0001 # SPDX-License-Identifier: GPL-2.0-only
0002 menu "Core Netfilter Configuration"
0003 depends on INET && NETFILTER
0004
0005 config NETFILTER_INGRESS
0006 bool "Netfilter ingress support"
0007 default y
0008 select NET_INGRESS
0009 help
0010 This allows you to classify packets from ingress using the Netfilter
0011 infrastructure.
0012
0013 config NETFILTER_EGRESS
0014 bool "Netfilter egress support"
0015 default y
0016 select NET_EGRESS
0017 help
0018 This allows you to classify packets before transmission using the
0019 Netfilter infrastructure.
0020
0021 config NETFILTER_SKIP_EGRESS
0022 def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)
0023
0024 config NETFILTER_NETLINK
0025 tristate
0026
0027 config NETFILTER_FAMILY_BRIDGE
0028 bool
0029
0030 config NETFILTER_FAMILY_ARP
0031 bool
0032
0033 config NETFILTER_NETLINK_HOOK
0034 tristate "Netfilter base hook dump support"
0035 depends on NETFILTER_ADVANCED
0036 depends on NF_TABLES
0037 select NETFILTER_NETLINK
0038 help
0039 If this option is enabled, the kernel will include support
0040 to list the base netfilter hooks via NFNETLINK.
0041 This is helpful for debugging.
0042
0043 config NETFILTER_NETLINK_ACCT
0044 tristate "Netfilter NFACCT over NFNETLINK interface"
0045 depends on NETFILTER_ADVANCED
0046 select NETFILTER_NETLINK
0047 help
0048 If this option is enabled, the kernel will include support
0049 for extended accounting via NFNETLINK.
0050
0051 config NETFILTER_NETLINK_QUEUE
0052 tristate "Netfilter NFQUEUE over NFNETLINK interface"
0053 depends on NETFILTER_ADVANCED
0054 select NETFILTER_NETLINK
0055 help
0056 If this option is enabled, the kernel will include support
0057 for queueing packets via NFNETLINK.
0058
0059 config NETFILTER_NETLINK_LOG
0060 tristate "Netfilter LOG over NFNETLINK interface"
0061 default m if NETFILTER_ADVANCED=n
0062 select NETFILTER_NETLINK
0063 help
0064 If this option is enabled, the kernel will include support
0065 for logging packets via NFNETLINK.
0066
0067 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
0068 and is also scheduled to replace the old syslog-based ipt_LOG
0069 and ip6t_LOG modules.
0070
0071 config NETFILTER_NETLINK_OSF
0072 tristate "Netfilter OSF over NFNETLINK interface"
0073 depends on NETFILTER_ADVANCED
0074 select NETFILTER_NETLINK
0075 help
0076 If this option is enabled, the kernel will include support
0077 for passive OS fingerprint via NFNETLINK.
0078
0079 config NF_CONNTRACK
0080 tristate "Netfilter connection tracking support"
0081 default m if NETFILTER_ADVANCED=n
0082 select NF_DEFRAG_IPV4
0083 select NF_DEFRAG_IPV6 if IPV6 != n
0084 help
0085 Connection tracking keeps a record of what packets have passed
0086 through your machine, in order to figure out how they are related
0087 into connections.
0088
0089 This is required to do Masquerading or other kinds of Network
0090 Address Translation. It can also be used to enhance packet
0091 filtering (see `Connection state match support' below).
0092
0093 To compile it as a module, choose M here. If unsure, say N.
0094
0095 config NF_LOG_SYSLOG
0096 tristate "Syslog packet logging"
0097 default m if NETFILTER_ADVANCED=n
0098 help
0099 This option enable support for packet logging via syslog.
0100 It supports IPv4, IPV6, ARP and common transport protocols such
0101 as TCP and UDP.
0102 This is a simpler but less flexible logging method compared to
0103 CONFIG_NETFILTER_NETLINK_LOG.
0104 If both are enabled the backend to use can be configured at run-time
0105 by means of per-address-family sysctl tunables.
0106
0107 if NF_CONNTRACK
0108 config NETFILTER_CONNCOUNT
0109 tristate
0110
0111 config NF_CONNTRACK_MARK
0112 bool 'Connection mark tracking support'
0113 depends on NETFILTER_ADVANCED
0114 help
0115 This option enables support for connection marks, used by the
0116 `CONNMARK' target and `connmark' match. Similar to the mark value
0117 of packets, but this mark value is kept in the conntrack session
0118 instead of the individual packets.
0119
0120 config NF_CONNTRACK_SECMARK
0121 bool 'Connection tracking security mark support'
0122 depends on NETWORK_SECMARK
0123 default y if NETFILTER_ADVANCED=n
0124 help
0125 This option enables security markings to be applied to
0126 connections. Typically they are copied to connections from
0127 packets using the CONNSECMARK target and copied back from
0128 connections to packets with the same target, with the packets
0129 being originally labeled via SECMARK.
0130
0131 If unsure, say 'N'.
0132
0133 config NF_CONNTRACK_ZONES
0134 bool 'Connection tracking zones'
0135 depends on NETFILTER_ADVANCED
0136 help
0137 This option enables support for connection tracking zones.
0138 Normally, each connection needs to have a unique system wide
0139 identity. Connection tracking zones allow to have multiple
0140 connections using the same identity, as long as they are
0141 contained in different zones.
0142
0143 If unsure, say `N'.
0144
0145 config NF_CONNTRACK_PROCFS
0146 bool "Supply CT list in procfs (OBSOLETE)"
0147 depends on PROC_FS
0148 help
0149 This option enables for the list of known conntrack entries
0150 to be shown in procfs under net/netfilter/nf_conntrack. This
0151 is considered obsolete in favor of using the conntrack(8)
0152 tool which uses Netlink.
0153
0154 config NF_CONNTRACK_EVENTS
0155 bool "Connection tracking events"
0156 depends on NETFILTER_ADVANCED
0157 help
0158 If this option is enabled, the connection tracking code will
0159 provide a notifier chain that can be used by other kernel code
0160 to get notified about changes in the connection tracking state.
0161
0162 If unsure, say `N'.
0163
0164 config NF_CONNTRACK_TIMEOUT
0165 bool 'Connection tracking timeout'
0166 depends on NETFILTER_ADVANCED
0167 help
0168 This option enables support for connection tracking timeout
0169 extension. This allows you to attach timeout policies to flow
0170 via the CT target.
0171
0172 If unsure, say `N'.
0173
0174 config NF_CONNTRACK_TIMESTAMP
0175 bool 'Connection tracking timestamping'
0176 depends on NETFILTER_ADVANCED
0177 help
0178 This option enables support for connection tracking timestamping.
0179 This allows you to store the flow start-time and to obtain
0180 the flow-stop time (once it has been destroyed) via Connection
0181 tracking events.
0182
0183 If unsure, say `N'.
0184
0185 config NF_CONNTRACK_LABELS
0186 bool "Connection tracking labels"
0187 help
0188 This option enables support for assigning user-defined flag bits
0189 to connection tracking entries. It can be used with xtables connlabel
0190 match and the nftables ct expression.
0191
0192 config NF_CT_PROTO_DCCP
0193 bool 'DCCP protocol connection tracking support'
0194 depends on NETFILTER_ADVANCED
0195 default y
0196 help
0197 With this option enabled, the layer 3 independent connection
0198 tracking code will be able to do state tracking on DCCP connections.
0199
0200 If unsure, say Y.
0201
0202 config NF_CT_PROTO_GRE
0203 bool
0204
0205 config NF_CT_PROTO_SCTP
0206 bool 'SCTP protocol connection tracking support'
0207 depends on NETFILTER_ADVANCED
0208 default y
0209 select LIBCRC32C
0210 help
0211 With this option enabled, the layer 3 independent connection
0212 tracking code will be able to do state tracking on SCTP connections.
0213
0214 If unsure, say Y.
0215
0216 config NF_CT_PROTO_UDPLITE
0217 bool 'UDP-Lite protocol connection tracking support'
0218 depends on NETFILTER_ADVANCED
0219 default y
0220 help
0221 With this option enabled, the layer 3 independent connection
0222 tracking code will be able to do state tracking on UDP-Lite
0223 connections.
0224
0225 If unsure, say Y.
0226
0227 config NF_CONNTRACK_AMANDA
0228 tristate "Amanda backup protocol support"
0229 depends on NETFILTER_ADVANCED
0230 select TEXTSEARCH
0231 select TEXTSEARCH_KMP
0232 help
0233 If you are running the Amanda backup package <http://www.amanda.org/>
0234 on this machine or machines that will be MASQUERADED through this
0235 machine, then you may want to enable this feature. This allows the
0236 connection tracking and natting code to allow the sub-channels that
0237 Amanda requires for communication of the backup data, messages and
0238 index.
0239
0240 To compile it as a module, choose M here. If unsure, say N.
0241
0242 config NF_CONNTRACK_FTP
0243 tristate "FTP protocol support"
0244 default m if NETFILTER_ADVANCED=n
0245 help
0246 Tracking FTP connections is problematic: special helpers are
0247 required for tracking them, and doing masquerading and other forms
0248 of Network Address Translation on them.
0249
0250 This is FTP support on Layer 3 independent connection tracking.
0251
0252 To compile it as a module, choose M here. If unsure, say N.
0253
0254 config NF_CONNTRACK_H323
0255 tristate "H.323 protocol support"
0256 depends on IPV6 || IPV6=n
0257 depends on NETFILTER_ADVANCED
0258 help
0259 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
0260 important VoIP protocols, it is widely used by voice hardware and
0261 software including voice gateways, IP phones, Netmeeting, OpenPhone,
0262 Gnomemeeting, etc.
0263
0264 With this module you can support H.323 on a connection tracking/NAT
0265 firewall.
0266
0267 This module supports RAS, Fast Start, H.245 Tunnelling, Call
0268 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
0269 whiteboard, file transfer, etc. For more information, please
0270 visit http://nath323.sourceforge.net/.
0271
0272 To compile it as a module, choose M here. If unsure, say N.
0273
0274 config NF_CONNTRACK_IRC
0275 tristate "IRC protocol support"
0276 default m if NETFILTER_ADVANCED=n
0277 help
0278 There is a commonly-used extension to IRC called
0279 Direct Client-to-Client Protocol (DCC). This enables users to send
0280 files to each other, and also chat to each other without the need
0281 of a server. DCC Sending is used anywhere you send files over IRC,
0282 and DCC Chat is most commonly used by Eggdrop bots. If you are
0283 using NAT, this extension will enable you to send files and initiate
0284 chats. Note that you do NOT need this extension to get files or
0285 have others initiate chats, or everything else in IRC.
0286
0287 To compile it as a module, choose M here. If unsure, say N.
0288
0289 config NF_CONNTRACK_BROADCAST
0290 tristate
0291
0292 config NF_CONNTRACK_NETBIOS_NS
0293 tristate "NetBIOS name service protocol support"
0294 select NF_CONNTRACK_BROADCAST
0295 help
0296 NetBIOS name service requests are sent as broadcast messages from an
0297 unprivileged port and responded to with unicast messages to the
0298 same port. This make them hard to firewall properly because connection
0299 tracking doesn't deal with broadcasts. This helper tracks locally
0300 originating NetBIOS name service requests and the corresponding
0301 responses. It relies on correct IP address configuration, specifically
0302 netmask and broadcast address. When properly configured, the output
0303 of "ip address show" should look similar to this:
0304
0305 $ ip -4 address show eth0
0306 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
0307 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
0308
0309 To compile it as a module, choose M here. If unsure, say N.
0310
0311 config NF_CONNTRACK_SNMP
0312 tristate "SNMP service protocol support"
0313 depends on NETFILTER_ADVANCED
0314 select NF_CONNTRACK_BROADCAST
0315 help
0316 SNMP service requests are sent as broadcast messages from an
0317 unprivileged port and responded to with unicast messages to the
0318 same port. This make them hard to firewall properly because connection
0319 tracking doesn't deal with broadcasts. This helper tracks locally
0320 originating SNMP service requests and the corresponding
0321 responses. It relies on correct IP address configuration, specifically
0322 netmask and broadcast address.
0323
0324 To compile it as a module, choose M here. If unsure, say N.
0325
0326 config NF_CONNTRACK_PPTP
0327 tristate "PPtP protocol support"
0328 depends on NETFILTER_ADVANCED
0329 select NF_CT_PROTO_GRE
0330 help
0331 This module adds support for PPTP (Point to Point Tunnelling
0332 Protocol, RFC2637) connection tracking and NAT.
0333
0334 If you are running PPTP sessions over a stateful firewall or NAT
0335 box, you may want to enable this feature.
0336
0337 Please note that not all PPTP modes of operation are supported yet.
0338 Specifically these limitations exist:
0339 - Blindly assumes that control connections are always established
0340 in PNS->PAC direction. This is a violation of RFC2637.
0341 - Only supports a single call within each session
0342
0343 To compile it as a module, choose M here. If unsure, say N.
0344
0345 config NF_CONNTRACK_SANE
0346 tristate "SANE protocol support"
0347 depends on NETFILTER_ADVANCED
0348 help
0349 SANE is a protocol for remote access to scanners as implemented
0350 by the 'saned' daemon. Like FTP, it uses separate control and
0351 data connections.
0352
0353 With this module you can support SANE on a connection tracking
0354 firewall.
0355
0356 To compile it as a module, choose M here. If unsure, say N.
0357
0358 config NF_CONNTRACK_SIP
0359 tristate "SIP protocol support"
0360 default m if NETFILTER_ADVANCED=n
0361 help
0362 SIP is an application-layer control protocol that can establish,
0363 modify, and terminate multimedia sessions (conferences) such as
0364 Internet telephony calls. With the nf_conntrack_sip and
0365 the nf_nat_sip modules you can support the protocol on a connection
0366 tracking/NATing firewall.
0367
0368 To compile it as a module, choose M here. If unsure, say N.
0369
0370 config NF_CONNTRACK_TFTP
0371 tristate "TFTP protocol support"
0372 depends on NETFILTER_ADVANCED
0373 help
0374 TFTP connection tracking helper, this is required depending
0375 on how restrictive your ruleset is.
0376 If you are using a tftp client behind -j SNAT or -j MASQUERADING
0377 you will need this.
0378
0379 To compile it as a module, choose M here. If unsure, say N.
0380
0381 config NF_CT_NETLINK
0382 tristate 'Connection tracking netlink interface'
0383 select NETFILTER_NETLINK
0384 default m if NETFILTER_ADVANCED=n
0385 help
0386 This option enables support for a netlink-based userspace interface
0387
0388 config NF_CT_NETLINK_TIMEOUT
0389 tristate 'Connection tracking timeout tuning via Netlink'
0390 select NETFILTER_NETLINK
0391 depends on NETFILTER_ADVANCED
0392 depends on NF_CONNTRACK_TIMEOUT
0393 help
0394 This option enables support for connection tracking timeout
0395 fine-grain tuning. This allows you to attach specific timeout
0396 policies to flows, instead of using the global timeout policy.
0397
0398 If unsure, say `N'.
0399
0400 config NF_CT_NETLINK_HELPER
0401 tristate 'Connection tracking helpers in user-space via Netlink'
0402 select NETFILTER_NETLINK
0403 depends on NF_CT_NETLINK
0404 depends on NETFILTER_NETLINK_QUEUE
0405 depends on NETFILTER_NETLINK_GLUE_CT
0406 depends on NETFILTER_ADVANCED
0407 help
0408 This option enables the user-space connection tracking helpers
0409 infrastructure.
0410
0411 If unsure, say `N'.
0412
0413 config NETFILTER_NETLINK_GLUE_CT
0414 bool "NFQUEUE and NFLOG integration with Connection Tracking"
0415 default n
0416 depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
0417 help
0418 If this option is enabled, NFQUEUE and NFLOG can include
0419 Connection Tracking information together with the packet is
0420 the enqueued via NFNETLINK.
0421
0422 config NF_NAT
0423 tristate "Network Address Translation support"
0424 depends on NF_CONNTRACK
0425 default m if NETFILTER_ADVANCED=n
0426 help
0427 The NAT option allows masquerading, port forwarding and other
0428 forms of full Network Address Port Translation. This can be
0429 controlled by iptables, ip6tables or nft.
0430
0431 config NF_NAT_AMANDA
0432 tristate
0433 depends on NF_CONNTRACK && NF_NAT
0434 default NF_NAT && NF_CONNTRACK_AMANDA
0435
0436 config NF_NAT_FTP
0437 tristate
0438 depends on NF_CONNTRACK && NF_NAT
0439 default NF_NAT && NF_CONNTRACK_FTP
0440
0441 config NF_NAT_IRC
0442 tristate
0443 depends on NF_CONNTRACK && NF_NAT
0444 default NF_NAT && NF_CONNTRACK_IRC
0445
0446 config NF_NAT_SIP
0447 tristate
0448 depends on NF_CONNTRACK && NF_NAT
0449 default NF_NAT && NF_CONNTRACK_SIP
0450
0451 config NF_NAT_TFTP
0452 tristate
0453 depends on NF_CONNTRACK && NF_NAT
0454 default NF_NAT && NF_CONNTRACK_TFTP
0455
0456 config NF_NAT_REDIRECT
0457 bool
0458
0459 config NF_NAT_MASQUERADE
0460 bool
0461
0462 config NETFILTER_SYNPROXY
0463 tristate
0464
0465 endif # NF_CONNTRACK
0466
0467 config NF_TABLES
0468 select NETFILTER_NETLINK
0469 select LIBCRC32C
0470 tristate "Netfilter nf_tables support"
0471 help
0472 nftables is the new packet classification framework that intends to
0473 replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
0474 provides a pseudo-state machine with an extensible instruction-set
0475 (also known as expressions) that the userspace 'nft' utility
0476 (https://www.netfilter.org/projects/nftables) uses to build the
0477 rule-set. It also comes with the generic set infrastructure that
0478 allows you to construct mappings between matchings and actions
0479 for performance lookups.
0480
0481 To compile it as a module, choose M here.
0482
0483 if NF_TABLES
0484 config NF_TABLES_INET
0485 depends on IPV6
0486 select NF_TABLES_IPV4
0487 select NF_TABLES_IPV6
0488 bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
0489 help
0490 This option enables support for a mixed IPv4/IPv6 "inet" table.
0491
0492 config NF_TABLES_NETDEV
0493 bool "Netfilter nf_tables netdev tables support"
0494 help
0495 This option enables support for the "netdev" table.
0496
0497 config NFT_NUMGEN
0498 tristate "Netfilter nf_tables number generator module"
0499 help
0500 This option adds the number generator expression used to perform
0501 incremental counting and random numbers bound to a upper limit.
0502
0503 config NFT_CT
0504 depends on NF_CONNTRACK
0505 tristate "Netfilter nf_tables conntrack module"
0506 help
0507 This option adds the "ct" expression that you can use to match
0508 connection tracking information such as the flow state.
0509
0510 config NFT_FLOW_OFFLOAD
0511 depends on NF_CONNTRACK && NF_FLOW_TABLE
0512 tristate "Netfilter nf_tables hardware flow offload module"
0513 help
0514 This option adds the "flow_offload" expression that you can use to
0515 choose what flows are placed into the hardware.
0516
0517 config NFT_CONNLIMIT
0518 tristate "Netfilter nf_tables connlimit module"
0519 depends on NF_CONNTRACK
0520 depends on NETFILTER_ADVANCED
0521 select NETFILTER_CONNCOUNT
0522 help
0523 This option adds the "connlimit" expression that you can use to
0524 ratelimit rule matchings per connections.
0525
0526 config NFT_LOG
0527 tristate "Netfilter nf_tables log module"
0528 help
0529 This option adds the "log" expression that you can use to log
0530 packets matching some criteria.
0531
0532 config NFT_LIMIT
0533 tristate "Netfilter nf_tables limit module"
0534 help
0535 This option adds the "limit" expression that you can use to
0536 ratelimit rule matchings.
0537
0538 config NFT_MASQ
0539 depends on NF_CONNTRACK
0540 depends on NF_NAT
0541 select NF_NAT_MASQUERADE
0542 tristate "Netfilter nf_tables masquerade support"
0543 help
0544 This option adds the "masquerade" expression that you can use
0545 to perform NAT in the masquerade flavour.
0546
0547 config NFT_REDIR
0548 depends on NF_CONNTRACK
0549 depends on NF_NAT
0550 tristate "Netfilter nf_tables redirect support"
0551 select NF_NAT_REDIRECT
0552 help
0553 This options adds the "redirect" expression that you can use
0554 to perform NAT in the redirect flavour.
0555
0556 config NFT_NAT
0557 depends on NF_CONNTRACK
0558 select NF_NAT
0559 depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
0560 tristate "Netfilter nf_tables nat module"
0561 help
0562 This option adds the "nat" expression that you can use to perform
0563 typical Network Address Translation (NAT) packet transformations.
0564
0565 config NFT_TUNNEL
0566 tristate "Netfilter nf_tables tunnel module"
0567 help
0568 This option adds the "tunnel" expression that you can use to set
0569 tunneling policies.
0570
0571 config NFT_OBJREF
0572 tristate "Netfilter nf_tables stateful object reference module"
0573 help
0574 This option adds the "objref" expression that allows you to refer to
0575 stateful objects, such as counters and quotas.
0576
0577 config NFT_QUEUE
0578 depends on NETFILTER_NETLINK_QUEUE
0579 tristate "Netfilter nf_tables queue module"
0580 help
0581 This is required if you intend to use the userspace queueing
0582 infrastructure (also known as NFQUEUE) from nftables.
0583
0584 config NFT_QUOTA
0585 tristate "Netfilter nf_tables quota module"
0586 help
0587 This option adds the "quota" expression that you can use to match
0588 enforce bytes quotas.
0589
0590 config NFT_REJECT
0591 default m if NETFILTER_ADVANCED=n
0592 tristate "Netfilter nf_tables reject support"
0593 depends on !NF_TABLES_INET || (IPV6!=m || m)
0594 help
0595 This option adds the "reject" expression that you can use to
0596 explicitly deny and notify via TCP reset/ICMP informational errors
0597 unallowed traffic.
0598
0599 config NFT_REJECT_INET
0600 depends on NF_TABLES_INET
0601 default NFT_REJECT
0602 tristate
0603
0604 config NFT_COMPAT
0605 depends on NETFILTER_XTABLES
0606 tristate "Netfilter x_tables over nf_tables module"
0607 help
0608 This is required if you intend to use any of existing
0609 x_tables match/target extensions over the nf_tables
0610 framework.
0611
0612 config NFT_HASH
0613 tristate "Netfilter nf_tables hash module"
0614 help
0615 This option adds the "hash" expression that you can use to perform
0616 a hash operation on registers.
0617
0618 config NFT_FIB
0619 tristate
0620
0621 config NFT_FIB_INET
0622 depends on NF_TABLES_INET
0623 depends on NFT_FIB_IPV4
0624 depends on NFT_FIB_IPV6
0625 tristate "Netfilter nf_tables fib inet support"
0626 help
0627 This option allows using the FIB expression from the inet table.
0628 The lookup will be delegated to the IPv4 or IPv6 FIB depending
0629 on the protocol of the packet.
0630
0631 config NFT_XFRM
0632 tristate "Netfilter nf_tables xfrm/IPSec security association matching"
0633 depends on XFRM
0634 help
0635 This option adds an expression that you can use to extract properties
0636 of a packets security association.
0637
0638 config NFT_SOCKET
0639 tristate "Netfilter nf_tables socket match support"
0640 depends on IPV6 || IPV6=n
0641 select NF_SOCKET_IPV4
0642 select NF_SOCKET_IPV6 if NF_TABLES_IPV6
0643 help
0644 This option allows matching for the presence or absence of a
0645 corresponding socket and its attributes.
0646
0647 config NFT_OSF
0648 tristate "Netfilter nf_tables passive OS fingerprint support"
0649 depends on NETFILTER_ADVANCED
0650 select NETFILTER_NETLINK_OSF
0651 help
0652 This option allows matching packets from an specific OS.
0653
0654 config NFT_TPROXY
0655 tristate "Netfilter nf_tables tproxy support"
0656 depends on IPV6 || IPV6=n
0657 select NF_DEFRAG_IPV4
0658 select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
0659 select NF_TPROXY_IPV4
0660 select NF_TPROXY_IPV6 if NF_TABLES_IPV6
0661 help
0662 This makes transparent proxy support available in nftables.
0663
0664 config NFT_SYNPROXY
0665 tristate "Netfilter nf_tables SYNPROXY expression support"
0666 depends on NF_CONNTRACK && NETFILTER_ADVANCED
0667 select NETFILTER_SYNPROXY
0668 select SYN_COOKIES
0669 help
0670 The SYNPROXY expression allows you to intercept TCP connections and
0671 establish them using syncookies before they are passed on to the
0672 server. This allows to avoid conntrack and server resource usage
0673 during SYN-flood attacks.
0674
0675 if NF_TABLES_NETDEV
0676
0677 config NF_DUP_NETDEV
0678 tristate "Netfilter packet duplication support"
0679 help
0680 This option enables the generic packet duplication infrastructure
0681 for Netfilter.
0682
0683 config NFT_DUP_NETDEV
0684 tristate "Netfilter nf_tables netdev packet duplication support"
0685 select NF_DUP_NETDEV
0686 help
0687 This option enables packet duplication for the "netdev" family.
0688
0689 config NFT_FWD_NETDEV
0690 tristate "Netfilter nf_tables netdev packet forwarding support"
0691 select NF_DUP_NETDEV
0692 help
0693 This option enables packet forwarding for the "netdev" family.
0694
0695 config NFT_FIB_NETDEV
0696 depends on NFT_FIB_IPV4
0697 depends on NFT_FIB_IPV6
0698 tristate "Netfilter nf_tables netdev fib lookups support"
0699 help
0700 This option allows using the FIB expression from the netdev table.
0701 The lookup will be delegated to the IPv4 or IPv6 FIB depending
0702 on the protocol of the packet.
0703
0704 config NFT_REJECT_NETDEV
0705 depends on NFT_REJECT_IPV4
0706 depends on NFT_REJECT_IPV6
0707 tristate "Netfilter nf_tables netdev REJECT support"
0708 help
0709 This option enables the REJECT support from the netdev table.
0710 The return packet generation will be delegated to the IPv4
0711 or IPv6 ICMP or TCP RST implementation depending on the
0712 protocol of the packet.
0713
0714 endif # NF_TABLES_NETDEV
0715
0716 endif # NF_TABLES
0717
0718 config NF_FLOW_TABLE_INET
0719 tristate "Netfilter flow table mixed IPv4/IPv6 module"
0720 depends on NF_FLOW_TABLE
0721 help
0722 This option adds the flow table mixed IPv4/IPv6 support.
0723
0724 To compile it as a module, choose M here.
0725
0726 config NF_FLOW_TABLE
0727 tristate "Netfilter flow table module"
0728 depends on NETFILTER_INGRESS
0729 depends on NF_CONNTRACK
0730 depends on NF_TABLES
0731 help
0732 This option adds the flow table core infrastructure.
0733
0734 To compile it as a module, choose M here.
0735
0736 config NF_FLOW_TABLE_PROCFS
0737 bool "Supply flow table statistics in procfs"
0738 depends on NF_FLOW_TABLE
0739 depends on PROC_FS
0740 help
0741 This option enables for the flow table offload statistics
0742 to be shown in procfs under net/netfilter/nf_flowtable.
0743
0744 config NETFILTER_XTABLES
0745 tristate "Netfilter Xtables support (required for ip_tables)"
0746 default m if NETFILTER_ADVANCED=n
0747 help
0748 This is required if you intend to use any of ip_tables,
0749 ip6_tables or arp_tables.
0750
0751 if NETFILTER_XTABLES
0752
0753 config NETFILTER_XTABLES_COMPAT
0754 bool "Netfilter Xtables 32bit support"
0755 depends on COMPAT
0756 default y
0757 help
0758 This option provides a translation layer to run 32bit arp,ip(6),ebtables
0759 binaries on 64bit kernels.
0760
0761 If unsure, say N.
0762
0763 comment "Xtables combined modules"
0764
0765 config NETFILTER_XT_MARK
0766 tristate 'nfmark target and match support'
0767 default m if NETFILTER_ADVANCED=n
0768 help
0769 This option adds the "MARK" target and "mark" match.
0770
0771 Netfilter mark matching allows you to match packets based on the
0772 "nfmark" value in the packet.
0773 The target allows you to create rules in the "mangle" table which alter
0774 the netfilter mark (nfmark) field associated with the packet.
0775
0776 Prior to routing, the nfmark can influence the routing method and can
0777 also be used by other subsystems to change their behavior.
0778
0779 config NETFILTER_XT_CONNMARK
0780 tristate 'ctmark target and match support'
0781 depends on NF_CONNTRACK
0782 depends on NETFILTER_ADVANCED
0783 select NF_CONNTRACK_MARK
0784 help
0785 This option adds the "CONNMARK" target and "connmark" match.
0786
0787 Netfilter allows you to store a mark value per connection (a.k.a.
0788 ctmark), similarly to the packet mark (nfmark). Using this
0789 target and match, you can set and match on this mark.
0790
0791 config NETFILTER_XT_SET
0792 tristate 'set target and match support'
0793 depends on IP_SET
0794 depends on NETFILTER_ADVANCED
0795 help
0796 This option adds the "SET" target and "set" match.
0797
0798 Using this target and match, you can add/delete and match
0799 elements in the sets created by ipset(8).
0800
0801 To compile it as a module, choose M here. If unsure, say N.
0802
0803 # alphabetically ordered list of targets
0804
0805 comment "Xtables targets"
0806
0807 config NETFILTER_XT_TARGET_AUDIT
0808 tristate "AUDIT target support"
0809 depends on AUDIT
0810 depends on NETFILTER_ADVANCED
0811 help
0812 This option adds a 'AUDIT' target, which can be used to create
0813 audit records for packets dropped/accepted.
0814
0815 To compileit as a module, choose M here. If unsure, say N.
0816
0817 config NETFILTER_XT_TARGET_CHECKSUM
0818 tristate "CHECKSUM target support"
0819 depends on IP_NF_MANGLE || IP6_NF_MANGLE
0820 depends on NETFILTER_ADVANCED
0821 help
0822 This option adds a `CHECKSUM' target, which can be used in the iptables mangle
0823 table to work around buggy DHCP clients in virtualized environments.
0824
0825 Some old DHCP clients drop packets because they are not aware
0826 that the checksum would normally be offloaded to hardware and
0827 thus should be considered valid.
0828 This target can be used to fill in the checksum using iptables
0829 when such packets are sent via a virtual network device.
0830
0831 To compile it as a module, choose M here. If unsure, say N.
0832
0833 config NETFILTER_XT_TARGET_CLASSIFY
0834 tristate '"CLASSIFY" target support'
0835 depends on NETFILTER_ADVANCED
0836 help
0837 This option adds a `CLASSIFY' target, which enables the user to set
0838 the priority of a packet. Some qdiscs can use this value for
0839 classification, among these are:
0840
0841 atm, cbq, dsmark, pfifo_fast, htb, prio
0842
0843 To compile it as a module, choose M here. If unsure, say N.
0844
0845 config NETFILTER_XT_TARGET_CONNMARK
0846 tristate '"CONNMARK" target support'
0847 depends on NF_CONNTRACK
0848 depends on NETFILTER_ADVANCED
0849 select NETFILTER_XT_CONNMARK
0850 help
0851 This is a backwards-compat option for the user's convenience
0852 (e.g. when running oldconfig). It selects
0853 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
0854
0855 config NETFILTER_XT_TARGET_CONNSECMARK
0856 tristate '"CONNSECMARK" target support'
0857 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
0858 default m if NETFILTER_ADVANCED=n
0859 help
0860 The CONNSECMARK target copies security markings from packets
0861 to connections, and restores security markings from connections
0862 to packets (if the packets are not already marked). This would
0863 normally be used in conjunction with the SECMARK target.
0864
0865 To compile it as a module, choose M here. If unsure, say N.
0866
0867 config NETFILTER_XT_TARGET_CT
0868 tristate '"CT" target support'
0869 depends on NF_CONNTRACK
0870 depends on IP_NF_RAW || IP6_NF_RAW
0871 depends on NETFILTER_ADVANCED
0872 help
0873 This options adds a `CT' target, which allows to specify initial
0874 connection tracking parameters like events to be delivered and
0875 the helper to be used.
0876
0877 To compile it as a module, choose M here. If unsure, say N.
0878
0879 config NETFILTER_XT_TARGET_DSCP
0880 tristate '"DSCP" and "TOS" target support'
0881 depends on IP_NF_MANGLE || IP6_NF_MANGLE
0882 depends on NETFILTER_ADVANCED
0883 help
0884 This option adds a `DSCP' target, which allows you to manipulate
0885 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
0886
0887 The DSCP field can have any value between 0x0 and 0x3f inclusive.
0888
0889 It also adds the "TOS" target, which allows you to create rules in
0890 the "mangle" table which alter the Type Of Service field of an IPv4
0891 or the Priority field of an IPv6 packet, prior to routing.
0892
0893 To compile it as a module, choose M here. If unsure, say N.
0894
0895 config NETFILTER_XT_TARGET_HL
0896 tristate '"HL" hoplimit target support'
0897 depends on IP_NF_MANGLE || IP6_NF_MANGLE
0898 depends on NETFILTER_ADVANCED
0899 help
0900 This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
0901 targets, which enable the user to change the
0902 hoplimit/time-to-live value of the IP header.
0903
0904 While it is safe to decrement the hoplimit/TTL value, the
0905 modules also allow to increment and set the hoplimit value of
0906 the header to arbitrary values. This is EXTREMELY DANGEROUS
0907 since you can easily create immortal packets that loop
0908 forever on the network.
0909
0910 config NETFILTER_XT_TARGET_HMARK
0911 tristate '"HMARK" target support'
0912 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
0913 depends on NETFILTER_ADVANCED
0914 help
0915 This option adds the "HMARK" target.
0916
0917 The target allows you to create rules in the "raw" and "mangle" tables
0918 which set the skbuff mark by means of hash calculation within a given
0919 range. The nfmark can influence the routing method and can also be used
0920 by other subsystems to change their behaviour.
0921
0922 To compile it as a module, choose M here. If unsure, say N.
0923
0924 config NETFILTER_XT_TARGET_IDLETIMER
0925 tristate "IDLETIMER target support"
0926 depends on NETFILTER_ADVANCED
0927 help
0928
0929 This option adds the `IDLETIMER' target. Each matching packet
0930 resets the timer associated with label specified when the rule is
0931 added. When the timer expires, it triggers a sysfs notification.
0932 The remaining time for expiration can be read via sysfs.
0933
0934 To compile it as a module, choose M here. If unsure, say N.
0935
0936 config NETFILTER_XT_TARGET_LED
0937 tristate '"LED" target support'
0938 depends on LEDS_CLASS && LEDS_TRIGGERS
0939 depends on NETFILTER_ADVANCED
0940 help
0941 This option adds a `LED' target, which allows you to blink LEDs in
0942 response to particular packets passing through your machine.
0943
0944 This can be used to turn a spare LED into a network activity LED,
0945 which only flashes in response to FTP transfers, for example. Or
0946 you could have an LED which lights up for a minute or two every time
0947 somebody connects to your machine via SSH.
0948
0949 You will need support for the "led" class to make this work.
0950
0951 To create an LED trigger for incoming SSH traffic:
0952 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
0953
0954 Then attach the new trigger to an LED on your system:
0955 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
0956
0957 For more information on the LEDs available on your system, see
0958 Documentation/leds/leds-class.rst
0959
0960 config NETFILTER_XT_TARGET_LOG
0961 tristate "LOG target support"
0962 select NF_LOG_SYSLOG
0963 select NF_LOG_IPV6 if IP6_NF_IPTABLES
0964 default m if NETFILTER_ADVANCED=n
0965 help
0966 This option adds a `LOG' target, which allows you to create rules in
0967 any iptables table which records the packet header to the syslog.
0968
0969 To compile it as a module, choose M here. If unsure, say N.
0970
0971 config NETFILTER_XT_TARGET_MARK
0972 tristate '"MARK" target support'
0973 depends on NETFILTER_ADVANCED
0974 select NETFILTER_XT_MARK
0975 help
0976 This is a backwards-compat option for the user's convenience
0977 (e.g. when running oldconfig). It selects
0978 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
0979
0980 config NETFILTER_XT_NAT
0981 tristate '"SNAT and DNAT" targets support'
0982 depends on NF_NAT
0983 help
0984 This option enables the SNAT and DNAT targets.
0985
0986 To compile it as a module, choose M here. If unsure, say N.
0987
0988 config NETFILTER_XT_TARGET_NETMAP
0989 tristate '"NETMAP" target support'
0990 depends on NF_NAT
0991 help
0992 NETMAP is an implementation of static 1:1 NAT mapping of network
0993 addresses. It maps the network address part, while keeping the host
0994 address part intact.
0995
0996 To compile it as a module, choose M here. If unsure, say N.
0997
0998 config NETFILTER_XT_TARGET_NFLOG
0999 tristate '"NFLOG" target support'
1000 default m if NETFILTER_ADVANCED=n
1001 select NETFILTER_NETLINK_LOG
1002 help
1003 This option enables the NFLOG target, which allows to LOG
1004 messages through nfnetlink_log.
1005
1006 To compile it as a module, choose M here. If unsure, say N.
1007
1008 config NETFILTER_XT_TARGET_NFQUEUE
1009 tristate '"NFQUEUE" target Support'
1010 depends on NETFILTER_ADVANCED
1011 select NETFILTER_NETLINK_QUEUE
1012 help
1013 This target replaced the old obsolete QUEUE target.
1014
1015 As opposed to QUEUE, it supports 65535 different queues,
1016 not just one.
1017
1018 To compile it as a module, choose M here. If unsure, say N.
1019
1020 config NETFILTER_XT_TARGET_NOTRACK
1021 tristate '"NOTRACK" target support (DEPRECATED)'
1022 depends on NF_CONNTRACK
1023 depends on IP_NF_RAW || IP6_NF_RAW
1024 depends on NETFILTER_ADVANCED
1025 select NETFILTER_XT_TARGET_CT
1026
1027 config NETFILTER_XT_TARGET_RATEEST
1028 tristate '"RATEEST" target support'
1029 depends on NETFILTER_ADVANCED
1030 help
1031 This option adds a `RATEEST' target, which allows to measure
1032 rates similar to TC estimators. The `rateest' match can be
1033 used to match on the measured rates.
1034
1035 To compile it as a module, choose M here. If unsure, say N.
1036
1037 config NETFILTER_XT_TARGET_REDIRECT
1038 tristate "REDIRECT target support"
1039 depends on NF_NAT
1040 select NF_NAT_REDIRECT
1041 help
1042 REDIRECT is a special case of NAT: all incoming connections are
1043 mapped onto the incoming interface's address, causing the packets to
1044 come to the local machine instead of passing through. This is
1045 useful for transparent proxies.
1046
1047 To compile it as a module, choose M here. If unsure, say N.
1048
1049 config NETFILTER_XT_TARGET_MASQUERADE
1050 tristate "MASQUERADE target support"
1051 depends on NF_NAT
1052 default m if NETFILTER_ADVANCED=n
1053 select NF_NAT_MASQUERADE
1054 help
1055 Masquerading is a special case of NAT: all outgoing connections are
1056 changed to seem to come from a particular interface's address, and
1057 if the interface goes down, those connections are lost. This is
1058 only useful for dialup accounts with dynamic IP address (ie. your IP
1059 address will be different on next dialup).
1060
1061 To compile it as a module, choose M here. If unsure, say N.
1062
1063 config NETFILTER_XT_TARGET_TEE
1064 tristate '"TEE" - packet cloning to alternate destination'
1065 depends on NETFILTER_ADVANCED
1066 depends on IPV6 || IPV6=n
1067 depends on !NF_CONNTRACK || NF_CONNTRACK
1068 depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1069 select NF_DUP_IPV4
1070 select NF_DUP_IPV6 if IP6_NF_IPTABLES
1071 help
1072 This option adds a "TEE" target with which a packet can be cloned and
1073 this clone be rerouted to another nexthop.
1074
1075 config NETFILTER_XT_TARGET_TPROXY
1076 tristate '"TPROXY" target transparent proxying support'
1077 depends on NETFILTER_XTABLES
1078 depends on NETFILTER_ADVANCED
1079 depends on IPV6 || IPV6=n
1080 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1081 depends on IP_NF_MANGLE
1082 select NF_DEFRAG_IPV4
1083 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1084 select NF_TPROXY_IPV4
1085 select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1086 help
1087 This option adds a `TPROXY' target, which is somewhat similar to
1088 REDIRECT. It can only be used in the mangle table and is useful
1089 to redirect traffic to a transparent proxy. It does _not_ depend
1090 on Netfilter connection tracking and NAT, unlike REDIRECT.
1091 For it to work you will have to configure certain iptables rules
1092 and use policy routing. For more information on how to set it up
1093 see Documentation/networking/tproxy.rst.
1094
1095 To compile it as a module, choose M here. If unsure, say N.
1096
1097 config NETFILTER_XT_TARGET_TRACE
1098 tristate '"TRACE" target support'
1099 depends on IP_NF_RAW || IP6_NF_RAW
1100 depends on NETFILTER_ADVANCED
1101 help
1102 The TRACE target allows you to mark packets so that the kernel
1103 will log every rule which match the packets as those traverse
1104 the tables, chains, rules.
1105
1106 If you want to compile it as a module, say M here and read
1107 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1108
1109 config NETFILTER_XT_TARGET_SECMARK
1110 tristate '"SECMARK" target support'
1111 depends on NETWORK_SECMARK
1112 default m if NETFILTER_ADVANCED=n
1113 help
1114 The SECMARK target allows security marking of network
1115 packets, for use with security subsystems.
1116
1117 To compile it as a module, choose M here. If unsure, say N.
1118
1119 config NETFILTER_XT_TARGET_TCPMSS
1120 tristate '"TCPMSS" target support'
1121 depends on IPV6 || IPV6=n
1122 default m if NETFILTER_ADVANCED=n
1123 help
1124 This option adds a `TCPMSS' target, which allows you to alter the
1125 MSS value of TCP SYN packets, to control the maximum size for that
1126 connection (usually limiting it to your outgoing interface's MTU
1127 minus 40).
1128
1129 This is used to overcome criminally braindead ISPs or servers which
1130 block ICMP Fragmentation Needed packets. The symptoms of this
1131 problem are that everything works fine from your Linux
1132 firewall/router, but machines behind it can never exchange large
1133 packets:
1134 1) Web browsers connect, then hang with no data received.
1135 2) Small mail works fine, but large emails hang.
1136 3) ssh works fine, but scp hangs after initial handshaking.
1137
1138 Workaround: activate this option and add a rule to your firewall
1139 configuration like:
1140
1141 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1142 -j TCPMSS --clamp-mss-to-pmtu
1143
1144 To compile it as a module, choose M here. If unsure, say N.
1145
1146 config NETFILTER_XT_TARGET_TCPOPTSTRIP
1147 tristate '"TCPOPTSTRIP" target support'
1148 depends on IP_NF_MANGLE || IP6_NF_MANGLE
1149 depends on NETFILTER_ADVANCED
1150 help
1151 This option adds a "TCPOPTSTRIP" target, which allows you to strip
1152 TCP options from TCP packets.
1153
1154 # alphabetically ordered list of matches
1155
1156 comment "Xtables matches"
1157
1158 config NETFILTER_XT_MATCH_ADDRTYPE
1159 tristate '"addrtype" address type match support'
1160 default m if NETFILTER_ADVANCED=n
1161 help
1162 This option allows you to match what routing thinks of an address,
1163 eg. UNICAST, LOCAL, BROADCAST, ...
1164
1165 If you want to compile it as a module, say M here and read
1166 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1167
1168 config NETFILTER_XT_MATCH_BPF
1169 tristate '"bpf" match support'
1170 depends on NETFILTER_ADVANCED
1171 help
1172 BPF matching applies a linux socket filter to each packet and
1173 accepts those for which the filter returns non-zero.
1174
1175 To compile it as a module, choose M here. If unsure, say N.
1176
1177 config NETFILTER_XT_MATCH_CGROUP
1178 tristate '"control group" match support'
1179 depends on NETFILTER_ADVANCED
1180 depends on CGROUPS
1181 select CGROUP_NET_CLASSID
1182 help
1183 Socket/process control group matching allows you to match locally
1184 generated packets based on which net_cls control group processes
1185 belong to.
1186
1187 config NETFILTER_XT_MATCH_CLUSTER
1188 tristate '"cluster" match support'
1189 depends on NF_CONNTRACK
1190 depends on NETFILTER_ADVANCED
1191 help
1192 This option allows you to build work-load-sharing clusters of
1193 network servers/stateful firewalls without having a dedicated
1194 load-balancing router/server/switch. Basically, this match returns
1195 true when the packet must be handled by this cluster node. Thus,
1196 all nodes see all packets and this match decides which node handles
1197 what packets. The work-load sharing algorithm is based on source
1198 address hashing.
1199
1200 If you say Y or M here, try `iptables -m cluster --help` for
1201 more information.
1202
1203 config NETFILTER_XT_MATCH_COMMENT
1204 tristate '"comment" match support'
1205 depends on NETFILTER_ADVANCED
1206 help
1207 This option adds a `comment' dummy-match, which allows you to put
1208 comments in your iptables ruleset.
1209
1210 If you want to compile it as a module, say M here and read
1211 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1212
1213 config NETFILTER_XT_MATCH_CONNBYTES
1214 tristate '"connbytes" per-connection counter match support'
1215 depends on NF_CONNTRACK
1216 depends on NETFILTER_ADVANCED
1217 help
1218 This option adds a `connbytes' match, which allows you to match the
1219 number of bytes and/or packets for each direction within a connection.
1220
1221 If you want to compile it as a module, say M here and read
1222 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1223
1224 config NETFILTER_XT_MATCH_CONNLABEL
1225 tristate '"connlabel" match support'
1226 select NF_CONNTRACK_LABELS
1227 depends on NF_CONNTRACK
1228 depends on NETFILTER_ADVANCED
1229 help
1230 This match allows you to test and assign userspace-defined labels names
1231 to a connection. The kernel only stores bit values - mapping
1232 names to bits is done by userspace.
1233
1234 Unlike connmark, more than 32 flag bits may be assigned to a
1235 connection simultaneously.
1236
1237 config NETFILTER_XT_MATCH_CONNLIMIT
1238 tristate '"connlimit" match support'
1239 depends on NF_CONNTRACK
1240 depends on NETFILTER_ADVANCED
1241 select NETFILTER_CONNCOUNT
1242 help
1243 This match allows you to match against the number of parallel
1244 connections to a server per client IP address (or address block).
1245
1246 config NETFILTER_XT_MATCH_CONNMARK
1247 tristate '"connmark" connection mark match support'
1248 depends on NF_CONNTRACK
1249 depends on NETFILTER_ADVANCED
1250 select NETFILTER_XT_CONNMARK
1251 help
1252 This is a backwards-compat option for the user's convenience
1253 (e.g. when running oldconfig). It selects
1254 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1255
1256 config NETFILTER_XT_MATCH_CONNTRACK
1257 tristate '"conntrack" connection tracking match support'
1258 depends on NF_CONNTRACK
1259 default m if NETFILTER_ADVANCED=n
1260 help
1261 This is a general conntrack match module, a superset of the state match.
1262
1263 It allows matching on additional conntrack information, which is
1264 useful in complex configurations, such as NAT gateways with multiple
1265 internet links or tunnels.
1266
1267 To compile it as a module, choose M here. If unsure, say N.
1268
1269 config NETFILTER_XT_MATCH_CPU
1270 tristate '"cpu" match support'
1271 depends on NETFILTER_ADVANCED
1272 help
1273 CPU matching allows you to match packets based on the CPU
1274 currently handling the packet.
1275
1276 To compile it as a module, choose M here. If unsure, say N.
1277
1278 config NETFILTER_XT_MATCH_DCCP
1279 tristate '"dccp" protocol match support'
1280 depends on NETFILTER_ADVANCED
1281 default IP_DCCP
1282 help
1283 With this option enabled, you will be able to use the iptables
1284 `dccp' match in order to match on DCCP source/destination ports
1285 and DCCP flags.
1286
1287 If you want to compile it as a module, say M here and read
1288 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1289
1290 config NETFILTER_XT_MATCH_DEVGROUP
1291 tristate '"devgroup" match support'
1292 depends on NETFILTER_ADVANCED
1293 help
1294 This options adds a `devgroup' match, which allows to match on the
1295 device group a network device is assigned to.
1296
1297 To compile it as a module, choose M here. If unsure, say N.
1298
1299 config NETFILTER_XT_MATCH_DSCP
1300 tristate '"dscp" and "tos" match support'
1301 depends on NETFILTER_ADVANCED
1302 help
1303 This option adds a `DSCP' match, which allows you to match against
1304 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1305
1306 The DSCP field can have any value between 0x0 and 0x3f inclusive.
1307
1308 It will also add a "tos" match, which allows you to match packets
1309 based on the Type Of Service fields of the IPv4 packet (which share
1310 the same bits as DSCP).
1311
1312 To compile it as a module, choose M here. If unsure, say N.
1313
1314 config NETFILTER_XT_MATCH_ECN
1315 tristate '"ecn" match support'
1316 depends on NETFILTER_ADVANCED
1317 help
1318 This option adds an "ECN" match, which allows you to match against
1319 the IPv4 and TCP header ECN fields.
1320
1321 To compile it as a module, choose M here. If unsure, say N.
1322
1323 config NETFILTER_XT_MATCH_ESP
1324 tristate '"esp" match support'
1325 depends on NETFILTER_ADVANCED
1326 help
1327 This match extension allows you to match a range of SPIs
1328 inside ESP header of IPSec packets.
1329
1330 To compile it as a module, choose M here. If unsure, say N.
1331
1332 config NETFILTER_XT_MATCH_HASHLIMIT
1333 tristate '"hashlimit" match support'
1334 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1335 depends on NETFILTER_ADVANCED
1336 help
1337 This option adds a `hashlimit' match.
1338
1339 As opposed to `limit', this match dynamically creates a hash table
1340 of limit buckets, based on your selection of source/destination
1341 addresses and/or ports.
1342
1343 It enables you to express policies like `10kpps for any given
1344 destination address' or `500pps from any given source address'
1345 with a single rule.
1346
1347 config NETFILTER_XT_MATCH_HELPER
1348 tristate '"helper" match support'
1349 depends on NF_CONNTRACK
1350 depends on NETFILTER_ADVANCED
1351 help
1352 Helper matching allows you to match packets in dynamic connections
1353 tracked by a conntrack-helper, ie. nf_conntrack_ftp
1354
1355 To compile it as a module, choose M here. If unsure, say Y.
1356
1357 config NETFILTER_XT_MATCH_HL
1358 tristate '"hl" hoplimit/TTL match support'
1359 depends on NETFILTER_ADVANCED
1360 help
1361 HL matching allows you to match packets based on the hoplimit
1362 in the IPv6 header, or the time-to-live field in the IPv4
1363 header of the packet.
1364
1365 config NETFILTER_XT_MATCH_IPCOMP
1366 tristate '"ipcomp" match support'
1367 depends on NETFILTER_ADVANCED
1368 help
1369 This match extension allows you to match a range of CPIs(16 bits)
1370 inside IPComp header of IPSec packets.
1371
1372 To compile it as a module, choose M here. If unsure, say N.
1373
1374 config NETFILTER_XT_MATCH_IPRANGE
1375 tristate '"iprange" address range match support'
1376 depends on NETFILTER_ADVANCED
1377 help
1378 This option adds a "iprange" match, which allows you to match based on
1379 an IP address range. (Normal iptables only matches on single addresses
1380 with an optional mask.)
1381
1382 If unsure, say M.
1383
1384 config NETFILTER_XT_MATCH_IPVS
1385 tristate '"ipvs" match support'
1386 depends on IP_VS
1387 depends on NETFILTER_ADVANCED
1388 depends on NF_CONNTRACK
1389 help
1390 This option allows you to match against IPVS properties of a packet.
1391
1392 If unsure, say N.
1393
1394 config NETFILTER_XT_MATCH_L2TP
1395 tristate '"l2tp" match support'
1396 depends on NETFILTER_ADVANCED
1397 default L2TP
1398 help
1399 This option adds an "L2TP" match, which allows you to match against
1400 L2TP protocol header fields.
1401
1402 To compile it as a module, choose M here. If unsure, say N.
1403
1404 config NETFILTER_XT_MATCH_LENGTH
1405 tristate '"length" match support'
1406 depends on NETFILTER_ADVANCED
1407 help
1408 This option allows you to match the length of a packet against a
1409 specific value or range of values.
1410
1411 To compile it as a module, choose M here. If unsure, say N.
1412
1413 config NETFILTER_XT_MATCH_LIMIT
1414 tristate '"limit" match support'
1415 depends on NETFILTER_ADVANCED
1416 help
1417 limit matching allows you to control the rate at which a rule can be
1418 matched: mainly useful in combination with the LOG target ("LOG
1419 target support", below) and to avoid some Denial of Service attacks.
1420
1421 To compile it as a module, choose M here. If unsure, say N.
1422
1423 config NETFILTER_XT_MATCH_MAC
1424 tristate '"mac" address match support'
1425 depends on NETFILTER_ADVANCED
1426 help
1427 MAC matching allows you to match packets based on the source
1428 Ethernet address of the packet.
1429
1430 To compile it as a module, choose M here. If unsure, say N.
1431
1432 config NETFILTER_XT_MATCH_MARK
1433 tristate '"mark" match support'
1434 depends on NETFILTER_ADVANCED
1435 select NETFILTER_XT_MARK
1436 help
1437 This is a backwards-compat option for the user's convenience
1438 (e.g. when running oldconfig). It selects
1439 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1440
1441 config NETFILTER_XT_MATCH_MULTIPORT
1442 tristate '"multiport" Multiple port match support'
1443 depends on NETFILTER_ADVANCED
1444 help
1445 Multiport matching allows you to match TCP or UDP packets based on
1446 a series of source or destination ports: normally a rule can only
1447 match a single range of ports.
1448
1449 To compile it as a module, choose M here. If unsure, say N.
1450
1451 config NETFILTER_XT_MATCH_NFACCT
1452 tristate '"nfacct" match support'
1453 depends on NETFILTER_ADVANCED
1454 select NETFILTER_NETLINK_ACCT
1455 help
1456 This option allows you to use the extended accounting through
1457 nfnetlink_acct.
1458
1459 To compile it as a module, choose M here. If unsure, say N.
1460
1461 config NETFILTER_XT_MATCH_OSF
1462 tristate '"osf" Passive OS fingerprint match'
1463 depends on NETFILTER_ADVANCED
1464 select NETFILTER_NETLINK_OSF
1465 help
1466 This option selects the Passive OS Fingerprinting match module
1467 that allows to passively match the remote operating system by
1468 analyzing incoming TCP SYN packets.
1469
1470 Rules and loading software can be downloaded from
1471 http://www.ioremap.net/projects/osf
1472
1473 To compile it as a module, choose M here. If unsure, say N.
1474
1475 config NETFILTER_XT_MATCH_OWNER
1476 tristate '"owner" match support'
1477 depends on NETFILTER_ADVANCED
1478 help
1479 Socket owner matching allows you to match locally-generated packets
1480 based on who created the socket: the user or group. It is also
1481 possible to check whether a socket actually exists.
1482
1483 config NETFILTER_XT_MATCH_POLICY
1484 tristate 'IPsec "policy" match support'
1485 depends on XFRM
1486 default m if NETFILTER_ADVANCED=n
1487 help
1488 Policy matching allows you to match packets based on the
1489 IPsec policy that was used during decapsulation/will
1490 be used during encapsulation.
1491
1492 To compile it as a module, choose M here. If unsure, say N.
1493
1494 config NETFILTER_XT_MATCH_PHYSDEV
1495 tristate '"physdev" match support'
1496 depends on BRIDGE && BRIDGE_NETFILTER
1497 depends on NETFILTER_ADVANCED
1498 help
1499 Physdev packet matching matches against the physical bridge ports
1500 the IP packet arrived on or will leave by.
1501
1502 To compile it as a module, choose M here. If unsure, say N.
1503
1504 config NETFILTER_XT_MATCH_PKTTYPE
1505 tristate '"pkttype" packet type match support'
1506 depends on NETFILTER_ADVANCED
1507 help
1508 Packet type matching allows you to match a packet by
1509 its "class", eg. BROADCAST, MULTICAST, ...
1510
1511 Typical usage:
1512 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1513
1514 To compile it as a module, choose M here. If unsure, say N.
1515
1516 config NETFILTER_XT_MATCH_QUOTA
1517 tristate '"quota" match support'
1518 depends on NETFILTER_ADVANCED
1519 help
1520 This option adds a `quota' match, which allows to match on a
1521 byte counter.
1522
1523 If you want to compile it as a module, say M here and read
1524 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1525
1526 config NETFILTER_XT_MATCH_RATEEST
1527 tristate '"rateest" match support'
1528 depends on NETFILTER_ADVANCED
1529 select NETFILTER_XT_TARGET_RATEEST
1530 help
1531 This option adds a `rateest' match, which allows to match on the
1532 rate estimated by the RATEEST target.
1533
1534 To compile it as a module, choose M here. If unsure, say N.
1535
1536 config NETFILTER_XT_MATCH_REALM
1537 tristate '"realm" match support'
1538 depends on NETFILTER_ADVANCED
1539 select IP_ROUTE_CLASSID
1540 help
1541 This option adds a `realm' match, which allows you to use the realm
1542 key from the routing subsystem inside iptables.
1543
1544 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1545 in tc world.
1546
1547 If you want to compile it as a module, say M here and read
1548 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1549
1550 config NETFILTER_XT_MATCH_RECENT
1551 tristate '"recent" match support'
1552 depends on NETFILTER_ADVANCED
1553 help
1554 This match is used for creating one or many lists of recently
1555 used addresses and then matching against that/those list(s).
1556
1557 Short options are available by using 'iptables -m recent -h'
1558 Official Website: <http://snowman.net/projects/ipt_recent/>
1559
1560 config NETFILTER_XT_MATCH_SCTP
1561 tristate '"sctp" protocol match support'
1562 depends on NETFILTER_ADVANCED
1563 default IP_SCTP
1564 help
1565 With this option enabled, you will be able to use the
1566 `sctp' match in order to match on SCTP source/destination ports
1567 and SCTP chunk types.
1568
1569 If you want to compile it as a module, say M here and read
1570 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1571
1572 config NETFILTER_XT_MATCH_SOCKET
1573 tristate '"socket" match support'
1574 depends on NETFILTER_XTABLES
1575 depends on NETFILTER_ADVANCED
1576 depends on IPV6 || IPV6=n
1577 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1578 select NF_SOCKET_IPV4
1579 select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1580 select NF_DEFRAG_IPV4
1581 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1582 help
1583 This option adds a `socket' match, which can be used to match
1584 packets for which a TCP or UDP socket lookup finds a valid socket.
1585 It can be used in combination with the MARK target and policy
1586 routing to implement full featured non-locally bound sockets.
1587
1588 To compile it as a module, choose M here. If unsure, say N.
1589
1590 config NETFILTER_XT_MATCH_STATE
1591 tristate '"state" match support'
1592 depends on NF_CONNTRACK
1593 default m if NETFILTER_ADVANCED=n
1594 help
1595 Connection state matching allows you to match packets based on their
1596 relationship to a tracked connection (ie. previous packets). This
1597 is a powerful tool for packet classification.
1598
1599 To compile it as a module, choose M here. If unsure, say N.
1600
1601 config NETFILTER_XT_MATCH_STATISTIC
1602 tristate '"statistic" match support'
1603 depends on NETFILTER_ADVANCED
1604 help
1605 This option adds a `statistic' match, which allows you to match
1606 on packets periodically or randomly with a given percentage.
1607
1608 To compile it as a module, choose M here. If unsure, say N.
1609
1610 config NETFILTER_XT_MATCH_STRING
1611 tristate '"string" match support'
1612 depends on NETFILTER_ADVANCED
1613 select TEXTSEARCH
1614 select TEXTSEARCH_KMP
1615 select TEXTSEARCH_BM
1616 select TEXTSEARCH_FSM
1617 help
1618 This option adds a `string' match, which allows you to look for
1619 pattern matchings in packets.
1620
1621 To compile it as a module, choose M here. If unsure, say N.
1622
1623 config NETFILTER_XT_MATCH_TCPMSS
1624 tristate '"tcpmss" match support'
1625 depends on NETFILTER_ADVANCED
1626 help
1627 This option adds a `tcpmss' match, which allows you to examine the
1628 MSS value of TCP SYN packets, which control the maximum packet size
1629 for that connection.
1630
1631 To compile it as a module, choose M here. If unsure, say N.
1632
1633 config NETFILTER_XT_MATCH_TIME
1634 tristate '"time" match support'
1635 depends on NETFILTER_ADVANCED
1636 help
1637 This option adds a "time" match, which allows you to match based on
1638 the packet arrival time (at the machine which netfilter is running)
1639 on) or departure time/date (for locally generated packets).
1640
1641 If you say Y here, try `iptables -m time --help` for
1642 more information.
1643
1644 If you want to compile it as a module, say M here.
1645 If unsure, say N.
1646
1647 config NETFILTER_XT_MATCH_U32
1648 tristate '"u32" match support'
1649 depends on NETFILTER_ADVANCED
1650 help
1651 u32 allows you to extract quantities of up to 4 bytes from a packet,
1652 AND them with specified masks, shift them by specified amounts and
1653 test whether the results are in any of a set of specified ranges.
1654 The specification of what to extract is general enough to skip over
1655 headers with lengths stored in the packet, as in IP or TCP header
1656 lengths.
1657
1658 Details and examples are in the kernel module source.
1659
1660 endif # NETFILTER_XTABLES
1661
1662 endmenu
1663
1664 source "net/netfilter/ipset/Kconfig"
1665
1666 source "net/netfilter/ipvs/Kconfig"
