1# SPDX-License-Identifier: GPL-2.0-only
2menu "Core Netfilter Configuration"
3	depends on INET && NETFILTER
4
5config NETFILTER_INGRESS
6	bool "Netfilter ingress support"
7	default y
8	select NET_INGRESS
9	help
10	  This allows you to classify packets from ingress using the Netfilter
11	  infrastructure.
12
13config NETFILTER_EGRESS
14	bool "Netfilter egress support"
15	default y
16	select NET_EGRESS
17	help
18	  This allows you to classify packets before transmission using the
19	  Netfilter infrastructure.
20
21config NETFILTER_SKIP_EGRESS
22	def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)
23
24config NETFILTER_NETLINK
25	tristate
26
27config NETFILTER_FAMILY_BRIDGE
28	bool
29
30config NETFILTER_FAMILY_ARP
31	bool
32
33config NETFILTER_BPF_LINK
34	def_bool BPF_SYSCALL
35
36config NETFILTER_NETLINK_HOOK
37	tristate "Netfilter base hook dump support"
38	depends on NETFILTER_ADVANCED
39	depends on NF_TABLES
40	select NETFILTER_NETLINK
41	help
42	  If this option is enabled, the kernel will include support
43	  to list the base netfilter hooks via NFNETLINK.
44	  This is helpful for debugging.
45
46config NETFILTER_NETLINK_ACCT
47	tristate "Netfilter NFACCT over NFNETLINK interface"
48	depends on NETFILTER_ADVANCED
49	select NETFILTER_NETLINK
50	help
51	  If this option is enabled, the kernel will include support
52	  for extended accounting via NFNETLINK.
53
54config NETFILTER_NETLINK_QUEUE
55	tristate "Netfilter NFQUEUE over NFNETLINK interface"
56	depends on NETFILTER_ADVANCED
57	select NETFILTER_NETLINK
58	help
59	  If this option is enabled, the kernel will include support
60	  for queueing packets via NFNETLINK.
61
62config NETFILTER_NETLINK_LOG
63	tristate "Netfilter LOG over NFNETLINK interface"
64	default m if NETFILTER_ADVANCED=n
65	select NETFILTER_NETLINK
66	help
67	  If this option is enabled, the kernel will include support
68	  for logging packets via NFNETLINK.
69
70	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
71	  and is also scheduled to replace the old syslog-based ipt_LOG
72	  and ip6t_LOG modules.
73
74config NETFILTER_NETLINK_OSF
75	tristate "Netfilter OSF over NFNETLINK interface"
76	depends on NETFILTER_ADVANCED
77	select NETFILTER_NETLINK
78	help
79	  If this option is enabled, the kernel will include support
80	  for passive OS fingerprint via NFNETLINK.
81
82config NF_CONNTRACK
83	tristate "Netfilter connection tracking support"
84	default m if NETFILTER_ADVANCED=n
85	select NF_DEFRAG_IPV4
86	select NF_DEFRAG_IPV6 if IPV6 != n
87	help
88	  Connection tracking keeps a record of what packets have passed
89	  through your machine, in order to figure out how they are related
90	  into connections.
91
92	  This is required to do Masquerading or other kinds of Network
93	  Address Translation.  It can also be used to enhance packet
94	  filtering (see `Connection state match support' below).
95
96	  To compile it as a module, choose M here.  If unsure, say N.
97
98config NF_LOG_SYSLOG
99	tristate "Syslog packet logging"
100	default m if NETFILTER_ADVANCED=n
101	help
102	  This option enables support for packet logging via syslog.
103	  It supports IPv4, IPv6, ARP and common transport protocols such
104	  as TCP and UDP.
105	  This is a simpler but less flexible logging method compared to
106	  CONFIG_NETFILTER_NETLINK_LOG.
107	  If both are enabled the backend to use can be configured at run-time
108	  by means of per-address-family sysctl tunables.
109
110if NF_CONNTRACK
111config NETFILTER_CONNCOUNT
112	tristate
113
114config NF_CONNTRACK_MARK
115	bool  'Connection mark tracking support'
116	depends on NETFILTER_ADVANCED
117	help
118	  This option enables support for connection marks, used by the
119	  `CONNMARK' target and `connmark' match. Similar to the mark value
120	  of packets, but this mark value is kept in the conntrack session
121	  instead of the individual packets.
122
123config NF_CONNTRACK_SECMARK
124	bool  'Connection tracking security mark support'
125	depends on NETWORK_SECMARK
126	default y if NETFILTER_ADVANCED=n
127	help
128	  This option enables security markings to be applied to
129	  connections.  Typically they are copied to connections from
130	  packets using the CONNSECMARK target and copied back from
131	  connections to packets with the same target, with the packets
132	  being originally labeled via SECMARK.
133
134	  If unsure, say 'N'.
135
136config NF_CONNTRACK_ZONES
137	bool  'Connection tracking zones'
138	depends on NETFILTER_ADVANCED
139	help
140	  This option enables support for connection tracking zones.
141	  Normally, each connection needs to have a unique system wide
142	  identity. Connection tracking zones allow multiple
143	  connections to use the same identity, as long as they are
144	  contained in different zones.
145
146	  If unsure, say `N'.
147
148config NF_CONNTRACK_PROCFS
149	bool "Supply CT list in procfs (OBSOLETE)"
150	depends on PROC_FS
151	help
152	  This option enables the list of known conntrack entries
153	  to be shown in procfs under net/netfilter/nf_conntrack. This
154	  is considered obsolete in favor of using the conntrack(8)
155	  tool, which uses Netlink.
156
157config NF_CONNTRACK_EVENTS
158	bool "Connection tracking events"
159	depends on NETFILTER_ADVANCED
160	help
161	  If this option is enabled, the connection tracking code will
162	  provide a notifier chain that can be used by other kernel code
163	  to get notified about changes in the connection tracking state.
164
165	  If unsure, say `N'.
166
167config NF_CONNTRACK_TIMEOUT
168	bool  'Connection tracking timeout'
169	depends on NETFILTER_ADVANCED
170	help
171	  This option enables support for connection tracking timeout
172	  extension. This allows you to attach timeout policies to flows
173	  via the CT target.
174
175	  If unsure, say `N'.
176
177config NF_CONNTRACK_TIMESTAMP
178	bool  'Connection tracking timestamping'
179	depends on NETFILTER_ADVANCED
180	help
181	  This option enables support for connection tracking timestamping.
182	  This allows you to store the flow start-time and to obtain
183	  the flow-stop time (once it has been destroyed) via Connection
184	  tracking events.
185
186	  If unsure, say `N'.
187
188config NF_CONNTRACK_LABELS
189	bool "Connection tracking labels"
190	help
191	  This option enables support for assigning user-defined flag bits
192	  to connection tracking entries.  It can be used with xtables connlabel
193	  match and the nftables ct expression.
194
195config NF_CONNTRACK_OVS
196	bool
197
198config NF_CT_PROTO_GRE
199	bool
200
201config NF_CT_PROTO_SCTP
202	bool 'SCTP protocol connection tracking support'
203	depends on NETFILTER_ADVANCED
204	default y
205	select NET_CRC32C
206	help
207	  With this option enabled, the layer 3 independent connection
208	  tracking code will be able to do state tracking on SCTP connections.
209
210	  If unsure, say Y.
211
212config NF_CT_PROTO_UDPLITE
213	bool 'UDP-Lite protocol connection tracking support'
214	depends on NETFILTER_ADVANCED
215	default y
216	help
217	  With this option enabled, the layer 3 independent connection
218	  tracking code will be able to do state tracking on UDP-Lite
219	  connections.
220
221	  If unsure, say Y.
222
223config NF_CONNTRACK_AMANDA
224	tristate "Amanda backup protocol support"
225	depends on NETFILTER_ADVANCED
226	select TEXTSEARCH
227	select TEXTSEARCH_KMP
228	help
229	  If you are running the Amanda backup package <http://www.amanda.org/>
230	  on this machine or machines that will be MASQUERADED through this
231	  machine, then you may want to enable this feature.  This allows the
232	  connection tracking and natting code to allow the sub-channels that
233	  Amanda requires for communication of the backup data, messages and
234	  index.
235
236	  To compile it as a module, choose M here.  If unsure, say N.
237
238config NF_CONNTRACK_FTP
239	tristate "FTP protocol support"
240	default m if NETFILTER_ADVANCED=n
241	help
242	  Tracking FTP connections is problematic: special helpers are
243	  required for tracking them, and doing masquerading and other forms
244	  of Network Address Translation on them.
245
246	  This is FTP support on Layer 3 independent connection tracking.
247
248	  To compile it as a module, choose M here.  If unsure, say N.
249
250config NF_CONNTRACK_H323
251	tristate "H.323 protocol support"
252	depends on IPV6 || IPV6=n
253	depends on NETFILTER_ADVANCED
254	help
255	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
256	  important VoIP protocols, it is widely used by voice hardware and
257	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
258	  Gnomemeeting, etc.
259
260	  With this module you can support H.323 on a connection tracking/NAT
261	  firewall.
262
263	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
264	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
265	  whiteboard, file transfer, etc. For more information, please
266	  visit http://nath323.sourceforge.net/.
267
268	  To compile it as a module, choose M here.  If unsure, say N.
269
270config NF_CONNTRACK_IRC
271	tristate "IRC protocol support"
272	default m if NETFILTER_ADVANCED=n
273	help
274	  There is a commonly-used extension to IRC called
275	  Direct Client-to-Client Protocol (DCC).  This enables users to send
276	  files to each other, and also chat to each other without the need
277	  of a server.  DCC Sending is used anywhere you send files over IRC,
278	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
279	  using NAT, this extension will enable you to send files and initiate
280	  chats.  Note that you do NOT need this extension to get files or
281	  have others initiate chats, or everything else in IRC.
282
283	  To compile it as a module, choose M here.  If unsure, say N.
284
285config NF_CONNTRACK_BROADCAST
286	tristate
287
288config NF_CONNTRACK_NETBIOS_NS
289	tristate "NetBIOS name service protocol support"
290	select NF_CONNTRACK_BROADCAST
291	help
292	  NetBIOS name service requests are sent as broadcast messages from an
293	  unprivileged port and responded to with unicast messages to the
294	  same port. This makes them hard to firewall properly because connection
295	  tracking doesn't deal with broadcasts. This helper tracks locally
296	  originating NetBIOS name service requests and the corresponding
297	  responses. It relies on correct IP address configuration, specifically
298	  netmask and broadcast address. When properly configured, the output
299	  of "ip address show" should look similar to this:
300
301	  $ ip -4 address show eth0
302	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
303	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
304
305	  To compile it as a module, choose M here.  If unsure, say N.
306
307config NF_CONNTRACK_SNMP
308	tristate "SNMP service protocol support"
309	depends on NETFILTER_ADVANCED
310	select NF_CONNTRACK_BROADCAST
311	help
312	  SNMP service requests are sent as broadcast messages from an
313	  unprivileged port and responded to with unicast messages to the
314	  same port. This makes them hard to firewall properly because connection
315	  tracking doesn't deal with broadcasts. This helper tracks locally
316	  originating SNMP service requests and the corresponding
317	  responses. It relies on correct IP address configuration, specifically
318	  netmask and broadcast address.
319
320	  To compile it as a module, choose M here.  If unsure, say N.
321
322config NF_CONNTRACK_PPTP
323	tristate "PPtP protocol support"
324	depends on NETFILTER_ADVANCED
325	select NF_CT_PROTO_GRE
326	help
327	  This module adds support for PPTP (Point to Point Tunnelling
328	  Protocol, RFC2637) connection tracking and NAT.
329
330	  If you are running PPTP sessions over a stateful firewall or NAT
331	  box, you may want to enable this feature.
332
333	  Please note that not all PPTP modes of operation are supported yet.
334	  Specifically these limitations exist:
335	    - Blindly assumes that control connections are always established
336	      in PNS->PAC direction. This is a violation of RFC2637.
337	    - Only supports a single call within each session
338
339	  To compile it as a module, choose M here.  If unsure, say N.
340
341config NF_CONNTRACK_SANE
342	tristate "SANE protocol support"
343	depends on NETFILTER_ADVANCED
344	help
345	  SANE is a protocol for remote access to scanners as implemented
346	  by the 'saned' daemon. Like FTP, it uses separate control and
347	  data connections.
348
349	  With this module you can support SANE on a connection tracking
350	  firewall.
351
352	  To compile it as a module, choose M here.  If unsure, say N.
353
354config NF_CONNTRACK_SIP
355	tristate "SIP protocol support"
356	default m if NETFILTER_ADVANCED=n
357	help
358	  SIP is an application-layer control protocol that can establish,
359	  modify, and terminate multimedia sessions (conferences) such as
360	  Internet telephony calls. With the nf_conntrack_sip and
361	  the nf_nat_sip modules you can support the protocol on a connection
362	  tracking/NATing firewall.
363
364	  To compile it as a module, choose M here.  If unsure, say N.
365
366config NF_CONNTRACK_TFTP
367	tristate "TFTP protocol support"
368	depends on NETFILTER_ADVANCED
369	help
370	  TFTP connection tracking helper; whether it is required depends
371	  on how restrictive your ruleset is.
372	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
373	  you will need this.
374
375	  To compile it as a module, choose M here.  If unsure, say N.
376
377config NF_CT_NETLINK
378	tristate 'Connection tracking netlink interface'
379	select NETFILTER_NETLINK
380	default m if NETFILTER_ADVANCED=n
381	help
382	  This option enables support for a netlink-based userspace interface.
383
384config NF_CT_NETLINK_TIMEOUT
385	tristate  'Connection tracking timeout tuning via Netlink'
386	select NETFILTER_NETLINK
387	depends on NETFILTER_ADVANCED
388	depends on NF_CONNTRACK_TIMEOUT
389	help
390	  This option enables support for connection tracking timeout
391	  fine-grain tuning. This allows you to attach specific timeout
392	  policies to flows, instead of using the global timeout policy.
393
394	  If unsure, say `N'.
395
396config NF_CT_NETLINK_HELPER
397	tristate 'Connection tracking helpers in user-space via Netlink'
398	select NETFILTER_NETLINK
399	depends on NF_CT_NETLINK
400	depends on NETFILTER_NETLINK_QUEUE
401	depends on NETFILTER_NETLINK_GLUE_CT
402	depends on NETFILTER_ADVANCED
403	help
404	  This option enables the user-space connection tracking helpers
405	  infrastructure.
406
407	  If unsure, say `N'.
408
409config NETFILTER_NETLINK_GLUE_CT
410	bool "NFQUEUE and NFLOG integration with Connection Tracking"
411	default n
412	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
413	help
414	  If this option is enabled, NFQUEUE and NFLOG can include
415	  Connection Tracking information together with the packet that is
416	  enqueued via NFNETLINK.
417
418config NF_NAT
419	tristate "Network Address Translation support"
420	depends on NF_CONNTRACK
421	default m if NETFILTER_ADVANCED=n
422	help
423	  The NAT option allows masquerading, port forwarding and other
424	  forms of full Network Address Port Translation. This can be
425	  controlled by iptables, ip6tables or nft.
426
427config NF_NAT_AMANDA
428	tristate
429	depends on NF_CONNTRACK && NF_NAT
430	default NF_NAT && NF_CONNTRACK_AMANDA
431
432config NF_NAT_FTP
433	tristate
434	depends on NF_CONNTRACK && NF_NAT
435	default NF_NAT && NF_CONNTRACK_FTP
436
437config NF_NAT_IRC
438	tristate
439	depends on NF_CONNTRACK && NF_NAT
440	default NF_NAT && NF_CONNTRACK_IRC
441
442config NF_NAT_SIP
443	tristate
444	depends on NF_CONNTRACK && NF_NAT
445	default NF_NAT && NF_CONNTRACK_SIP
446
447config NF_NAT_TFTP
448	tristate
449	depends on NF_CONNTRACK && NF_NAT
450	default NF_NAT && NF_CONNTRACK_TFTP
451
452config NF_NAT_REDIRECT
453	bool
454
455config NF_NAT_MASQUERADE
456	bool
457
458config NF_NAT_OVS
459	bool
460
461config NETFILTER_SYNPROXY
462	tristate
463
464endif # NF_CONNTRACK
465
466config NF_TABLES
467	select NETFILTER_NETLINK
468	select NET_CRC32C
469	tristate "Netfilter nf_tables support"
470	help
471	  nftables is the new packet classification framework that intends to
472	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
473	  provides a pseudo-state machine with an extensible instruction-set
474	  (also known as expressions) that the userspace 'nft' utility
475	  (https://www.netfilter.org/projects/nftables) uses to build the
476	  rule-set. It also comes with the generic set infrastructure that
477	  allows you to construct mappings between matchings and actions
478	  for performance lookups.
479
480	  To compile it as a module, choose M here.
481
482if NF_TABLES
483config NF_TABLES_INET
484	depends on IPV6
485	select NF_TABLES_IPV4
486	select NF_TABLES_IPV6
487	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
488	help
489	  This option enables support for a mixed IPv4/IPv6 "inet" table.
490
491config NF_TABLES_NETDEV
492	bool "Netfilter nf_tables netdev tables support"
493	help
494	  This option enables support for the "netdev" table.
495
496config NFT_NUMGEN
497	tristate "Netfilter nf_tables number generator module"
498	help
499	  This option adds the number generator expression used to perform
500	  incremental counting and random numbers bound to an upper limit.
501
502config NFT_CT
503	depends on NF_CONNTRACK
504	tristate "Netfilter nf_tables conntrack module"
505	help
506	  This option adds the "ct" expression that you can use to match
507	  connection tracking information such as the flow state.
508
509config NFT_EXTHDR_DCCP
510	bool "Netfilter nf_tables exthdr DCCP support (DEPRECATED)"
511	default n
512	help
513	  This option adds support for matching on DCCP extension headers.
514
515config NFT_FLOW_OFFLOAD
516	depends on NF_CONNTRACK && NF_FLOW_TABLE
517	tristate "Netfilter nf_tables hardware flow offload module"
518	help
519	  This option adds the "flow_offload" expression that you can use to
520	  choose what flows are placed into the hardware.
521
522config NFT_CONNLIMIT
523	tristate "Netfilter nf_tables connlimit module"
524	depends on NF_CONNTRACK
525	depends on NETFILTER_ADVANCED
526	select NETFILTER_CONNCOUNT
527	help
528	  This option adds the "connlimit" expression that you can use to
529	  ratelimit rule matchings per connection.
530
531config NFT_LOG
532	tristate "Netfilter nf_tables log module"
533	help
534	  This option adds the "log" expression that you can use to log
535	  packets matching some criteria.
536
537config NFT_LIMIT
538	tristate "Netfilter nf_tables limit module"
539	help
540	  This option adds the "limit" expression that you can use to
541	  ratelimit rule matchings.
542
543config NFT_MASQ
544	depends on NF_CONNTRACK
545	depends on NF_NAT
546	select NF_NAT_MASQUERADE
547	tristate "Netfilter nf_tables masquerade support"
548	help
549	  This option adds the "masquerade" expression that you can use
550	  to perform NAT in the masquerade flavour.
551
552config NFT_REDIR
553	depends on NF_CONNTRACK
554	depends on NF_NAT
555	tristate "Netfilter nf_tables redirect support"
556	select NF_NAT_REDIRECT
557	help
558	  This option adds the "redirect" expression that you can use
559	  to perform NAT in the redirect flavour.
560
561config NFT_NAT
562	depends on NF_CONNTRACK
563	select NF_NAT
564	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
565	tristate "Netfilter nf_tables nat module"
566	help
567	  This option adds the "nat" expression that you can use to perform
568	  typical Network Address Translation (NAT) packet transformations.
569
570config NFT_TUNNEL
571	tristate "Netfilter nf_tables tunnel module"
572	help
573	  This option adds the "tunnel" expression that you can use to set
574	  tunneling policies.
575
576config NFT_QUEUE
577	depends on NETFILTER_NETLINK_QUEUE
578	tristate "Netfilter nf_tables queue module"
579	help
580	  This is required if you intend to use the userspace queueing
581	  infrastructure (also known as NFQUEUE) from nftables.
582
583config NFT_QUOTA
584	tristate "Netfilter nf_tables quota module"
585	help
586	  This option adds the "quota" expression that you can use to
587	  enforce byte quotas.
588
589config NFT_REJECT
590	default m if NETFILTER_ADVANCED=n
591	tristate "Netfilter nf_tables reject support"
592	depends on !NF_TABLES_INET || (IPV6!=m || m)
593	help
594	  This option adds the "reject" expression that you can use to
595	  explicitly deny disallowed traffic and notify the sender via TCP
596	  reset or ICMP error messages.
597
598config NFT_REJECT_INET
599	depends on NF_TABLES_INET
600	default NFT_REJECT
601	tristate
602
603config NFT_COMPAT
604	depends on NETFILTER_XTABLES
605	tristate "Netfilter x_tables over nf_tables module"
606	help
607	  This is required if you intend to use any of the existing
608	  x_tables match/target extensions over the nf_tables
609	  framework.
610
611config NFT_HASH
612	tristate "Netfilter nf_tables hash module"
613	help
614	  This option adds the "hash" expression that you can use to perform
615	  a hash operation on registers.
616
617config NFT_FIB
618	tristate
619
620config NFT_FIB_INET
621	depends on NF_TABLES_INET
622	depends on NFT_FIB_IPV4
623	depends on NFT_FIB_IPV6
624	tristate "Netfilter nf_tables fib inet support"
625	help
626	  This option allows using the FIB expression from the inet table.
627	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
628	  on the protocol of the packet.
629
630config NFT_XFRM
631	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
632	depends on XFRM
633	help
634	  This option adds an expression that you can use to extract properties
635	  of a packet's security association.
636
637config NFT_SOCKET
638	tristate "Netfilter nf_tables socket match support"
639	depends on IPV6 || IPV6=n
640	select NF_SOCKET_IPV4
641	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
642	help
643	  This option allows matching for the presence or absence of a
644	  corresponding socket and its attributes.
645
646config NFT_OSF
647	tristate "Netfilter nf_tables passive OS fingerprint support"
648	depends on NETFILTER_ADVANCED
649	select NETFILTER_NETLINK_OSF
650	help
651	  This option allows matching packets from a specific OS.
652
653config NFT_TPROXY
654	tristate "Netfilter nf_tables tproxy support"
655	depends on IPV6 || IPV6=n
656	select NF_DEFRAG_IPV4
657	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
658	select NF_TPROXY_IPV4
659	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
660	help
661	  This makes transparent proxy support available in nftables.
662
663config NFT_SYNPROXY
664	tristate "Netfilter nf_tables SYNPROXY expression support"
665	depends on NF_CONNTRACK && NETFILTER_ADVANCED
666	select NETFILTER_SYNPROXY
667	select SYN_COOKIES
668	help
669	  The SYNPROXY expression allows you to intercept TCP connections and
670	  establish them using syncookies before they are passed on to the
671	  server. This avoids conntrack and server resource usage
672	  during SYN-flood attacks.
673
674if NF_TABLES_NETDEV
675
676config NF_DUP_NETDEV
677	tristate "Netfilter packet duplication support"
678	help
679	  This option enables the generic packet duplication infrastructure
680	  for Netfilter.
681
682config NFT_DUP_NETDEV
683	tristate "Netfilter nf_tables netdev packet duplication support"
684	select NF_DUP_NETDEV
685	help
686	  This option enables packet duplication for the "netdev" family.
687
688config NFT_FWD_NETDEV
689	tristate "Netfilter nf_tables netdev packet forwarding support"
690	select NF_DUP_NETDEV
691	help
692	  This option enables packet forwarding for the "netdev" family.
693
694config NFT_FIB_NETDEV
695	depends on NFT_FIB_IPV4
696	depends on NFT_FIB_IPV6
697	tristate "Netfilter nf_tables netdev fib lookups support"
698	help
699	  This option allows using the FIB expression from the netdev table.
700	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
701	  on the protocol of the packet.
702
703config NFT_REJECT_NETDEV
704	depends on NFT_REJECT_IPV4
705	depends on NFT_REJECT_IPV6
706	tristate "Netfilter nf_tables netdev REJECT support"
707	help
708	  This option enables the REJECT support from the netdev table.
709	  The return packet generation will be delegated to the IPv4
710	  or IPv6 ICMP or TCP RST implementation depending on the
711	  protocol of the packet.
712
713endif # NF_TABLES_NETDEV
714
715endif # NF_TABLES
716
717config NF_FLOW_TABLE_INET
718	tristate "Netfilter flow table mixed IPv4/IPv6 module"
719	depends on NF_FLOW_TABLE
720	help
721	  This option adds the flow table mixed IPv4/IPv6 support.
722
723	  To compile it as a module, choose M here.
724
725config NF_FLOW_TABLE
726	tristate "Netfilter flow table module"
727	depends on NETFILTER_INGRESS
728	depends on NF_CONNTRACK
729	depends on NF_TABLES
730	help
731	  This option adds the flow table core infrastructure.
732
733	  To compile it as a module, choose M here.
734
735config NF_FLOW_TABLE_PROCFS
736	bool "Supply flow table statistics in procfs"
737	depends on NF_FLOW_TABLE
738	depends on PROC_FS
739	help
740	  This option enables the flow table offload statistics
741	  to be shown in procfs under net/netfilter/nf_flowtable.
742
743config NETFILTER_XTABLES
744	tristate "Netfilter Xtables support (required for ip_tables)"
745	default m if NETFILTER_ADVANCED=n
746	help
747	  This is required if you intend to use any of ip_tables,
748	  ip6_tables or arp_tables.
749
750if NETFILTER_XTABLES
751
752config NETFILTER_XTABLES_COMPAT
753	bool "Netfilter Xtables 32bit support"
754	depends on COMPAT
755	help
756	   This option provides a translation layer to run 32-bit arp, ip(6) and ebtables
757	   binaries on 64-bit kernels.
758
759	   If unsure, say N.
760
761comment "Xtables combined modules"
762
763config NETFILTER_XT_MARK
764	tristate 'nfmark target and match support'
765	default m if NETFILTER_ADVANCED=n
766	help
767	This option adds the "MARK" target and "mark" match.
768
769	Netfilter mark matching allows you to match packets based on the
770	"nfmark" value in the packet.
771	The target allows you to create rules in the "mangle" table which alter
772	the netfilter mark (nfmark) field associated with the packet.
773
774	Prior to routing, the nfmark can influence the routing method and can
775	also be used by other subsystems to change their behavior.
776
777config NETFILTER_XT_CONNMARK
778	tristate 'ctmark target and match support'
779	depends on NF_CONNTRACK
780	depends on NETFILTER_ADVANCED
781	select NF_CONNTRACK_MARK
782	help
783	This option adds the "CONNMARK" target and "connmark" match.
784
785	Netfilter allows you to store a mark value per connection (a.k.a.
786	ctmark), similarly to the packet mark (nfmark). Using this
787	target and match, you can set and match on this mark.
788
789config NETFILTER_XT_SET
790	tristate 'set target and match support'
791	depends on IP_SET
792	depends on NETFILTER_ADVANCED
793	help
794	  This option adds the "SET" target and "set" match.
795
796	  Using this target and match, you can add/delete and match
797	  elements in the sets created by ipset(8).
798
799	  To compile it as a module, choose M here.  If unsure, say N.
800
801# alphabetically ordered list of targets
802
803comment "Xtables targets"
804
805config NETFILTER_XT_TARGET_AUDIT
806	tristate "AUDIT target support"
807	depends on AUDIT
808	depends on NETFILTER_ADVANCED
809	help
810	  This option adds a 'AUDIT' target, which can be used to create
811	  audit records for packets dropped/accepted.
812
813	  To compile it as a module, choose M here. If unsure, say N.
814
815config NETFILTER_XT_TARGET_CHECKSUM
816	tristate "CHECKSUM target support"
817	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
818	depends on NETFILTER_ADVANCED
819	help
820	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
821	  table to work around buggy DHCP clients in virtualized environments.
822
823	  Some old DHCP clients drop packets because they are not aware
824	  that the checksum would normally be offloaded to hardware and
825	  thus should be considered valid.
826	  This target can be used to fill in the checksum using iptables
827	  when such packets are sent via a virtual network device.
828
829	  To compile it as a module, choose M here.  If unsure, say N.
830
831config NETFILTER_XT_TARGET_CLASSIFY
832	tristate '"CLASSIFY" target support'
833	depends on NETFILTER_ADVANCED
834	help
835	  This option adds a `CLASSIFY' target, which enables the user to set
836	  the priority of a packet. Some qdiscs can use this value for
837	  classification, among these are:
838
839	  atm, cbq, dsmark, pfifo_fast, htb, prio
840
841	  To compile it as a module, choose M here.  If unsure, say N.
842
843config NETFILTER_XT_TARGET_CONNMARK
844	tristate  '"CONNMARK" target support'
845	depends on NF_CONNTRACK
846	depends on NETFILTER_ADVANCED
847	select NETFILTER_XT_CONNMARK
848	help
849	This is a backwards-compat option for the user's convenience
850	(e.g. when running oldconfig). It selects
851	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
852
853config NETFILTER_XT_TARGET_CONNSECMARK
854	tristate '"CONNSECMARK" target support'
855	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
856	default m if NETFILTER_ADVANCED=n
857	help
858	  The CONNSECMARK target copies security markings from packets
859	  to connections, and restores security markings from connections
860	  to packets (if the packets are not already marked).  This would
861	  normally be used in conjunction with the SECMARK target.
862
863	  To compile it as a module, choose M here.  If unsure, say N.
864
865config NETFILTER_XT_TARGET_CT
866	tristate '"CT" target support'
867	depends on NF_CONNTRACK
868	depends on IP_NF_RAW || IP6_NF_RAW || NFT_COMPAT
869	depends on NETFILTER_ADVANCED
870	help
871	  This option adds a `CT' target, which allows you to specify initial
872	  connection tracking parameters like events to be delivered and
873	  the helper to be used.
874
875	  To compile it as a module, choose M here.  If unsure, say N.
876
877config NETFILTER_XT_TARGET_DSCP
878	tristate '"DSCP" and "TOS" target support'
879	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
880	depends on NETFILTER_ADVANCED
881	help
882	  This option adds a `DSCP' target, which allows you to manipulate
883	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
884
885	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
886
887	  It also adds the "TOS" target, which allows you to create rules in
888	  the "mangle" table which alter the Type Of Service field of an IPv4
889	  or the Priority field of an IPv6 packet, prior to routing.
890
891	  To compile it as a module, choose M here.  If unsure, say N.
892
893config NETFILTER_XT_TARGET_HL
894	tristate '"HL" hoplimit target support'
895	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
896	depends on NETFILTER_ADVANCED
897	help
898	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
899	targets, which enable the user to change the
900	hoplimit/time-to-live value of the IP header.
901
902	While it is safe to decrement the hoplimit/TTL value, the
903	modules also allow you to increment and set the hoplimit value of
904	the header to arbitrary values. This is EXTREMELY DANGEROUS
905	since you can easily create immortal packets that loop
906	forever on the network.
907
908config NETFILTER_XT_TARGET_HMARK
909	tristate '"HMARK" target support'
910	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
911	depends on NETFILTER_ADVANCED
912	help
913	This option adds the "HMARK" target.
914
915	The target allows you to create rules in the "raw" and "mangle" tables
916	which set the skbuff mark by means of hash calculation within a given
917	range. The nfmark can influence the routing method and can also be used
918	by other subsystems to change their behaviour.
919
920	To compile it as a module, choose M here. If unsure, say N.
921
922config NETFILTER_XT_TARGET_IDLETIMER
923	tristate  "IDLETIMER target support"
924	depends on NETFILTER_ADVANCED
925	help
926
927	  This option adds the `IDLETIMER' target.  Each matching packet
928	  resets the timer associated with the label specified when the rule is
929	  added.  When the timer expires, it triggers a sysfs notification.
930	  The remaining time until expiration can be read via sysfs.
931
932	  To compile it as a module, choose M here.  If unsure, say N.
933
934config NETFILTER_XT_TARGET_LED
935	tristate '"LED" target support'
936	depends on LEDS_CLASS && LEDS_TRIGGERS
937	depends on NETFILTER_ADVANCED
938	help
939	  This option adds a `LED' target, which allows you to blink LEDs in
940	  response to particular packets passing through your machine.
941
942	  This can be used to turn a spare LED into a network activity LED,
943	  which only flashes in response to FTP transfers, for example.  Or
944	  you could have an LED which lights up for a minute or two every time
945	  somebody connects to your machine via SSH.
946
947	  You will need support for the "led" class to make this work.
948
949	  To create an LED trigger for incoming SSH traffic:
950	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
951
952	  Then attach the new trigger to an LED on your system:
953	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
954
955	  For more information on the LEDs available on your system, see
956	  Documentation/leds/leds-class.rst
957
958config NETFILTER_XT_TARGET_LOG
959	tristate "LOG target support"
960	select NF_LOG_SYSLOG
961	select NF_LOG_IPV6 if IP6_NF_IPTABLES
962	default m if NETFILTER_ADVANCED=n
963	help
964	  This option adds a `LOG' target, which allows you to create rules in
965	  any iptables table which records the packet header to the syslog.
966
967	  To compile it as a module, choose M here.  If unsure, say N.
968
969config NETFILTER_XT_TARGET_MARK
970	tristate '"MARK" target support'
971	depends on NETFILTER_ADVANCED
972	select NETFILTER_XT_MARK
973	help
974	This is a backwards-compat option for the user's convenience
975	(e.g. when running oldconfig). It selects
976	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
977
978config NETFILTER_XT_NAT
979	tristate '"SNAT and DNAT" targets support'
980	depends on NF_NAT
981	help
982	This option enables the SNAT and DNAT targets.
983
984	To compile it as a module, choose M here. If unsure, say N.
985
986config NETFILTER_XT_TARGET_NETMAP
987	tristate '"NETMAP" target support'
988	depends on NF_NAT
989	help
990	NETMAP is an implementation of static 1:1 NAT mapping of network
991	addresses. It maps the network address part, while keeping the host
992	address part intact.
993
994	To compile it as a module, choose M here. If unsure, say N.
995
996config NETFILTER_XT_TARGET_NFLOG
997	tristate '"NFLOG" target support'
998	default m if NETFILTER_ADVANCED=n
999	select NETFILTER_NETLINK_LOG
1000	help
1001	  This option enables the NFLOG target, which allows you to log
1002	  messages through nfnetlink_log.
1003
1004	  To compile it as a module, choose M here.  If unsure, say N.
1005
1006config NETFILTER_XT_TARGET_NFQUEUE
1007	tristate '"NFQUEUE" target Support'
1008	depends on NETFILTER_ADVANCED
1009	select NETFILTER_NETLINK_QUEUE
1010	help
1011	  This target replaced the old obsolete QUEUE target.
1012
1013	  As opposed to QUEUE, it supports 65535 different queues,
1014	  not just one.
1015
1016	  To compile it as a module, choose M here.  If unsure, say N.
1017
1018config NETFILTER_XT_TARGET_NOTRACK
1019	tristate  '"NOTRACK" target support (DEPRECATED)'
1020	depends on NF_CONNTRACK
1021	depends on IP_NF_RAW || IP6_NF_RAW
1022	depends on NETFILTER_ADVANCED
1023	select NETFILTER_XT_TARGET_CT
1024
1025config NETFILTER_XT_TARGET_RATEEST
1026	tristate '"RATEEST" target support'
1027	depends on NETFILTER_ADVANCED
1028	help
1029	  This option adds a `RATEEST' target, which allows you to measure
1030	  rates similar to TC estimators. The `rateest' match can be
1031	  used to match on the measured rates.
1032
1033	  To compile it as a module, choose M here.  If unsure, say N.
1034
1035config NETFILTER_XT_TARGET_REDIRECT
1036	tristate "REDIRECT target support"
1037	depends on NF_NAT
1038	select NF_NAT_REDIRECT
1039	help
1040	REDIRECT is a special case of NAT: all incoming connections are
1041	mapped onto the incoming interface's address, causing the packets to
1042	come to the local machine instead of passing through. This is
1043	useful for transparent proxies.
1044
1045	To compile it as a module, choose M here. If unsure, say N.
1046
1047config NETFILTER_XT_TARGET_MASQUERADE
1048	tristate "MASQUERADE target support"
1049	depends on NF_NAT
1050	default m if NETFILTER_ADVANCED=n
1051	select NF_NAT_MASQUERADE
1052	help
1053	  Masquerading is a special case of NAT: all outgoing connections are
1054	  changed to seem to come from a particular interface's address, and
1055	  if the interface goes down, those connections are lost.  This is
1056	  only useful for dialup accounts with dynamic IP address (i.e. your IP
1057	  address will be different on the next dialup).
1058
1059	  To compile it as a module, choose M here.  If unsure, say N.
1060
1061config NETFILTER_XT_TARGET_TEE
1062	tristate '"TEE" - packet cloning to alternate destination'
1063	depends on NETFILTER_ADVANCED
1064	depends on IPV6 || IPV6=n
1065	depends on !NF_CONNTRACK || NF_CONNTRACK
1066	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1067	select NF_DUP_IPV4
1068	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1069	help
1070	This option adds a "TEE" target with which a packet can be cloned and
1071	the clone rerouted to another nexthop.
1072
1073config NETFILTER_XT_TARGET_TPROXY
1074	tristate '"TPROXY" target transparent proxying support'
1075	depends on NETFILTER_XTABLES
1076	depends on NETFILTER_ADVANCED
1077	depends on IPV6 || IPV6=n
1078	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1079	depends on IP_NF_MANGLE || NFT_COMPAT
1080	select NF_DEFRAG_IPV4
1081	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1082	select NF_TPROXY_IPV4
1083	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1084	help
1085	  This option adds a `TPROXY' target, which is somewhat similar to
1086	  REDIRECT.  It can only be used in the mangle table and is useful
1087	  to redirect traffic to a transparent proxy.  It does _not_ depend
1088	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1089	  For it to work you will have to configure certain iptables rules
1090	  and use policy routing. For more information on how to set it up
1091	  see Documentation/networking/tproxy.rst.
1092
1093	  To compile it as a module, choose M here.  If unsure, say N.
1094
1095config NETFILTER_XT_TARGET_TRACE
1096	tristate  '"TRACE" target support'
1097	depends on IP_NF_RAW || IP6_NF_RAW
1098	depends on NETFILTER_ADVANCED
1099	help
1100	  The TRACE target allows you to mark packets so that the kernel
1101	  will log every rule that matches the packets as they traverse
1102	  the tables, chains and rules.
1103
1104	  If you want to compile it as a module, say M here and read
1105	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1106
1107config NETFILTER_XT_TARGET_SECMARK
1108	tristate '"SECMARK" target support'
1109	depends on NETWORK_SECMARK
1110	default m if NETFILTER_ADVANCED=n
1111	help
1112	  The SECMARK target allows security marking of network
1113	  packets, for use with security subsystems.
1114
1115	  To compile it as a module, choose M here.  If unsure, say N.
1116
1117config NETFILTER_XT_TARGET_TCPMSS
1118	tristate '"TCPMSS" target support'
1119	depends on IPV6 || IPV6=n
1120	default m if NETFILTER_ADVANCED=n
1121	help
1122	  This option adds a `TCPMSS' target, which allows you to alter the
1123	  MSS value of TCP SYN packets, to control the maximum size for that
1124	  connection (usually limiting it to your outgoing interface's MTU
1125	  minus 40).
1126
1127	  This is used to overcome criminally braindead ISPs or servers which
1128	  block ICMP Fragmentation Needed packets.  The symptoms of this
1129	  problem are that everything works fine from your Linux
1130	  firewall/router, but machines behind it can never exchange large
1131	  packets:
1132	        1) Web browsers connect, then hang with no data received.
1133	        2) Small mail works fine, but large emails hang.
1134	        3) ssh works fine, but scp hangs after initial handshaking.
1135
1136	  Workaround: activate this option and add a rule to your firewall
1137	  configuration like:
1138
1139	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1140	                 -j TCPMSS --clamp-mss-to-pmtu
1141
1142	  To compile it as a module, choose M here.  If unsure, say N.
1143
1144config NETFILTER_XT_TARGET_TCPOPTSTRIP
1145	tristate '"TCPOPTSTRIP" target support'
1146	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
1147	depends on NETFILTER_ADVANCED
1148	help
1149	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1150	  TCP options from TCP packets.
1151
1152# alphabetically ordered list of matches
1153
1154comment "Xtables matches"
1155
1156config NETFILTER_XT_MATCH_ADDRTYPE
1157	tristate '"addrtype" address type match support'
1158	default m if NETFILTER_ADVANCED=n
1159	help
1160	  This option allows you to match what routing thinks of an address,
1161	  eg. UNICAST, LOCAL, BROADCAST, ...
1162
1163	  If you want to compile it as a module, say M here and read
1164	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1165
1166config NETFILTER_XT_MATCH_BPF
1167	tristate '"bpf" match support'
1168	depends on NETFILTER_ADVANCED
1169	help
1170	  BPF matching applies a linux socket filter to each packet and
1171	  accepts those for which the filter returns non-zero.
1172
1173	  To compile it as a module, choose M here.  If unsure, say N.
1174
1175config NETFILTER_XT_MATCH_CGROUP
1176	tristate '"control group" match support'
1177	depends on NETFILTER_ADVANCED
1178	depends on CGROUPS
1179	select SOCK_CGROUP_DATA
1180	help
1181	Socket/process control group matching allows you to match locally
1182	generated packets based on which net_cls control group processes
1183	belong to.
1184
1185config NETFILTER_XT_MATCH_CLUSTER
1186	tristate '"cluster" match support'
1187	depends on NF_CONNTRACK
1188	depends on NETFILTER_ADVANCED
1189	help
1190	  This option allows you to build work-load-sharing clusters of
1191	  network servers/stateful firewalls without having a dedicated
1192	  load-balancing router/server/switch. Basically, this match returns
1193	  true when the packet must be handled by this cluster node. Thus,
1194	  all nodes see all packets and this match decides which node handles
1195	  what packets. The work-load sharing algorithm is based on source
1196	  address hashing.
1197
1198	  If you say Y or M here, try `iptables -m cluster --help` for
1199	  more information.
1200
1201config NETFILTER_XT_MATCH_COMMENT
1202	tristate  '"comment" match support'
1203	depends on NETFILTER_ADVANCED
1204	help
1205	  This option adds a `comment' dummy-match, which allows you to put
1206	  comments in your iptables ruleset.
1207
1208	  If you want to compile it as a module, say M here and read
1209	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1210
1211config NETFILTER_XT_MATCH_CONNBYTES
1212	tristate  '"connbytes" per-connection counter match support'
1213	depends on NF_CONNTRACK
1214	depends on NETFILTER_ADVANCED
1215	help
1216	  This option adds a `connbytes' match, which allows you to match the
1217	  number of bytes and/or packets for each direction within a connection.
1218
1219	  If you want to compile it as a module, say M here and read
1220	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1221
1222config NETFILTER_XT_MATCH_CONNLABEL
1223	tristate '"connlabel" match support'
1224	select NF_CONNTRACK_LABELS
1225	depends on NF_CONNTRACK
1226	depends on NETFILTER_ADVANCED
1227	help
1228	  This match allows you to test and assign userspace-defined label names
1229	  to a connection.  The kernel only stores bit values - mapping
1230	  names to bits is done by userspace.
1231
1232	  Unlike connmark, more than 32 flag bits may be assigned to a
1233	  connection simultaneously.
1234
1235config NETFILTER_XT_MATCH_CONNLIMIT
1236	tristate '"connlimit" match support'
1237	depends on NF_CONNTRACK
1238	depends on NETFILTER_ADVANCED
1239	select NETFILTER_CONNCOUNT
1240	help
1241	  This match allows you to match against the number of parallel
1242	  connections to a server per client IP address (or address block).
1243
1244config NETFILTER_XT_MATCH_CONNMARK
1245	tristate  '"connmark" connection mark match support'
1246	depends on NF_CONNTRACK
1247	depends on NETFILTER_ADVANCED
1248	select NETFILTER_XT_CONNMARK
1249	help
1250	This is a backwards-compat option for the user's convenience
1251	(e.g. when running oldconfig). It selects
1252	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1253
1254config NETFILTER_XT_MATCH_CONNTRACK
1255	tristate '"conntrack" connection tracking match support'
1256	depends on NF_CONNTRACK
1257	default m if NETFILTER_ADVANCED=n
1258	help
1259	  This is a general conntrack match module, a superset of the state match.
1260
1261	  It allows matching on additional conntrack information, which is
1262	  useful in complex configurations, such as NAT gateways with multiple
1263	  internet links or tunnels.
1264
1265	  To compile it as a module, choose M here.  If unsure, say N.
1266
1267config NETFILTER_XT_MATCH_CPU
1268	tristate '"cpu" match support'
1269	depends on NETFILTER_ADVANCED
1270	help
1271	  CPU matching allows you to match packets based on the CPU
1272	  currently handling the packet.
1273
1274	  To compile it as a module, choose M here.  If unsure, say N.
1275
1276config NETFILTER_XT_MATCH_DCCP
1277	tristate '"dccp" protocol match support (DEPRECATED)'
1278	depends on NETFILTER_ADVANCED
1279	default n
1280	help
1281	  With this option enabled, you will be able to use the iptables
1282	  `dccp' match in order to match on DCCP source/destination ports
1283	  and DCCP flags.
1284
1285	  If you want to compile it as a module, say M here and read
1286	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1287
1288config NETFILTER_XT_MATCH_DEVGROUP
1289	tristate '"devgroup" match support'
1290	depends on NETFILTER_ADVANCED
1291	help
1292	  This option adds a `devgroup' match, which allows you to match on the
1293	  device group a network device is assigned to.
1294
1295	  To compile it as a module, choose M here.  If unsure, say N.
1296
1297config NETFILTER_XT_MATCH_DSCP
1298	tristate '"dscp" and "tos" match support'
1299	depends on NETFILTER_ADVANCED
1300	help
1301	  This option adds a `DSCP' match, which allows you to match against
1302	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1303
1304	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1305
1306	  It will also add a "tos" match, which allows you to match packets
1307	  based on the Type Of Service fields of the IPv4 packet (which share
1308	  the same bits as DSCP).
1309
1310	  To compile it as a module, choose M here.  If unsure, say N.
1311
1312config NETFILTER_XT_MATCH_ECN
1313	tristate '"ecn" match support'
1314	depends on NETFILTER_ADVANCED
1315	help
1316	This option adds an "ECN" match, which allows you to match against
1317	the IPv4 and TCP header ECN fields.
1318
1319	To compile it as a module, choose M here. If unsure, say N.
1320
1321config NETFILTER_XT_MATCH_ESP
1322	tristate '"esp" match support'
1323	depends on NETFILTER_ADVANCED
1324	help
1325	  This match extension allows you to match a range of SPIs
1326	  inside the ESP header of IPsec packets.
1327
1328	  To compile it as a module, choose M here.  If unsure, say N.
1329
1330config NETFILTER_XT_MATCH_HASHLIMIT
1331	tristate '"hashlimit" match support'
1332	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1333	depends on NETFILTER_ADVANCED
1334	help
1335	  This option adds a `hashlimit' match.
1336
1337	  As opposed to `limit', this match dynamically creates a hash table
1338	  of limit buckets, based on your selection of source/destination
1339	  addresses and/or ports.
1340
1341	  It enables you to express policies like `10kpps for any given
1342	  destination address' or `500pps from any given source address'
1343	  with a single rule.
1344
1345config NETFILTER_XT_MATCH_HELPER
1346	tristate '"helper" match support'
1347	depends on NF_CONNTRACK
1348	depends on NETFILTER_ADVANCED
1349	help
1350	  Helper matching allows you to match packets in dynamic connections
1351	  tracked by a conntrack helper, e.g. nf_conntrack_ftp.
1352
1353	  To compile it as a module, choose M here.  If unsure, say Y.
1354
1355config NETFILTER_XT_MATCH_HL
1356	tristate '"hl" hoplimit/TTL match support'
1357	depends on NETFILTER_ADVANCED
1358	help
1359	HL matching allows you to match packets based on the hoplimit
1360	in the IPv6 header, or the time-to-live field in the IPv4
1361	header of the packet.
1362
1363config NETFILTER_XT_MATCH_IPCOMP
1364	tristate '"ipcomp" match support'
1365	depends on NETFILTER_ADVANCED
1366	help
1367	  This match extension allows you to match a range of CPIs (16 bits)
1368	  inside the IPComp header of IPsec packets.
1369
1370	  To compile it as a module, choose M here.  If unsure, say N.
1371
1372config NETFILTER_XT_MATCH_IPRANGE
1373	tristate '"iprange" address range match support'
1374	depends on NETFILTER_ADVANCED
1375	help
1376	This option adds an "iprange" match, which allows you to match based on
1377	an IP address range. (Normal iptables only matches on single addresses
1378	with an optional mask.)
1379
1380	If unsure, say M.
1381
1382config NETFILTER_XT_MATCH_IPVS
1383	tristate '"ipvs" match support'
1384	depends on IP_VS
1385	depends on NETFILTER_ADVANCED
1386	depends on NF_CONNTRACK
1387	help
1388	  This option allows you to match against IPVS properties of a packet.
1389
1390	  If unsure, say N.
1391
1392config NETFILTER_XT_MATCH_L2TP
1393	tristate '"l2tp" match support'
1394	depends on NETFILTER_ADVANCED
1395	default L2TP
1396	help
1397	This option adds an "L2TP" match, which allows you to match against
1398	L2TP protocol header fields.
1399
1400	To compile it as a module, choose M here. If unsure, say N.
1401
1402config NETFILTER_XT_MATCH_LENGTH
1403	tristate '"length" match support'
1404	depends on NETFILTER_ADVANCED
1405	help
1406	  This option allows you to match the length of a packet against a
1407	  specific value or range of values.
1408
1409	  To compile it as a module, choose M here.  If unsure, say N.
1410
1411config NETFILTER_XT_MATCH_LIMIT
1412	tristate '"limit" match support'
1413	depends on NETFILTER_ADVANCED
1414	help
1415	  limit matching allows you to control the rate at which a rule can be
1416	  matched: mainly useful in combination with the LOG target ("LOG
1417	  target support", below) and to avoid some Denial of Service attacks.
1418
1419	  To compile it as a module, choose M here.  If unsure, say N.
1420
1421config NETFILTER_XT_MATCH_MAC
1422	tristate '"mac" address match support'
1423	depends on NETFILTER_ADVANCED
1424	help
1425	  MAC matching allows you to match packets based on the source
1426	  Ethernet address of the packet.
1427
1428	  To compile it as a module, choose M here.  If unsure, say N.
1429
1430config NETFILTER_XT_MATCH_MARK
1431	tristate '"mark" match support'
1432	depends on NETFILTER_ADVANCED
1433	select NETFILTER_XT_MARK
1434	help
1435	This is a backwards-compat option for the user's convenience
1436	(e.g. when running oldconfig). It selects
1437	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1438
1439config NETFILTER_XT_MATCH_MULTIPORT
1440	tristate '"multiport" Multiple port match support'
1441	depends on NETFILTER_ADVANCED
1442	help
1443	  Multiport matching allows you to match TCP or UDP packets based on
1444	  a series of source or destination ports: normally a rule can only
1445	  match a single range of ports.
1446
1447	  To compile it as a module, choose M here.  If unsure, say N.
1448
1449config NETFILTER_XT_MATCH_NFACCT
1450	tristate '"nfacct" match support'
1451	depends on NETFILTER_ADVANCED
1452	select NETFILTER_NETLINK_ACCT
1453	help
1454	  This option allows you to use the extended accounting through
1455	  nfnetlink_acct.
1456
1457	  To compile it as a module, choose M here.  If unsure, say N.
1458
1459config NETFILTER_XT_MATCH_OSF
1460	tristate '"osf" Passive OS fingerprint match'
1461	depends on NETFILTER_ADVANCED
1462	select NETFILTER_NETLINK_OSF
1463	help
1464	  This option selects the Passive OS Fingerprinting match module
1465	  that allows you to passively match the remote operating system by
1466	  analyzing incoming TCP SYN packets.
1467
1468	  Rules and loading software can be downloaded from
1469	  http://www.ioremap.net/projects/osf
1470
1471	  To compile it as a module, choose M here.  If unsure, say N.
1472
1473config NETFILTER_XT_MATCH_OWNER
1474	tristate '"owner" match support'
1475	depends on NETFILTER_ADVANCED
1476	help
1477	Socket owner matching allows you to match locally-generated packets
1478	based on who created the socket: the user or group. It is also
1479	possible to check whether a socket actually exists.
1480
1481config NETFILTER_XT_MATCH_POLICY
1482	tristate 'IPsec "policy" match support'
1483	depends on XFRM
1484	default m if NETFILTER_ADVANCED=n
1485	help
1486	  Policy matching allows you to match packets based on the
1487	  IPsec policy that was used during decapsulation/will
1488	  be used during encapsulation.
1489
1490	  To compile it as a module, choose M here.  If unsure, say N.
1491
1492config NETFILTER_XT_MATCH_PHYSDEV
1493	tristate '"physdev" match support'
1494	depends on BRIDGE && BRIDGE_NETFILTER
1495	depends on NETFILTER_ADVANCED
1496	help
1497	  Physdev packet matching matches against the physical bridge ports
1498	  the IP packet arrived on or will leave by.
1499
1500	  To compile it as a module, choose M here.  If unsure, say N.
1501
1502config NETFILTER_XT_MATCH_PKTTYPE
1503	tristate '"pkttype" packet type match support'
1504	depends on NETFILTER_ADVANCED
1505	help
1506	  Packet type matching allows you to match a packet by
1507	  its "class", eg. BROADCAST, MULTICAST, ...
1508
1509	  Typical usage:
1510	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1511
1512	  To compile it as a module, choose M here.  If unsure, say N.
1513
1514config NETFILTER_XT_MATCH_QUOTA
1515	tristate '"quota" match support'
1516	depends on NETFILTER_ADVANCED
1517	help
1518	  This option adds a `quota' match, which allows you to match on a
1519	  byte counter.
1520
1521	  If you want to compile it as a module, say M here and read
1522	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1523
1524config NETFILTER_XT_MATCH_RATEEST
1525	tristate '"rateest" match support'
1526	depends on NETFILTER_ADVANCED
1527	select NETFILTER_XT_TARGET_RATEEST
1528	help
1529	  This option adds a `rateest' match, which allows you to match on the
1530	  rate estimated by the RATEEST target.
1531
1532	  To compile it as a module, choose M here.  If unsure, say N.
1533
1534config NETFILTER_XT_MATCH_REALM
1535	tristate  '"realm" match support'
1536	depends on NETFILTER_ADVANCED
1537	select IP_ROUTE_CLASSID
1538	help
1539	  This option adds a `realm' match, which allows you to use the realm
1540	  key from the routing subsystem inside iptables.
1541
1542	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1543	  in tc world.
1544
1545	  If you want to compile it as a module, say M here and read
1546	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1547
1548config NETFILTER_XT_MATCH_RECENT
1549	tristate '"recent" match support'
1550	depends on NETFILTER_ADVANCED
1551	help
1552	This match is used for creating one or many lists of recently
1553	used addresses and then matching against that/those list(s).
1554
1555	Short options are available by using 'iptables -m recent -h'
1556	Official Website: <http://snowman.net/projects/ipt_recent/>
1557
1558config NETFILTER_XT_MATCH_SCTP
1559	tristate  '"sctp" protocol match support'
1560	depends on NETFILTER_ADVANCED
1561	default IP_SCTP
1562	help
1563	  With this option enabled, you will be able to use the
1564	  `sctp' match in order to match on SCTP source/destination ports
1565	  and SCTP chunk types.
1566
1567	  If you want to compile it as a module, say M here and read
1568	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1569
1570config NETFILTER_XT_MATCH_SOCKET
1571	tristate '"socket" match support'
1572	depends on NETFILTER_XTABLES
1573	depends on NETFILTER_ADVANCED
1574	depends on IPV6 || IPV6=n
1575	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1576	select NF_SOCKET_IPV4
1577	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1578	select NF_DEFRAG_IPV4
1579	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1580	help
1581	  This option adds a `socket' match, which can be used to match
1582	  packets for which a TCP or UDP socket lookup finds a valid socket.
1583	  It can be used in combination with the MARK target and policy
1584	  routing to implement full featured non-locally bound sockets.
1585
1586	  To compile it as a module, choose M here.  If unsure, say N.
1587
1588config NETFILTER_XT_MATCH_STATE
1589	tristate '"state" match support'
1590	depends on NF_CONNTRACK
1591	default m if NETFILTER_ADVANCED=n
1592	help
1593	  Connection state matching allows you to match packets based on their
1594	  relationship to a tracked connection (ie. previous packets).  This
1595	  is a powerful tool for packet classification.
1596
1597	  To compile it as a module, choose M here.  If unsure, say N.
1598
1599config NETFILTER_XT_MATCH_STATISTIC
1600	tristate '"statistic" match support'
1601	depends on NETFILTER_ADVANCED
1602	help
1603	  This option adds a `statistic' match, which allows you to match
1604	  on packets periodically or randomly with a given percentage.
1605
1606	  To compile it as a module, choose M here.  If unsure, say N.
1607
1608config NETFILTER_XT_MATCH_STRING
1609	tristate  '"string" match support'
1610	depends on NETFILTER_ADVANCED
1611	select TEXTSEARCH
1612	select TEXTSEARCH_KMP
1613	select TEXTSEARCH_BM
1614	select TEXTSEARCH_FSM
1615	help
1616	  This option adds a `string' match, which allows you to search for
1617	  patterns in packets.
1618
1619	  To compile it as a module, choose M here.  If unsure, say N.
1620
1621config NETFILTER_XT_MATCH_TCPMSS
1622	tristate '"tcpmss" match support'
1623	depends on NETFILTER_ADVANCED
1624	help
1625	  This option adds a `tcpmss' match, which allows you to examine the
1626	  MSS value of TCP SYN packets, which controls the maximum packet size
1627	  for that connection.
1628
1629	  To compile it as a module, choose M here.  If unsure, say N.
1630
1631config NETFILTER_XT_MATCH_TIME
1632	tristate '"time" match support'
1633	depends on NETFILTER_ADVANCED
1634	help
1635	  This option adds a "time" match, which allows you to match based on
1636	  the packet arrival time (at the machine on which netfilter is
1637	  running) or departure time/date (for locally generated packets).
1638
1639	  If you say Y here, try `iptables -m time --help` for
1640	  more information.
1641
1642	  If you want to compile it as a module, say M here.
1643	  If unsure, say N.
1644
1645config NETFILTER_XT_MATCH_U32
1646	tristate '"u32" match support'
1647	depends on NETFILTER_ADVANCED
1648	help
1649	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1650	  AND them with specified masks, shift them by specified amounts and
1651	  test whether the results are in any of a set of specified ranges.
1652	  The specification of what to extract is general enough to skip over
1653	  headers with lengths stored in the packet, as in IP or TCP header
1654	  lengths.
1655
1656	  Details and examples are in the kernel module source.
1657
1658endif # NETFILTER_XTABLES
1659
1660endmenu
1661
1662source "net/netfilter/ipset/Kconfig"
1663
1664source "net/netfilter/ipvs/Kconfig"
1665