xref: /linux/net/netfilter/Kconfig (revision 0fc8f6200d2313278fbf4539bbab74677c685531)

# SPDX-License-Identifier: GPL-2.0-only
menu "Core Netfilter Configuration"
	depends on INET && NETFILTER

config NETFILTER_INGRESS
	bool "Netfilter ingress support"
	default y
	select NET_INGRESS
	help
	  This allows you to classify packets from ingress using the Netfilter
	  infrastructure.

config NETFILTER_EGRESS
	bool "Netfilter egress support"
	default y
	select NET_EGRESS
	help
	  This allows you to classify packets before transmission using the
	  Netfilter infrastructure.

config NETFILTER_SKIP_EGRESS
	def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)

config NETFILTER_NETLINK
	tristate

config NETFILTER_FAMILY_BRIDGE
	bool

config NETFILTER_FAMILY_ARP
	bool

config NETFILTER_BPF_LINK
	def_bool BPF_SYSCALL

config NETFILTER_NETLINK_HOOK
	tristate "Netfilter base hook dump support"
	depends on NETFILTER_ADVANCED
	depends on NF_TABLES
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  to list the base netfilter hooks via NFNETLINK.
	  This is helpful for debugging.

config NETFILTER_NETLINK_ACCT
	tristate "Netfilter NFACCT over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NETFILTER_NETLINK_OSF
	tristate "Netfilter OSF over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for passive OS fingerprint via NFNETLINK.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IPV6 != n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation.  It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_LOG_SYSLOG
	tristate "Syslog packet logging"
	default m if NETFILTER_ADVANCED=n
	help
	  This option enable support for packet logging via syslog.
	  It supports IPv4, IPV6, ARP and common transport protocols such
	  as TCP and UDP.
	  This is a simpler but less flexible logging method compared to
	  CONFIG_NETFILTER_NETLINK_LOG.
	  If both are enabled the backend to use can be configured at run-time
	  by means of per-address-family sysctl tunables.

if NF_CONNTRACK
config NETFILTER_CONNCOUNT
	tristate

config NF_CONNTRACK_MARK
	bool  'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool  'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default y if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool  'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity. Connection tracking zones allow to have multiple
	  connections using the same identity, as long as they are
	  contained in different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_PROCFS
	bool "Supply CT list in procfs (OBSOLETE)"
	depends on PROC_FS
	help
	This option enables for the list of known conntrack entries
	to be shown in procfs under net/netfilter/nf_conntrack. This
	is considered obsolete in favor of using the conntrack(8)
	tool which uses Netlink.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMEOUT
	bool  'Connection tracking timeout'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timeout
	  extension. This allows you to attach timeout policies to flow
	  via the CT target.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
	bool  'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start-time and to obtain
	  the flow-stop time (once it has been destroyed) via Connection
	  tracking events.

	  If unsure, say `N'.

config NF_CONNTRACK_LABELS
	bool "Connection tracking labels"
	help
	  This option enables support for assigning user-defined flag bits
	  to connection tracking entries.  It can be used with xtables connlabel
	  match and the nftables ct expression.

config NF_CONNTRACK_OVS
	bool

config NF_CT_PROTO_GRE
	bool

config NF_CT_PROTO_SCTP
	bool 'SCTP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	select NET_CRC32C
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If unsure, say Y.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_BROADCAST
	tristate

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This make them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This make them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support"
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the nf_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper, this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface

config NF_CT_NETLINK_TIMEOUT
	tristate  'Connection tracking timeout tuning via Netlink'
	select NETFILTER_NETLINK
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK_TIMEOUT
	help
	  This option enables support for connection tracking timeout
	  fine-grain tuning. This allows you to attach specific timeout
	  policies to flows, instead of using the global timeout policy.

	  If unsure, say `N'.

config NF_CT_NETLINK_HELPER
	tristate 'Connection tracking helpers in user-space via Netlink'
	select NETFILTER_NETLINK
	depends on NF_CT_NETLINK
	depends on NETFILTER_NETLINK_QUEUE
	depends on NETFILTER_NETLINK_GLUE_CT
	depends on NETFILTER_ADVANCED
	help
	  This option enables the user-space connection tracking helpers
	  infrastructure.

	  If unsure, say `N'.

config NETFILTER_NETLINK_GLUE_CT
	bool "NFQUEUE and NFLOG integration with Connection Tracking"
	default n
	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
	help
	  If this option is enabled, NFQUEUE and NFLOG can include
	  Connection Tracking information together with the packet is
	  the enqueued via NFNETLINK.

config NF_NAT
	tristate "Network Address Translation support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  The NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables, ip6tables or nft.

config NF_NAT_AMANDA
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_FTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_SIP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

config NF_NAT_TFTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_REDIRECT
	bool

config NF_NAT_MASQUERADE
	bool

config NF_NAT_OVS
	bool

config NETFILTER_SYNPROXY
	tristate

endif # NF_CONNTRACK

config NF_TABLES
	select NETFILTER_NETLINK
	select NET_CRC32C
	tristate "Netfilter nf_tables support"
	help
	  nftables is the new packet classification framework that intends to
	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
	  provides a pseudo-state machine with an extensible instruction-set
	  (also known as expressions) that the userspace 'nft' utility
	  (https://www.netfilter.org/projects/nftables) uses to build the
	  rule-set. It also comes with the generic set infrastructure that
	  allows you to construct mappings between matchings and actions
	  for performance lookups.

	  To compile it as a module, choose M here.

if NF_TABLES
config NF_TABLES_INET
	depends on IPV6
	select NF_TABLES_IPV4
	select NF_TABLES_IPV6
	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
	help
	  This option enables support for a mixed IPv4/IPv6 "inet" table.

config NF_TABLES_NETDEV
	bool "Netfilter nf_tables netdev tables support"
	help
	  This option enables support for the "netdev" table.

config NFT_NUMGEN
	tristate "Netfilter nf_tables number generator module"
	help
	  This option adds the number generator expression used to perform
	  incremental counting and random numbers bound to a upper limit.

config NFT_CT
	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables conntrack module"
	help
	  This option adds the "ct" expression that you can use to match
	  connection tracking information such as the flow state.

config NFT_EXTHDR_DCCP
	bool "Netfilter nf_tables exthdr DCCP support (DEPRECATED)"
	default n
	help
	  This option adds support for matching on DCCP extension headers.

config NFT_FLOW_OFFLOAD
	depends on NF_CONNTRACK && NF_FLOW_TABLE
	tristate "Netfilter nf_tables hardware flow offload module"
	help
	  This option adds the "flow_offload" expression that you can use to
	  choose what flows are placed into the hardware.

config NFT_CONNLIMIT
	tristate "Netfilter nf_tables connlimit module"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	help
	  This option adds the "connlimit" expression that you can use to
	  ratelimit rule matchings per connections.

config NFT_LOG
	tristate "Netfilter nf_tables log module"
	help
	  This option adds the "log" expression that you can use to log
	  packets matching some criteria.

config NFT_LIMIT
	tristate "Netfilter nf_tables limit module"
	help
	  This option adds the "limit" expression that you can use to
	  ratelimit rule matchings.

config NFT_MASQ
	depends on NF_CONNTRACK
	depends on NF_NAT
	select NF_NAT_MASQUERADE
	tristate "Netfilter nf_tables masquerade support"
	help
	  This option adds the "masquerade" expression that you can use
	  to perform NAT in the masquerade flavour.

config NFT_REDIR
	depends on NF_CONNTRACK
	depends on NF_NAT
	tristate "Netfilter nf_tables redirect support"
	select NF_NAT_REDIRECT
	help
	  This options adds the "redirect" expression that you can use
	  to perform NAT in the redirect flavour.

config NFT_NAT
	depends on NF_CONNTRACK
	select NF_NAT
	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
	tristate "Netfilter nf_tables nat module"
	help
	  This option adds the "nat" expression that you can use to perform
	  typical Network Address Translation (NAT) packet transformations.

config NFT_TUNNEL
	tristate "Netfilter nf_tables tunnel module"
	help
	  This option adds the "tunnel" expression that you can use to set
	  tunneling policies.

config NFT_QUEUE
	depends on NETFILTER_NETLINK_QUEUE
	tristate "Netfilter nf_tables queue module"
	help
	  This is required if you intend to use the userspace queueing
	  infrastructure (also known as NFQUEUE) from nftables.

config NFT_QUOTA
	tristate "Netfilter nf_tables quota module"
	help
	  This option adds the "quota" expression that you can use to match
	  enforce bytes quotas.

config NFT_REJECT
	default m if NETFILTER_ADVANCED=n
	tristate "Netfilter nf_tables reject support"
	help
	  This option adds the "reject" expression that you can use to
	  explicitly deny and notify via TCP reset/ICMP informational errors
	  unallowed traffic.

config NFT_REJECT_INET
	depends on NF_TABLES_INET
	default NFT_REJECT
	tristate

config NFT_COMPAT
	depends on NETFILTER_XTABLES
	tristate "Netfilter x_tables over nf_tables module"
	help
	  This is required if you intend to use any of existing
	  x_tables match/target extensions over the nf_tables
	  framework.

config NFT_HASH
	tristate "Netfilter nf_tables hash module"
	help
	  This option adds the "hash" expression that you can use to perform
	  a hash operation on registers.

config NFT_FIB
	tristate

config NFT_FIB_INET
	depends on NF_TABLES_INET
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables fib inet support"
	help
	  This option allows using the FIB expression from the inet table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

config NFT_XFRM
	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
	depends on XFRM
	help
	  This option adds an expression that you can use to extract properties
	  of a packets security association.

config NFT_SOCKET
	tristate "Netfilter nf_tables socket match support"
	select NF_SOCKET_IPV4
	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
	help
	  This option allows matching for the presence or absence of a
	  corresponding socket and its attributes.

config NFT_OSF
	tristate "Netfilter nf_tables passive OS fingerprint support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_OSF
	help
	  This option allows matching packets from an specific OS.

config NFT_TPROXY
	tristate "Netfilter nf_tables tproxy support"
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
	select NF_TPROXY_IPV4
	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
	help
	  This makes transparent proxy support available in nftables.

config NFT_SYNPROXY
	tristate "Netfilter nf_tables SYNPROXY expression support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY expression allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

if NF_TABLES_NETDEV

config NF_DUP_NETDEV
	tristate "Netfilter packet duplication support"
	help
	  This option enables the generic packet duplication infrastructure
	  for Netfilter.

config NFT_DUP_NETDEV
	tristate "Netfilter nf_tables netdev packet duplication support"
	select NF_DUP_NETDEV
	help
	  This option enables packet duplication for the "netdev" family.

config NFT_FWD_NETDEV
	tristate "Netfilter nf_tables netdev packet forwarding support"
	select NF_DUP_NETDEV
	help
	  This option enables packet forwarding for the "netdev" family.

config NFT_FIB_NETDEV
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables netdev fib lookups support"
	help
	  This option allows using the FIB expression from the netdev table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

config NFT_REJECT_NETDEV
	depends on NFT_REJECT_IPV4
	depends on NFT_REJECT_IPV6
	tristate "Netfilter nf_tables netdev REJECT support"
	help
	  This option enables the REJECT support from the netdev table.
	  The return packet generation will be delegated to the IPv4
	  or IPv6 ICMP or TCP RST implementation depending on the
	  protocol of the packet.

endif # NF_TABLES_NETDEV

endif # NF_TABLES

config NF_FLOW_TABLE_INET
	tristate "Netfilter flow table mixed IPv4/IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table mixed IPv4/IPv6 support.

	  To compile it as a module, choose M here.

config NF_FLOW_TABLE
	tristate "Netfilter flow table module"
	depends on NETFILTER_INGRESS
	depends on NF_CONNTRACK
	depends on NF_TABLES
	help
	  This option adds the flow table core infrastructure.

	  To compile it as a module, choose M here.

config NF_FLOW_TABLE_PROCFS
	bool "Supply flow table statistics in procfs"
	depends on NF_FLOW_TABLE
	depends on PROC_FS
	help
	  This option enables for the flow table offload statistics
	  to be shown in procfs under net/netfilter/nf_flowtable.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

config NETFILTER_XTABLES_COMPAT
	bool "Netfilter Xtables 32bit support"
	depends on COMPAT
	help
	   This option provides a translation layer to run 32bit arp,ip(6),ebtables
	   binaries on 64bit kernels.

	   If unsure, say N.

config NETFILTER_XTABLES_LEGACY
	bool "Netfilter legacy tables support"
	depends on !PREEMPT_RT
	help
	  Say Y here if you still require support for legacy tables. This is
	  required by the legacy tools (iptables-legacy) and is not needed if
	  you use iptables over nftables (iptables-nft).
	  Legacy support is not limited to IP, it also includes EBTABLES and
	  ARPTABLES.

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	help
	This option adds the "MARK" target and "mark" match.

	Netfilter mark matching allows you to match packets based on the
	"nfmark" value in the packet.
	The target allows you to create rules in the "mangle" table which alter
	the netfilter mark (nfmark) field associated with the packet.

	Prior to routing, the nfmark can influence the routing method and can
	also be used by other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	This option adds the "CONNMARK" target and "connmark" match.

	Netfilter allows you to store a mark value per connection (a.k.a.
	ctmark), similarly to the packet mark (nfmark). Using this
	target and match, you can set and match on this mark.

config NETFILTER_XT_SET
	tristate 'set target and match support'
	depends on IP_SET
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "SET" target and "set" match.

	  Using this target and match, you can add/delete and match
	  elements in the sets created by ipset(8).

	  To compile it as a module, choose M here.  If unsure, say N.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_AUDIT
	tristate "AUDIT target support"
	depends on AUDIT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a 'AUDIT' target, which can be used to create
	  audit records for packets dropped/accepted.

	  To compileit as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table to work around buggy DHCP clients in virtualized environments.

	  Some old DHCP clients drop packets because they are not aware
	  that the checksum would normally be offloaded to hardware and
	  thus should be considered valid.
	  This target can be used to fill in the checksum using iptables
	  when such packets are sent via a virtual network device.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate  '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked).  This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This options adds a `CT' target, which allows to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	targets, which enable the user to change the
	hoplimit/time-to-live value of the IP header.

	While it is safe to decrement the hoplimit/TTL value, the
	modules also allow to increment and set the hoplimit value of
	the header to arbitrary values. This is EXTREMELY DANGEROUS
	since you can easily create immortal packets that loop
	forever on the network.

config NETFILTER_XT_TARGET_HMARK
	tristate '"HMARK" target support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	This option adds the "HMARK" target.

	The target allows you to create rules in the "raw" and "mangle" tables
	which set the skbuff mark by means of hash calculation within a given
	range. The nfmark can influence the routing method and can also be used
	by other subsystems to change their behaviour.

	To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate  "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help

	  This option adds the `IDLETIMER' target.  Each matching packet
	  resets the timer associated with label specified when the rule is
	  added.  When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example.  Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds/leds-class.rst

config NETFILTER_XT_TARGET_LOG
	tristate "LOG target support"
	select NF_LOG_SYSLOG
	select NF_LOG_IPV6 if IP6_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	help
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_NAT
	tristate '"SNAT and DNAT" targets support'
	depends on NF_NAT
	help
	This option enables the SNAT and DNAT targets.

	To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NETMAP
	tristate '"NETMAP" target support'
	depends on NF_NAT
	help
	NETMAP is an implementation of static 1:1 NAT mapping of network
	addresses. It maps the network address part, while keeping the host
	address part intact.

	To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows to LOG
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_QUEUE
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate  '"NOTRACK" target support (DEPRECATED)'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_CT

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	select NF_NAT_REDIRECT
	help
	REDIRECT is a special case of NAT: all incoming connections are
	mapped onto the incoming interface's address, causing the packets to
	come to the local machine instead of passing through. This is
	useful for transparent proxies.

	To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on NF_NAT
	default m if NETFILTER_ADVANCED=n
	select NF_NAT_MASQUERADE
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
	select NF_DUP_IPV4
	select NF_DUP_IPV6 if IP6_NF_IPTABLES
	help
	This option adds a "TEE" target with which a packet can be cloned and
	this clone be rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target transparent proxying support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on IP_NF_MANGLE || NFT_COMPAT
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	select NF_TPROXY_IPV4
	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT.  It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy.  It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.rst.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate  '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which match the packets as those traverse
	  the tables, chains, rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	        1) Web browsers connect, then hang with no data received.
	        2) Small mail works fine, but large emails hang.
	        3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	                 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_BPF
	tristate '"bpf" match support'
	depends on NETFILTER_ADVANCED
	help
	  BPF matching applies a linux socket filter to each packet and
	  accepts those for which the filter returns non-zero.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_CGROUP
	tristate '"control group" match support'
	depends on NETFILTER_ADVANCED
	depends on CGROUPS
	select SOCK_CGROUP_DATA
	help
	Socket/process control group matching allows you to match locally
	generated packets based on which net_cls control group processes
	belong to.

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source
	  address hashing.

	  If you say Y or M here, try `iptables -m cluster --help` for
	  more information.

config NETFILTER_XT_MATCH_COMMENT
	tristate  '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate  '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLABEL
	tristate '"connlabel" match support'
	select NF_CONNTRACK_LABELS
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This match allows you to test and assign userspace-defined labels names
	  to a connection.  The kernel only stores bit values - mapping
	  names to bits is done by userspace.

	  Unlike connmark, more than 32 flag bits may be assigned to a
	  connection simultaneously.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	help
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate  '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support (DEPRECATED)'
	depends on NETFILTER_ADVANCED
	default n
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_DEVGROUP
	tristate '"devgroup" match support'
	depends on NETFILTER_ADVANCED
	help
	  This options adds a `devgroup' match, which allows to match on the
	  device group a network device is assigned to.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	help
	This option adds an "ECN" match, which allows you to match against
	the IPv4 and TCP header ECN fields.

	To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside ESP header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, ie. nf_conntrack_ftp

	  To compile it as a module, choose M here.  If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	help
	HL matching allows you to match packets based on the hoplimit
	in the IPv6 header, or the time-to-live field in the IPv4
	header of the packet.

config NETFILTER_XT_MATCH_IPCOMP
	tristate '"ipcomp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of CPIs(16 bits)
	  inside IPComp header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	help
	This option adds a "iprange" match, which allows you to match based on
	an IP address range. (Normal iptables only matches on single addresses
	with an optional mask.)

	If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_L2TP
	tristate '"l2tp" match support'
	depends on NETFILTER_ADVANCED
	default L2TP
	help
	This option adds an "L2TP" match, which allows you to match against
	L2TP protocol header fields.

	To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	help
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_NFACCT
	tristate '"nfacct" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_ACCT
	help
	  This option allows you to use the extended accounting through
	  nfnetlink_acct.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_OSF
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	help
	Socket owner matching allows you to match locally-generated packets
	based on who created the socket: the user or group. It is also
	possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate  '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	help
	This match is used for creating one or many lists of recently
	used addresses and then matching against that/those list(s).

	Short options are available by using 'iptables -m recent -h'
	Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate  '"sctp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	select NF_SOCKET_IPV4
	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets).  This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate  '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  pattern matchings in packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here.  If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine which netfilter is running)
	  on) or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	help
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"