1# SPDX-License-Identifier: GPL-2.0-only
2menu "Core Netfilter Configuration"
3	depends on INET && NETFILTER
4
5config NETFILTER_INGRESS
6	bool "Netfilter ingress support"
7	default y
8	select NET_INGRESS
9	help
10	  This allows you to classify packets from ingress using the Netfilter
11	  infrastructure.
12
13config NETFILTER_EGRESS
14	bool "Netfilter egress support"
15	default y
16	select NET_EGRESS
17	help
18	  This allows you to classify packets before transmission using the
19	  Netfilter infrastructure.
20
21config NETFILTER_SKIP_EGRESS
22	def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)
23
24config NETFILTER_NETLINK
25	tristate
26
27config NETFILTER_FAMILY_BRIDGE
28	bool
29
30config NETFILTER_FAMILY_ARP
31	bool
32
33config NETFILTER_BPF_LINK
34	def_bool BPF_SYSCALL
35
36config NETFILTER_NETLINK_HOOK
37	tristate "Netfilter base hook dump support"
38	depends on NETFILTER_ADVANCED
39	depends on NF_TABLES
40	select NETFILTER_NETLINK
41	help
42	  If this option is enabled, the kernel will include support
43	  to list the base netfilter hooks via NFNETLINK.
44	  This is helpful for debugging.
45
46config NETFILTER_NETLINK_ACCT
47	tristate "Netfilter NFACCT over NFNETLINK interface"
48	depends on NETFILTER_ADVANCED
49	select NETFILTER_NETLINK
50	help
51	  If this option is enabled, the kernel will include support
52	  for extended accounting via NFNETLINK.
53
54config NETFILTER_NETLINK_QUEUE
55	tristate "Netfilter NFQUEUE over NFNETLINK interface"
56	depends on NETFILTER_ADVANCED
57	select NETFILTER_NETLINK
58	help
59	  If this option is enabled, the kernel will include support
60	  for queueing packets via NFNETLINK.
61
62config NETFILTER_NETLINK_LOG
63	tristate "Netfilter LOG over NFNETLINK interface"
64	default m if NETFILTER_ADVANCED=n
65	select NETFILTER_NETLINK
66	help
67	  If this option is enabled, the kernel will include support
68	  for logging packets via NFNETLINK.
69
70	  This obsoletes the old ipt_ULOG and ebt_ulog mechanisms.  The syslog
71	  backend (CONFIG_NF_LOG_SYSLOG) remains available alongside it; when
72	  both are enabled, the backend is chosen at run-time via sysctl.
73
74config NETFILTER_NETLINK_OSF
75	tristate "Netfilter OSF over NFNETLINK interface"
76	depends on NETFILTER_ADVANCED
77	select NETFILTER_NETLINK
78	help
79	  If this option is enabled, the kernel will include support
80	  for passive OS fingerprint via NFNETLINK.
81
82config NF_CONNTRACK
83	tristate "Netfilter connection tracking support"
84	default m if NETFILTER_ADVANCED=n
85	select NF_DEFRAG_IPV4
86	select NF_DEFRAG_IPV6 if IPV6 != n
87	help
88	  Connection tracking keeps a record of what packets have passed
89	  through your machine, in order to figure out how they are related
90	  into connections.
91
92	  This is required to do Masquerading or other kinds of Network
93	  Address Translation.  It can also be used to enhance packet
94	  filtering (see `Connection state match support' below).
95
96	  To compile it as a module, choose M here.  If unsure, say N.
97
98config NF_LOG_SYSLOG
99	tristate "Syslog packet logging"
100	default m if NETFILTER_ADVANCED=n
101	help
102	  This option enables support for packet logging via syslog.
103	  It supports IPv4, IPv6, ARP and common transport protocols such
104	  as TCP and UDP.
105	  This is a simpler but less flexible logging method compared to
106	  CONFIG_NETFILTER_NETLINK_LOG.
107	  If both are enabled the backend to use can be configured at run-time
108	  by means of per-address-family sysctl tunables.
109
110if NF_CONNTRACK
111config NETFILTER_CONNCOUNT
112	tristate
113
114config NF_CONNTRACK_MARK
115	bool  'Connection mark tracking support'
116	depends on NETFILTER_ADVANCED
117	help
118	  This option enables support for connection marks, used by the
119	  `CONNMARK' target and `connmark' match. Similar to the mark value
120	  of packets, but this mark value is kept in the conntrack session
121	  instead of the individual packets.
122
123config NF_CONNTRACK_SECMARK
124	bool  'Connection tracking security mark support'
125	depends on NETWORK_SECMARK
126	default y if NETFILTER_ADVANCED=n
127	help
128	  This option enables security markings to be applied to
129	  connections.  Typically they are copied to connections from
130	  packets using the CONNSECMARK target and copied back from
131	  connections to packets with the same target, with the packets
132	  being originally labeled via SECMARK.
133
134	  If unsure, say 'N'.
135
136config NF_CONNTRACK_ZONES
137	bool  'Connection tracking zones'
138	depends on NETFILTER_ADVANCED
139	help
140	  This option enables support for connection tracking zones.
141	  Normally, each connection needs to have a unique system wide
142	  identity. Connection tracking zones allow to have multiple
143	  connections using the same identity, as long as they are
144	  contained in different zones.
145
146	  If unsure, say `N'.
147
148config NF_CONNTRACK_PROCFS
149	bool "Supply CT list in procfs (OBSOLETE)"
150	depends on PROC_FS
151	help
152	  This option enables the list of known conntrack entries to be
153	  shown in procfs under net/netfilter/nf_conntrack. This is
154	  considered obsolete in favor of the conntrack(8) tool, which
155	  uses Netlink.
156
157config NF_CONNTRACK_EVENTS
158	bool "Connection tracking events"
159	depends on NETFILTER_ADVANCED
160	help
161	  If this option is enabled, the connection tracking code will
162	  provide a notifier chain that can be used by other kernel code
163	  to get notified about changes in the connection tracking state.
164
165	  If unsure, say `N'.
166
167config NF_CONNTRACK_TIMEOUT
168	bool  'Connection tracking timeout'
169	depends on NETFILTER_ADVANCED
170	help
171	  This option enables support for connection tracking timeout
172	  extension. This allows you to attach timeout policies to flow
173	  via the CT target.
174
175	  If unsure, say `N'.
176
177config NF_CONNTRACK_TIMESTAMP
178	bool  'Connection tracking timestamping'
179	depends on NETFILTER_ADVANCED
180	help
181	  This option enables support for connection tracking timestamping.
182	  This allows you to store the flow start-time and to obtain
183	  the flow-stop time (once it has been destroyed) via Connection
184	  tracking events.
185
186	  If unsure, say `N'.
187
188config NF_CONNTRACK_LABELS
189	bool "Connection tracking labels"
190	help
191	  This option enables support for assigning user-defined flag bits
192	  to connection tracking entries.  It can be used with xtables connlabel
193	  match and the nftables ct expression.
194
195config NF_CONNTRACK_OVS
196	bool
197
198config NF_CT_PROTO_GRE
199	bool
200
201config NF_CT_PROTO_SCTP
202	bool 'SCTP protocol connection tracking support'
203	depends on NETFILTER_ADVANCED
204	default y
205	select NET_CRC32C
206	help
207	  With this option enabled, the layer 3 independent connection
208	  tracking code will be able to do state tracking on SCTP connections.
209
210	  If unsure, say Y.
211
212config NF_CT_PROTO_UDPLITE
213	bool 'UDP-Lite protocol connection tracking support'
214	depends on NETFILTER_ADVANCED
215	default y
216	help
217	  With this option enabled, the layer 3 independent connection
218	  tracking code will be able to do state tracking on UDP-Lite
219	  connections.
220
221	  If unsure, say Y.
222
223config NF_CONNTRACK_AMANDA
224	tristate "Amanda backup protocol support"
225	depends on NETFILTER_ADVANCED
226	select TEXTSEARCH
227	select TEXTSEARCH_KMP
228	help
229	  If you are running the Amanda backup package <http://www.amanda.org/>
230	  on this machine or machines that will be MASQUERADED through this
231	  machine, then you may want to enable this feature.  This allows the
232	  connection tracking and natting code to allow the sub-channels that
233	  Amanda requires for communication of the backup data, messages and
234	  index.
235
236	  To compile it as a module, choose M here.  If unsure, say N.
237
238config NF_CONNTRACK_FTP
239	tristate "FTP protocol support"
240	default m if NETFILTER_ADVANCED=n
241	help
242	  Tracking FTP connections is problematic: special helpers are
243	  required for tracking them, and doing masquerading and other forms
244	  of Network Address Translation on them.
245
246	  This is FTP support on Layer 3 independent connection tracking.
247
248	  Note that a helper parses application-layer payload from untrusted
249	  peers inside the kernel and opens dynamic pinholes for the data
250	  channels it sees.  Enable only the helpers you actually need and
251	  attach them explicitly to the flows that require them (e.g. via
252	  the `CT' target) rather than to all traffic.
247
248	  To compile it as a module, choose M here.  If unsure, say N.
249
250config NF_CONNTRACK_H323
251	tristate "H.323 protocol support"
252	depends on NETFILTER_ADVANCED
253	help
254	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
255	  important VoIP protocols, it is widely used by voice hardware and
256	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
257	  Gnomemeeting, etc.
258
259	  With this module you can support H.323 on a connection tracking/NAT
260	  firewall.
261
262	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
263	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
264	  whiteboard, file transfer, etc. For more information, please
265	  visit http://nath323.sourceforge.net/.
266
267	  To compile it as a module, choose M here.  If unsure, say N.
268
269config NF_CONNTRACK_IRC
270	tristate "IRC protocol support"
271	default m if NETFILTER_ADVANCED=n
272	help
273	  There is a commonly-used extension to IRC called
274	  Direct Client-to-Client Protocol (DCC).  This enables users to send
275	  files to each other, and also chat to each other without the need
276	  of a server.  DCC Sending is used anywhere you send files over IRC,
277	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
278	  using NAT, this extension will enable you to send files and initiate
279	  chats.  Note that you do NOT need this extension to get files or
280	  have others initiate chats, or everything else in IRC.
281
282	  To compile it as a module, choose M here.  If unsure, say N.
283
284config NF_CONNTRACK_BROADCAST
285	tristate
286
287config NF_CONNTRACK_NETBIOS_NS
288	tristate "NetBIOS name service protocol support"
289	select NF_CONNTRACK_BROADCAST
290	help
291	  NetBIOS name service requests are sent as broadcast messages from an
292	  unprivileged port and responded to with unicast messages to the
293	  same port. This makes them hard to firewall properly because connection
294	  tracking doesn't deal with broadcasts. This helper tracks locally
295	  originating NetBIOS name service requests and the corresponding
296	  responses. It relies on correct IP address configuration, specifically
297	  netmask and broadcast address. When properly configured, the output
298	  of "ip address show" should look similar to this:
299
300	  $ ip -4 address show eth0
301	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
302	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
303
304	  To compile it as a module, choose M here.  If unsure, say N.
305
306config NF_CONNTRACK_SNMP
307	tristate "SNMP service protocol support"
308	depends on NETFILTER_ADVANCED
309	select NF_CONNTRACK_BROADCAST
310	help
311	  SNMP service requests are sent as broadcast messages from an
312	  unprivileged port and responded to with unicast messages to the
313	  same port. This makes them hard to firewall properly because connection
314	  tracking doesn't deal with broadcasts. This helper tracks locally
315	  originating SNMP service requests and the corresponding
316	  responses. It relies on correct IP address configuration, specifically
317	  netmask and broadcast address.
318
319	  To compile it as a module, choose M here.  If unsure, say N.
320
321config NF_CONNTRACK_PPTP
322	tristate "PPtP protocol support"
323	depends on NETFILTER_ADVANCED
324	select NF_CT_PROTO_GRE
325	help
326	  This module adds support for PPTP (Point to Point Tunnelling
327	  Protocol, RFC2637) connection tracking and NAT.
328
329	  If you are running PPTP sessions over a stateful firewall or NAT
330	  box, you may want to enable this feature.
331
332	  Please note that not all PPTP modes of operation are supported yet.
333	  Specifically these limitations exist:
334	    - Blindly assumes that control connections are always established
335	      in PNS->PAC direction. This is a violation of RFC2637.
336	    - Only supports a single call within each session
337
338	  To compile it as a module, choose M here.  If unsure, say N.
339
340config NF_CONNTRACK_SANE
341	tristate "SANE protocol support"
342	depends on NETFILTER_ADVANCED
343	help
344	  SANE is a protocol for remote access to scanners as implemented
345	  by the 'saned' daemon. Like FTP, it uses separate control and
346	  data connections.
347
348	  With this module you can support SANE on a connection tracking
349	  firewall.
350
351	  To compile it as a module, choose M here.  If unsure, say N.
352
353config NF_CONNTRACK_SIP
354	tristate "SIP protocol support"
355	default m if NETFILTER_ADVANCED=n
356	help
357	  SIP is an application-layer control protocol that can establish,
358	  modify, and terminate multimedia sessions (conferences) such as
359	  Internet telephony calls. With the nf_conntrack_sip and
360	  the nf_nat_sip modules you can support the protocol on a connection
361	  tracking/NATing firewall.
362
363	  To compile it as a module, choose M here.  If unsure, say N.
364
365config NF_CONNTRACK_TFTP
366	tristate "TFTP protocol support"
367	depends on NETFILTER_ADVANCED
368	help
369	  This adds the TFTP connection tracking helper; whether it is needed
370	  depends on how restrictive your ruleset is.
371	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
372	  you will need this.
373
374	  To compile it as a module, choose M here.  If unsure, say N.
375
376config NF_CT_NETLINK
377	tristate 'Connection tracking netlink interface'
378	select NETFILTER_NETLINK
379	default m if NETFILTER_ADVANCED=n
380	help
381	  This option enables support for a netlink-based userspace interface
382	  to the connection tracking table, as used by the conntrack(8) tool.
382
383config NF_CT_NETLINK_TIMEOUT
384	tristate  'Connection tracking timeout tuning via Netlink'
385	select NETFILTER_NETLINK
386	depends on NETFILTER_ADVANCED
387	depends on NF_CONNTRACK_TIMEOUT
388	help
389	  This option enables support for connection tracking timeout
390	  fine-grain tuning. This allows you to attach specific timeout
391	  policies to flows, instead of using the global timeout policy.
392
393	  If unsure, say `N'.
394
395config NF_CT_NETLINK_HELPER
396	tristate 'Connection tracking helpers in user-space via Netlink'
397	select NETFILTER_NETLINK
398	depends on NF_CT_NETLINK
399	depends on NETFILTER_NETLINK_QUEUE
400	depends on NETFILTER_NETLINK_GLUE_CT
401	depends on NETFILTER_ADVANCED
402	help
403	  This option enables the user-space connection tracking helpers
404	  infrastructure.
405
406	  If unsure, say `N'.
407
408config NETFILTER_NETLINK_GLUE_CT
409	bool "NFQUEUE and NFLOG integration with Connection Tracking"
410	default n
411	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
412	help
413	  If this option is enabled, NFQUEUE and NFLOG can include
414	  Connection Tracking information together with the packet that
415	  is enqueued via NFNETLINK.
416
417config NF_NAT
418	tristate "Network Address Translation support"
419	depends on NF_CONNTRACK
420	default m if NETFILTER_ADVANCED=n
421	help
422	  The NAT option allows masquerading, port forwarding and other
423	  forms of full Network Address Port Translation. This can be
424	  controlled by iptables, ip6tables or nft.
425
426config NF_NAT_AMANDA
427	tristate
428	depends on NF_CONNTRACK && NF_NAT
429	default NF_NAT && NF_CONNTRACK_AMANDA
430
431config NF_NAT_FTP
432	tristate
433	depends on NF_CONNTRACK && NF_NAT
434	default NF_NAT && NF_CONNTRACK_FTP
435
436config NF_NAT_IRC
437	tristate
438	depends on NF_CONNTRACK && NF_NAT
439	default NF_NAT && NF_CONNTRACK_IRC
440
441config NF_NAT_SIP
442	tristate
443	depends on NF_CONNTRACK && NF_NAT
444	default NF_NAT && NF_CONNTRACK_SIP
445
446config NF_NAT_TFTP
447	tristate
448	depends on NF_CONNTRACK && NF_NAT
449	default NF_NAT && NF_CONNTRACK_TFTP
450
451config NF_NAT_REDIRECT
452	bool
453
454config NF_NAT_MASQUERADE
455	bool
456
457config NF_NAT_OVS
458	bool
459
460config NETFILTER_SYNPROXY
461	tristate
462
463endif # NF_CONNTRACK
464
465config NF_TABLES
466	select NETFILTER_NETLINK
467	select NET_CRC32C
468	tristate "Netfilter nf_tables support"
469	help
470	  nftables is the new packet classification framework that intends to
471	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
472	  provides a pseudo-state machine with an extensible instruction-set
473	  (also known as expressions) that the userspace 'nft' utility
474	  (https://www.netfilter.org/projects/nftables) uses to build the
475	  rule-set. It also comes with the generic set infrastructure that
476	  allows you to construct mappings between matchings and actions
477	  for performance lookups.
478
479	  To compile it as a module, choose M here.
480
481if NF_TABLES
482config NF_TABLES_INET
483	depends on IPV6
484	select NF_TABLES_IPV4
485	select NF_TABLES_IPV6
486	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
487	help
488	  This option enables support for a mixed IPv4/IPv6 "inet" table.
489
490config NF_TABLES_NETDEV
491	bool "Netfilter nf_tables netdev tables support"
492	help
493	  This option enables support for the "netdev" table.
494
495config NFT_NUMGEN
496	tristate "Netfilter nf_tables number generator module"
497	help
498	  This option adds the number generator expression used to perform
499	  incremental counting and random numbers bound to an upper limit.
500
501config NFT_CT
502	depends on NF_CONNTRACK
503	tristate "Netfilter nf_tables conntrack module"
504	help
505	  This option adds the "ct" expression that you can use to match
506	  connection tracking information such as the flow state.
507
508config NFT_EXTHDR_DCCP
509	bool "Netfilter nf_tables exthdr DCCP support (DEPRECATED)"
510	default n
511	help
512	  This option adds support for matching on DCCP extension headers.
513
514config NFT_FLOW_OFFLOAD
515	depends on NF_CONNTRACK && NF_FLOW_TABLE
516	tristate "Netfilter nf_tables hardware flow offload module"
517	help
518	  This option adds the "flow_offload" expression that you can use to
519	  choose what flows are placed into the hardware.
520
521config NFT_CONNLIMIT
522	tristate "Netfilter nf_tables connlimit module"
523	depends on NF_CONNTRACK
524	depends on NETFILTER_ADVANCED
525	select NETFILTER_CONNCOUNT
526	help
527	  This option adds the "connlimit" expression that you can use to
528	  ratelimit rule matchings per connection.
529
530config NFT_LOG
531	tristate "Netfilter nf_tables log module"
532	help
533	  This option adds the "log" expression that you can use to log
534	  packets matching some criteria.
535
536config NFT_LIMIT
537	tristate "Netfilter nf_tables limit module"
538	help
539	  This option adds the "limit" expression that you can use to
540	  ratelimit rule matchings.
541
542config NFT_MASQ
543	depends on NF_CONNTRACK
544	depends on NF_NAT
545	select NF_NAT_MASQUERADE
546	tristate "Netfilter nf_tables masquerade support"
547	help
548	  This option adds the "masquerade" expression that you can use
549	  to perform NAT in the masquerade flavour.
550
551config NFT_REDIR
552	depends on NF_CONNTRACK
553	depends on NF_NAT
554	tristate "Netfilter nf_tables redirect support"
555	select NF_NAT_REDIRECT
556	help
557	  This option adds the "redirect" expression that you can use
558	  to perform NAT in the redirect flavour.
559
560config NFT_NAT
561	depends on NF_CONNTRACK
562	select NF_NAT
563	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
564	tristate "Netfilter nf_tables nat module"
565	help
566	  This option adds the "nat" expression that you can use to perform
567	  typical Network Address Translation (NAT) packet transformations.
568
569config NFT_TUNNEL
570	tristate "Netfilter nf_tables tunnel module"
571	help
572	  This option adds the "tunnel" expression that you can use to set
573	  tunneling policies.
574
575config NFT_QUEUE
576	depends on NETFILTER_NETLINK_QUEUE
577	tristate "Netfilter nf_tables queue module"
578	help
579	  This is required if you intend to use the userspace queueing
580	  infrastructure (also known as NFQUEUE) from nftables.
581
582config NFT_QUOTA
583	tristate "Netfilter nf_tables quota module"
584	help
585	  This option adds the "quota" expression that you can use to
586	  enforce byte quotas.
587
588config NFT_REJECT
589	default m if NETFILTER_ADVANCED=n
590	tristate "Netfilter nf_tables reject support"
591	help
592	  This option adds the "reject" expression that you can use to
593	  explicitly deny disallowed traffic and notify the sender via a
594	  TCP reset or an ICMP error message.
595
596config NFT_REJECT_INET
597	depends on NF_TABLES_INET
598	default NFT_REJECT
599	tristate
600
601config NFT_COMPAT
602	depends on NETFILTER_XTABLES
603	tristate "Netfilter x_tables over nf_tables module"
604	help
605	  This is required if you intend to use any of existing
606	  x_tables match/target extensions over the nf_tables
607	  framework.
608
609config NFT_HASH
610	tristate "Netfilter nf_tables hash module"
611	help
612	  This option adds the "hash" expression that you can use to perform
613	  a hash operation on registers.
614
615config NFT_FIB
616	tristate
617
618config NFT_FIB_INET
619	depends on NF_TABLES_INET
620	depends on NFT_FIB_IPV4
621	depends on NFT_FIB_IPV6
622	tristate "Netfilter nf_tables fib inet support"
623	help
624	  This option allows using the FIB expression from the inet table.
625	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
626	  on the protocol of the packet.
627
628config NFT_XFRM
629	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
630	depends on XFRM
631	help
632	  This option adds an expression that you can use to extract properties
633	  of a packets security association.
634
635config NFT_SOCKET
636	tristate "Netfilter nf_tables socket match support"
637	select NF_SOCKET_IPV4
638	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
639	help
640	  This option allows matching for the presence or absence of a
641	  corresponding socket and its attributes.
642
643config NFT_OSF
644	tristate "Netfilter nf_tables passive OS fingerprint support"
645	depends on NETFILTER_ADVANCED
646	select NETFILTER_NETLINK_OSF
647	help
648	  This option allows matching packets from a specific OS.  Passive
649	  fingerprinting is heuristic and a remote stack can be tuned to look
650	  like another OS, so do not rely on this match alone for a security
651	  decision.
649
650config NFT_TPROXY
651	tristate "Netfilter nf_tables tproxy support"
652	select NF_DEFRAG_IPV4
653	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
654	select NF_TPROXY_IPV4
655	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
656	help
657	  This makes transparent proxy support available in nftables.
658
659config NFT_SYNPROXY
660	tristate "Netfilter nf_tables SYNPROXY expression support"
661	depends on NF_CONNTRACK && NETFILTER_ADVANCED
662	select NETFILTER_SYNPROXY
663	select SYN_COOKIES
664	help
665	  The SYNPROXY expression allows you to intercept TCP connections and
666	  establish them using syncookies before they are passed on to the
667	  server. This avoids conntrack and server resource usage during
668	  SYN-flood attacks.
669
670if NF_TABLES_NETDEV
671
672config NF_DUP_NETDEV
673	tristate "Netfilter packet duplication support"
674	help
675	  This option enables the generic packet duplication infrastructure
676	  for Netfilter.
677
678config NFT_DUP_NETDEV
679	tristate "Netfilter nf_tables netdev packet duplication support"
680	select NF_DUP_NETDEV
681	help
682	  This option enables packet duplication for the "netdev" family.
683
684config NFT_FWD_NETDEV
685	tristate "Netfilter nf_tables netdev packet forwarding support"
686	select NF_DUP_NETDEV
687	help
688	  This option enables packet forwarding for the "netdev" family.
689
690config NFT_FIB_NETDEV
691	depends on NFT_FIB_IPV4
692	depends on NFT_FIB_IPV6
693	tristate "Netfilter nf_tables netdev fib lookups support"
694	help
695	  This option allows using the FIB expression from the netdev table.
696	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
697	  on the protocol of the packet.
698
699config NFT_REJECT_NETDEV
700	depends on NFT_REJECT_IPV4
701	depends on NFT_REJECT_IPV6
702	tristate "Netfilter nf_tables netdev REJECT support"
703	help
704	  This option enables the REJECT support from the netdev table.
705	  The return packet generation will be delegated to the IPv4
706	  or IPv6 ICMP or TCP RST implementation depending on the
707	  protocol of the packet.
708
709endif # NF_TABLES_NETDEV
710
711endif # NF_TABLES
712
713config NF_FLOW_TABLE_INET
714	tristate "Netfilter flow table mixed IPv4/IPv6 module"
715	depends on NF_FLOW_TABLE
716	help
717	  This option adds the flow table mixed IPv4/IPv6 support.
718
719	  To compile it as a module, choose M here.
720
721config NF_FLOW_TABLE
722	tristate "Netfilter flow table module"
723	depends on NETFILTER_INGRESS
724	depends on NF_CONNTRACK
725	depends on NF_TABLES
726	help
727	  This option adds the flow table core infrastructure.
728
729	  To compile it as a module, choose M here.
730
731config NF_FLOW_TABLE_PROCFS
732	bool "Supply flow table statistics in procfs"
733	depends on NF_FLOW_TABLE
734	depends on PROC_FS
735	help
736	  This option enables for the flow table offload statistics
737	  to be shown in procfs under net/netfilter/nf_flowtable.
738
739config NETFILTER_XTABLES
740	tristate "Netfilter Xtables support (required for ip_tables)"
741	default m if NETFILTER_ADVANCED=n
742	help
743	  This is required if you intend to use any of ip_tables,
744	  ip6_tables or arp_tables.
745
746if NETFILTER_XTABLES
747
748config NETFILTER_XTABLES_COMPAT
749	bool "Netfilter Xtables 32bit support"
750	depends on COMPAT
751	help
752	   This option provides a translation layer to run 32-bit arptables,
753	   ip(6)tables and ebtables binaries on 64-bit kernels.
754
755	   If unsure, say N.
756
757config NETFILTER_XTABLES_LEGACY
758	bool "Netfilter legacy tables support"
759	depends on !PREEMPT_RT
760	help
761	  Say Y here if you still require support for legacy tables. This is
762	  required by the legacy tools (iptables-legacy) and is not needed if
763	  you use iptables over nftables (iptables-nft).
764	  Legacy support is not limited to IP, it also includes EBTABLES and
765	  ARPTABLES.
766
767comment "Xtables combined modules"
768
769config NETFILTER_XT_MARK
770	tristate 'nfmark target and match support'
771	default m if NETFILTER_ADVANCED=n
772	help
773	This option adds the "MARK" target and "mark" match.
774
775	Netfilter mark matching allows you to match packets based on the
776	"nfmark" value in the packet.
777	The target allows you to create rules in the "mangle" table which alter
778	the netfilter mark (nfmark) field associated with the packet.
779
780	Prior to routing, the nfmark can influence the routing method and can
781	also be used by other subsystems to change their behavior.
782
783config NETFILTER_XT_CONNMARK
784	tristate 'ctmark target and match support'
785	depends on NF_CONNTRACK
786	depends on NETFILTER_ADVANCED
787	select NF_CONNTRACK_MARK
788	help
789	This option adds the "CONNMARK" target and "connmark" match.
790
791	Netfilter allows you to store a mark value per connection (a.k.a.
792	ctmark), similarly to the packet mark (nfmark). Using this
793	target and match, you can set and match on this mark.
794
795config NETFILTER_XT_SET
796	tristate 'set target and match support'
797	depends on IP_SET
798	depends on NETFILTER_ADVANCED
799	help
800	  This option adds the "SET" target and "set" match.
801
802	  Using this target and match, you can add/delete and match
803	  elements in the sets created by ipset(8).
804
805	  To compile it as a module, choose M here.  If unsure, say N.
806
807# alphabetically ordered list of targets
808
809comment "Xtables targets"
810
811config NETFILTER_XT_TARGET_AUDIT
812	tristate "AUDIT target support"
813	depends on AUDIT
814	depends on NETFILTER_ADVANCED
815	help
816	  This option adds a 'AUDIT' target, which can be used to create
817	  audit records for packets dropped/accepted.
818
819	  To compile it as a module, choose M here. If unsure, say N.
820
821config NETFILTER_XT_TARGET_CHECKSUM
822	tristate "CHECKSUM target support"
823	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
824	depends on NETFILTER_ADVANCED
825	help
826	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
827	  table to work around buggy DHCP clients in virtualized environments.
828
829	  Some old DHCP clients drop packets because they are not aware
830	  that the checksum would normally be offloaded to hardware and
831	  thus should be considered valid.
832	  This target can be used to fill in the checksum using iptables
833	  when such packets are sent via a virtual network device.
834
835	  To compile it as a module, choose M here.  If unsure, say N.
836
837config NETFILTER_XT_TARGET_CLASSIFY
838	tristate '"CLASSIFY" target support'
839	depends on NETFILTER_ADVANCED
840	help
841	  This option adds a `CLASSIFY' target, which enables the user to set
842	  the priority of a packet. Some qdiscs can use this value for
843	  classification, among these are:
844
845	  atm, cbq, dsmark, pfifo_fast, htb, prio
846
847	  To compile it as a module, choose M here.  If unsure, say N.
848
849config NETFILTER_XT_TARGET_CONNMARK
850	tristate  '"CONNMARK" target support'
851	depends on NF_CONNTRACK
852	depends on NETFILTER_ADVANCED
853	select NETFILTER_XT_CONNMARK
854	help
855	This is a backwards-compat option for the user's convenience
856	(e.g. when running oldconfig). It selects
857	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
858
859config NETFILTER_XT_TARGET_CONNSECMARK
860	tristate '"CONNSECMARK" target support'
861	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
862	default m if NETFILTER_ADVANCED=n
863	help
864	  The CONNSECMARK target copies security markings from packets
865	  to connections, and restores security markings from connections
866	  to packets (if the packets are not already marked).  This would
867	  normally be used in conjunction with the SECMARK target.
868
869	  To compile it as a module, choose M here.  If unsure, say N.
870
871config NETFILTER_XT_TARGET_CT
872	tristate '"CT" target support'
873	depends on NF_CONNTRACK
874	depends on IP_NF_RAW || IP6_NF_RAW || NFT_COMPAT
875	depends on NETFILTER_ADVANCED
876	help
877	  This option adds a `CT' target, which allows you to specify initial
878	  connection tracking parameters like events to be delivered and
879	  the helper to be used.
880
881	  To compile it as a module, choose M here.  If unsure, say N.
882
883config NETFILTER_XT_TARGET_DSCP
884	tristate '"DSCP" and "TOS" target support'
885	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
886	depends on NETFILTER_ADVANCED
887	help
888	  This option adds a `DSCP' target, which allows you to manipulate
889	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
890
891	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
892
893	  It also adds the "TOS" target, which allows you to create rules in
894	  the "mangle" table which alter the Type Of Service field of an IPv4
895	  or the Priority field of an IPv6 packet, prior to routing.
896
897	  To compile it as a module, choose M here.  If unsure, say N.
898
899config NETFILTER_XT_TARGET_HL
900	tristate '"HL" hoplimit target support'
901	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
902	depends on NETFILTER_ADVANCED
903	help
904	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
905	targets, which enable the user to change the
906	hoplimit/time-to-live value of the IP header.
907
908	While it is safe to decrement the hoplimit/TTL value, the
909	modules also allow to increment and set the hoplimit value of
910	the header to arbitrary values. This is EXTREMELY DANGEROUS
911	since you can easily create immortal packets that loop
912	forever on the network.
913
914config NETFILTER_XT_TARGET_HMARK
915	tristate '"HMARK" target support'
916	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
917	depends on NETFILTER_ADVANCED
918	help
919	This option adds the "HMARK" target.
920
921	The target allows you to create rules in the "raw" and "mangle" tables
922	which set the skbuff mark by means of hash calculation within a given
923	range. The nfmark can influence the routing method and can also be used
924	by other subsystems to change their behaviour.
925
926	To compile it as a module, choose M here. If unsure, say N.
927
928config NETFILTER_XT_TARGET_IDLETIMER
929	tristate  "IDLETIMER target support"
930	depends on NETFILTER_ADVANCED
931	help
932
933	  This option adds the `IDLETIMER' target.  Each matching packet
934	  resets the timer associated with the label specified when the rule is
935	  added.  When the timer expires, it triggers a sysfs notification.
936	  The remaining time for expiration can be read via sysfs.
937
938	  To compile it as a module, choose M here.  If unsure, say N.
939
940config NETFILTER_XT_TARGET_LED
941	tristate '"LED" target support'
942	depends on LEDS_CLASS && LEDS_TRIGGERS
943	depends on NETFILTER_ADVANCED
944	help
945	  This option adds a `LED' target, which allows you to blink LEDs in
946	  response to particular packets passing through your machine.
947
948	  This can be used to turn a spare LED into a network activity LED,
949	  which only flashes in response to FTP transfers, for example.  Or
950	  you could have an LED which lights up for a minute or two every time
951	  somebody connects to your machine via SSH.
952
953	  You will need support for the "led" class to make this work.
954
955	  To create an LED trigger for incoming SSH traffic:
956	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
957
958	  Then attach the new trigger to an LED on your system:
959	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
960
961	  For more information on the LEDs available on your system, see
962	  Documentation/leds/leds-class.rst
963
964config NETFILTER_XT_TARGET_LOG
965	tristate "LOG target support"
966	select NF_LOG_SYSLOG
967	select NF_LOG_IPV6 if IP6_NF_IPTABLES
968	default m if NETFILTER_ADVANCED=n
969	help
970	  This option adds a `LOG' target, which allows you to create rules in
971	  any iptables table which records the packet header to the syslog.
972
973	  To compile it as a module, choose M here.  If unsure, say N.
974
975config NETFILTER_XT_TARGET_MARK
976	tristate '"MARK" target support'
977	depends on NETFILTER_ADVANCED
978	select NETFILTER_XT_MARK
979	help
980	This is a backwards-compat option for the user's convenience
981	(e.g. when running oldconfig). It selects
982	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
983
984config NETFILTER_XT_NAT
985	tristate '"SNAT and DNAT" targets support'
986	depends on NF_NAT
987	help
988	This option enables the SNAT and DNAT targets.
989
990	To compile it as a module, choose M here. If unsure, say N.
991
992config NETFILTER_XT_TARGET_NETMAP
993	tristate '"NETMAP" target support'
994	depends on NF_NAT
995	help
996	NETMAP is an implementation of static 1:1 NAT mapping of network
997	addresses. It maps the network address part, while keeping the host
998	address part intact.
999
1000	To compile it as a module, choose M here. If unsure, say N.
1001
1002config NETFILTER_XT_TARGET_NFLOG
1003	tristate '"NFLOG" target support'
1004	default m if NETFILTER_ADVANCED=n
1005	select NETFILTER_NETLINK_LOG
1006	help
1007	  This option enables the NFLOG target, which allows you to LOG
1008	  messages through nfnetlink_log.
1009
1010	  To compile it as a module, choose M here.  If unsure, say N.
1011
1012config NETFILTER_XT_TARGET_NFQUEUE
1013	tristate '"NFQUEUE" target Support'
1014	depends on NETFILTER_ADVANCED
1015	select NETFILTER_NETLINK_QUEUE
1016	help
1017	  This target replaced the old obsolete QUEUE target.
1018
1019	  As opposed to QUEUE, it supports 65535 different queues,
1020	  not just one.
1021
1022	  To compile it as a module, choose M here.  If unsure, say N.
1023
1024config NETFILTER_XT_TARGET_NOTRACK
1025	tristate  '"NOTRACK" target support (DEPRECATED)'
1026	depends on NF_CONNTRACK
1027	depends on IP_NF_RAW || IP6_NF_RAW
1028	depends on NETFILTER_ADVANCED
1029	select NETFILTER_XT_TARGET_CT
1030
1031config NETFILTER_XT_TARGET_RATEEST
1032	tristate '"RATEEST" target support'
1033	depends on NETFILTER_ADVANCED
1034	help
1035	  This option adds a `RATEEST' target, which allows you to measure
1036	  rates similar to TC estimators. The `rateest' match can be
1037	  used to match on the measured rates.
1038
1039	  To compile it as a module, choose M here.  If unsure, say N.
1040
1041config NETFILTER_XT_TARGET_REDIRECT
1042	tristate "REDIRECT target support"
1043	depends on NF_NAT
1044	select NF_NAT_REDIRECT
1045	help
1046	REDIRECT is a special case of NAT: all incoming connections are
1047	mapped onto the incoming interface's address, causing the packets to
1048	come to the local machine instead of passing through. This is
1049	useful for transparent proxies.
1050
1051	To compile it as a module, choose M here. If unsure, say N.
1052
1053config NETFILTER_XT_TARGET_MASQUERADE
1054	tristate "MASQUERADE target support"
1055	depends on NF_NAT
1056	default m if NETFILTER_ADVANCED=n
1057	select NF_NAT_MASQUERADE
1058	help
1059	  Masquerading is a special case of NAT: all outgoing connections are
1060	  changed to seem to come from a particular interface's address, and
1061	  if the interface goes down, those connections are lost.  This is
1062	  only useful for dialup accounts with dynamic IP address (i.e. your IP
1063	  address will be different on the next dialup).
1064
1065	  To compile it as a module, choose M here.  If unsure, say N.
1066
1067config NETFILTER_XT_TARGET_TEE
1068	tristate '"TEE" - packet cloning to alternate destination'
1069	depends on NETFILTER_ADVANCED
1070	depends on !NF_CONNTRACK || NF_CONNTRACK
1071	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1072	select NF_DUP_IPV4
1073	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1074	help
1075	This option adds a "TEE" target with which a packet can be cloned and
1076	the clone rerouted to another nexthop.
1077
1078config NETFILTER_XT_TARGET_TPROXY
1079	tristate '"TPROXY" target transparent proxying support'
1080	depends on NETFILTER_XTABLES
1081	depends on NETFILTER_ADVANCED
1082	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1083	depends on IP_NF_MANGLE || NFT_COMPAT
1084	select NF_DEFRAG_IPV4
1085	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1086	select NF_TPROXY_IPV4
1087	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1088	help
1089	  This option adds a `TPROXY' target, which is somewhat similar to
1090	  REDIRECT.  It can only be used in the mangle table and is useful
1091	  to redirect traffic to a transparent proxy.  It does _not_ depend
1092	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1093	  For it to work you will have to configure certain iptables rules
1094	  and use policy routing. For more information on how to set it up
1095	  see Documentation/networking/tproxy.rst.
1096
1097	  To compile it as a module, choose M here.  If unsure, say N.
1098
1099config NETFILTER_XT_TARGET_TRACE
1100	tristate  '"TRACE" target support'
1101	depends on IP_NF_RAW || IP6_NF_RAW
1102	depends on NETFILTER_ADVANCED
1103	help
1104	  The TRACE target allows you to mark packets so that the kernel
1105	  will log every rule that matches the packets as they traverse
1106	  the tables, chains and rules.
1107
1108	  If you want to compile it as a module, say M here and read
1109	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1110
1111config NETFILTER_XT_TARGET_SECMARK
1112	tristate '"SECMARK" target support'
1113	depends on NETWORK_SECMARK
1114	default m if NETFILTER_ADVANCED=n
1115	help
1116	  The SECMARK target allows security marking of network
1117	  packets, for use with security subsystems.
1118
1119	  To compile it as a module, choose M here.  If unsure, say N.
1120
1121config NETFILTER_XT_TARGET_TCPMSS
1122	tristate '"TCPMSS" target support'
1123	default m if NETFILTER_ADVANCED=n
1124	help
1125	  This option adds a `TCPMSS' target, which allows you to alter the
1126	  MSS value of TCP SYN packets, to control the maximum size for that
1127	  connection (usually limiting it to your outgoing interface's MTU
1128	  minus 40).
1129
1130	  This is used to overcome criminally braindead ISPs or servers which
1131	  block ICMP Fragmentation Needed packets.  The symptoms of this
1132	  problem are that everything works fine from your Linux
1133	  firewall/router, but machines behind it can never exchange large
1134	  packets:
1135	        1) Web browsers connect, then hang with no data received.
1136	        2) Small mail works fine, but large emails hang.
1137	        3) ssh works fine, but scp hangs after initial handshaking.
1138
1139	  Workaround: activate this option and add a rule to your firewall
1140	  configuration like:
1141
1142	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1143	                 -j TCPMSS --clamp-mss-to-pmtu
1144
1145	  To compile it as a module, choose M here.  If unsure, say N.
1146
1147config NETFILTER_XT_TARGET_TCPOPTSTRIP
1148	tristate '"TCPOPTSTRIP" target support'
1149	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
1150	depends on NETFILTER_ADVANCED
1151	help
1152	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1153	  TCP options from TCP packets.
1154
1155# alphabetically ordered list of matches
1156
1157comment "Xtables matches"
1158
1159config NETFILTER_XT_MATCH_ADDRTYPE
1160	tristate '"addrtype" address type match support'
1161	default m if NETFILTER_ADVANCED=n
1162	help
1163	  This option allows you to match what routing thinks of an address,
1164	  eg. UNICAST, LOCAL, BROADCAST, ...
1165
1166	  If you want to compile it as a module, say M here and read
1167	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1168
1169config NETFILTER_XT_MATCH_BPF
1170	tristate '"bpf" match support'
1171	depends on NETFILTER_ADVANCED
1172	help
1173	  BPF matching applies a Linux socket filter to each packet and
1174	  accepts those for which the filter returns non-zero.
1175
1176	  To compile it as a module, choose M here.  If unsure, say N.
1177
1178config NETFILTER_XT_MATCH_CGROUP
1179	tristate '"control group" match support'
1180	depends on NETFILTER_ADVANCED
1181	depends on CGROUPS
1182	select SOCK_CGROUP_DATA
1183	help
1184	Socket/process control group matching allows you to match locally
1185	generated packets based on which net_cls control group processes
1186	belong to.
1187
1188config NETFILTER_XT_MATCH_CLUSTER
1189	tristate '"cluster" match support'
1190	depends on NF_CONNTRACK
1191	depends on NETFILTER_ADVANCED
1192	help
1193	  This option allows you to build work-load-sharing clusters of
1194	  network servers/stateful firewalls without having a dedicated
1195	  load-balancing router/server/switch. Basically, this match returns
1196	  true when the packet must be handled by this cluster node. Thus,
1197	  all nodes see all packets and this match decides which node handles
1198	  what packets. The work-load sharing algorithm is based on source
1199	  address hashing.
1200
1201	  If you say Y or M here, try `iptables -m cluster --help` for
1202	  more information.
1203
1204config NETFILTER_XT_MATCH_COMMENT
1205	tristate  '"comment" match support'
1206	depends on NETFILTER_ADVANCED
1207	help
1208	  This option adds a `comment' dummy-match, which allows you to put
1209	  comments in your iptables ruleset.
1210
1211	  If you want to compile it as a module, say M here and read
1212	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1213
1214config NETFILTER_XT_MATCH_CONNBYTES
1215	tristate  '"connbytes" per-connection counter match support'
1216	depends on NF_CONNTRACK
1217	depends on NETFILTER_ADVANCED
1218	help
1219	  This option adds a `connbytes' match, which allows you to match the
1220	  number of bytes and/or packets for each direction within a connection.
1221
1222	  If you want to compile it as a module, say M here and read
1223	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1224
1225config NETFILTER_XT_MATCH_CONNLABEL
1226	tristate '"connlabel" match support'
1227	select NF_CONNTRACK_LABELS
1228	depends on NF_CONNTRACK
1229	depends on NETFILTER_ADVANCED
1230	help
1231	  This match allows you to test and assign userspace-defined label names
1232	  to a connection.  The kernel only stores bit values - mapping
1233	  names to bits is done by userspace.
1234
1235	  Unlike connmark, more than 32 flag bits may be assigned to a
1236	  connection simultaneously.
1237
1238config NETFILTER_XT_MATCH_CONNLIMIT
1239	tristate '"connlimit" match support'
1240	depends on NF_CONNTRACK
1241	depends on NETFILTER_ADVANCED
1242	select NETFILTER_CONNCOUNT
1243	help
1244	  This match allows you to match against the number of parallel
1245	  connections to a server per client IP address (or address block).
1246
1247config NETFILTER_XT_MATCH_CONNMARK
1248	tristate  '"connmark" connection mark match support'
1249	depends on NF_CONNTRACK
1250	depends on NETFILTER_ADVANCED
1251	select NETFILTER_XT_CONNMARK
1252	help
1253	This is a backwards-compat option for the user's convenience
1254	(e.g. when running oldconfig). It selects
1255	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1256
1257config NETFILTER_XT_MATCH_CONNTRACK
1258	tristate '"conntrack" connection tracking match support'
1259	depends on NF_CONNTRACK
1260	default m if NETFILTER_ADVANCED=n
1261	help
1262	  This is a general conntrack match module, a superset of the state match.
1263
1264	  It allows matching on additional conntrack information, which is
1265	  useful in complex configurations, such as NAT gateways with multiple
1266	  internet links or tunnels.
1267
1268	  To compile it as a module, choose M here.  If unsure, say N.
1269
1270config NETFILTER_XT_MATCH_CPU
1271	tristate '"cpu" match support'
1272	depends on NETFILTER_ADVANCED
1273	help
1274	  CPU matching allows you to match packets based on the CPU
1275	  currently handling the packet.
1276
1277	  To compile it as a module, choose M here.  If unsure, say N.
1278
1279config NETFILTER_XT_MATCH_DCCP
1280	tristate '"dccp" protocol match support (DEPRECATED)'
1281	depends on NETFILTER_ADVANCED
1282	default n
1283	help
1284	  With this option enabled, you will be able to use the iptables
1285	  `dccp' match in order to match on DCCP source/destination ports
1286	  and DCCP flags.
1287
1288	  If you want to compile it as a module, say M here and read
1289	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1290
1291config NETFILTER_XT_MATCH_DEVGROUP
1292	tristate '"devgroup" match support'
1293	depends on NETFILTER_ADVANCED
1294	help
1295	  This option adds a `devgroup' match, which allows you to match on the
1296	  device group a network device is assigned to.
1297
1298	  To compile it as a module, choose M here.  If unsure, say N.
1299
1300config NETFILTER_XT_MATCH_DSCP
1301	tristate '"dscp" and "tos" match support'
1302	depends on NETFILTER_ADVANCED
1303	help
1304	  This option adds a `DSCP' match, which allows you to match against
1305	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1306
1307	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1308
1309	  It will also add a "tos" match, which allows you to match packets
1310	  based on the Type Of Service fields of the IPv4 packet (which share
1311	  the same bits as DSCP).
1312
1313	  To compile it as a module, choose M here.  If unsure, say N.
1314
1315config NETFILTER_XT_MATCH_ECN
1316	tristate '"ecn" match support'
1317	depends on NETFILTER_ADVANCED
1318	help
1319	This option adds an "ECN" match, which allows you to match against
1320	the IPv4 and TCP header ECN fields.
1321
1322	To compile it as a module, choose M here. If unsure, say N.
1323
1324config NETFILTER_XT_MATCH_ESP
1325	tristate '"esp" match support'
1326	depends on NETFILTER_ADVANCED
1327	help
1328	  This match extension allows you to match a range of SPIs
1329	  inside the ESP header of IPsec packets.
1330
1331	  To compile it as a module, choose M here.  If unsure, say N.
1332
1333config NETFILTER_XT_MATCH_HASHLIMIT
1334	tristate '"hashlimit" match support'
1335	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1336	depends on NETFILTER_ADVANCED
1337	help
1338	  This option adds a `hashlimit' match.
1339
1340	  As opposed to `limit', this match dynamically creates a hash table
1341	  of limit buckets, based on your selection of source/destination
1342	  addresses and/or ports.
1343
1344	  It enables you to express policies like `10kpps for any given
1345	  destination address' or `500pps from any given source address'
1346	  with a single rule.
1347
1348config NETFILTER_XT_MATCH_HELPER
1349	tristate '"helper" match support'
1350	depends on NF_CONNTRACK
1351	depends on NETFILTER_ADVANCED
1352	help
1353	  Helper matching allows you to match packets in dynamic connections
1354	  tracked by a conntrack-helper, e.g. nf_conntrack_ftp.
1355
1356	  To compile it as a module, choose M here.  If unsure, say Y.
1357
1358config NETFILTER_XT_MATCH_HL
1359	tristate '"hl" hoplimit/TTL match support'
1360	depends on NETFILTER_ADVANCED
1361	help
1362	HL matching allows you to match packets based on the hoplimit
1363	in the IPv6 header, or the time-to-live field in the IPv4
1364	header of the packet.
1365
1366config NETFILTER_XT_MATCH_IPCOMP
1367	tristate '"ipcomp" match support'
1368	depends on NETFILTER_ADVANCED
1369	help
1370	  This match extension allows you to match a range of CPIs (16 bits)
1371	  inside the IPComp header of IPsec packets.
1372
1373	  To compile it as a module, choose M here.  If unsure, say N.
1374
1375config NETFILTER_XT_MATCH_IPRANGE
1376	tristate '"iprange" address range match support'
1377	depends on NETFILTER_ADVANCED
1378	help
1379	This option adds an "iprange" match, which allows you to match based on
1380	an IP address range. (Normal iptables only matches on single addresses
1381	with an optional mask.)
1382
1383	If unsure, say M.
1384
1385config NETFILTER_XT_MATCH_IPVS
1386	tristate '"ipvs" match support'
1387	depends on IP_VS
1388	depends on NETFILTER_ADVANCED
1389	depends on NF_CONNTRACK
1390	help
1391	  This option allows you to match against IPVS properties of a packet.
1392
1393	  If unsure, say N.
1394
1395config NETFILTER_XT_MATCH_L2TP
1396	tristate '"l2tp" match support'
1397	depends on NETFILTER_ADVANCED
1398	default L2TP
1399	help
1400	This option adds an "L2TP" match, which allows you to match against
1401	L2TP protocol header fields.
1402
1403	To compile it as a module, choose M here. If unsure, say N.
1404
1405config NETFILTER_XT_MATCH_LENGTH
1406	tristate '"length" match support'
1407	depends on NETFILTER_ADVANCED
1408	help
1409	  This option allows you to match the length of a packet against a
1410	  specific value or range of values.
1411
1412	  To compile it as a module, choose M here.  If unsure, say N.
1413
1414config NETFILTER_XT_MATCH_LIMIT
1415	tristate '"limit" match support'
1416	depends on NETFILTER_ADVANCED
1417	help
1418	  limit matching allows you to control the rate at which a rule can be
1419	  matched: mainly useful in combination with the LOG target ("LOG
1420	  target support", below) and to avoid some Denial of Service attacks.
1421
1422	  To compile it as a module, choose M here.  If unsure, say N.
1423
1424config NETFILTER_XT_MATCH_MAC
1425	tristate '"mac" address match support'
1426	depends on NETFILTER_ADVANCED
1427	help
1428	  MAC matching allows you to match packets based on the source
1429	  Ethernet address of the packet.
1430
1431	  To compile it as a module, choose M here.  If unsure, say N.
1432
1433config NETFILTER_XT_MATCH_MARK
1434	tristate '"mark" match support'
1435	depends on NETFILTER_ADVANCED
1436	select NETFILTER_XT_MARK
1437	help
1438	This is a backwards-compat option for the user's convenience
1439	(e.g. when running oldconfig). It selects
1440	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1441
1442config NETFILTER_XT_MATCH_MULTIPORT
1443	tristate '"multiport" Multiple port match support'
1444	depends on NETFILTER_ADVANCED
1445	help
1446	  Multiport matching allows you to match TCP or UDP packets based on
1447	  a series of source or destination ports: normally a rule can only
1448	  match a single range of ports.
1449
1450	  To compile it as a module, choose M here.  If unsure, say N.
1451
1452config NETFILTER_XT_MATCH_NFACCT
1453	tristate '"nfacct" match support'
1454	depends on NETFILTER_ADVANCED
1455	select NETFILTER_NETLINK_ACCT
1456	help
1457	  This option allows you to use the extended accounting through
1458	  nfnetlink_acct.
1459
1460	  To compile it as a module, choose M here.  If unsure, say N.
1461
1462config NETFILTER_XT_MATCH_OSF
1463	tristate '"osf" Passive OS fingerprint match'
1464	depends on NETFILTER_ADVANCED
1465	select NETFILTER_NETLINK_OSF
1466	help
1467	  This option selects the Passive OS Fingerprinting match module
1468	  that allows you to passively match the remote operating system by
1469	  analyzing incoming TCP SYN packets.
1470
1471	  Rules and loading software can be downloaded from
1472	  http://www.ioremap.net/projects/osf
1473
1474	  To compile it as a module, choose M here.  If unsure, say N.
1475
1476config NETFILTER_XT_MATCH_OWNER
1477	tristate '"owner" match support'
1478	depends on NETFILTER_ADVANCED
1479	help
1480	Socket owner matching allows you to match locally-generated packets
1481	based on who created the socket: the user or group. It is also
1482	possible to check whether a socket actually exists.
1483
1484config NETFILTER_XT_MATCH_POLICY
1485	tristate 'IPsec "policy" match support'
1486	depends on XFRM
1487	default m if NETFILTER_ADVANCED=n
1488	help
1489	  Policy matching allows you to match packets based on the
1490	  IPsec policy that was used during decapsulation/will
1491	  be used during encapsulation.
1492
1493	  To compile it as a module, choose M here.  If unsure, say N.
1494
1495config NETFILTER_XT_MATCH_PHYSDEV
1496	tristate '"physdev" match support'
1497	depends on BRIDGE && BRIDGE_NETFILTER
1498	depends on NETFILTER_ADVANCED
1499	help
1500	  Physdev packet matching matches against the physical bridge ports
1501	  the IP packet arrived on or will leave by.
1502
1503	  To compile it as a module, choose M here.  If unsure, say N.
1504
1505config NETFILTER_XT_MATCH_PKTTYPE
1506	tristate '"pkttype" packet type match support'
1507	depends on NETFILTER_ADVANCED
1508	help
1509	  Packet type matching allows you to match a packet by
1510	  its "class", eg. BROADCAST, MULTICAST, ...
1511
1512	  Typical usage:
1513	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1514
1515	  To compile it as a module, choose M here.  If unsure, say N.
1516
1517config NETFILTER_XT_MATCH_QUOTA
1518	tristate '"quota" match support'
1519	depends on NETFILTER_ADVANCED
1520	help
1521	  This option adds a `quota' match, which allows you to match on a
1522	  byte counter.
1523
1524	  If you want to compile it as a module, say M here and read
1525	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1526
1527config NETFILTER_XT_MATCH_RATEEST
1528	tristate '"rateest" match support'
1529	depends on NETFILTER_ADVANCED
1530	select NETFILTER_XT_TARGET_RATEEST
1531	help
1532	  This option adds a `rateest' match, which allows you to match on the
1533	  rate estimated by the RATEEST target.
1534
1535	  To compile it as a module, choose M here.  If unsure, say N.
1536
1537config NETFILTER_XT_MATCH_REALM
1538	tristate  '"realm" match support'
1539	depends on NETFILTER_ADVANCED
1540	select IP_ROUTE_CLASSID
1541	help
1542	  This option adds a `realm' match, which allows you to use the realm
1543	  key from the routing subsystem inside iptables.
1544
1545	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1546	  in tc world.
1547
1548	  If you want to compile it as a module, say M here and read
1549	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1550
1551config NETFILTER_XT_MATCH_RECENT
1552	tristate '"recent" match support'
1553	depends on NETFILTER_ADVANCED
1554	help
1555	This match is used for creating one or many lists of recently
1556	used addresses and then matching against that/those list(s).
1557
1558	Short options are available by using 'iptables -m recent -h'.
1559	Official Website: <http://snowman.net/projects/ipt_recent/>
1560
1561config NETFILTER_XT_MATCH_SCTP
1562	tristate  '"sctp" protocol match support'
1563	depends on NETFILTER_ADVANCED
1564	default IP_SCTP
1565	help
1566	  With this option enabled, you will be able to use the
1567	  `sctp' match in order to match on SCTP source/destination ports
1568	  and SCTP chunk types.
1569
1570	  If you want to compile it as a module, say M here and read
1571	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1572
1573config NETFILTER_XT_MATCH_SOCKET
1574	tristate '"socket" match support'
1575	depends on NETFILTER_XTABLES
1576	depends on NETFILTER_ADVANCED
1577	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1578	select NF_SOCKET_IPV4
1579	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1580	select NF_DEFRAG_IPV4
1581	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1582	help
1583	  This option adds a `socket' match, which can be used to match
1584	  packets for which a TCP or UDP socket lookup finds a valid socket.
1585	  It can be used in combination with the MARK target and policy
1586	  routing to implement full featured non-locally bound sockets.
1587
1588	  To compile it as a module, choose M here.  If unsure, say N.
1589
1590config NETFILTER_XT_MATCH_STATE
1591	tristate '"state" match support'
1592	depends on NF_CONNTRACK
1593	default m if NETFILTER_ADVANCED=n
1594	help
1595	  Connection state matching allows you to match packets based on their
1596	  relationship to a tracked connection (ie. previous packets).  This
1597	  is a powerful tool for packet classification.
1598
1599	  To compile it as a module, choose M here.  If unsure, say N.
1600
1601config NETFILTER_XT_MATCH_STATISTIC
1602	tristate '"statistic" match support'
1603	depends on NETFILTER_ADVANCED
1604	help
1605	  This option adds a `statistic' match, which allows you to match
1606	  on packets periodically or randomly with a given percentage.
1607
1608	  To compile it as a module, choose M here.  If unsure, say N.
1609
1610config NETFILTER_XT_MATCH_STRING
1611	tristate  '"string" match support'
1612	depends on NETFILTER_ADVANCED
1613	select TEXTSEARCH
1614	select TEXTSEARCH_KMP
1615	select TEXTSEARCH_BM
1616	select TEXTSEARCH_FSM
1617	help
1618	  This option adds a `string' match, which allows you to look for
1619	  patterns in packets.
1620
1621	  To compile it as a module, choose M here.  If unsure, say N.
1622
1623config NETFILTER_XT_MATCH_TCPMSS
1624	tristate '"tcpmss" match support'
1625	depends on NETFILTER_ADVANCED
1626	help
1627	  This option adds a `tcpmss' match, which allows you to examine the
1628	  MSS value of TCP SYN packets, which controls the maximum packet size
1629	  for that connection.
1630
1631	  To compile it as a module, choose M here.  If unsure, say N.
1632
1633config NETFILTER_XT_MATCH_TIME
1634	tristate '"time" match support'
1635	depends on NETFILTER_ADVANCED
1636	help
1637	  This option adds a "time" match, which allows you to match based on
1638	  the packet arrival time (at the machine on which netfilter is
1639	  running) or departure time/date (for locally generated packets).
1640
1641	  If you say Y here, try `iptables -m time --help` for
1642	  more information.
1643
1644	  If you want to compile it as a module, say M here.
1645	  If unsure, say N.
1646
1647config NETFILTER_XT_MATCH_U32
1648	tristate '"u32" match support'
1649	depends on NETFILTER_ADVANCED
1650	help
1651	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1652	  AND them with specified masks, shift them by specified amounts and
1653	  test whether the results are in any of a set of specified ranges.
1654	  The specification of what to extract is general enough to skip over
1655	  headers with lengths stored in the packet, as in IP or TCP header
1656	  lengths.
1657
1658	  Details and examples are in the kernel module source.
1659
1660endif # NETFILTER_XTABLES
1661
1662endmenu
1663
1664source "net/netfilter/ipset/Kconfig"
1665
1666source "net/netfilter/ipvs/Kconfig"
1667