
	tristate '"control group" match support'
	depends on NETFILTER_ADVANCED
	depends on CGROUPS
	select SOCK_CGROUP_DATA
	help
	  Socket/process control group matching allows you to match locally
	  generated packets based on which net_cls control group processes
	  belong to.

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source
	  address hashing.

	  If you say Y or M here, try `iptables -m cluster --help` for
	  more information.
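To make the one-sentence description of the "bpf" match concrete, the following C program is an added example (not kernel or iptables code): it encodes a classic BPF filter for TCP to destination port 22 in the same struct layout as the kernel's sock_filter, runs it with a toy interpreter that mirrors the kernel's rule that a load beyond the packet ends the program with a return of 0, and prints it in the "N,code jt jf k,..." form that iptables -m bpf --bytecode takes. Offsets are relative to the IP header because that is where xt_bpf starts the filter (nfbpf_compile calls this DLT_RAW). The packets are constructed for the demo.

```c
/* Added example (not kernel code): a classic-BPF program of the kind
 * iptables -m bpf --bytecode accepts, a minimal interpreter for the few
 * opcodes it uses, and the "N,code jt jf k,..." formatter. xt_bpf runs
 * the filter over the packet starting at the IP header, so every offset
 * below is relative to the IP header. Sample packets are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Same layout as struct sock_filter in <linux/filter.h>. */
struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

/* Classic BPF opcode encodings (class | size | mode, as in <linux/bpf_common.h>). */
#define LD_B_ABS 0x30   /* A = pkt[k]                */
#define LD_H_ABS 0x28   /* A = ntohs(pkt[k])         */
#define LD_H_IND 0x48   /* A = ntohs(pkt[X + k])     */
#define LDX_MSH  0xb1   /* X = 4 * (pkt[k] & 0xf)    */
#define JEQ_K    0x15   /* pc += (A == k) ? jt : jf  */
#define JSET_K   0x45   /* pc += (A & k) ? jt : jf   */
#define RET_K    0x06   /* return k                  */

/* Match IPv4 TCP to destination port 22, skipping non-first fragments
 * (they carry no TCP header, so a port test on them is meaningless). */
static const struct insn ssh_filter[] = {
	{ LD_B_ABS, 0, 0, 9 },       /* A = ip->protocol */
	{ JEQ_K,    0, 6, 6 },       /* not TCP -> reject (index 8) */
	{ LD_H_ABS, 0, 0, 6 },       /* A = flags + fragment offset */
	{ JSET_K,   4, 0, 0x1fff },  /* offset != 0 -> reject */
	{ LDX_MSH,  0, 0, 0 },       /* X = IHL * 4 */
	{ LD_H_IND, 0, 0, 2 },       /* A = tcp->dest */
	{ JEQ_K,    0, 1, 22 },
	{ RET_K,    0, 0, 0xffff },  /* accept */
	{ RET_K,    0, 0, 0 },       /* reject */
};
#define SSH_FILTER_LEN (sizeof ssh_filter / sizeof ssh_filter[0])

/* Run a cBPF program over a packet; returns the RET value (0 = no match).
 * As in the kernel, a load beyond the packet terminates the program with 0. */
static uint32_t bpf_run(const struct insn *p, size_t n, const uint8_t *pkt, size_t len)
{
	uint32_t A = 0, X = 0;

	for (size_t pc = 0; pc < n; pc++) {
		const struct insn *i = &p[pc];
		uint32_t off;

		switch (i->code) {
		case LD_B_ABS:
			if (i->k >= len) return 0;
			A = pkt[i->k];
			break;
		case LD_H_ABS:
		case LD_H_IND:
			off = i->k + (i->code == LD_H_IND ? X : 0);
			if (off + 2 < off || off + 2 > len) return 0;
			A = (uint32_t)pkt[off] << 8 | pkt[off + 1];
			break;
		case LDX_MSH:
			if (i->k >= len) return 0;
			X = 4 * (pkt[i->k] & 0xf);
			break;
		case JEQ_K:  pc += (A == i->k) ? i->jt : i->jf; break;
		case JSET_K: pc += (A & i->k) ? i->jt : i->jf; break;
		case RET_K:  return i->k;
		default:     return 0;   /* opcode not handled by this toy */
		}
	}
	return 0;
}

/* Render the program as the string passed to iptables -m bpf --bytecode. */
static int bpf_format(const struct insn *p, size_t n, char *out, size_t outlen)
{
	int w = snprintf(out, outlen, "%zu", n);

	for (size_t i = 0; i < n && w >= 0 && (size_t)w < outlen; i++)
		w += snprintf(out + w, outlen - w, ",%u %u %u %u", (unsigned)p[i].code,
			      (unsigned)p[i].jt, (unsigned)p[i].jf, (unsigned)p[i].k);
	return w;
}

/* Constructed sample: 20-byte IPv4 header (proto TCP) plus the first four
 * bytes of a TCP header, source port 40000 and the given destination port. */
static size_t build_pkt(uint8_t *buf, uint16_t dport, uint16_t frag_off)
{
	static const uint8_t hdr[20] = { 0x45, 0, 0, 40, 0x12, 0x34, 0, 0, 64, 6,
					 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
	memcpy(buf, hdr, 20);
	buf[6] = frag_off >> 8; buf[7] = frag_off & 0xff;
	buf[20] = 0x9c; buf[21] = 0x40;
	buf[22] = dport >> 8; buf[23] = dport & 0xff;
	return 24;
}

static int matches_ssh(uint16_t dport, uint16_t frag_off)
{
	uint8_t pkt[24];
	size_t len = build_pkt(pkt, dport, frag_off);
	return bpf_run(ssh_filter, SSH_FILTER_LEN, pkt, len) != 0;
}

int main(void)
{
	char bc[256];
	bpf_format(ssh_filter, SSH_FILTER_LEN, bc, sizeof bc);
	printf("--bytecode \"%s\"\n", bc);
	printf("dport 22: %d, dport 80: %d, fragment: %d\n",
	       matches_ssh(22, 0), matches_ssh(80, 0), matches_ssh(22, 1));
	return 0;
}
```

The fragment check is the part most hand-written filters forget: without it, a second fragment whose first two bytes after the IP header happen to look like port 22 would match, and a first fragment that is too short for the port field simply fails the load and is rejected, which is the behaviour the interpreter's bounds checks reproduce.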

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLABEL
	tristate '"connlabel" match support'
	select NF_CONNTRACK_LABELS
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This match allows you to test and assign userspace-defined label
	  names to a connection. The kernel only stores bit values - mapping
	  names to bits is done by userspace.

	  Unlike connmark, more than 32 flag bits may be assigned to a
	  connection simultaneously.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	help
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support (DEPRECATED)'
	depends on NETFILTER_ADVANCED
	default n
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DEVGROUP
	tristate '"devgroup" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `devgroup' match, which allows you to match on the
	  device group a network device is assigned to.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an "ECN" match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, e.g. nf_conntrack_ftp.

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	help
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPCOMP
	tristate '"ipcomp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of 16-bit CPIs
	  inside the IPComp header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_L2TP
	tristate '"l2tp" match support'
	depends on NETFILTER_ADVANCED
	default L2TP
	help
	  This option adds an "L2TP" match, which allows you to match against
	  L2TP protocol header fields.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", above) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_NFACCT
	tristate '"nfacct" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_ACCT
	help
	  This option allows you to use the extended accounting through
	  nfnetlink_acct.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_OSF
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	help
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	  Typical usage:
	    iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	select NF_SOCKET_IPV4
	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to search for
	  a byte pattern inside packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	help
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"
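An evaluator with the semantics the u32 help text describes, as an added C example (not the kernel's xt_u32 code): each clause loads four big-endian bytes at an offset, applies &, <<, >> and @ (add the current value to the base offset and load again) in the order written, then checks the result against a list of inclusive ranges; a load that would run past the end of the packet fails the clause and therefore the rule. The expression it evaluates, "6&0xFF=6 && 0>>22&0x3C@0&0xFFFF=0:1023 && 0>>22&0x3C@12>>16&0x3F=2", selects TCP SYNs (SYN set, ACK clear) to a privileged port; the "0>>22&0x3C@" prefix is the idiom that computes IHL*4 and rebases on it, which is how u32 skips an IPv4 header of whatever length. The sample packet, which deliberately carries IP options, is constructed for the demo.

```c
/* Added example (not kernel code): an evaluator with the semantics of the
 * u32 match, enough to run the expression
 *   "6&0xFF=6 && 0>>22&0x3C@0&0xFFFF=0:1023 && 0>>22&0x3C@12>>16&0x3F=2"
 * (TCP, destination port below 1024, SYN without ACK). A load that would
 * run past the end of the packet fails the clause, as in the kernel. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum u32_op { U32_AND, U32_SHL, U32_SHR, U32_AT };
struct u32_loc   { enum u32_op op; uint32_t number; };
struct u32_range { uint32_t min, max; };
struct u32_test {
	uint32_t start;                    /* offset of the first 4-byte load */
	const struct u32_loc *locs;   size_t nlocs;
	const struct u32_range *ranges; size_t nranges;
};

static uint32_t rd32(const uint8_t *p)
{
	return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* One "a&b>>c@d=lo:hi" clause; 0 if it does not match or runs off the end. */
static int u32_eval(const struct u32_test *t, const uint8_t *pkt, size_t len)
{
	uint32_t at = 0, pos = t->start, val;

	if (len < 4 || pos > len - 4) return 0;
	val = rd32(pkt + pos);
	for (size_t i = 0; i < t->nlocs; i++) {
		uint32_t n = t->locs[i].number;
		switch (t->locs[i].op) {
		case U32_AND: val &= n; break;
		case U32_SHL: if (n > 31) return 0; val <<= n; break;   /* iptables rejects >31 */
		case U32_SHR: if (n > 31) return 0; val >>= n; break;
		case U32_AT:
			if (at + val < at) return 0;                      /* offset overflow */
			at += val;
			pos = n;
			if (at + 4 < at || len < at + 4 || pos > len - at - 4) return 0;
			val = rd32(pkt + at + pos);
			break;
		}
	}
	for (size_t i = 0; i < t->nranges; i++)
		if (val >= t->ranges[i].min && val <= t->ranges[i].max) return 1;
	return 0;
}

/* All clauses joined by "&&" must hold. */
static int u32_match(const struct u32_test *tests, size_t n, const uint8_t *pkt, size_t len)
{
	for (size_t i = 0; i < n; i++)
		if (!u32_eval(&tests[i], pkt, len)) return 0;
	return 1;
}

/* The three clauses of the expression above. */
static const struct u32_loc   proto_ops[] = { { U32_AND, 0xFF } };
static const struct u32_range proto_rng[] = { { 6, 6 } };
static const struct u32_loc   dport_ops[] = { { U32_SHR, 22 }, { U32_AND, 0x3C },
					      { U32_AT, 0 }, { U32_AND, 0xFFFF } };
static const struct u32_range dport_rng[] = { { 0, 1023 } };
static const struct u32_loc   flags_ops[] = { { U32_SHR, 22 }, { U32_AND, 0x3C },
					      { U32_AT, 12 }, { U32_SHR, 16 }, { U32_AND, 0x3F } };
static const struct u32_range flags_rng[] = { { 2, 2 } };

static const struct u32_test syn_to_priv_port[] = {
	{ 6, proto_ops, 1, proto_rng, 1 },
	{ 0, dport_ops, 4, dport_rng, 1 },
	{ 0, flags_ops, 5, flags_rng, 1 },
};
#define NTESTS (sizeof syn_to_priv_port / sizeof syn_to_priv_port[0])

/* Constructed sample: IPv4 header with 4 bytes of options (IHL = 6, so the
 * TCP header starts at offset 24) carrying a SYN from 10.0.0.1:40000 to
 * 10.0.0.2:22. The "@" step is what lands the port test on the right bytes. */
static const uint8_t sample_syn[44] = {
	0x46, 0x00, 0x00, 0x2c, 0x00, 0x01, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
	10, 0, 0, 1, 10, 0, 0, 2,
	0x01, 0x01, 0x01, 0x00,               /* NOP NOP NOP EOL */
	0x9c, 0x40, 0x00, 0x16, 0, 0, 0, 1,   /* ports, seq */
	0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff,   /* ack, doff 5, SYN, window */
	0, 0, 0, 0 };

int main(void)
{
	printf("SYN to port 22 behind IP options: %s\n",
	       u32_match(syn_to_priv_port, NTESTS, sample_syn, sizeof sample_syn) ? "match" : "no match");
	return 0;
}
```

A rule written as "6&0xFF=6 && 22&0xFFFF=0:1023" would test the bytes at fixed offset 22 and silently miss this packet, because its IP options push the TCP header to offset 24; the "@" rebase is the difference between matching the protocol and matching a byte position, and the bounds rule means a truncated packet is simply not matched rather than read past.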