# SPDX-License-Identifier: GPL-2.0-only
menu "Core Netfilter Configuration"
	depends on INET && NETFILTER

config NETFILTER_INGRESS
	bool "Netfilter ingress support"
	default y
	select NET_INGRESS
	help
	  This allows you to classify packets from ingress using the Netfilter
	  infrastructure.

config NETFILTER_EGRESS
	bool "Netfilter egress support"
	default y
	select NET_EGRESS
	help
	  This allows you to classify packets before transmission using the
	  Netfilter infrastructure.

config NETFILTER_SKIP_EGRESS
	def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)

config NETFILTER_NETLINK
	bool

config NETFILTER_FAMILY_BRIDGE
	bool

config NETFILTER_FAMILY_ARP
	bool

config NETFILTER_BPF_LINK
	def_bool BPF_SYSCALL

config NETFILTER_NETLINK_HOOK
	tristate "Netfilter base hook dump support"
	depends on NETFILTER_ADVANCED
	depends on NF_TABLES
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  to list the base netfilter hooks via NFNETLINK.
	  This is helpful for debugging.

config NETFILTER_NETLINK_ACCT
	tristate "Netfilter NFACCT over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NETFILTER_NETLINK_OSF
	tristate "Netfilter OSF over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for passive OS fingerprinting via NFNETLINK.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IPV6 != n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are grouped
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_LOG_SYSLOG
	tristate "Syslog packet logging"
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for packet logging via syslog.
	  It supports IPv4, IPv6, ARP and common transport protocols such
	  as TCP and UDP.
	  This is a simpler but less flexible logging method compared to
	  CONFIG_NETFILTER_NETLINK_LOG.
	  If both are enabled, the backend to use can be configured at run-time
	  by means of per-address-family sysctl tunables.

if NF_CONNTRACK
config NETFILTER_CONNCOUNT
	tristate

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default y if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system-wide
	  identity. Connection tracking zones allow multiple connections
	  to use the same identity, as long as they are contained in
	  different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_PROCFS
	bool "Supply CT list in procfs (OBSOLETE)"
	depends on PROC_FS
	help
	  This option enables the list of known conntrack entries
	  to be shown in procfs under net/netfilter/nf_conntrack. This
	  is considered obsolete in favor of using the conntrack(8)
	  tool, which uses Netlink.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMEOUT
	bool 'Connection tracking timeout'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for the connection tracking timeout
	  extension. This allows you to attach timeout policies to flows
	  via the CT target.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
	bool 'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start-time and to obtain
	  the flow-stop time (once it has been destroyed) via Connection
	  tracking events.

	  If unsure, say `N'.

config NF_CONNTRACK_LABELS
	bool "Connection tracking labels"
	help
	  This option enables support for assigning user-defined flag bits
	  to connection tracking entries.  It can be used with the xtables
	  connlabel match and the nftables ct expression.

config NF_CONNTRACK_OVS
	bool

config NF_CT_PROTO_GRE
	bool

config NF_CT_PROTO_SCTP
	bool 'SCTP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	select NET_CRC32C
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If unsure, say Y.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and NAT code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC DCC protocol support (obsolete)"
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.
	  DCC tracking behind NAT requires plaintext (unencrypted) IRC, so
	  this helper is of limited use these days.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_BROADCAST
	tristate

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support (deprecated)"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are still running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support"
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the nf_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface.

config NF_CT_NETLINK_TIMEOUT
	tristate 'Connection tracking timeout tuning via Netlink'
	select NETFILTER_NETLINK
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK_TIMEOUT
	help
	  This option enables support for connection tracking timeout
	  fine-grain tuning. This allows you to attach specific timeout
	  policies to flows, instead of using the global timeout policy.

	  If unsure, say `N'.

config NF_CT_NETLINK_HELPER
	tristate 'Connection tracking helpers in user-space via Netlink'
	select NETFILTER_NETLINK
	depends on NF_CT_NETLINK
	depends on NETFILTER_NETLINK_QUEUE
	depends on NETFILTER_NETLINK_GLUE_CT
	depends on NETFILTER_ADVANCED
	help
	  This option enables the user-space connection tracking helpers
	  infrastructure.

	  If unsure, say `N'.

config NETFILTER_NETLINK_GLUE_CT
	bool "NFQUEUE and NFLOG integration with Connection Tracking"
	default n
	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
	help
	  If this option is enabled, NFQUEUE and NFLOG can include
	  Connection Tracking information together with the packet that
	  is enqueued via NFNETLINK.

config NF_NAT
	tristate "Network Address Translation support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  The NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables, ip6tables or nft.
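Added example, not kernel code and not part of this Kconfig: a userspace model of what NF_CONNTRACK and NF_NAT provide together, a connection-tracking table whose entries carry both the original tuple and the reply tuple, with masquerade-style source NAT on top. It shows why NAT needs conntrack: the reply tuple stored when the first outbound packet is seen is what lets a returning packet be recognised and un-translated, and an unsolicited inbound packet matches nothing. The IPv4-only 5-tuple, the single external address, the fixed-size array and the names `ct_reset`, `ct_count` and `ct_nat_process` are this example's own assumptions; the kernel's nf_conntrack keeps nf_conn objects in a hash table keyed by both directions and handles far more cases.

```c
/*
 * Minimal conntrack table with masquerade-style SNAT. Added example, not
 * kernel code: nf_conntrack hashes nf_conn objects by tuple in both
 * directions and covers far more; this is a fixed array, IPv4 only.
 */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; };

enum { CT_INVALID = -1, CT_NEW = 0, CT_ESTABLISHED = 1 };
enum { DIR_ORIGINAL = 0, DIR_REPLY = 1 };

struct conn {
	bool used;
	int  state;
	struct tuple tup[2];  /* [DIR_ORIGINAL]: first packet as the inside host sent it;
	                         [DIR_REPLY]: a reply as it arrives from outside (post-NAT) */
};

#define CT_MAX 64
static struct conn table[CT_MAX];
static uint32_t nat_ext_addr;   /* the one address we masquerade behind (assumption) */
static uint16_t nat_next_port;

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
	return a->saddr == b->saddr && a->daddr == b->daddr && a->proto == b->proto &&
	       a->sport == b->sport && a->dport == b->dport;
}

static struct tuple tuple_invert(struct tuple t)
{
	struct tuple r = { t.daddr, t.saddr, t.dport, t.sport, t.proto };
	return r;
}

void ct_reset(uint32_t ext_addr)
{
	memset(table, 0, sizeof table);
	nat_ext_addr = ext_addr;
	nat_next_port = 30000;
}

unsigned ct_count(void)
{
	unsigned n = 0;
	for (int i = 0; i < CT_MAX; i++)
		n += table[i].used;
	return n;
}

/* Which connection does this packet belong to, and in which direction? */
static struct conn *ct_lookup(const struct tuple *t, int *dir)
{
	for (int i = 0; i < CT_MAX; i++) {
		if (!table[i].used)
			continue;
		for (*dir = DIR_ORIGINAL; *dir <= DIR_REPLY; (*dir)++)
			if (tuple_eq(t, &table[i].tup[*dir]))
				return &table[i];
	}
	return NULL;
}

/*
 * Track and translate one packet in place; 'outbound' means it leaves via
 * the masqueraded interface. Returns the connection state afterwards, or
 * CT_INVALID (what a "ct state established" rule would drop).
 */
int ct_nat_process(struct tuple *pkt, bool outbound)
{
	int dir;
	struct conn *c = ct_lookup(pkt, &dir);

	if (!c) {
		if (!outbound)
			return CT_INVALID;       /* unsolicited inbound: no state, no mapping */
		for (int i = 0; i < CT_MAX && !c; i++)
			if (!table[i].used)
				c = &table[i];
		if (!c)
			return CT_INVALID;       /* table full */
		struct tuple xlated = *pkt;      /* masquerade: source becomes our addr/port */
		xlated.saddr = nat_ext_addr;
		xlated.sport = nat_next_port++;
		c->used = true;
		c->state = CT_NEW;
		c->tup[DIR_ORIGINAL] = *pkt;
		c->tup[DIR_REPLY] = tuple_invert(xlated);   /* replies arrive for the translated tuple */
		dir = DIR_ORIGINAL;
	} else if (dir == DIR_REPLY) {
		c->state = CT_ESTABLISHED;       /* traffic seen both ways */
	}
	/* Outbound: rewrite to the translated tuple. Reply: restore the inside host. */
	*pkt = tuple_invert(c->tup[dir == DIR_ORIGINAL ? DIR_REPLY : DIR_ORIGINAL]);
	return c->state;
}

int main(void)
{
	ct_reset(0xCB007101u);    /* 203.0.113.1, constructed external address */
	struct tuple p = { 0x0A000005u, 0xC633640Au, 51000, 443, 6 };  /* 10.0.0.5 -> 198.51.100.10:443 */
	int s1 = ct_nat_process(&p, true);
	struct tuple r = tuple_invert(p);   /* the server replies to the translated tuple */
	int s2 = ct_nat_process(&r, false);
	printf("states %d,%d; reply delivered to %08x:%u; entries %u\n",
	       s1, s2, r.daddr, r.dport, ct_count());
	return 0;
}
```

The two stored tuples are the whole trick: the outbound packet is rewritten to the inverse of the reply tuple, the reply is rewritten to the inverse of the original tuple, so neither the inside host nor the remote peer ever sees the other side's real address. A packet that arrives from outside for a port no connection is waiting on gets CT_INVALID and creates no entry, which is the state a "ct state established,related" rule checks.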

config NF_NAT_AMANDA
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_FTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_SIP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

config NF_NAT_TFTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_REDIRECT
	bool

config NF_NAT_MASQUERADE
	bool

config NF_NAT_OVS
	bool

config NETFILTER_SYNPROXY
	tristate

endif # NF_CONNTRACK

config NF_TABLES
	select NETFILTER_NETLINK
	select NET_CRC32C
	tristate "Netfilter nf_tables support"
	help
	  nftables is the new packet classification framework that intends to
	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
	  provides a pseudo-state machine with an extensible instruction-set
	  (also known as expressions) that the userspace 'nft' utility
	  (https://www.netfilter.org/projects/nftables) uses to build the
	  rule-set. It also comes with the generic set infrastructure that
	  allows you to construct mappings between matches and actions
	  for fast lookups.

	  To compile it as a module, choose M here.

if NF_TABLES
config NF_TABLES_INET
	depends on IPV6
	select NF_TABLES_IPV4
	select NF_TABLES_IPV6
	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
	help
	  This option enables support for a mixed IPv4/IPv6 "inet" table.

config NF_TABLES_NETDEV
	bool "Netfilter nf_tables netdev tables support"
	help
	  This option enables support for the "netdev" table.

config NFT_NUMGEN
	tristate "Netfilter nf_tables number generator module"
	help
	  This option adds the number generator expression used to perform
	  incremental counting and random numbers bound to an upper limit.

config NFT_CT
	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables conntrack module"
	help
	  This option adds the "ct" expression that you can use to match
	  connection tracking information such as the flow state.

config NFT_EXTHDR_DCCP
	bool "Netfilter nf_tables exthdr DCCP support (DEPRECATED)"
	default n
	help
	  This option adds support for matching on DCCP extension headers.

config NFT_FLOW_OFFLOAD
	depends on NF_CONNTRACK && NF_FLOW_TABLE
	tristate "Netfilter nf_tables hardware flow offload module"
	help
	  This option adds the "flow_offload" expression that you can use to
	  choose what flows are placed into the hardware.

config NFT_CONNLIMIT
	tristate "Netfilter nf_tables connlimit module"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	help
	  This option adds the "connlimit" expression that you can use to
	  limit the number of concurrent connections matching a rule.

config NFT_LOG
	tristate "Netfilter nf_tables log module"
	help
	  This option adds the "log" expression that you can use to log
	  packets matching some criteria.

config NFT_LIMIT
	tristate "Netfilter nf_tables limit module"
	help
	  This option adds the "limit" expression that you can use to
	  rate-limit rule matches.

config NFT_MASQ
	depends on NF_CONNTRACK
	depends on NF_NAT
	select NF_NAT_MASQUERADE
	tristate "Netfilter nf_tables masquerade support"
	help
	  This option adds the "masquerade" expression that you can use
	  to perform NAT in the masquerade flavour.

config NFT_REDIR
	depends on NF_CONNTRACK
	depends on NF_NAT
	tristate "Netfilter nf_tables redirect support"
	select NF_NAT_REDIRECT
	help
	  This option adds the "redirect" expression that you can use
	  to perform NAT in the redirect flavour.

config NFT_NAT
	depends on NF_CONNTRACK
	select NF_NAT
	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
	tristate "Netfilter nf_tables nat module"
	help
	  This option adds the "nat" expression that you can use to perform
	  typical Network Address Translation (NAT) packet transformations.

config NFT_TUNNEL
	tristate "Netfilter nf_tables tunnel module"
	help
	  This option adds the "tunnel" expression that you can use to set
	  tunneling policies.

config NFT_QUEUE
	depends on NETFILTER_NETLINK_QUEUE
	tristate "Netfilter nf_tables queue module"
	help
	  This is required if you intend to use the userspace queueing
	  infrastructure (also known as NFQUEUE) from nftables.

config NFT_QUOTA
	tristate "Netfilter nf_tables quota module"
	help
	  This option adds the "quota" expression that you can use to
	  enforce byte quotas.

config NFT_REJECT
	default m if NETFILTER_ADVANCED=n
	tristate "Netfilter nf_tables reject support"
	help
	  This option adds the "reject" expression that you can use to
	  explicitly deny disallowed traffic and notify the sender via a
	  TCP reset or an ICMP error message.

config NFT_REJECT_INET
	depends on NF_TABLES_INET
	default NFT_REJECT
	tristate

config NFT_COMPAT
	depends on NETFILTER_XTABLES
	tristate "Netfilter x_tables over nf_tables module"
	help
	  This is required if you intend to use any of the existing
	  x_tables match/target extensions over the nf_tables
	  framework.

config NFT_HASH
	tristate "Netfilter nf_tables hash module"
	help
	  This option adds the "hash" expression that you can use to perform
	  a hash operation on registers.

config NFT_FIB
	tristate

config NFT_FIB_INET
	depends on NF_TABLES_INET
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables fib inet support"
	help
	  This option allows using the FIB expression from the inet table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

config NFT_XFRM
	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
	depends on XFRM
	help
	  This option adds an expression that you can use to extract properties
	  of a packet's security association.

config NFT_SOCKET
	tristate "Netfilter nf_tables socket match support"
	select NF_SOCKET_IPV4
	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
	help
	  This option allows matching for the presence or absence of a
	  corresponding socket and its attributes.

config NFT_OSF
	tristate "Netfilter nf_tables passive OS fingerprint support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_OSF
	help
	  This option allows matching packets from a specific OS.

config NFT_TPROXY
	tristate "Netfilter nf_tables tproxy support"
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
	select NF_TPROXY_IPV4
	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
	help
	  This makes transparent proxy support available in nftables.

config NFT_SYNPROXY
	tristate "Netfilter nf_tables SYNPROXY expression support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY expression allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.
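Added example, not kernel code and not part of this Kconfig: a userspace model of the SYN cookie encoding that SYNPROXY builds on, showing why the proxy needs no per-SYN state and how a stale or tampered cookie is rejected. The cookie layout (first hash plus client ISN, an 8-bit time counter in the top byte, a second hash plus MSS index in the low 24 bits) and the two-tick validity window follow Linux's secure_tcp_syn_cookie; SipHash-2-4 as the keyed hash, the four-entry MSS table, a counter in minutes supplied by the caller, and the names `syncookie_make` and `syncookie_check` are assumptions of this example, and net/ipv4/syncookies.c differs in those details.

```c
/*
 * SYN cookie make/check. Added example, not the kernel's code (Linux's
 * net/ipv4/syncookies.c uses a different keyed hash and MSS table).
 * Keyed hash: SipHash-2-4 (assumption). Layout, as in Linux:
 *   cookie = H0(flow) + isn + (count << 24) + ((H1(flow, count) + mss_idx) & 0xffffff)
 * The server keeps no per-SYN state; count and MSS are recovered from the
 * cookie the client echoes back (its ACK number minus one).
 */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define ROTL64(x, b) (((x) << (b)) | ((x) >> (64 - (b))))
#define SIPROUND() do {                                                \
	v0 += v1; v1 = ROTL64(v1, 13); v1 ^= v0; v0 = ROTL64(v0, 32);  \
	v2 += v3; v3 = ROTL64(v3, 16); v3 ^= v2;                       \
	v0 += v3; v3 = ROTL64(v3, 21); v3 ^= v0;                       \
	v2 += v1; v1 = ROTL64(v1, 17); v1 ^= v2; v2 = ROTL64(v2, 32);  \
} while (0)

/* SipHash-2-4 over 'len' bytes with a 128-bit key (words loaded in host order). */
static uint64_t siphash24(const uint8_t *in, size_t len, const uint64_t key[2])
{
	uint64_t v0 = key[0] ^ 0x736f6d6570736575ULL, v1 = key[1] ^ 0x646f72616e646f6dULL;
	uint64_t v2 = key[0] ^ 0x6c7967656e657261ULL, v3 = key[1] ^ 0x7465646279746573ULL;
	uint64_t b = (uint64_t)len << 56, m;
	size_t i;

	for (i = 0; i + 8 <= len; i += 8) {
		memcpy(&m, in + i, 8);
		v3 ^= m; SIPROUND(); SIPROUND(); v0 ^= m;
	}
	for (; i < len; i++)
		b |= (uint64_t)in[i] << (8 * (i % 8));
	v3 ^= b; SIPROUND(); SIPROUND(); v0 ^= b;
	v2 ^= 0xff;
	SIPROUND(); SIPROUND(); SIPROUND(); SIPROUND();
	return v0 ^ v1 ^ v2 ^ v3;
}

struct flow4 { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Two secrets; constructed constants here, random and rotated in practice. */
static const uint64_t syncookie_key[2][2] = {
	{ 0x0123456789abcdefULL, 0xfedcba9876543210ULL },
	{ 0x1f2e3d4c5b6a7988ULL, 0x7a6b5c4d3e2f1a09ULL },
};

/* MSS values a cookie can carry; only the table index is encoded. */
static const uint16_t mss_table[] = { 536, 1300, 1440, 1460 };
#define MSS_ENTRIES (sizeof mss_table / sizeof mss_table[0])
#define COOKIE_MAX_AGE 2      /* counter ticks (minutes here) a cookie stays valid */

static uint32_t cookie_hash(const struct flow4 *f, uint32_t count, int which)
{
	uint8_t buf[16];
	memcpy(buf,      &f->saddr, 4); memcpy(buf + 4,  &f->daddr, 4);
	memcpy(buf + 8,  &f->sport, 2); memcpy(buf + 10, &f->dport, 2);
	memcpy(buf + 12, &count, 4);
	return (uint32_t)siphash24(buf, sizeof buf, syncookie_key[which]);
}

/* Largest table entry not exceeding the peer's advertised MSS. */
static uint32_t mss_index(uint16_t mss)
{
	uint32_t idx = 0;
	for (uint32_t i = 1; i < MSS_ENTRIES; i++)
		if (mss_table[i] <= mss)
			idx = i;
	return idx;
}

/* SYN-ACK sequence number for a SYN carrying client ISN 'isn'. */
uint32_t syncookie_make(const struct flow4 *f, uint32_t isn, uint32_t minutes, uint16_t mss)
{
	uint32_t count = minutes & 0xff;
	return cookie_hash(f, 0, 0) + isn + (count << 24) +
	       ((cookie_hash(f, count, 1) + mss_index(mss)) & 0xffffff);
}

/* Validate the cookie echoed in the final ACK. Returns the MSS it encodes, or 0 if rejected. */
uint16_t syncookie_check(const struct flow4 *f, uint32_t isn, uint32_t cookie, uint32_t minutes)
{
	cookie -= cookie_hash(f, 0, 0) + isn;
	uint32_t count = cookie >> 24;
	if (((minutes - count) & 0xff) >= COOKIE_MAX_AGE)
		return 0;                                   /* too old, or a forged counter */
	uint32_t idx = (cookie - cookie_hash(f, count, 1)) & 0xffffff;
	return idx < MSS_ENTRIES ? mss_table[idx] : 0;     /* wrong key/flow lands outside the table */
}

int main(void)
{
	struct flow4 f = { 0x0A000001u, 0xCB007101u, 40000, 443 };   /* constructed client -> server */
	uint32_t isn = 0x12345678u, c = syncookie_make(&f, isn, 100, 1460);
	printf("cookie %08x; now: %u, two minutes later: %u, tampered: %u\n", c,
	       syncookie_check(&f, isn, c, 100), syncookie_check(&f, isn, c, 102),
	       syncookie_check(&f, isn, c + 1, 100));
	return 0;
}
```

A SYN flood against this scheme costs two hash computations per SYN and no memory; a connection only comes into existence when an ACK arrives whose cookie passes the check, which is the point at which SYNPROXY hands the already-established connection to the real server. Everything that would normally live in a SYN backlog entry has to be squeezed into the 32-bit cookie, which is why only a handful of MSS values and none of the other TCP options survive the round trip.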

if NF_TABLES_NETDEV

config NF_DUP_NETDEV
	tristate "Netfilter packet duplication support"
	help
	  This option enables the generic packet duplication infrastructure
	  for Netfilter.

config NFT_DUP_NETDEV
	tristate "Netfilter nf_tables netdev packet duplication support"
	select NF_DUP_NETDEV
	help
	  This option enables packet duplication for the "netdev" family.

config NFT_FWD_NETDEV
	tristate "Netfilter nf_tables netdev packet forwarding support"
	select NF_DUP_NETDEV
	help
	  This option enables packet forwarding for the "netdev" family.

config NFT_FIB_NETDEV
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables netdev fib lookups support"
	help
	  This option allows using the FIB expression from the netdev table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

config NFT_REJECT_NETDEV
	depends on NFT_REJECT_IPV4
	depends on NFT_REJECT_IPV6
	tristate "Netfilter nf_tables netdev REJECT support"
	help
	  This option enables the REJECT support from the netdev table.
	  The return packet generation will be delegated to the IPv4
	  or IPv6 ICMP or TCP RST implementation depending on the
	  protocol of the packet.

endif # NF_TABLES_NETDEV

endif # NF_TABLES

config NF_FLOW_TABLE_INET
	tristate "Netfilter flow table mixed IPv4/IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table mixed IPv4/IPv6 support.

	  To compile it as a module, choose M here.

config NF_FLOW_TABLE
	tristate "Netfilter flow table module"
	depends on NETFILTER_INGRESS
	depends on NF_CONNTRACK
	depends on NF_TABLES
	help
	  This option adds the flow table core infrastructure.

	  To compile it as a module, choose M here.

config NF_FLOW_TABLE_PROCFS
	bool "Supply flow table statistics in procfs"
	depends on NF_FLOW_TABLE
	depends on PROC_FS
	help
	  This option enables the flow table offload statistics
	  to be shown in procfs under net/netfilter/nf_flowtable.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

config NETFILTER_XTABLES_COMPAT
	bool "Netfilter Xtables 32bit support"
	depends on COMPAT
	help
	  This option provides a translation layer to run 32bit arp,ip(6),ebtables
	  binaries on 64bit kernels.

	  If unsure, say N.

config NETFILTER_XTABLES_LEGACY
	bool "Netfilter legacy tables support"
	depends on !PREEMPT_RT
	help
	  Say Y here if you still require support for legacy tables. This is
	  required by the legacy tools (iptables-legacy) and is not needed if
	  you use iptables over nftables (iptables-nft).
	  Legacy support is not limited to IP; it also includes EBTABLES and
	  ARPTABLES.

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds the "MARK" target and "mark" match.

	  Netfilter mark matching allows you to match packets based on the
	  "nfmark" value in the packet.
	  The target allows you to create rules in the "mangle" table which alter
	  the netfilter mark (nfmark) field associated with the packet.

	  Prior to routing, the nfmark can influence the routing method and can
	  also be used by other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds the "CONNMARK" target and "connmark" match.

	  Netfilter allows you to store a mark value per connection (a.k.a.
	  ctmark), similarly to the packet mark (nfmark). Using this
	  target and match, you can set and match on this mark.

config NETFILTER_XT_SET
	tristate 'set target and match support'
	depends on IP_SET
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "SET" target and "set" match.

	  Using this target and match, you can add/delete and match
	  elements in the sets created by ipset(8).

	  To compile it as a module, choose M here.  If unsure, say N.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_AUDIT
	tristate "AUDIT target support"
	depends on AUDIT
	depends on NETFILTER_ADVANCED
	help
	  This option adds an 'AUDIT' target, which can be used to create
	  audit records for packets dropped/accepted.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table to work around buggy DHCP clients in virtualized environments.

	  Some old DHCP clients drop packets because they are not aware
	  that the checksum would normally be offloaded to hardware and
	  thus should be considered valid.
	  This target can be used to fill in the checksum using iptables
	  when such packets are sent via a virtual network device.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked).  This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow you to increment and set the hoplimit value of
	  the header to arbitrary values.  This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_HMARK
	tristate '"HMARK" target support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "HMARK" target.

	  The target allows you to create rules in the "raw" and "mangle" tables
	  which set the skbuff mark by means of a hash calculation within a given
	  range. The nfmark can influence the routing method and can also be used
	  by other subsystems to change their behaviour.

	  To compile it as a module, choose M here.  If unsure, say N.
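Added example, not the xt_HMARK source and not part of this Kconfig: a userspace version of hashing a flow into a mark range, the operation the HMARK help text describes for the skbuff mark. It uses the jhash_3words construction from include/linux/jhash.h with a secret initval so that a peer cannot steer its flows onto a chosen mark; the canonical ordering of the two endpoints (so that both directions of a connection land on the same mark and, say, the same policy route), the IPv4-only 5-tuple, the `struct hmark_cfg` fields and the name `hmark_flow` are this example's own choices.

```c
/*
 * Flow hash into a mark range. Added example, not the xt_HMARK code:
 * hash the flow with a secret, reduce modulo a range, add an offset,
 * with both directions of a flow folded onto one mark. IPv4 only
 * (assumption). jhash_3words follows include/linux/jhash.h.
 */
#include <stdint.h>
#include <stdio.h>

#define JHASH_INITVAL 0xdeadbeef

static inline uint32_t rol32(uint32_t w, unsigned s)
{
	return (w << s) | (w >> (32 - s));
}

/* Bob Jenkins' lookup3 final mix over three words, as the kernel's jhash_3words does it. */
static uint32_t jhash_3words(uint32_t a, uint32_t b, uint32_t c, uint32_t initval)
{
	uint32_t iv = initval + JHASH_INITVAL + (3 << 2);
	a += iv; b += iv; c += iv;
	c ^= b; c -= rol32(b, 14);
	a ^= c; a -= rol32(c, 11);
	b ^= a; b -= rol32(a, 25);
	c ^= b; c -= rol32(b, 16);
	a ^= c; a -= rol32(c, 4);
	b ^= a; b -= rol32(a, 14);
	c ^= b; c -= rol32(b, 24);
	return c;
}

struct hmark_cfg {
	uint32_t rnd;      /* secret: without it a peer could pick flows that all hash alike */
	uint32_t modulus;  /* number of distinct marks to spread flows over */
	uint32_t offset;   /* first mark value, so marks are offset .. offset+modulus-1 */
};

/* Mark for a flow; the reverse direction of the same flow yields the same mark. */
uint32_t hmark_flow(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport,
		    uint8_t proto, const struct hmark_cfg *cfg)
{
	uint32_t lo = src, hi = dst;
	uint16_t plo = sport, phi = dport;

	/* canonical order: the (address, port) endpoint that sorts lower goes first */
	if (src > dst || (src == dst && sport > dport)) {
		lo = dst; hi = src; plo = dport; phi = sport;
	}
	uint32_t h = jhash_3words(lo, hi, ((uint32_t)plo << 16) | phi, cfg->rnd ^ proto);
	return h % cfg->modulus + cfg->offset;
}

int main(void)
{
	struct hmark_cfg cfg = { 0x5eed1234u, 4, 100 };   /* constructed: 4 marks, 100..103 */
	uint32_t fwd = hmark_flow(0x0A000005u, 0xCB007101u, 51000, 443, 6, &cfg);
	uint32_t rev = hmark_flow(0xCB007101u, 0x0A000005u, 443, 51000, 6, &cfg);
	printf("forward mark %u, reverse mark %u\n", fwd, rev);
	return 0;
}
```

With the same modulus and offset on both a forward and a return path, the symmetry is what lets the mark drive stateless decisions (policy routing, link selection) consistently for a whole connection; change the secret and every flow moves to a fresh, unpredictable mark.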

config NETFILTER_XT_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds the `IDLETIMER' target.  Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added.  When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example.  Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds/leds-class.rst

config NETFILTER_XT_TARGET_LOG
	tristate "LOG target support"
	select NF_LOG_SYSLOG
	select NF_LOG_IPV6 if IP6_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.
964 965config NETFILTER_XT_TARGET_MARK 966 tristate '"MARK" target support' 967 depends on NETFILTER_ADVANCED 968 select NETFILTER_XT_MARK 969 help 970 This is a backwards-compat option for the user's convenience 971 (e.g. when running oldconfig). It selects 972 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 973 974config NETFILTER_XT_NAT 975 tristate '"SNAT and DNAT" targets support' 976 depends on NF_NAT 977 help 978 This option enables the SNAT and DNAT targets. 979 980 To compile it as a module, choose M here. If unsure, say N. 981 982config NETFILTER_XT_TARGET_NETMAP 983 tristate '"NETMAP" target support' 984 depends on NF_NAT 985 help 986 NETMAP is an implementation of static 1:1 NAT mapping of network 987 addresses. It maps the network address part, while keeping the host 988 address part intact. 989 990 To compile it as a module, choose M here. If unsure, say N. 991 992config NETFILTER_XT_TARGET_NFLOG 993 tristate '"NFLOG" target support' 994 default m if NETFILTER_ADVANCED=n 995 select NETFILTER_NETLINK_LOG 996 help 997 This option enables the NFLOG target, which allows to LOG 998 messages through nfnetlink_log. 999 1000 To compile it as a module, choose M here. If unsure, say N. 1001 1002config NETFILTER_XT_TARGET_NFQUEUE 1003 tristate '"NFQUEUE" target Support' 1004 depends on NETFILTER_ADVANCED 1005 select NETFILTER_NETLINK_QUEUE 1006 help 1007 This target replaced the old obsolete QUEUE target. 1008 1009 As opposed to QUEUE, it supports 65535 different queues, 1010 not just one. 1011 1012 To compile it as a module, choose M here. If unsure, say N. 
1013 1014config NETFILTER_XT_TARGET_NOTRACK 1015 tristate '"NOTRACK" target support (DEPRECATED)' 1016 depends on NF_CONNTRACK 1017 depends on IP_NF_RAW || IP6_NF_RAW 1018 depends on NETFILTER_ADVANCED 1019 select NETFILTER_XT_TARGET_CT 1020 1021config NETFILTER_XT_TARGET_RATEEST 1022 tristate '"RATEEST" target support' 1023 depends on NETFILTER_ADVANCED 1024 help 1025 This option adds a `RATEEST' target, which allows to measure 1026 rates similar to TC estimators. The `rateest' match can be 1027 used to match on the measured rates. 1028 1029 To compile it as a module, choose M here. If unsure, say N. 1030 1031config NETFILTER_XT_TARGET_REDIRECT 1032 tristate "REDIRECT target support" 1033 depends on NF_NAT 1034 select NF_NAT_REDIRECT 1035 help 1036 REDIRECT is a special case of NAT: all incoming connections are 1037 mapped onto the incoming interface's address, causing the packets to 1038 come to the local machine instead of passing through. This is 1039 useful for transparent proxies. 1040 1041 To compile it as a module, choose M here. If unsure, say N. 1042 1043config NETFILTER_XT_TARGET_MASQUERADE 1044 tristate "MASQUERADE target support" 1045 depends on NF_NAT 1046 default m if NETFILTER_ADVANCED=n 1047 select NF_NAT_MASQUERADE 1048 help 1049 Masquerading is a special case of NAT: all outgoing connections are 1050 changed to seem to come from a particular interface's address, and 1051 if the interface goes down, those connections are lost. This is 1052 only useful for dialup accounts with dynamic IP address (ie. your IP 1053 address will be different on next dialup). 1054 1055 To compile it as a module, choose M here. If unsure, say N. 
1056 1057config NETFILTER_XT_TARGET_TEE 1058 tristate '"TEE" - packet cloning to alternate destination' 1059 depends on NETFILTER_ADVANCED 1060 depends on !NF_CONNTRACK || NF_CONNTRACK 1061 depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES 1062 select NF_DUP_IPV4 1063 select NF_DUP_IPV6 if IP6_NF_IPTABLES 1064 help 1065 This option adds a "TEE" target with which a packet can be cloned and 1066 this clone be rerouted to another nexthop. 1067 1068config NETFILTER_XT_TARGET_TPROXY 1069 tristate '"TPROXY" target transparent proxying support' 1070 depends on NETFILTER_XTABLES 1071 depends on NETFILTER_ADVANCED 1072 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1073 depends on IP_NF_MANGLE || NFT_COMPAT 1074 select NF_DEFRAG_IPV4 1075 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 1076 select NF_TPROXY_IPV4 1077 select NF_TPROXY_IPV6 if IP6_NF_IPTABLES 1078 help 1079 This option adds a `TPROXY' target, which is somewhat similar to 1080 REDIRECT. It can only be used in the mangle table and is useful 1081 to redirect traffic to a transparent proxy. It does _not_ depend 1082 on Netfilter connection tracking and NAT, unlike REDIRECT. 1083 For it to work you will have to configure certain iptables rules 1084 and use policy routing. For more information on how to set it up 1085 see Documentation/networking/tproxy.rst. 1086 1087 To compile it as a module, choose M here. If unsure, say N. 1088 1089config NETFILTER_XT_TARGET_TRACE 1090 tristate '"TRACE" target support' 1091 depends on IP_NF_RAW || IP6_NF_RAW 1092 depends on NETFILTER_ADVANCED 1093 help 1094 The TRACE target allows you to mark packets so that the kernel 1095 will log every rule which match the packets as those traverse 1096 the tables, chains, rules. 1097 1098 If you want to compile it as a module, say M here and read 1099 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 
1100 1101config NETFILTER_XT_TARGET_SECMARK 1102 tristate '"SECMARK" target support' 1103 depends on NETWORK_SECMARK 1104 default m if NETFILTER_ADVANCED=n 1105 help 1106 The SECMARK target allows security marking of network 1107 packets, for use with security subsystems. 1108 1109 To compile it as a module, choose M here. If unsure, say N. 1110 1111config NETFILTER_XT_TARGET_TCPMSS 1112 tristate '"TCPMSS" target support' 1113 default m if NETFILTER_ADVANCED=n 1114 help 1115 This option adds a `TCPMSS' target, which allows you to alter the 1116 MSS value of TCP SYN packets, to control the maximum size for that 1117 connection (usually limiting it to your outgoing interface's MTU 1118 minus 40). 1119 1120 This is used to overcome criminally braindead ISPs or servers which 1121 block ICMP Fragmentation Needed packets. The symptoms of this 1122 problem are that everything works fine from your Linux 1123 firewall/router, but machines behind it can never exchange large 1124 packets: 1125 1) Web browsers connect, then hang with no data received. 1126 2) Small mail works fine, but large emails hang. 1127 3) ssh works fine, but scp hangs after initial handshaking. 1128 1129 Workaround: activate this option and add a rule to your firewall 1130 configuration like: 1131 1132 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ 1133 -j TCPMSS --clamp-mss-to-pmtu 1134 1135 To compile it as a module, choose M here. If unsure, say N. 1136 1137config NETFILTER_XT_TARGET_TCPOPTSTRIP 1138 tristate '"TCPOPTSTRIP" target support' 1139 depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT 1140 depends on NETFILTER_ADVANCED 1141 help 1142 This option adds a "TCPOPTSTRIP" target, which allows you to strip 1143 TCP options from TCP packets. 
1144 1145# alphabetically ordered list of matches 1146 1147comment "Xtables matches" 1148 1149config NETFILTER_XT_MATCH_ADDRTYPE 1150 tristate '"addrtype" address type match support' 1151 default m if NETFILTER_ADVANCED=n 1152 help 1153 This option allows you to match what routing thinks of an address, 1154 eg. UNICAST, LOCAL, BROADCAST, ... 1155 1156 If you want to compile it as a module, say M here and read 1157 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1158 1159config NETFILTER_XT_MATCH_BPF 1160 tristate '"bpf" match support' 1161 depends on NETFILTER_ADVANCED 1162 help 1163 BPF matching applies a linux socket filter to each packet and 1164 accepts those for which the filter returns non-zero. 1165 1166 To compile it as a module, choose M here. If unsure, say N. 1167 1168config NETFILTER_XT_MATCH_CGROUP 1169 tristate '"control group" match support' 1170 depends on NETFILTER_ADVANCED 1171 depends on CGROUPS 1172 select SOCK_CGROUP_DATA 1173 help 1174 Socket/process control group matching allows you to match locally 1175 generated packets based on which net_cls control group processes 1176 belong to. 1177 1178config NETFILTER_XT_MATCH_CLUSTER 1179 tristate '"cluster" match support' 1180 depends on NF_CONNTRACK 1181 depends on NETFILTER_ADVANCED 1182 help 1183 This option allows you to build work-load-sharing clusters of 1184 network servers/stateful firewalls without having a dedicated 1185 load-balancing router/server/switch. Basically, this match returns 1186 true when the packet must be handled by this cluster node. Thus, 1187 all nodes see all packets and this match decides which node handles 1188 what packets. The work-load sharing algorithm is based on source 1189 address hashing. 1190 1191 If you say Y or M here, try `iptables -m cluster --help` for 1192 more information. 
1193 1194config NETFILTER_XT_MATCH_COMMENT 1195 tristate '"comment" match support' 1196 depends on NETFILTER_ADVANCED 1197 help 1198 This option adds a `comment' dummy-match, which allows you to put 1199 comments in your iptables ruleset. 1200 1201 If you want to compile it as a module, say M here and read 1202 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1203 1204config NETFILTER_XT_MATCH_CONNBYTES 1205 tristate '"connbytes" per-connection counter match support' 1206 depends on NF_CONNTRACK 1207 depends on NETFILTER_ADVANCED 1208 help 1209 This option adds a `connbytes' match, which allows you to match the 1210 number of bytes and/or packets for each direction within a connection. 1211 1212 If you want to compile it as a module, say M here and read 1213 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1214 1215config NETFILTER_XT_MATCH_CONNLABEL 1216 tristate '"connlabel" match support' 1217 select NF_CONNTRACK_LABELS 1218 depends on NF_CONNTRACK 1219 depends on NETFILTER_ADVANCED 1220 help 1221 This match allows you to test and assign userspace-defined labels names 1222 to a connection. The kernel only stores bit values - mapping 1223 names to bits is done by userspace. 1224 1225 Unlike connmark, more than 32 flag bits may be assigned to a 1226 connection simultaneously. 1227 1228config NETFILTER_XT_MATCH_CONNLIMIT 1229 tristate '"connlimit" match support' 1230 depends on NF_CONNTRACK 1231 depends on NETFILTER_ADVANCED 1232 select NETFILTER_CONNCOUNT 1233 help 1234 This match allows you to match against the number of parallel 1235 connections to a server per client IP address (or address block). 1236 1237config NETFILTER_XT_MATCH_CONNMARK 1238 tristate '"connmark" connection mark match support' 1239 depends on NF_CONNTRACK 1240 depends on NETFILTER_ADVANCED 1241 select NETFILTER_XT_CONNMARK 1242 help 1243 This is a backwards-compat option for the user's convenience 1244 (e.g. when running oldconfig). 
It selects 1245 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 1246 1247config NETFILTER_XT_MATCH_CONNTRACK 1248 tristate '"conntrack" connection tracking match support' 1249 depends on NF_CONNTRACK 1250 default m if NETFILTER_ADVANCED=n 1251 help 1252 This is a general conntrack match module, a superset of the state match. 1253 1254 It allows matching on additional conntrack information, which is 1255 useful in complex configurations, such as NAT gateways with multiple 1256 internet links or tunnels. 1257 1258 To compile it as a module, choose M here. If unsure, say N. 1259 1260config NETFILTER_XT_MATCH_CPU 1261 tristate '"cpu" match support' 1262 depends on NETFILTER_ADVANCED 1263 help 1264 CPU matching allows you to match packets based on the CPU 1265 currently handling the packet. 1266 1267 To compile it as a module, choose M here. If unsure, say N. 1268 1269config NETFILTER_XT_MATCH_DCCP 1270 tristate '"dccp" protocol match support (DEPRECATED)' 1271 depends on NETFILTER_ADVANCED 1272 default n 1273 help 1274 With this option enabled, you will be able to use the iptables 1275 `dccp' match in order to match on DCCP source/destination ports 1276 and DCCP flags. 1277 1278 If you want to compile it as a module, say M here and read 1279 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1280 1281config NETFILTER_XT_MATCH_DEVGROUP 1282 tristate '"devgroup" match support' 1283 depends on NETFILTER_ADVANCED 1284 help 1285 This options adds a `devgroup' match, which allows to match on the 1286 device group a network device is assigned to. 1287 1288 To compile it as a module, choose M here. If unsure, say N. 1289 1290config NETFILTER_XT_MATCH_DSCP 1291 tristate '"dscp" and "tos" match support' 1292 depends on NETFILTER_ADVANCED 1293 help 1294 This option adds a `DSCP' match, which allows you to match against 1295 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 
1296 1297 The DSCP field can have any value between 0x0 and 0x3f inclusive. 1298 1299 It will also add a "tos" match, which allows you to match packets 1300 based on the Type Of Service fields of the IPv4 packet (which share 1301 the same bits as DSCP). 1302 1303 To compile it as a module, choose M here. If unsure, say N. 1304 1305config NETFILTER_XT_MATCH_ECN 1306 tristate '"ecn" match support' 1307 depends on NETFILTER_ADVANCED 1308 help 1309 This option adds an "ECN" match, which allows you to match against 1310 the IPv4 and TCP header ECN fields. 1311 1312 To compile it as a module, choose M here. If unsure, say N. 1313 1314config NETFILTER_XT_MATCH_ESP 1315 tristate '"esp" match support' 1316 depends on NETFILTER_ADVANCED 1317 help 1318 This match extension allows you to match a range of SPIs 1319 inside ESP header of IPSec packets. 1320 1321 To compile it as a module, choose M here. If unsure, say N. 1322 1323config NETFILTER_XT_MATCH_HASHLIMIT 1324 tristate '"hashlimit" match support' 1325 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1326 depends on NETFILTER_ADVANCED 1327 help 1328 This option adds a `hashlimit' match. 1329 1330 As opposed to `limit', this match dynamically creates a hash table 1331 of limit buckets, based on your selection of source/destination 1332 addresses and/or ports. 1333 1334 It enables you to express policies like `10kpps for any given 1335 destination address' or `500pps from any given source address' 1336 with a single rule. 1337 1338config NETFILTER_XT_MATCH_HELPER 1339 tristate '"helper" match support' 1340 depends on NF_CONNTRACK 1341 depends on NETFILTER_ADVANCED 1342 help 1343 Helper matching allows you to match packets in dynamic connections 1344 tracked by a conntrack-helper, ie. nf_conntrack_ftp 1345 1346 To compile it as a module, choose M here. If unsure, say Y. 
1347 1348config NETFILTER_XT_MATCH_HL 1349 tristate '"hl" hoplimit/TTL match support' 1350 depends on NETFILTER_ADVANCED 1351 help 1352 HL matching allows you to match packets based on the hoplimit 1353 in the IPv6 header, or the time-to-live field in the IPv4 1354 header of the packet. 1355 1356config NETFILTER_XT_MATCH_IPCOMP 1357 tristate '"ipcomp" match support' 1358 depends on NETFILTER_ADVANCED 1359 help 1360 This match extension allows you to match a range of CPIs(16 bits) 1361 inside IPComp header of IPSec packets. 1362 1363 To compile it as a module, choose M here. If unsure, say N. 1364 1365config NETFILTER_XT_MATCH_IPRANGE 1366 tristate '"iprange" address range match support' 1367 depends on NETFILTER_ADVANCED 1368 help 1369 This option adds a "iprange" match, which allows you to match based on 1370 an IP address range. (Normal iptables only matches on single addresses 1371 with an optional mask.) 1372 1373 If unsure, say M. 1374 1375config NETFILTER_XT_MATCH_IPVS 1376 tristate '"ipvs" match support' 1377 depends on IP_VS 1378 depends on NETFILTER_ADVANCED 1379 depends on NF_CONNTRACK 1380 help 1381 This option allows you to match against IPVS properties of a packet. 1382 1383 If unsure, say N. 1384 1385config NETFILTER_XT_MATCH_L2TP 1386 tristate '"l2tp" match support' 1387 depends on NETFILTER_ADVANCED 1388 default L2TP 1389 help 1390 This option adds an "L2TP" match, which allows you to match against 1391 L2TP protocol header fields. 1392 1393 To compile it as a module, choose M here. If unsure, say N. 1394 1395config NETFILTER_XT_MATCH_LENGTH 1396 tristate '"length" match support' 1397 depends on NETFILTER_ADVANCED 1398 help 1399 This option allows you to match the length of a packet against a 1400 specific value or range of values. 1401 1402 To compile it as a module, choose M here. If unsure, say N. 
1403 1404config NETFILTER_XT_MATCH_LIMIT 1405 tristate '"limit" match support' 1406 depends on NETFILTER_ADVANCED 1407 help 1408 limit matching allows you to control the rate at which a rule can be 1409 matched: mainly useful in combination with the LOG target ("LOG 1410 target support", below) and to avoid some Denial of Service attacks. 1411 1412 To compile it as a module, choose M here. If unsure, say N. 1413 1414config NETFILTER_XT_MATCH_MAC 1415 tristate '"mac" address match support' 1416 depends on NETFILTER_ADVANCED 1417 help 1418 MAC matching allows you to match packets based on the source 1419 Ethernet address of the packet. 1420 1421 To compile it as a module, choose M here. If unsure, say N. 1422 1423config NETFILTER_XT_MATCH_MARK 1424 tristate '"mark" match support' 1425 depends on NETFILTER_ADVANCED 1426 select NETFILTER_XT_MARK 1427 help 1428 This is a backwards-compat option for the user's convenience 1429 (e.g. when running oldconfig). It selects 1430 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 1431 1432config NETFILTER_XT_MATCH_MULTIPORT 1433 tristate '"multiport" Multiple port match support' 1434 depends on NETFILTER_ADVANCED 1435 help 1436 Multiport matching allows you to match TCP or UDP packets based on 1437 a series of source or destination ports: normally a rule can only 1438 match a single range of ports. 1439 1440 To compile it as a module, choose M here. If unsure, say N. 1441 1442config NETFILTER_XT_MATCH_NFACCT 1443 tristate '"nfacct" match support' 1444 depends on NETFILTER_ADVANCED 1445 select NETFILTER_NETLINK_ACCT 1446 help 1447 This option allows you to use the extended accounting through 1448 nfnetlink_acct. 1449 1450 To compile it as a module, choose M here. If unsure, say N. 
1451 1452config NETFILTER_XT_MATCH_OSF 1453 tristate '"osf" Passive OS fingerprint match' 1454 depends on NETFILTER_ADVANCED 1455 select NETFILTER_NETLINK_OSF 1456 help 1457 This option selects the Passive OS Fingerprinting match module 1458 that allows to passively match the remote operating system by 1459 analyzing incoming TCP SYN packets. 1460 1461 Rules and loading software can be downloaded from 1462 http://www.ioremap.net/projects/osf 1463 1464 To compile it as a module, choose M here. If unsure, say N. 1465 1466config NETFILTER_XT_MATCH_OWNER 1467 tristate '"owner" match support' 1468 depends on NETFILTER_ADVANCED 1469 help 1470 Socket owner matching allows you to match locally-generated packets 1471 based on who created the socket: the user or group. It is also 1472 possible to check whether a socket actually exists. 1473 1474config NETFILTER_XT_MATCH_POLICY 1475 tristate 'IPsec "policy" match support' 1476 depends on XFRM 1477 default m if NETFILTER_ADVANCED=n 1478 help 1479 Policy matching allows you to match packets based on the 1480 IPsec policy that was used during decapsulation/will 1481 be used during encapsulation. 1482 1483 To compile it as a module, choose M here. If unsure, say N. 1484 1485config NETFILTER_XT_MATCH_PHYSDEV 1486 tristate '"physdev" match support' 1487 depends on BRIDGE && BRIDGE_NETFILTER 1488 depends on NETFILTER_ADVANCED 1489 help 1490 Physdev packet matching matches against the physical bridge ports 1491 the IP packet arrived on or will leave by. 1492 1493 To compile it as a module, choose M here. If unsure, say N. 1494 1495config NETFILTER_XT_MATCH_PKTTYPE 1496 tristate '"pkttype" packet type match support' 1497 depends on NETFILTER_ADVANCED 1498 help 1499 Packet type matching allows you to match a packet by 1500 its "class", eg. BROADCAST, MULTICAST, ... 1501 1502 Typical usage: 1503 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG 1504 1505 To compile it as a module, choose M here. If unsure, say N. 
1506 1507config NETFILTER_XT_MATCH_QUOTA 1508 tristate '"quota" match support' 1509 depends on NETFILTER_ADVANCED 1510 help 1511 This option adds a `quota' match, which allows to match on a 1512 byte counter. 1513 1514 If you want to compile it as a module, say M here and read 1515 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1516 1517config NETFILTER_XT_MATCH_RATEEST 1518 tristate '"rateest" match support' 1519 depends on NETFILTER_ADVANCED 1520 select NETFILTER_XT_TARGET_RATEEST 1521 help 1522 This option adds a `rateest' match, which allows to match on the 1523 rate estimated by the RATEEST target. 1524 1525 To compile it as a module, choose M here. If unsure, say N. 1526 1527config NETFILTER_XT_MATCH_REALM 1528 tristate '"realm" match support' 1529 depends on NETFILTER_ADVANCED 1530 select IP_ROUTE_CLASSID 1531 help 1532 This option adds a `realm' match, which allows you to use the realm 1533 key from the routing subsystem inside iptables. 1534 1535 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 1536 in tc world. 1537 1538 If you want to compile it as a module, say M here and read 1539 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1540 1541config NETFILTER_XT_MATCH_RECENT 1542 tristate '"recent" match support' 1543 depends on NETFILTER_ADVANCED 1544 help 1545 This match is used for creating one or many lists of recently 1546 used addresses and then matching against that/those list(s). 1547 1548 Short options are available by using 'iptables -m recent -h' 1549 Official Website: <http://snowman.net/projects/ipt_recent/> 1550 1551config NETFILTER_XT_MATCH_SCTP 1552 tristate '"sctp" protocol match support' 1553 depends on NETFILTER_ADVANCED 1554 default IP_SCTP 1555 help 1556 With this option enabled, you will be able to use the 1557 `sctp' match in order to match on SCTP source/destination ports 1558 and SCTP chunk types. 
1559 1560 If you want to compile it as a module, say M here and read 1561 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1562 1563config NETFILTER_XT_MATCH_SOCKET 1564 tristate '"socket" match support' 1565 depends on NETFILTER_XTABLES 1566 depends on NETFILTER_ADVANCED 1567 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1568 select NF_SOCKET_IPV4 1569 select NF_SOCKET_IPV6 if IP6_NF_IPTABLES 1570 select NF_DEFRAG_IPV4 1571 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 1572 help 1573 This option adds a `socket' match, which can be used to match 1574 packets for which a TCP or UDP socket lookup finds a valid socket. 1575 It can be used in combination with the MARK target and policy 1576 routing to implement full featured non-locally bound sockets. 1577 1578 To compile it as a module, choose M here. If unsure, say N. 1579 1580config NETFILTER_XT_MATCH_STATE 1581 tristate '"state" match support' 1582 depends on NF_CONNTRACK 1583 default m if NETFILTER_ADVANCED=n 1584 help 1585 Connection state matching allows you to match packets based on their 1586 relationship to a tracked connection (ie. previous packets). This 1587 is a powerful tool for packet classification. 1588 1589 To compile it as a module, choose M here. If unsure, say N. 1590 1591config NETFILTER_XT_MATCH_STATISTIC 1592 tristate '"statistic" match support' 1593 depends on NETFILTER_ADVANCED 1594 help 1595 This option adds a `statistic' match, which allows you to match 1596 on packets periodically or randomly with a given percentage. 1597 1598 To compile it as a module, choose M here. If unsure, say N. 1599 1600config NETFILTER_XT_MATCH_STRING 1601 tristate '"string" match support' 1602 depends on NETFILTER_ADVANCED 1603 select TEXTSEARCH 1604 select TEXTSEARCH_KMP 1605 select TEXTSEARCH_BM 1606 select TEXTSEARCH_FSM 1607 help 1608 This option adds a `string' match, which allows you to look for 1609 pattern matchings in packets. 1610 1611 To compile it as a module, choose M here. 
If unsure, say N. 1612 1613config NETFILTER_XT_MATCH_TCPMSS 1614 tristate '"tcpmss" match support' 1615 depends on NETFILTER_ADVANCED 1616 help 1617 This option adds a `tcpmss' match, which allows you to examine the 1618 MSS value of TCP SYN packets, which control the maximum packet size 1619 for that connection. 1620 1621 To compile it as a module, choose M here. If unsure, say N. 1622 1623config NETFILTER_XT_MATCH_TIME 1624 tristate '"time" match support' 1625 depends on NETFILTER_ADVANCED 1626 help 1627 This option adds a "time" match, which allows you to match based on 1628 the packet arrival time (at the machine which netfilter is running) 1629 on) or departure time/date (for locally generated packets). 1630 1631 If you say Y here, try `iptables -m time --help` for 1632 more information. 1633 1634 If you want to compile it as a module, say M here. 1635 If unsure, say N. 1636 1637config NETFILTER_XT_MATCH_U32 1638 tristate '"u32" match support' 1639 depends on NETFILTER_ADVANCED 1640 help 1641 u32 allows you to extract quantities of up to 4 bytes from a packet, 1642 AND them with specified masks, shift them by specified amounts and 1643 test whether the results are in any of a set of specified ranges. 1644 The specification of what to extract is general enough to skip over 1645 headers with lengths stored in the packet, as in IP or TCP header 1646 lengths. 1647 1648 Details and examples are in the kernel module source. 1649 1650endif # NETFILTER_XTABLES 1651 1652config GCOV_PROFILE_NETFILTER 1653 bool "Enable GCOV profiling for netfilter" 1654 depends on GCOV_KERNEL 1655 help 1656 Enable GCOV profiling for netfilter to check which functions/lines 1657 are executed. 1658 1659 If unsure, say N. 1660endmenu 1661 1662source "net/netfilter/ipset/Kconfig" 1663 1664source "net/netfilter/ipvs/Kconfig" 1665