xref: /linux/net/netfilter/Kconfig (revision 805185b7c7a1069e407b6f7b3bc98e44d415f484)
1# SPDX-License-Identifier: GPL-2.0-only
2menu "Core Netfilter Configuration"
3	depends on INET && NETFILTER
4
5config NETFILTER_INGRESS
6	bool "Netfilter ingress support"
7	default y
8	select NET_INGRESS
9	help
10	  This allows you to classify packets from ingress using the Netfilter
11	  infrastructure.
12
13config NETFILTER_EGRESS
14	bool "Netfilter egress support"
15	default y
16	select NET_EGRESS
17	help
18	  This allows you to classify packets before transmission using the
19	  Netfilter infrastructure.
20
21config NETFILTER_SKIP_EGRESS
22	def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)
23
24config NETFILTER_NETLINK
25	bool
26
27config NETFILTER_FAMILY_BRIDGE
28	bool
29
30config NETFILTER_FAMILY_ARP
31	bool
32
33config NETFILTER_BPF_LINK
34	def_bool BPF_SYSCALL
35
36config NETFILTER_NETLINK_HOOK
37	tristate "Netfilter base hook dump support"
38	depends on NETFILTER_ADVANCED
39	depends on NF_TABLES
40	select NETFILTER_NETLINK
41	help
42	  If this option is enabled, the kernel will include support
43	  to list the base netfilter hooks via NFNETLINK.
44	  This is helpful for debugging.
45
46config NETFILTER_NETLINK_ACCT
47	tristate "Netfilter NFACCT over NFNETLINK interface"
48	depends on NETFILTER_ADVANCED
49	select NETFILTER_NETLINK
50	help
51	  If this option is enabled, the kernel will include support
52	  for extended accounting via NFNETLINK.
53
54config NETFILTER_NETLINK_QUEUE
55	tristate "Netfilter NFQUEUE over NFNETLINK interface"
56	depends on NETFILTER_ADVANCED
57	select NETFILTER_NETLINK
58	help
59	  If this option is enabled, the kernel will include support for
60	  queueing packets to userspace via NFNETLINK.  By default, a packet is
61	  dropped if no program has bound its queue or the queue is full.
62config NETFILTER_NETLINK_LOG
63	tristate "Netfilter LOG over NFNETLINK interface"
64	default m if NETFILTER_ADVANCED=n
65	select NETFILTER_NETLINK
66	help
67	  If this option is enabled, the kernel will include support
68	  for logging packets via NFNETLINK.
69
70	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms.
71	  The older syslog-based logging backend remains available
72	  separately as CONFIG_NF_LOG_SYSLOG (see below).
73
74config NETFILTER_NETLINK_OSF
75	tristate "Netfilter OSF over NFNETLINK interface"
76	depends on NETFILTER_ADVANCED
77	select NETFILTER_NETLINK
78	help
79	  If this option is enabled, the kernel will include support
80	  for passive OS fingerprint via NFNETLINK.
81
82config NF_CONNTRACK
83	tristate "Netfilter connection tracking support"
84	default m if NETFILTER_ADVANCED=n
85	select NF_DEFRAG_IPV4
86	select NF_DEFRAG_IPV6 if IPV6 != n
87	help
88	  Connection tracking keeps a record of what packets have passed
89	  through your machine, in order to work out which connection (flow)
90	  each packet belongs to.
91
92	  This is required to do Masquerading or other kinds of Network
93	  Address Translation.  It can also be used to enhance packet
94	  filtering (see `Connection state match support' below).
95
96	  To compile it as a module, choose M here.  If unsure, say N.
97
98config NF_LOG_SYSLOG
99	tristate "Syslog packet logging"
100	default m if NETFILTER_ADVANCED=n
101	help
102	  This option enables support for packet logging via syslog.
103	  It supports IPv4, IPV6, ARP and common transport protocols such
104	  as TCP and UDP.
105	  This is a simpler but less flexible logging method compared to
106	  CONFIG_NETFILTER_NETLINK_LOG.
107	  If both are enabled the backend to use can be configured at run-time
108	  by means of per-address-family sysctl tunables.
109
110if NF_CONNTRACK
111config NETFILTER_CONNCOUNT
112	tristate
113
114config NF_CONNTRACK_MARK
115	bool  'Connection mark tracking support'
116	depends on NETFILTER_ADVANCED
117	help
118	  This option enables support for connection marks, used by the
119	  `CONNMARK' target and `connmark' match. Similar to the mark value
120	  of packets, but this mark value is kept in the conntrack session
121	  instead of the individual packets.
122
123config NF_CONNTRACK_SECMARK
124	bool  'Connection tracking security mark support'
125	depends on NETWORK_SECMARK
126	default y if NETFILTER_ADVANCED=n
127	help
128	  This option enables security markings to be applied to
129	  connections.  Typically they are copied to connections from
130	  packets using the CONNSECMARK target and copied back from
131	  connections to packets with the same target, with the packets
132	  being originally labeled via SECMARK.
133
134	  If unsure, say 'N'.
135
136config NF_CONNTRACK_ZONES
137	bool  'Connection tracking zones'
138	depends on NETFILTER_ADVANCED
139	help
140	  This option enables support for connection tracking zones.
141	  Normally, each connection needs to have a unique system wide
142	  identity. Connection tracking zones allow multiple connections to
143	  share the same identity, as long as they are contained in
144	  different zones.
145
146	  If unsure, say `N'.
147
148config NF_CONNTRACK_PROCFS
149	bool "Supply CT list in procfs (OBSOLETE)"
150	depends on PROC_FS
151	help
152	  This option enables the list of known conntrack entries to be
153	  shown in procfs under net/netfilter/nf_conntrack. This is
154	  considered obsolete in favor of the conntrack(8) tool, which
155	  uses Netlink.
156
157config NF_CONNTRACK_EVENTS
158	bool "Connection tracking events"
159	depends on NETFILTER_ADVANCED
160	help
161	  If this option is enabled, the connection tracking code will
162	  provide a notifier chain that can be used by other kernel code
163	  to get notified about changes in the connection tracking state.
164
165	  If unsure, say `N'.
166
167config NF_CONNTRACK_TIMEOUT
168	bool  'Connection tracking timeout'
169	depends on NETFILTER_ADVANCED
170	help
171	  This option enables support for connection tracking timeout
172	  extension. This allows you to attach timeout policies to flows
173	  via the CT target.
174
175	  If unsure, say `N'.
176
177config NF_CONNTRACK_TIMESTAMP
178	bool  'Connection tracking timestamping'
179	depends on NETFILTER_ADVANCED
180	help
181	  This option enables support for connection tracking timestamping.
182	  This allows you to store the flow start-time and to obtain
183	  the flow-stop time (once it has been destroyed) via Connection
184	  tracking events.
185
186	  If unsure, say `N'.
187
188config NF_CONNTRACK_LABELS
189	bool "Connection tracking labels"
190	help
191	  This option enables support for assigning user-defined flag bits
192	  to connection tracking entries.  It can be used with xtables connlabel
193	  match and the nftables ct expression.
194
195config NF_CONNTRACK_OVS
196	bool
197
198config NF_CT_PROTO_GRE
199	bool
200
201config NF_CT_PROTO_SCTP
202	bool 'SCTP protocol connection tracking support'
203	depends on NETFILTER_ADVANCED
204	default y
205	select NET_CRC32C
206	help
207	  With this option enabled, the layer 3 independent connection
208	  tracking code will be able to do state tracking on SCTP connections.
209
210	  If unsure, say Y.
211
212config NF_CONNTRACK_AMANDA
213	tristate "Amanda backup protocol support"
214	depends on NETFILTER_ADVANCED
215	select TEXTSEARCH
216	select TEXTSEARCH_KMP
217	help
218	  If you are running the Amanda backup package <http://www.amanda.org/>
219	  on this machine or machines that will be MASQUERADED through this
220	  machine, then you may want to enable this feature.  This allows the
221	  connection tracking and natting code to allow the sub-channels that
222	  Amanda requires for communication of the backup data, messages and
223	  index.
224
225	  To compile it as a module, choose M here.  If unsure, say N.
226
227config NF_CONNTRACK_FTP
228	tristate "FTP protocol support"
229	default m if NETFILTER_ADVANCED=n
230	help
231	  Tracking FTP connections is problematic: special helpers are
232	  required for tracking them, and doing masquerading and other forms
233	  of Network Address Translation on them.  This is FTP support on
234	  Layer 3 independent connection tracking.  The helper parses untrusted
235	  control-channel data to open pinholes; assign it to FTP flows only.
236	
237	  To compile it as a module, choose M here.  If unsure, say N.
238
239config NF_CONNTRACK_H323
240	tristate "H.323 protocol support"
241	depends on NETFILTER_ADVANCED
242	help
243	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
244	  important VoIP protocols, it is widely used by voice hardware and
245	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
246	  Gnomemeeting, etc.
247
248	  With this module you can support H.323 on a connection tracking/NAT
249	  firewall.
250
251	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
252	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
253	  whiteboard, file transfer, etc. For more information, please
254	  visit http://nath323.sourceforge.net/.
255
256	  To compile it as a module, choose M here.  If unsure, say N.
257
258config NF_CONNTRACK_IRC
259	tristate "IRC DCC protocol support (obsolete)"
260	help
261	  There is a commonly-used extension to IRC called
262	  Direct Client-to-Client Protocol (DCC).  This enables users to send
263	  files to each other, and also chat to each other without the need
264	  of a server.  DCC Sending is used anywhere you send files over IRC,
265	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
266	  using NAT, this extension will enable you to send files and initiate
267	  chats.  Note that you do NOT need this extension to get files or
268	  have others initiate chats, or everything else in IRC.
269	  DCC tracking behind NAT requires plaintext (unencrypted) IRC, so
270	  this helper is of limited use these days.
271
272	  To compile it as a module, choose M here.  If unsure, say N.
273
274config NF_CONNTRACK_BROADCAST
275	tristate
276
277config NF_CONNTRACK_NETBIOS_NS
278	tristate "NetBIOS name service protocol support"
279	select NF_CONNTRACK_BROADCAST
280	help
281	  NetBIOS name service requests are sent as broadcast messages from an
282	  unprivileged port and responded to with unicast messages to the
283	  same port. This makes them hard to firewall properly because connection
284	  tracking doesn't deal with broadcasts. This helper tracks locally
285	  originating NetBIOS name service requests and the corresponding
286	  responses. It relies on correct IP address configuration, specifically
287	  netmask and broadcast address. When properly configured, the output
288	  of "ip address show" should look similar to this:
289
290	  $ ip -4 address show eth0
291	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
292	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
293
294	  To compile it as a module, choose M here.  If unsure, say N.
295
296config NF_CONNTRACK_SNMP
297	tristate "SNMP service protocol support"
298	depends on NETFILTER_ADVANCED
299	select NF_CONNTRACK_BROADCAST
300	help
301	  SNMP service requests are sent as broadcast messages from an
302	  unprivileged port and responded to with unicast messages to the
303	  same port. This makes them hard to firewall properly because connection
304	  tracking doesn't deal with broadcasts. This helper tracks locally
305	  originating SNMP service requests and the corresponding
306	  responses. It relies on correct IP address configuration, specifically
307	  netmask and broadcast address.
308
309	  To compile it as a module, choose M here.  If unsure, say N.
310
311config NF_CONNTRACK_PPTP
312	tristate "PPtP protocol support (deprecated)"
313	depends on NETFILTER_ADVANCED
314	select NF_CT_PROTO_GRE
315	help
316	  This module adds support for PPTP (Point to Point Tunnelling
317	  Protocol, RFC2637) connection tracking and NAT.
318
319	  If you are still running PPTP sessions over a stateful firewall or NAT
320	  box, you may want to enable this feature.
321
322	  Please note that not all PPTP modes of operation are supported.
323	  Specifically these limitations exist:
324	    - Blindly assumes that control connections are always established
325	      in PNS->PAC direction. This is a violation of RFC2637.
326	    - Only supports a single call within each session
327
328	  To compile it as a module, choose M here.  If unsure, say N.
329
330config NF_CONNTRACK_SANE
331	tristate "SANE protocol support"
332	depends on NETFILTER_ADVANCED
333	help
334	  SANE is a protocol for remote access to scanners as implemented
335	  by the 'saned' daemon. Like FTP, it uses separate control and
336	  data connections.
337
338	  With this module you can support SANE on a connection tracking
339	  firewall.
340
341	  To compile it as a module, choose M here.  If unsure, say N.
342
343config NF_CONNTRACK_SIP
344	tristate "SIP protocol support"
345	default m if NETFILTER_ADVANCED=n
346	help
347	  SIP is an application-layer control protocol that can establish,
348	  modify, and terminate multimedia sessions (conferences) such as
349	  Internet telephony calls. With the nf_conntrack_sip and
350	  the nf_nat_sip modules you can support the protocol on a connection
351	  tracking/NATing firewall.
352
353	  To compile it as a module, choose M here.  If unsure, say N.
354
355config NF_CONNTRACK_TFTP
356	tristate "TFTP protocol support"
357	depends on NETFILTER_ADVANCED
358	help
359	  TFTP connection tracking helper, this is required depending
360	  on how restrictive your ruleset is.
361	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
362	  you will need this.
363
364	  To compile it as a module, choose M here.  If unsure, say N.
365
366config NF_CT_NETLINK
367	tristate 'Connection tracking netlink interface'
368	select NETFILTER_NETLINK
369	default m if NETFILTER_ADVANCED=n
370	help
371	  This option enables the netlink-based userspace interface to the conntrack table (used by conntrack(8)).
372
373config NF_CT_NETLINK_TIMEOUT
374	tristate  'Connection tracking timeout tuning via Netlink'
375	select NETFILTER_NETLINK
376	depends on NETFILTER_ADVANCED
377	depends on NF_CONNTRACK_TIMEOUT
378	help
379	  This option enables support for connection tracking timeout
380	  fine-grain tuning. This allows you to attach specific timeout
381	  policies to flows, instead of using the global timeout policy.
382
383	  If unsure, say `N'.
384
385config NF_CT_NETLINK_HELPER
386	tristate 'Connection tracking helpers in user-space via Netlink'
387	select NETFILTER_NETLINK
388	depends on NF_CT_NETLINK
389	depends on NETFILTER_NETLINK_QUEUE
390	depends on NETFILTER_NETLINK_GLUE_CT
391	depends on NETFILTER_ADVANCED
392	help
393	  This option enables the user-space connection tracking helpers
394	  infrastructure.
395
396	  If unsure, say `N'.
397
398config NETFILTER_NETLINK_GLUE_CT
399	bool "NFQUEUE and NFLOG integration with Connection Tracking"
400	default n
401	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
402	help
403	  If this option is enabled, NFQUEUE and NFLOG can include
404	  Connection Tracking information together with the packet that
405	  is enqueued via NFNETLINK.
406
407config NF_NAT
408	tristate "Network Address Translation support"
409	depends on NF_CONNTRACK
410	default m if NETFILTER_ADVANCED=n
411	help
412	  The NAT option allows masquerading, port forwarding and other
413	  forms of full Network Address Port Translation. This can be
414	  controlled by iptables, ip6tables or nft.
415
416config NF_NAT_AMANDA
417	tristate
418	depends on NF_CONNTRACK && NF_NAT
419	default NF_NAT && NF_CONNTRACK_AMANDA
420
421config NF_NAT_FTP
422	tristate
423	depends on NF_CONNTRACK && NF_NAT
424	default NF_NAT && NF_CONNTRACK_FTP
425
426config NF_NAT_IRC
427	tristate
428	depends on NF_CONNTRACK && NF_NAT
429	default NF_NAT && NF_CONNTRACK_IRC
430
431config NF_NAT_SIP
432	tristate
433	depends on NF_CONNTRACK && NF_NAT
434	default NF_NAT && NF_CONNTRACK_SIP
435
436config NF_NAT_TFTP
437	tristate
438	depends on NF_CONNTRACK && NF_NAT
439	default NF_NAT && NF_CONNTRACK_TFTP
440
441config NF_NAT_REDIRECT
442	bool
443
444config NF_NAT_MASQUERADE
445	bool
446
447config NF_NAT_OVS
448	bool
449
450config NETFILTER_SYNPROXY
451	tristate
452
453endif # NF_CONNTRACK
454
455config NF_TABLES
456	select NETFILTER_NETLINK
457	select NET_CRC32C
458	tristate "Netfilter nf_tables support"
459	help
460	  nftables is the packet classification framework that replaces the
461	  existing {ip,ip6,arp,eb}_tables infrastructure. It
462	  provides a pseudo-state machine with an extensible instruction-set
463	  (also known as expressions) that the userspace 'nft' utility
464	  (https://www.netfilter.org/projects/nftables) uses to build the
465	  rule-set. It also comes with the generic set infrastructure that
466	  allows you to construct mappings between matchings and actions
467	  for performance lookups.
468
469	  To compile it as a module, choose M here.
470
471if NF_TABLES
472config NF_TABLES_INET
473	depends on IPV6
474	select NF_TABLES_IPV4
475	select NF_TABLES_IPV6
476	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
477	help
478	  This option enables support for a mixed IPv4/IPv6 "inet" table.
479
480config NF_TABLES_NETDEV
481	bool "Netfilter nf_tables netdev tables support"
482	help
483	  This option enables support for the "netdev" table.
484
485config NFT_NUMGEN
486	tristate "Netfilter nf_tables number generator module"
487	help
488	  This option adds the number generator expression used to perform
489	  incremental counting and random numbers bound to an upper limit.
490
491config NFT_CT
492	depends on NF_CONNTRACK
493	tristate "Netfilter nf_tables conntrack module"
494	help
495	  This option adds the "ct" expression that you can use to match
496	  connection tracking information such as the flow state.
497
498config NFT_EXTHDR_DCCP
499	bool "Netfilter nf_tables exthdr DCCP support (DEPRECATED)"
500	default n
501	help
502	  This option adds support for matching on DCCP extension headers.
503
504config NFT_FLOW_OFFLOAD
505	depends on NF_CONNTRACK && NF_FLOW_TABLE
506	tristate "Netfilter nf_tables hardware flow offload module"
507	help
508	  This option adds the "flow_offload" expression that you can use to
509	  choose what flows are placed into the hardware.
510
511config NFT_CONNLIMIT
512	tristate "Netfilter nf_tables connlimit module"
513	depends on NF_CONNTRACK
514	depends on NETFILTER_ADVANCED
515	select NETFILTER_CONNCOUNT
516	help
517	  This option adds the "connlimit" expression that you can use to
518	  ratelimit rule matchings per connection.
519
520config NFT_LOG
521	tristate "Netfilter nf_tables log module"
522	help
523	  This option adds the "log" expression that you can use to log
524	  packets matching some criteria.
525
526config NFT_LIMIT
527	tristate "Netfilter nf_tables limit module"
528	help
529	  This option adds the "limit" expression that you can use to
530	  ratelimit rule matchings.
531
532config NFT_MASQ
533	depends on NF_CONNTRACK
534	depends on NF_NAT
535	select NF_NAT_MASQUERADE
536	tristate "Netfilter nf_tables masquerade support"
537	help
538	  This option adds the "masquerade" expression that you can use
539	  to perform NAT in the masquerade flavour.
540
541config NFT_REDIR
542	depends on NF_CONNTRACK
543	depends on NF_NAT
544	tristate "Netfilter nf_tables redirect support"
545	select NF_NAT_REDIRECT
546	help
547	  This option adds the "redirect" expression that you can use
548	  to perform NAT in the redirect flavour.
549
550config NFT_NAT
551	depends on NF_CONNTRACK
552	select NF_NAT
553	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
554	tristate "Netfilter nf_tables nat module"
555	help
556	  This option adds the "nat" expression that you can use to perform
557	  typical Network Address Translation (NAT) packet transformations.
558
559config NFT_TUNNEL
560	tristate "Netfilter nf_tables tunnel module"
561	help
562	  This option adds the "tunnel" expression that you can use to set
563	  tunneling policies.
564
565config NFT_QUEUE
566	depends on NETFILTER_NETLINK_QUEUE
567	tristate "Netfilter nf_tables queue module"
568	help
569	  This is required if you intend to use the userspace queueing
570	  infrastructure (also known as NFQUEUE) from nftables.
571
572config NFT_QUOTA
573	tristate "Netfilter nf_tables quota module"
574	help
575	  This option adds the "quota" expression that you can use to
576	  enforce byte quotas.
577
578config NFT_REJECT
579	default m if NETFILTER_ADVANCED=n
580	tristate "Netfilter nf_tables reject support"
581	help
582	  This option adds the "reject" expression that you can use to
583	  explicitly deny disallowed traffic and notify the sender via a
584	  TCP reset or an ICMP error message.
585
586config NFT_REJECT_INET
587	depends on NF_TABLES_INET
588	default NFT_REJECT
589	tristate
590
591config NFT_COMPAT
592	depends on NETFILTER_XTABLES
593	tristate "Netfilter x_tables over nf_tables module"
594	help
595	  This is required if you intend to use any of existing
596	  x_tables match/target extensions over the nf_tables
597	  framework.
598
599config NFT_HASH
600	tristate "Netfilter nf_tables hash module"
601	help
602	  This option adds the "hash" expression that you can use to perform
603	  a hash operation on registers.
604
605config NFT_FIB
606	tristate
607
608config NFT_FIB_INET
609	depends on NF_TABLES_INET
610	depends on NFT_FIB_IPV4
611	depends on NFT_FIB_IPV6
612	tristate "Netfilter nf_tables fib inet support"
613	help
614	  This option allows using the FIB expression from the inet table.
615	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
616	  on the protocol of the packet.
617
618config NFT_XFRM
619	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
620	depends on XFRM
621	help
622	  This option adds an expression that you can use to extract properties
623	  of a packets security association.
624
625config NFT_SOCKET
626	tristate "Netfilter nf_tables socket match support"
627	select NF_SOCKET_IPV4
628	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
629	help
630	  This option allows matching for the presence or absence of a
631	  corresponding socket and its attributes.
632
633config NFT_OSF
634	tristate "Netfilter nf_tables passive OS fingerprint support"
635	depends on NETFILTER_ADVANCED
636	select NETFILTER_NETLINK_OSF
637	help
638	  This option allows matching packets from a specific OS.
639
640config NFT_TPROXY
641	tristate "Netfilter nf_tables tproxy support"
642	select NF_DEFRAG_IPV4
643	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
644	select NF_TPROXY_IPV4
645	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
646	help
647	  This makes transparent proxy support available in nftables.
648
649config NFT_SYNPROXY
650	tristate "Netfilter nf_tables SYNPROXY expression support"
651	depends on NF_CONNTRACK && NETFILTER_ADVANCED
652	select NETFILTER_SYNPROXY
653	select SYN_COOKIES
654	help
655	  The SYNPROXY expression allows you to intercept TCP connections and
656	  establish them using syncookies before they are passed on to the
657	  server. This avoids conntrack and server resource usage during
658	  SYN-flood attacks.
659
660if NF_TABLES_NETDEV
661
662config NF_DUP_NETDEV
663	tristate "Netfilter packet duplication support"
664	help
665	  This option enables the generic packet duplication infrastructure
666	  for Netfilter.
667
668config NFT_DUP_NETDEV
669	tristate "Netfilter nf_tables netdev packet duplication support"
670	select NF_DUP_NETDEV
671	help
672	  This option enables packet duplication for the "netdev" family.
673
674config NFT_FWD_NETDEV
675	tristate "Netfilter nf_tables netdev packet forwarding support"
676	select NF_DUP_NETDEV
677	help
678	  This option enables packet forwarding for the "netdev" family.
679
680config NFT_FIB_NETDEV
681	depends on NFT_FIB_IPV4
682	depends on NFT_FIB_IPV6
683	tristate "Netfilter nf_tables netdev fib lookups support"
684	help
685	  This option allows using the FIB expression from the netdev table.
686	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
687	  on the protocol of the packet.
688
689config NFT_REJECT_NETDEV
690	depends on NFT_REJECT_IPV4
691	depends on NFT_REJECT_IPV6
692	tristate "Netfilter nf_tables netdev REJECT support"
693	help
694	  This option enables the REJECT support from the netdev table.
695	  The return packet generation will be delegated to the IPv4
696	  or IPv6 ICMP or TCP RST implementation depending on the
697	  protocol of the packet.
698
699endif # NF_TABLES_NETDEV
700
701endif # NF_TABLES
702
703config NF_FLOW_TABLE_INET
704	tristate "Netfilter flow table mixed IPv4/IPv6 module"
705	depends on NF_FLOW_TABLE
706	help
707	  This option adds the flow table mixed IPv4/IPv6 support.
708
709	  To compile it as a module, choose M here.
710
711config NF_FLOW_TABLE
712	tristate "Netfilter flow table module"
713	depends on NETFILTER_INGRESS
714	depends on NF_CONNTRACK
715	depends on NF_TABLES
716	help
717	  This option adds the flow table core infrastructure.
718
719	  To compile it as a module, choose M here.
720
721config NF_FLOW_TABLE_PROCFS
722	bool "Supply flow table statistics in procfs"
723	depends on NF_FLOW_TABLE
724	depends on PROC_FS
725	help
726	  This option enables for the flow table offload statistics
727	  to be shown in procfs under net/netfilter/nf_flowtable.
728
729config NETFILTER_XTABLES
730	tristate "Netfilter Xtables support (required for ip_tables)"
731	default m if NETFILTER_ADVANCED=n
732	help
733	  This is required if you intend to use any of ip_tables,
734	  ip6_tables or arp_tables.
735
736if NETFILTER_XTABLES
737
738config NETFILTER_XTABLES_COMPAT
739	bool "Netfilter Xtables 32bit support"
740	depends on COMPAT
741	help
742	  This option provides a translation layer to run 32bit arp, ip(6) and
743	  ebtables binaries on 64bit kernels.
744	
745	  If unsure, say N.
746
747config NETFILTER_XTABLES_LEGACY
748	bool "Netfilter legacy tables support"
749	depends on !PREEMPT_RT
750	help
751	  Say Y here if you still require support for legacy tables. This is
752	  required by the legacy tools (iptables-legacy) and is not needed if
753	  you use iptables over nftables (iptables-nft).
754	  Legacy support is not limited to IP, it also includes EBTABLES and
755	  ARPTABLES.
756
757comment "Xtables combined modules"
758
759config NETFILTER_XT_MARK
760	tristate 'nfmark target and match support'
761	default m if NETFILTER_ADVANCED=n
762	help
763	This option adds the "MARK" target and "mark" match.
764
765	Netfilter mark matching allows you to match packets based on the
766	"nfmark" value in the packet.
767	The target allows you to create rules in the "mangle" table which alter
768	the netfilter mark (nfmark) field associated with the packet.
769
770	Prior to routing, the nfmark can influence the routing method and can
771	also be used by other subsystems to change their behavior.
772
773config NETFILTER_XT_CONNMARK
774	tristate 'ctmark target and match support'
775	depends on NF_CONNTRACK
776	depends on NETFILTER_ADVANCED
777	select NF_CONNTRACK_MARK
778	help
779	This option adds the "CONNMARK" target and "connmark" match.
780
781	Netfilter allows you to store a mark value per connection (a.k.a.
782	ctmark), similarly to the packet mark (nfmark). Using this
783	target and match, you can set and match on this mark.
784
785config NETFILTER_XT_SET
786	tristate 'set target and match support'
787	depends on IP_SET
788	depends on NETFILTER_ADVANCED
789	help
790	  This option adds the "SET" target and "set" match.
791
792	  Using this target and match, you can add/delete and match
793	  elements in the sets created by ipset(8).
794
795	  To compile it as a module, choose M here.  If unsure, say N.
796
797# alphabetically ordered list of targets
798
799comment "Xtables targets"
800
801config NETFILTER_XT_TARGET_AUDIT
802	tristate "AUDIT target support"
803	depends on AUDIT
804	depends on NETFILTER_ADVANCED
805	help
806	  This option adds a 'AUDIT' target, which can be used to create
807	  audit records for packets dropped/accepted.
808
809	  To compile it as a module, choose M here. If unsure, say N.
810
811config NETFILTER_XT_TARGET_CHECKSUM
812	tristate "CHECKSUM target support"
813	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
814	depends on NETFILTER_ADVANCED
815	help
816	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
817	  table to work around buggy DHCP clients in virtualized environments.
818
819	  Some old DHCP clients drop packets because they are not aware
820	  that the checksum would normally be offloaded to hardware and
821	  thus should be considered valid.
822	  This target can be used to fill in the checksum using iptables
823	  when such packets are sent via a virtual network device.
824
825	  To compile it as a module, choose M here.  If unsure, say N.
826
827config NETFILTER_XT_TARGET_CLASSIFY
828	tristate '"CLASSIFY" target support'
829	depends on NETFILTER_ADVANCED
830	help
831	  This option adds a `CLASSIFY' target, which enables the user to set
832	  the priority of a packet. Some qdiscs can use this value for
833	  classification, among these are:
834
835	  atm, cbq, dsmark, pfifo_fast, htb, prio
836
837	  To compile it as a module, choose M here.  If unsure, say N.
838
839config NETFILTER_XT_TARGET_CONNMARK
840	tristate  '"CONNMARK" target support'
841	depends on NF_CONNTRACK
842	depends on NETFILTER_ADVANCED
843	select NETFILTER_XT_CONNMARK
844	help
845	This is a backwards-compat option for the user's convenience
846	(e.g. when running oldconfig). It selects
847	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
848
849config NETFILTER_XT_TARGET_CONNSECMARK
850	tristate '"CONNSECMARK" target support'
851	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
852	default m if NETFILTER_ADVANCED=n
853	help
854	  The CONNSECMARK target copies security markings from packets
855	  to connections, and restores security markings from connections
856	  to packets (if the packets are not already marked).  This would
857	  normally be used in conjunction with the SECMARK target.
858
859	  To compile it as a module, choose M here.  If unsure, say N.
860
861config NETFILTER_XT_TARGET_CT
862	tristate '"CT" target support'
863	depends on NF_CONNTRACK
864	depends on IP_NF_RAW || IP6_NF_RAW || NFT_COMPAT
865	depends on NETFILTER_ADVANCED
866	help
867	  This option adds a `CT' target, which lets you specify initial
868	  connection tracking parameters like events to be delivered and
869	  the helper to be used.
870
871	  To compile it as a module, choose M here.  If unsure, say N.
872
873config NETFILTER_XT_TARGET_DSCP
874	tristate '"DSCP" and "TOS" target support'
875	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
876	depends on NETFILTER_ADVANCED
877	help
878	  This option adds a `DSCP' target, which allows you to manipulate
879	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
880
881	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
882
883	  It also adds the "TOS" target, which allows you to create rules in
884	  the "mangle" table which alter the Type Of Service field of an IPv4
885	  or the Priority field of an IPv6 packet, prior to routing.
886
887	  To compile it as a module, choose M here.  If unsure, say N.
888
889config NETFILTER_XT_TARGET_HL
890	tristate '"HL" hoplimit target support'
891	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
892	depends on NETFILTER_ADVANCED
893	help
894	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
895	targets, which enable the user to change the
896	hoplimit/time-to-live value of the IP header.
897
898	While it is safe to decrement the hoplimit/TTL value, the
899	modules also allow you to increment or set the hoplimit of
900	the header to arbitrary values. This is EXTREMELY DANGEROUS
901	since you can easily create immortal packets that loop
902	forever on the network.
903
904config NETFILTER_XT_TARGET_HMARK
905	tristate '"HMARK" target support'
906	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
907	depends on NETFILTER_ADVANCED
908	help
909	This option adds the "HMARK" target.
910
911	The target allows you to create rules in the "raw" and "mangle" tables
912	which set the skbuff mark by means of hash calculation within a given
913	range. The nfmark can influence the routing method and can also be used
914	by other subsystems to change their behaviour.
915
916	To compile it as a module, choose M here. If unsure, say N.
917
918config NETFILTER_XT_TARGET_IDLETIMER
919	tristate  "IDLETIMER target support"
920	depends on NETFILTER_ADVANCED
921	help
922
923	  This option adds the `IDLETIMER' target.  Each matching packet
924	  resets the timer associated with the label specified when the rule is
925	  added.  When the timer expires, it triggers a sysfs notification.
926	  The remaining time for expiration can be read via sysfs.
927
928	  To compile it as a module, choose M here.  If unsure, say N.
929
930config NETFILTER_XT_TARGET_LED
931	tristate '"LED" target support'
932	depends on LEDS_CLASS && LEDS_TRIGGERS
933	depends on NETFILTER_ADVANCED
934	help
935	  This option adds a `LED' target, which allows you to blink LEDs in
936	  response to particular packets passing through your machine.
937
938	  This can be used to turn a spare LED into a network activity LED,
939	  which only flashes in response to FTP transfers, for example.  Or
940	  you could have an LED which lights up for a minute or two every time
941	  somebody connects to your machine via SSH.
942
943	  You will need support for the "led" class to make this work.
944
945	  To create an LED trigger for incoming SSH traffic:
946	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
947
948	  Then attach the new trigger to an LED on your system:
949	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
950
951	  For more information on the LEDs available on your system, see
952	  Documentation/leds/leds-class.rst
953
954config NETFILTER_XT_TARGET_LOG
955	tristate "LOG target support"
956	select NF_LOG_SYSLOG
957	select NF_LOG_IPV6 if IP6_NF_IPTABLES
958	default m if NETFILTER_ADVANCED=n
959	help
960	  This option adds a `LOG' target, which allows you to create rules in
961	  any iptables table which records the packet header to the syslog.
962
963	  To compile it as a module, choose M here.  If unsure, say N.
964
965config NETFILTER_XT_TARGET_MARK
966	tristate '"MARK" target support'
967	depends on NETFILTER_ADVANCED
968	select NETFILTER_XT_MARK
969	help
970	This is a backwards-compat option for the user's convenience
971	(e.g. when running oldconfig). It selects
972	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
973
974config NETFILTER_XT_NAT
975	tristate '"SNAT and DNAT" targets support'
976	depends on NF_NAT
977	help
978	This option enables the SNAT and DNAT targets.
979
980	To compile it as a module, choose M here. If unsure, say N.
981
982config NETFILTER_XT_TARGET_NETMAP
983	tristate '"NETMAP" target support'
984	depends on NF_NAT
985	help
986	NETMAP is an implementation of static 1:1 NAT mapping of network
987	addresses. It maps the network address part, while keeping the host
988	address part intact.
989
990	To compile it as a module, choose M here. If unsure, say N.
991
992config NETFILTER_XT_TARGET_NFLOG
993	tristate '"NFLOG" target support'
994	default m if NETFILTER_ADVANCED=n
995	select NETFILTER_NETLINK_LOG
996	help
997	  This option enables the NFLOG target, which allows you to log
998	  messages through nfnetlink_log.
999
1000	  To compile it as a module, choose M here.  If unsure, say N.
1001
1002config NETFILTER_XT_TARGET_NFQUEUE
1003	tristate '"NFQUEUE" target Support'
1004	depends on NETFILTER_ADVANCED
1005	select NETFILTER_NETLINK_QUEUE
1006	help
1007	  This target replaced the old obsolete QUEUE target.
1008
1009	  As opposed to QUEUE, it supports 65535 different queues,
1010	  not just one.
1011
1012	  To compile it as a module, choose M here.  If unsure, say N.
1013
1014config NETFILTER_XT_TARGET_NOTRACK
1015	tristate  '"NOTRACK" target support (DEPRECATED)'
1016	depends on NF_CONNTRACK
1017	depends on IP_NF_RAW || IP6_NF_RAW
1018	depends on NETFILTER_ADVANCED
1019	select NETFILTER_XT_TARGET_CT
1020
1021config NETFILTER_XT_TARGET_RATEEST
1022	tristate '"RATEEST" target support'
1023	depends on NETFILTER_ADVANCED
1024	help
1025	  This option adds a `RATEEST' target, which allows you to measure
1026	  rates similar to TC estimators. The `rateest' match can be
1027	  used to match on the measured rates.
1028
1029	  To compile it as a module, choose M here.  If unsure, say N.
1030
1031config NETFILTER_XT_TARGET_REDIRECT
1032	tristate "REDIRECT target support"
1033	depends on NF_NAT
1034	select NF_NAT_REDIRECT
1035	help
1036	REDIRECT is a special case of NAT: all incoming connections are
1037	mapped onto the incoming interface's address, causing the packets to
1038	come to the local machine instead of passing through. This is
1039	useful for transparent proxies.
1040
1041	To compile it as a module, choose M here. If unsure, say N.
1042
1043config NETFILTER_XT_TARGET_MASQUERADE
1044	tristate "MASQUERADE target support"
1045	depends on NF_NAT
1046	default m if NETFILTER_ADVANCED=n
1047	select NF_NAT_MASQUERADE
1048	help
1049	  Masquerading is a special case of NAT: all outgoing connections are
1050	  changed to seem to come from a particular interface's address, and
1051	  if the interface goes down, those connections are lost.  This is
1052	  only useful for dialup accounts with dynamic IP address (ie. your IP
1053	  address will be different on next dialup).
1054
1055	  To compile it as a module, choose M here.  If unsure, say N.
1056
1057config NETFILTER_XT_TARGET_TEE
1058	tristate '"TEE" - packet cloning to alternate destination'
1059	depends on NETFILTER_ADVANCED
1060	depends on !NF_CONNTRACK || NF_CONNTRACK
1061	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1062	select NF_DUP_IPV4
1063	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1064	help
1065	This option adds a "TEE" target with which a packet can be cloned and
1066	the clone rerouted to another nexthop.
1067
1068config NETFILTER_XT_TARGET_TPROXY
1069	tristate '"TPROXY" target transparent proxying support'
1070	depends on NETFILTER_XTABLES
1071	depends on NETFILTER_ADVANCED
1072	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1073	depends on IP_NF_MANGLE || NFT_COMPAT
1074	select NF_DEFRAG_IPV4
1075	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1076	select NF_TPROXY_IPV4
1077	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1078	help
1079	  This option adds a `TPROXY' target, which is somewhat similar to
1080	  REDIRECT.  It can only be used in the mangle table and is useful
1081	  to redirect traffic to a transparent proxy.  It does _not_ depend
1082	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1083	  For it to work you will have to configure certain iptables rules
1084	  and use policy routing. For more information on how to set it up
1085	  see Documentation/networking/tproxy.rst.
1086
1087	  To compile it as a module, choose M here.  If unsure, say N.
1088
1089config NETFILTER_XT_TARGET_TRACE
1090	tristate  '"TRACE" target support'
1091	depends on IP_NF_RAW || IP6_NF_RAW
1092	depends on NETFILTER_ADVANCED
1093	help
1094	  The TRACE target allows you to mark packets so that the kernel
1095	  will log every rule that matches the packets as they traverse
1096	  the tables, chains and rules.
1097
1098	  If you want to compile it as a module, say M here and read
1099	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1100
1101config NETFILTER_XT_TARGET_SECMARK
1102	tristate '"SECMARK" target support'
1103	depends on NETWORK_SECMARK
1104	default m if NETFILTER_ADVANCED=n
1105	help
1106	  The SECMARK target allows security marking of network
1107	  packets, for use with security subsystems.
1108
1109	  To compile it as a module, choose M here.  If unsure, say N.
1110
1111config NETFILTER_XT_TARGET_TCPMSS
1112	tristate '"TCPMSS" target support'
1113	default m if NETFILTER_ADVANCED=n
1114	help
1115	  This option adds a `TCPMSS' target, which allows you to alter the
1116	  MSS value of TCP SYN packets, to control the maximum size for that
1117	  connection (usually limiting it to your outgoing interface's MTU
1118	  minus 40).
1119
1120	  This is used to overcome criminally braindead ISPs or servers which
1121	  block ICMP Fragmentation Needed packets.  The symptoms of this
1122	  problem are that everything works fine from your Linux
1123	  firewall/router, but machines behind it can never exchange large
1124	  packets:
1125	        1) Web browsers connect, then hang with no data received.
1126	        2) Small mail works fine, but large emails hang.
1127	        3) ssh works fine, but scp hangs after initial handshaking.
1128
1129	  Workaround: activate this option and add a rule to your firewall
1130	  configuration like:
1131
1132	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1133	                 -j TCPMSS --clamp-mss-to-pmtu
1134
1135	  To compile it as a module, choose M here.  If unsure, say N.
1136
1137config NETFILTER_XT_TARGET_TCPOPTSTRIP
1138	tristate '"TCPOPTSTRIP" target support'
1139	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
1140	depends on NETFILTER_ADVANCED
1141	help
1142	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1143	  TCP options from TCP packets.
1144
1145# alphabetically ordered list of matches
1146
1147comment "Xtables matches"
1148
1149config NETFILTER_XT_MATCH_ADDRTYPE
1150	tristate '"addrtype" address type match support'
1151	default m if NETFILTER_ADVANCED=n
1152	help
1153	  This option allows you to match what routing thinks of an address,
1154	  eg. UNICAST, LOCAL, BROADCAST, ...
1155
1156	  If you want to compile it as a module, say M here and read
1157	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1158
1159config NETFILTER_XT_MATCH_BPF
1160	tristate '"bpf" match support'
1161	depends on NETFILTER_ADVANCED
1162	help
1163	  BPF matching applies a Linux socket filter to each packet and
1164	  accepts those for which the filter returns non-zero.
1165
1166	  To compile it as a module, choose M here.  If unsure, say N.
1167
1168config NETFILTER_XT_MATCH_CGROUP
1169	tristate '"control group" match support'
1170	depends on NETFILTER_ADVANCED
1171	depends on CGROUPS
1172	select SOCK_CGROUP_DATA
1173	help
1174	Socket/process control group matching allows you to match locally
1175	generated packets based on which net_cls control group processes
1176	belong to.
1177
1178config NETFILTER_XT_MATCH_CLUSTER
1179	tristate '"cluster" match support'
1180	depends on NF_CONNTRACK
1181	depends on NETFILTER_ADVANCED
1182	help
1183	  This option allows you to build work-load-sharing clusters of
1184	  network servers/stateful firewalls without having a dedicated
1185	  load-balancing router/server/switch. Basically, this match returns
1186	  true when the packet must be handled by this cluster node. Thus,
1187	  all nodes see all packets and this match decides which node handles
1188	  what packets. The work-load sharing algorithm is based on source
1189	  address hashing.
1190
1191	  If you say Y or M here, try `iptables -m cluster --help` for
1192	  more information.
1193
1194config NETFILTER_XT_MATCH_COMMENT
1195	tristate  '"comment" match support'
1196	depends on NETFILTER_ADVANCED
1197	help
1198	  This option adds a `comment' dummy-match, which allows you to put
1199	  comments in your iptables ruleset.
1200
1201	  If you want to compile it as a module, say M here and read
1202	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1203
1204config NETFILTER_XT_MATCH_CONNBYTES
1205	tristate  '"connbytes" per-connection counter match support'
1206	depends on NF_CONNTRACK
1207	depends on NETFILTER_ADVANCED
1208	help
1209	  This option adds a `connbytes' match, which allows you to match the
1210	  number of bytes and/or packets for each direction within a connection.
1211
1212	  If you want to compile it as a module, say M here and read
1213	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1214
1215config NETFILTER_XT_MATCH_CONNLABEL
1216	tristate '"connlabel" match support'
1217	select NF_CONNTRACK_LABELS
1218	depends on NF_CONNTRACK
1219	depends on NETFILTER_ADVANCED
1220	help
1221	  This match allows you to test and assign userspace-defined label names
1222	  to a connection.  The kernel only stores bit values - mapping
1223	  names to bits is done by userspace.
1224
1225	  Unlike connmark, more than 32 flag bits may be assigned to a
1226	  connection simultaneously.
1227
1228config NETFILTER_XT_MATCH_CONNLIMIT
1229	tristate '"connlimit" match support'
1230	depends on NF_CONNTRACK
1231	depends on NETFILTER_ADVANCED
1232	select NETFILTER_CONNCOUNT
1233	help
1234	  This match allows you to match against the number of parallel
1235	  connections to a server per client IP address (or address block).
1236
1237config NETFILTER_XT_MATCH_CONNMARK
1238	tristate  '"connmark" connection mark match support'
1239	depends on NF_CONNTRACK
1240	depends on NETFILTER_ADVANCED
1241	select NETFILTER_XT_CONNMARK
1242	help
1243	This is a backwards-compat option for the user's convenience
1244	(e.g. when running oldconfig). It selects
1245	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1246
1247config NETFILTER_XT_MATCH_CONNTRACK
1248	tristate '"conntrack" connection tracking match support'
1249	depends on NF_CONNTRACK
1250	default m if NETFILTER_ADVANCED=n
1251	help
1252	  This is a general conntrack match module, a superset of the state match.
1253
1254	  It allows matching on additional conntrack information, which is
1255	  useful in complex configurations, such as NAT gateways with multiple
1256	  internet links or tunnels.
1257
1258	  To compile it as a module, choose M here.  If unsure, say N.
1259
1260config NETFILTER_XT_MATCH_CPU
1261	tristate '"cpu" match support'
1262	depends on NETFILTER_ADVANCED
1263	help
1264	  CPU matching allows you to match packets based on the CPU
1265	  currently handling the packet.
1266
1267	  To compile it as a module, choose M here.  If unsure, say N.
1268
1269config NETFILTER_XT_MATCH_DCCP
1270	tristate '"dccp" protocol match support (DEPRECATED)'
1271	depends on NETFILTER_ADVANCED
1272	default n
1273	help
1274	  With this option enabled, you will be able to use the iptables
1275	  `dccp' match in order to match on DCCP source/destination ports
1276	  and DCCP flags.
1277
1278	  If you want to compile it as a module, say M here and read
1279	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1280
1281config NETFILTER_XT_MATCH_DEVGROUP
1282	tristate '"devgroup" match support'
1283	depends on NETFILTER_ADVANCED
1284	help
1285	  This option adds a `devgroup' match, which allows you to match on the
1286	  device group a network device is assigned to.
1287
1288	  To compile it as a module, choose M here.  If unsure, say N.
1289
1290config NETFILTER_XT_MATCH_DSCP
1291	tristate '"dscp" and "tos" match support'
1292	depends on NETFILTER_ADVANCED
1293	help
1294	  This option adds a `DSCP' match, which allows you to match against
1295	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1296
1297	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1298
1299	  It will also add a "tos" match, which allows you to match packets
1300	  based on the Type Of Service fields of the IPv4 packet (which share
1301	  the same bits as DSCP).
1302
1303	  To compile it as a module, choose M here.  If unsure, say N.
1304
1305config NETFILTER_XT_MATCH_ECN
1306	tristate '"ecn" match support'
1307	depends on NETFILTER_ADVANCED
1308	help
1309	This option adds an "ECN" match, which allows you to match against
1310	the IPv4 and TCP header ECN fields.
1311
1312	To compile it as a module, choose M here. If unsure, say N.
1313
1314config NETFILTER_XT_MATCH_ESP
1315	tristate '"esp" match support'
1316	depends on NETFILTER_ADVANCED
1317	help
1318	  This match extension allows you to match a range of SPIs
1319	  inside the ESP header of IPsec packets.
1320
1321	  To compile it as a module, choose M here.  If unsure, say N.
1322
1323config NETFILTER_XT_MATCH_HASHLIMIT
1324	tristate '"hashlimit" match support'
1325	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1326	depends on NETFILTER_ADVANCED
1327	help
1328	  This option adds a `hashlimit' match.
1329
1330	  As opposed to `limit', this match dynamically creates a hash table
1331	  of limit buckets, based on your selection of source/destination
1332	  addresses and/or ports.
1333
1334	  It enables you to express policies like `10kpps for any given
1335	  destination address' or `500pps from any given source address'
1336	  with a single rule.
1337
1338config NETFILTER_XT_MATCH_HELPER
1339	tristate '"helper" match support'
1340	depends on NF_CONNTRACK
1341	depends on NETFILTER_ADVANCED
1342	help
1343	  Helper matching allows you to match packets in dynamic connections
1344	  tracked by a conntrack-helper, ie. nf_conntrack_ftp
1345
1346	  To compile it as a module, choose M here.  If unsure, say Y.
1347
1348config NETFILTER_XT_MATCH_HL
1349	tristate '"hl" hoplimit/TTL match support'
1350	depends on NETFILTER_ADVANCED
1351	help
1352	HL matching allows you to match packets based on the hoplimit
1353	in the IPv6 header, or the time-to-live field in the IPv4
1354	header of the packet.
1355
1356config NETFILTER_XT_MATCH_IPCOMP
1357	tristate '"ipcomp" match support'
1358	depends on NETFILTER_ADVANCED
1359	help
1360	  This match extension allows you to match a range of CPIs (16 bits)
1361	  inside the IPComp header of IPsec packets.
1362
1363	  To compile it as a module, choose M here.  If unsure, say N.
1364
1365config NETFILTER_XT_MATCH_IPRANGE
1366	tristate '"iprange" address range match support'
1367	depends on NETFILTER_ADVANCED
1368	help
1369	This option adds an "iprange" match, which allows you to match based on
1370	an IP address range. (Normal iptables only matches on single addresses
1371	with an optional mask.)
1372
1373	If unsure, say M.
1374
1375config NETFILTER_XT_MATCH_IPVS
1376	tristate '"ipvs" match support'
1377	depends on IP_VS
1378	depends on NETFILTER_ADVANCED
1379	depends on NF_CONNTRACK
1380	help
1381	  This option allows you to match against IPVS properties of a packet.
1382
1383	  If unsure, say N.
1384
1385config NETFILTER_XT_MATCH_L2TP
1386	tristate '"l2tp" match support'
1387	depends on NETFILTER_ADVANCED
1388	default L2TP
1389	help
1390	This option adds an "L2TP" match, which allows you to match against
1391	L2TP protocol header fields.
1392
1393	To compile it as a module, choose M here. If unsure, say N.
1394
1395config NETFILTER_XT_MATCH_LENGTH
1396	tristate '"length" match support'
1397	depends on NETFILTER_ADVANCED
1398	help
1399	  This option allows you to match the length of a packet against a
1400	  specific value or range of values.
1401
1402	  To compile it as a module, choose M here.  If unsure, say N.
1403
1404config NETFILTER_XT_MATCH_LIMIT
1405	tristate '"limit" match support'
1406	depends on NETFILTER_ADVANCED
1407	help
1408	  limit matching allows you to control the rate at which a rule can be
1409	  matched: mainly useful in combination with the LOG target ("LOG
1410	  target support", below) and to avoid some Denial of Service attacks.
1411
1412	  To compile it as a module, choose M here.  If unsure, say N.
1413
1414config NETFILTER_XT_MATCH_MAC
1415	tristate '"mac" address match support'
1416	depends on NETFILTER_ADVANCED
1417	help
1418	  MAC matching allows you to match packets based on the source
1419	  Ethernet address of the packet.
1420
1421	  To compile it as a module, choose M here.  If unsure, say N.
1422
1423config NETFILTER_XT_MATCH_MARK
1424	tristate '"mark" match support'
1425	depends on NETFILTER_ADVANCED
1426	select NETFILTER_XT_MARK
1427	help
1428	This is a backwards-compat option for the user's convenience
1429	(e.g. when running oldconfig). It selects
1430	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1431
1432config NETFILTER_XT_MATCH_MULTIPORT
1433	tristate '"multiport" Multiple port match support'
1434	depends on NETFILTER_ADVANCED
1435	help
1436	  Multiport matching allows you to match TCP or UDP packets based on
1437	  a series of source or destination ports: normally a rule can only
1438	  match a single range of ports.
1439
1440	  To compile it as a module, choose M here.  If unsure, say N.
1441
1442config NETFILTER_XT_MATCH_NFACCT
1443	tristate '"nfacct" match support'
1444	depends on NETFILTER_ADVANCED
1445	select NETFILTER_NETLINK_ACCT
1446	help
1447	  This option allows you to use the extended accounting through
1448	  nfnetlink_acct.
1449
1450	  To compile it as a module, choose M here.  If unsure, say N.
1451
1452config NETFILTER_XT_MATCH_OSF
1453	tristate '"osf" Passive OS fingerprint match'
1454	depends on NETFILTER_ADVANCED
1455	select NETFILTER_NETLINK_OSF
1456	help
1457	  This option selects the Passive OS Fingerprinting match module,
1458	  which allows you to passively match the remote operating system by
1459	  analyzing incoming TCP SYN packets.
1460
1461	  Rules and loading software can be downloaded from
1462	  http://www.ioremap.net/projects/osf
1463
1464	  To compile it as a module, choose M here.  If unsure, say N.
1465
1466config NETFILTER_XT_MATCH_OWNER
1467	tristate '"owner" match support'
1468	depends on NETFILTER_ADVANCED
1469	help
1470	Socket owner matching allows you to match locally-generated packets
1471	based on who created the socket: the user or group. It is also
1472	possible to check whether a socket actually exists.
1473
1474config NETFILTER_XT_MATCH_POLICY
1475	tristate 'IPsec "policy" match support'
1476	depends on XFRM
1477	default m if NETFILTER_ADVANCED=n
1478	help
1479	  Policy matching allows you to match packets based on the
1480	  IPsec policy that was used during decapsulation/will
1481	  be used during encapsulation.
1482
1483	  To compile it as a module, choose M here.  If unsure, say N.
1484
1485config NETFILTER_XT_MATCH_PHYSDEV
1486	tristate '"physdev" match support'
1487	depends on BRIDGE && BRIDGE_NETFILTER
1488	depends on NETFILTER_ADVANCED
1489	help
1490	  Physdev packet matching matches against the physical bridge ports
1491	  the IP packet arrived on or will leave by.
1492
1493	  To compile it as a module, choose M here.  If unsure, say N.
1494
1495config NETFILTER_XT_MATCH_PKTTYPE
1496	tristate '"pkttype" packet type match support'
1497	depends on NETFILTER_ADVANCED
1498	help
1499	  Packet type matching allows you to match a packet by
1500	  its "class", eg. BROADCAST, MULTICAST, ...
1501
1502	  Typical usage:
1503	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1504
1505	  To compile it as a module, choose M here.  If unsure, say N.
1506
1507config NETFILTER_XT_MATCH_QUOTA
1508	tristate '"quota" match support'
1509	depends on NETFILTER_ADVANCED
1510	help
1511	  This option adds a `quota' match, which allows you to match on a
1512	  byte counter.
1513
1514	  If you want to compile it as a module, say M here and read
1515	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1516
1517config NETFILTER_XT_MATCH_RATEEST
1518	tristate '"rateest" match support'
1519	depends on NETFILTER_ADVANCED
1520	select NETFILTER_XT_TARGET_RATEEST
1521	help
1522	  This option adds a `rateest' match, which allows you to match on the
1523	  rate estimated by the RATEEST target.
1524
1525	  To compile it as a module, choose M here.  If unsure, say N.
1526
1527config NETFILTER_XT_MATCH_REALM
1528	tristate  '"realm" match support'
1529	depends on NETFILTER_ADVANCED
1530	select IP_ROUTE_CLASSID
1531	help
1532	  This option adds a `realm' match, which allows you to use the realm
1533	  key from the routing subsystem inside iptables.
1534
1535	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1536	  in tc world.
1537
1538	  If you want to compile it as a module, say M here and read
1539	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1540
1541config NETFILTER_XT_MATCH_RECENT
1542	tristate '"recent" match support'
1543	depends on NETFILTER_ADVANCED
1544	help
1545	This match is used for creating one or many lists of recently
1546	used addresses and then matching against that/those list(s).
1547
1548	Short options are available by using 'iptables -m recent -h'
1549	Official Website: <http://snowman.net/projects/ipt_recent/>
1550
1551config NETFILTER_XT_MATCH_SCTP
1552	tristate  '"sctp" protocol match support'
1553	depends on NETFILTER_ADVANCED
1554	default IP_SCTP
1555	help
1556	  With this option enabled, you will be able to use the
1557	  `sctp' match in order to match on SCTP source/destination ports
1558	  and SCTP chunk types.
1559
1560	  If you want to compile it as a module, say M here and read
1561	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1562
1563config NETFILTER_XT_MATCH_SOCKET
1564	tristate '"socket" match support'
1565	depends on NETFILTER_XTABLES
1566	depends on NETFILTER_ADVANCED
1567	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1568	select NF_SOCKET_IPV4
1569	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1570	select NF_DEFRAG_IPV4
1571	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1572	help
1573	  This option adds a `socket' match, which can be used to match
1574	  packets for which a TCP or UDP socket lookup finds a valid socket.
1575	  It can be used in combination with the MARK target and policy
1576	  routing to implement full featured non-locally bound sockets.
1577
1578	  To compile it as a module, choose M here.  If unsure, say N.
1579
1580config NETFILTER_XT_MATCH_STATE
1581	tristate '"state" match support'
1582	depends on NF_CONNTRACK
1583	default m if NETFILTER_ADVANCED=n
1584	help
1585	  Connection state matching allows you to match packets based on their
1586	  relationship to a tracked connection (ie. previous packets).  This
1587	  is a powerful tool for packet classification.
1588
1589	  To compile it as a module, choose M here.  If unsure, say N.
1590
1591config NETFILTER_XT_MATCH_STATISTIC
1592	tristate '"statistic" match support'
1593	depends on NETFILTER_ADVANCED
1594	help
1595	  This option adds a `statistic' match, which allows you to match
1596	  on packets periodically or randomly with a given percentage.
1597
1598	  To compile it as a module, choose M here.  If unsure, say N.
1599
1600config NETFILTER_XT_MATCH_STRING
1601	tristate  '"string" match support'
1602	depends on NETFILTER_ADVANCED
1603	select TEXTSEARCH
1604	select TEXTSEARCH_KMP
1605	select TEXTSEARCH_BM
1606	select TEXTSEARCH_FSM
1607	help
1608	  This option adds a `string' match, which allows you to search for
1609	  patterns in packets.
1610
1611	  To compile it as a module, choose M here.  If unsure, say N.
1612
1613config NETFILTER_XT_MATCH_TCPMSS
1614	tristate '"tcpmss" match support'
1615	depends on NETFILTER_ADVANCED
1616	help
1617	  This option adds a `tcpmss' match, which allows you to examine the
1618	  MSS value of TCP SYN packets, which controls the maximum packet size
1619	  for that connection.
1620
1621	  To compile it as a module, choose M here.  If unsure, say N.
1622
1623config NETFILTER_XT_MATCH_TIME
1624	tristate '"time" match support'
1625	depends on NETFILTER_ADVANCED
1626	help
1627	  This option adds a "time" match, which allows you to match based on
1628	  the packet arrival time (at the machine on which netfilter is
1629	  running) or departure time/date (for locally generated packets).
1630
1631	  If you say Y here, try `iptables -m time --help` for
1632	  more information.
1633
1634	  If you want to compile it as a module, say M here.
1635	  If unsure, say N.
1636
1637config NETFILTER_XT_MATCH_U32
1638	tristate '"u32" match support'
1639	depends on NETFILTER_ADVANCED
1640	help
1641	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1642	  AND them with specified masks, shift them by specified amounts and
1643	  test whether the results are in any of a set of specified ranges.
1644	  The specification of what to extract is general enough to skip over
1645	  headers with lengths stored in the packet, as in IP or TCP header
1646	  lengths.
1647
1648	  Details and examples are in the kernel module source.
1649
1650endif # NETFILTER_XTABLES
1651
1652config GCOV_PROFILE_NETFILTER
1653	bool "Enable GCOV profiling for netfilter"
1654	depends on GCOV_KERNEL
1655	help
1656	  Enable GCOV profiling for netfilter to check which functions/lines
1657	  are executed.
1658
1659	  If unsure, say N.
1660endmenu
1661
1662source "net/netfilter/ipset/Kconfig"
1663
1664source "net/netfilter/ipvs/Kconfig"
1665