1# SPDX-License-Identifier: GPL-2.0-only
2menu "Core Netfilter Configuration"
3	depends on NET && INET && NETFILTER
4
5config NETFILTER_INGRESS
6	bool "Netfilter ingress support"
7	default y
8	select NET_INGRESS
9	help
10	  This allows you to classify packets from ingress using the Netfilter
11	  infrastructure.
12
13config NETFILTER_NETLINK
14	tristate
15
16config NETFILTER_FAMILY_BRIDGE
17	bool
18
19config NETFILTER_FAMILY_ARP
20	bool
21
22config NETFILTER_NETLINK_ACCT
23	tristate "Netfilter NFACCT over NFNETLINK interface"
24	depends on NETFILTER_ADVANCED
25	select NETFILTER_NETLINK
26	help
27	  If this option is enabled, the kernel will include support
28	  for extended accounting via NFNETLINK.
29
30config NETFILTER_NETLINK_QUEUE
31	tristate "Netfilter NFQUEUE over NFNETLINK interface"
32	depends on NETFILTER_ADVANCED
33	select NETFILTER_NETLINK
34	help
35	  If this option is enabled, the kernel will include support
36	  for queueing packets via NFNETLINK.
37
38config NETFILTER_NETLINK_LOG
39	tristate "Netfilter LOG over NFNETLINK interface"
40	default m if NETFILTER_ADVANCED=n
41	select NETFILTER_NETLINK
42	help
43	  If this option is enabled, the kernel will include support
44	  for logging packets via NFNETLINK.
45
46	  This obsoletes the old ipt_ULOG and ebt_ulog mechanisms,
47	  and is also scheduled to replace the old syslog-based ipt_LOG
48	  and ip6t_LOG modules.
49
50config NETFILTER_NETLINK_OSF
51	tristate "Netfilter OSF over NFNETLINK interface"
52	depends on NETFILTER_ADVANCED
53	select NETFILTER_NETLINK
54	help
55	  If this option is enabled, the kernel will include support
56	  for passive OS fingerprinting via NFNETLINK.
57
58config NF_CONNTRACK
59	tristate "Netfilter connection tracking support"
60	default m if NETFILTER_ADVANCED=n
61	select NF_DEFRAG_IPV4
62	select NF_DEFRAG_IPV6 if IPV6 != n
63	help
64	  Connection tracking keeps a record of what packets have passed
65	  through your machine, in order to figure out how they are related
66	  to each other as connections.
67
68	  This is required to do Masquerading or other kinds of Network
69	  Address Translation.  It can also be used to enhance packet
70	  filtering (see `Connection state match support' below).
71
72	  To compile it as a module, choose M here.  If unsure, say N.
73
74config NF_LOG_COMMON
75	tristate
76
77config NF_LOG_NETDEV
78	tristate "Netdev packet logging"
79	select NF_LOG_COMMON
80
81if NF_CONNTRACK
82config NETFILTER_CONNCOUNT
83	tristate
84
85config NF_CONNTRACK_MARK
86	bool  'Connection mark tracking support'
87	depends on NETFILTER_ADVANCED
88	help
89	  This option enables support for connection marks, used by the
90	  `CONNMARK' target and `connmark' match. Similar to the mark value
91	  of packets, but this mark value is kept in the conntrack session
92	  instead of the individual packets.
93
94config NF_CONNTRACK_SECMARK
95	bool  'Connection tracking security mark support'
96	depends on NETWORK_SECMARK
97	default y if NETFILTER_ADVANCED=n
98	help
99	  This option enables security markings to be applied to
100	  connections.  Typically they are copied to connections from
101	  packets using the CONNSECMARK target and copied back from
102	  connections to packets with the same target, with the packets
103	  being originally labeled via SECMARK.
104
105	  If unsure, say 'N'.
106
107config NF_CONNTRACK_ZONES
108	bool  'Connection tracking zones'
109	depends on NETFILTER_ADVANCED
110	help
111	  This option enables support for connection tracking zones.
112	  Normally, each connection needs to have a unique system wide
113	  identity. Connection tracking zones allow to have multiple
114	  connections using the same identity, as long as they are
115	  contained in different zones.
116
117	  If unsure, say `N'.
118
119config NF_CONNTRACK_PROCFS
120	bool "Supply CT list in procfs (OBSOLETE)"
121	depends on PROC_FS
122	help
123	  This option enables the list of known conntrack entries
124	  to be shown in procfs under net/netfilter/nf_conntrack. This
125	  is considered obsolete in favor of using the conntrack(8)
126	  tool, which uses Netlink.
127
128config NF_CONNTRACK_EVENTS
129	bool "Connection tracking events"
130	depends on NETFILTER_ADVANCED
131	help
132	  If this option is enabled, the connection tracking code will
133	  provide a notifier chain that can be used by other kernel code
134	  to get notified about changes in the connection tracking state.
135
136	  If unsure, say `N'.
137
138config NF_CONNTRACK_TIMEOUT
139	bool  'Connection tracking timeout'
140	depends on NETFILTER_ADVANCED
141	help
142	  This option enables support for connection tracking timeout
143	  extension. This allows you to attach timeout policies to flow
144	  via the CT target.
145
146	  If unsure, say `N'.
147
148config NF_CONNTRACK_TIMESTAMP
149	bool  'Connection tracking timestamping'
150	depends on NETFILTER_ADVANCED
151	help
152	  This option enables support for connection tracking timestamping.
153	  This allows you to store the flow start-time and to obtain
154	  the flow-stop time (once it has been destroyed) via Connection
155	  tracking events.
156
157	  If unsure, say `N'.
158
159config NF_CONNTRACK_LABELS
160	bool "Connection tracking labels"
161	help
162	  This option enables support for assigning user-defined flag bits
163	  to connection tracking entries.  It can be used with xtables connlabel
164	  match and the nftables ct expression.
165
166config NF_CT_PROTO_DCCP
167	bool 'DCCP protocol connection tracking support'
168	depends on NETFILTER_ADVANCED
169	default y
170	help
171	  With this option enabled, the layer 3 independent connection
172	  tracking code will be able to do state tracking on DCCP connections.
173
174	  If unsure, say Y.
175
176config NF_CT_PROTO_GRE
177	bool
178
179config NF_CT_PROTO_SCTP
180	bool 'SCTP protocol connection tracking support'
181	depends on NETFILTER_ADVANCED
182	default y
183	select LIBCRC32C
184	help
185	  With this option enabled, the layer 3 independent connection
186	  tracking code will be able to do state tracking on SCTP connections.
187
188	  If unsure, say Y.
189
190config NF_CT_PROTO_UDPLITE
191	bool 'UDP-Lite protocol connection tracking support'
192	depends on NETFILTER_ADVANCED
193	default y
194	help
195	  With this option enabled, the layer 3 independent connection
196	  tracking code will be able to do state tracking on UDP-Lite
197	  connections.
198
199	  If unsure, say Y.
200
201config NF_CONNTRACK_AMANDA
202	tristate "Amanda backup protocol support"
203	depends on NETFILTER_ADVANCED
204	select TEXTSEARCH
205	select TEXTSEARCH_KMP
206	help
207	  If you are running the Amanda backup package <http://www.amanda.org/>
208	  on this machine or machines that will be MASQUERADED through this
209	  machine, then you may want to enable this feature.  This allows the
210	  connection tracking and natting code to allow the sub-channels that
211	  Amanda requires for communication of the backup data, messages and
212	  index.
213
214	  To compile it as a module, choose M here.  If unsure, say N.
215
216config NF_CONNTRACK_FTP
217	tristate "FTP protocol support"
218	default m if NETFILTER_ADVANCED=n
219	help
220	  Tracking FTP connections is problematic: special helpers are
221	  required for tracking them, and doing masquerading and other forms
222	  of Network Address Translation on them.
223
224	  This is FTP support on Layer 3 independent connection tracking.
225
	  Note that a helper parses the application-layer payload of the
	  traffic it is assigned to and opens expectations (pinholes) for the
	  related data connections.  Assign it only to the flows that need it
	  (e.g. via the helper option of the `CT' target) rather than to all
	  traffic.

226	  To compile it as a module, choose M here.  If unsure, say N.
227
228config NF_CONNTRACK_H323
229	tristate "H.323 protocol support"
230	depends on IPV6 || IPV6=n
231	depends on NETFILTER_ADVANCED
232	help
233	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
234	  important VoIP protocols, it is widely used by voice hardware and
235	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
236	  Gnomemeeting, etc.
237
238	  With this module you can support H.323 on a connection tracking/NAT
239	  firewall.
240
241	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
242	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
243	  whiteboard, file transfer, etc. For more information, please
244	  visit http://nath323.sourceforge.net/.
245
246	  To compile it as a module, choose M here.  If unsure, say N.
247
248config NF_CONNTRACK_IRC
249	tristate "IRC protocol support"
250	default m if NETFILTER_ADVANCED=n
251	help
252	  There is a commonly-used extension to IRC called
253	  Direct Client-to-Client Protocol (DCC).  This enables users to send
254	  files to each other, and also chat to each other without the need
255	  of a server.  DCC Sending is used anywhere you send files over IRC,
256	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
257	  using NAT, this extension will enable you to send files and initiate
258	  chats.  Note that you do NOT need this extension to get files or
259	  have others initiate chats, or everything else in IRC.
260
261	  To compile it as a module, choose M here.  If unsure, say N.
262
263config NF_CONNTRACK_BROADCAST
264	tristate
265
266config NF_CONNTRACK_NETBIOS_NS
267	tristate "NetBIOS name service protocol support"
268	select NF_CONNTRACK_BROADCAST
269	help
270	  NetBIOS name service requests are sent as broadcast messages from an
271	  unprivileged port and responded to with unicast messages to the
272	  same port. This makes them hard to firewall properly because connection
273	  tracking doesn't deal with broadcasts. This helper tracks locally
274	  originating NetBIOS name service requests and the corresponding
275	  responses. It relies on correct IP address configuration, specifically
276	  netmask and broadcast address. When properly configured, the output
277	  of "ip address show" should look similar to this:
278
279	  $ ip -4 address show eth0
280	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
281	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
282
283	  To compile it as a module, choose M here.  If unsure, say N.
284
285config NF_CONNTRACK_SNMP
286	tristate "SNMP service protocol support"
287	depends on NETFILTER_ADVANCED
288	select NF_CONNTRACK_BROADCAST
289	help
290	  SNMP service requests are sent as broadcast messages from an
291	  unprivileged port and responded to with unicast messages to the
292	  same port. This makes them hard to firewall properly because connection
293	  tracking doesn't deal with broadcasts. This helper tracks locally
294	  originating SNMP service requests and the corresponding
295	  responses. It relies on correct IP address configuration, specifically
296	  netmask and broadcast address.
297
298	  To compile it as a module, choose M here.  If unsure, say N.
299
300config NF_CONNTRACK_PPTP
301	tristate "PPtP protocol support"
302	depends on NETFILTER_ADVANCED
303	select NF_CT_PROTO_GRE
304	help
305	  This module adds support for PPTP (Point to Point Tunnelling
306	  Protocol, RFC2637) connection tracking and NAT.
307
308	  If you are running PPTP sessions over a stateful firewall or NAT
309	  box, you may want to enable this feature.
310
311	  Please note that not all PPTP modes of operation are supported yet.
312	  Specifically these limitations exist:
313	    - Blindly assumes that control connections are always established
314	      in PNS->PAC direction. This is a violation of RFC2637.
315	    - Only supports a single call within each session
316
317	  To compile it as a module, choose M here.  If unsure, say N.
318
319config NF_CONNTRACK_SANE
320	tristate "SANE protocol support"
321	depends on NETFILTER_ADVANCED
322	help
323	  SANE is a protocol for remote access to scanners as implemented
324	  by the 'saned' daemon. Like FTP, it uses separate control and
325	  data connections.
326
327	  With this module you can support SANE on a connection tracking
328	  firewall.
329
330	  To compile it as a module, choose M here.  If unsure, say N.
331
332config NF_CONNTRACK_SIP
333	tristate "SIP protocol support"
334	default m if NETFILTER_ADVANCED=n
335	help
336	  SIP is an application-layer control protocol that can establish,
337	  modify, and terminate multimedia sessions (conferences) such as
338	  Internet telephony calls. With the nf_conntrack_sip and
339	  the nf_nat_sip modules you can support the protocol on a connection
340	  tracking/NATing firewall.
341
342	  To compile it as a module, choose M here.  If unsure, say N.
343
344config NF_CONNTRACK_TFTP
345	tristate "TFTP protocol support"
346	depends on NETFILTER_ADVANCED
347	help
348	  TFTP connection tracking helper; whether it is required depends
349	  on how restrictive your ruleset is.
350	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
351	  you will need this.
352
353	  To compile it as a module, choose M here.  If unsure, say N.
354
355config NF_CT_NETLINK
356	tristate 'Connection tracking netlink interface'
357	select NETFILTER_NETLINK
358	default m if NETFILTER_ADVANCED=n
359	help
360	  This option enables support for a netlink-based userspace interface
	  to the connection tracking table, as used by the conntrack(8) tool.
361
362config NF_CT_NETLINK_TIMEOUT
363	tristate  'Connection tracking timeout tuning via Netlink'
364	select NETFILTER_NETLINK
365	depends on NETFILTER_ADVANCED
366	depends on NF_CONNTRACK_TIMEOUT
367	help
368	  This option enables support for connection tracking timeout
369	  fine-grain tuning. This allows you to attach specific timeout
370	  policies to flows, instead of using the global timeout policy.
371
372	  If unsure, say `N'.
373
374config NF_CT_NETLINK_HELPER
375	tristate 'Connection tracking helpers in user-space via Netlink'
376	select NETFILTER_NETLINK
377	depends on NF_CT_NETLINK
378	depends on NETFILTER_NETLINK_QUEUE
379	depends on NETFILTER_NETLINK_GLUE_CT
380	depends on NETFILTER_ADVANCED
381	help
382	  This option enables the user-space connection tracking helpers
383	  infrastructure.
384
385	  If unsure, say `N'.
386
387config NETFILTER_NETLINK_GLUE_CT
388	bool "NFQUEUE and NFLOG integration with Connection Tracking"
389	default n
390	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
391	help
392	  If this option is enabled, NFQUEUE and NFLOG can include
393	  Connection Tracking information together with the packet that is
394	  enqueued via NFNETLINK.
395
396config NF_NAT
397	tristate "Network Address Translation support"
398	depends on NF_CONNTRACK
399	default m if NETFILTER_ADVANCED=n
400	help
401	  The NAT option allows masquerading, port forwarding and other
402	  forms of full Network Address Port Translation. This can be
403	  controlled by iptables, ip6tables or nft.
404
405config NF_NAT_AMANDA
406	tristate
407	depends on NF_CONNTRACK && NF_NAT
408	default NF_NAT && NF_CONNTRACK_AMANDA
409
410config NF_NAT_FTP
411	tristate
412	depends on NF_CONNTRACK && NF_NAT
413	default NF_NAT && NF_CONNTRACK_FTP
414
415config NF_NAT_IRC
416	tristate
417	depends on NF_CONNTRACK && NF_NAT
418	default NF_NAT && NF_CONNTRACK_IRC
419
420config NF_NAT_SIP
421	tristate
422	depends on NF_CONNTRACK && NF_NAT
423	default NF_NAT && NF_CONNTRACK_SIP
424
425config NF_NAT_TFTP
426	tristate
427	depends on NF_CONNTRACK && NF_NAT
428	default NF_NAT && NF_CONNTRACK_TFTP
429
430config NF_NAT_REDIRECT
431	bool
432
433config NF_NAT_MASQUERADE
434	bool
435
436config NETFILTER_SYNPROXY
437	tristate
438
439endif # NF_CONNTRACK
440
441config NF_TABLES
442	select NETFILTER_NETLINK
443	select LIBCRC32C
444	tristate "Netfilter nf_tables support"
445	help
446	  nftables is the new packet classification framework that intends to
447	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
448	  provides a pseudo-state machine with an extensible instruction-set
449	  (also known as expressions) that the userspace 'nft' utility
450	  (https://www.netfilter.org/projects/nftables) uses to build the
451	  rule-set. It also comes with the generic set infrastructure that
452	  allows you to construct mappings between matchings and actions
453	  for fast lookups.
454
455	  To compile it as a module, choose M here.
456
457if NF_TABLES
458config NF_TABLES_INET
459	depends on IPV6
460	select NF_TABLES_IPV4
461	select NF_TABLES_IPV6
462	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
463	help
464	  This option enables support for a mixed IPv4/IPv6 "inet" table.
465
466config NF_TABLES_NETDEV
467	bool "Netfilter nf_tables netdev tables support"
468	help
469	  This option enables support for the "netdev" table.
470
471config NFT_NUMGEN
472	tristate "Netfilter nf_tables number generator module"
473	help
474	  This option adds the number generator expression used to perform
475	  incremental counting and random numbers bound to an upper limit.
476
477config NFT_CT
478	depends on NF_CONNTRACK
479	tristate "Netfilter nf_tables conntrack module"
480	help
481	  This option adds the "ct" expression that you can use to match
482	  connection tracking information such as the flow state.
483
484config NFT_FLOW_OFFLOAD
485	depends on NF_CONNTRACK && NF_FLOW_TABLE
486	tristate "Netfilter nf_tables hardware flow offload module"
487	help
488	  This option adds the "flow_offload" expression that you can use to
489	  choose what flows are placed into the hardware.
	  Note that packets of an offloaded flow are handled at the ingress
	  hook and bypass the rest of the ruleset; rules in the regular
	  forward chain will no longer see them.
490
491config NFT_COUNTER
492	tristate "Netfilter nf_tables counter module"
493	help
494	  This option adds the "counter" expression that you can use to
495	  include packet and byte counters in a rule.
496
497config NFT_CONNLIMIT
498	tristate "Netfilter nf_tables connlimit module"
499	depends on NF_CONNTRACK
500	depends on NETFILTER_ADVANCED
501	select NETFILTER_CONNCOUNT
502	help
503	  This option adds the "connlimit" expression that you can use to
504	  limit the number of concurrent connections matching a rule.
505
506config NFT_LOG
507	tristate "Netfilter nf_tables log module"
508	help
509	  This option adds the "log" expression that you can use to log
510	  packets matching some criteria.  Combine it with the "limit"
	  expression so that attacker-controlled traffic cannot flood the
	  kernel log.
511
512config NFT_LIMIT
513	tristate "Netfilter nf_tables limit module"
514	help
515	  This option adds the "limit" expression that you can use to
516	  ratelimit rule matchings.
517
518config NFT_MASQ
519	depends on NF_CONNTRACK
520	depends on NF_NAT
521	select NF_NAT_MASQUERADE
522	tristate "Netfilter nf_tables masquerade support"
523	help
524	  This option adds the "masquerade" expression that you can use
525	  to perform NAT in the masquerade flavour.
526
527config NFT_REDIR
528	depends on NF_CONNTRACK
529	depends on NF_NAT
530	tristate "Netfilter nf_tables redirect support"
531	select NF_NAT_REDIRECT
532	help
533	  This option adds the "redirect" expression that you can use
534	  to perform NAT in the redirect flavour.
535
536config NFT_NAT
537	depends on NF_CONNTRACK
538	select NF_NAT
539	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
540	tristate "Netfilter nf_tables nat module"
541	help
542	  This option adds the "nat" expression that you can use to perform
543	  typical Network Address Translation (NAT) packet transformations.
544
545config NFT_TUNNEL
546	tristate "Netfilter nf_tables tunnel module"
547	help
548	  This option adds the "tunnel" expression that you can use to set
549	  tunneling policies.
550
551config NFT_OBJREF
552	tristate "Netfilter nf_tables stateful object reference module"
553	help
554	  This option adds the "objref" expression that allows you to refer to
555	  stateful objects, such as counters and quotas.
556
557config NFT_QUEUE
558	depends on NETFILTER_NETLINK_QUEUE
559	tristate "Netfilter nf_tables queue module"
560	help
561	  This is required if you intend to use the userspace queueing
562	  infrastructure (also known as NFQUEUE) from nftables.
563
564config NFT_QUOTA
565	tristate "Netfilter nf_tables quota module"
566	help
567	  This option adds the "quota" expression that you can use to
568	  enforce byte quotas.
569
570config NFT_REJECT
571	default m if NETFILTER_ADVANCED=n
572	tristate "Netfilter nf_tables reject support"
573	depends on !NF_TABLES_INET || (IPV6!=m || m)
574	help
575	  This option adds the "reject" expression that you can use to
576	  explicitly deny disallowed traffic and notify the sender via a
577	  TCP reset or an ICMP error message.
578
579config NFT_REJECT_INET
580	depends on NF_TABLES_INET
581	default NFT_REJECT
582	tristate
583
584config NFT_COMPAT
585	depends on NETFILTER_XTABLES
586	tristate "Netfilter x_tables over nf_tables module"
587	help
588	  This is required if you intend to use any of the existing
589	  x_tables match/target extensions over the nf_tables
590	  framework.
591
592config NFT_HASH
593	tristate "Netfilter nf_tables hash module"
594	help
595	  This option adds the "hash" expression that you can use to perform
596	  a hash operation on registers.
597
598config NFT_FIB
599	tristate
600
601config NFT_FIB_INET
602	depends on NF_TABLES_INET
603	depends on NFT_FIB_IPV4
604	depends on NFT_FIB_IPV6
605	tristate "Netfilter nf_tables fib inet support"
606	help
607	  This option allows using the FIB expression from the inet table.
608	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
609	  on the protocol of the packet.
610
611config NFT_XFRM
612	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
613	depends on XFRM
614	help
615	  This option adds an expression that you can use to extract properties
616	  of a packet's security association.
617
618config NFT_SOCKET
619	tristate "Netfilter nf_tables socket match support"
620	depends on IPV6 || IPV6=n
621	select NF_SOCKET_IPV4
622	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
623	help
624	  This option allows matching for the presence or absence of a
625	  corresponding socket and its attributes.
626
627config NFT_OSF
628	tristate "Netfilter nf_tables passive OS fingerprint support"
629	depends on NETFILTER_ADVANCED
630	select NETFILTER_NETLINK_OSF
631	help
632	  This option allows matching packets from a specific OS.
	  Passive fingerprinting is a heuristic based on how the peer builds
	  its TCP packets; it can be forged, so do not rely on it as a
	  security boundary.
633
634config NFT_TPROXY
635	tristate "Netfilter nf_tables tproxy support"
636	depends on IPV6 || IPV6=n
637	select NF_DEFRAG_IPV4
638	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
639	select NF_TPROXY_IPV4
640	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
641	help
642	  This makes transparent proxy support available in nftables.
643
644config NFT_SYNPROXY
645	tristate "Netfilter nf_tables SYNPROXY expression support"
646	depends on NF_CONNTRACK && NETFILTER_ADVANCED
647	select NETFILTER_SYNPROXY
648	select SYN_COOKIES
649	help
650	  The SYNPROXY expression allows you to intercept TCP connections and
651	  establish them using syncookies before they are passed on to the
652	  server. This avoids conntrack and server resource usage during
653	  SYN-flood attacks.
654
655if NF_TABLES_NETDEV
656
657config NF_DUP_NETDEV
658	tristate "Netfilter packet duplication support"
659	help
660	  This option enables the generic packet duplication infrastructure
661	  for Netfilter.
662
663config NFT_DUP_NETDEV
664	tristate "Netfilter nf_tables netdev packet duplication support"
665	select NF_DUP_NETDEV
666	help
667	  This option enables packet duplication for the "netdev" family.
668
669config NFT_FWD_NETDEV
670	tristate "Netfilter nf_tables netdev packet forwarding support"
671	select NF_DUP_NETDEV
672	help
673	  This option enables packet forwarding for the "netdev" family.
674
675config NFT_FIB_NETDEV
676	depends on NFT_FIB_IPV4
677	depends on NFT_FIB_IPV6
678	tristate "Netfilter nf_tables netdev fib lookups support"
679	help
680	  This option allows using the FIB expression from the netdev table.
681	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
682	  on the protocol of the packet.
683
684endif # NF_TABLES_NETDEV
685
686endif # NF_TABLES
687
688config NF_FLOW_TABLE_INET
689	tristate "Netfilter flow table mixed IPv4/IPv6 module"
690	depends on NF_FLOW_TABLE
691	help
692	  This option adds the flow table mixed IPv4/IPv6 support.
693
694	  To compile it as a module, choose M here.
695
696config NF_FLOW_TABLE
697	tristate "Netfilter flow table module"
698	depends on NETFILTER_INGRESS
699	depends on NF_CONNTRACK
700	depends on NF_TABLES
701	help
702	  This option adds the flow table core infrastructure.
703
704	  To compile it as a module, choose M here.
705
706config NETFILTER_XTABLES
707	tristate "Netfilter Xtables support (required for ip_tables)"
708	default m if NETFILTER_ADVANCED=n
709	help
710	  This is required if you intend to use any of ip_tables,
711	  ip6_tables or arp_tables.
712
713if NETFILTER_XTABLES
714
715comment "Xtables combined modules"
716
717config NETFILTER_XT_MARK
718	tristate 'nfmark target and match support'
719	default m if NETFILTER_ADVANCED=n
720	help
721	This option adds the "MARK" target and "mark" match.
722
723	Netfilter mark matching allows you to match packets based on the
724	"nfmark" value in the packet.
725	The target allows you to create rules in the "mangle" table which alter
726	the netfilter mark (nfmark) field associated with the packet.
727
728	Prior to routing, the nfmark can influence the routing method and can
729	also be used by other subsystems to change their behavior.
730
731config NETFILTER_XT_CONNMARK
732	tristate 'ctmark target and match support'
733	depends on NF_CONNTRACK
734	depends on NETFILTER_ADVANCED
735	select NF_CONNTRACK_MARK
736	help
737	This option adds the "CONNMARK" target and "connmark" match.
738
739	Netfilter allows you to store a mark value per connection (a.k.a.
740	ctmark), similarly to the packet mark (nfmark). Using this
741	target and match, you can set and match on this mark.
742
743config NETFILTER_XT_SET
744	tristate 'set target and match support'
745	depends on IP_SET
746	depends on NETFILTER_ADVANCED
747	help
748	  This option adds the "SET" target and "set" match.
749
750	  Using this target and match, you can add/delete and match
751	  elements in the sets created by ipset(8).
752
753	  To compile it as a module, choose M here.  If unsure, say N.
754
755# alphabetically ordered list of targets
756
757comment "Xtables targets"
758
759config NETFILTER_XT_TARGET_AUDIT
760	tristate "AUDIT target support"
761	depends on AUDIT
762	depends on NETFILTER_ADVANCED
763	help
764	  This option adds a 'AUDIT' target, which can be used to create
765	  audit records for packets dropped/accepted.
766
767	  To compile it as a module, choose M here. If unsure, say N.
768
769config NETFILTER_XT_TARGET_CHECKSUM
770	tristate "CHECKSUM target support"
771	depends on IP_NF_MANGLE || IP6_NF_MANGLE
772	depends on NETFILTER_ADVANCED
773	help
774	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
775	  table to work around buggy DHCP clients in virtualized environments.
776
777	  Some old DHCP clients drop packets because they are not aware
778	  that the checksum would normally be offloaded to hardware and
779	  thus should be considered valid.
780	  This target can be used to fill in the checksum using iptables
781	  when such packets are sent via a virtual network device.
782
783	  To compile it as a module, choose M here.  If unsure, say N.
784
785config NETFILTER_XT_TARGET_CLASSIFY
786	tristate '"CLASSIFY" target support'
787	depends on NETFILTER_ADVANCED
788	help
789	  This option adds a `CLASSIFY' target, which enables the user to set
790	  the priority of a packet. Some qdiscs can use this value for
791	  classification, among these are:
792
793	  atm, cbq, dsmark, pfifo_fast, htb, prio
794
795	  To compile it as a module, choose M here.  If unsure, say N.
796
797config NETFILTER_XT_TARGET_CONNMARK
798	tristate  '"CONNMARK" target support'
799	depends on NF_CONNTRACK
800	depends on NETFILTER_ADVANCED
801	select NETFILTER_XT_CONNMARK
802	help
803	This is a backwards-compat option for the user's convenience
804	(e.g. when running oldconfig). It selects
805	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
806
807config NETFILTER_XT_TARGET_CONNSECMARK
808	tristate '"CONNSECMARK" target support'
809	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
810	default m if NETFILTER_ADVANCED=n
811	help
812	  The CONNSECMARK target copies security markings from packets
813	  to connections, and restores security markings from connections
814	  to packets (if the packets are not already marked).  This would
815	  normally be used in conjunction with the SECMARK target.
816
817	  To compile it as a module, choose M here.  If unsure, say N.
818
819config NETFILTER_XT_TARGET_CT
820	tristate '"CT" target support'
821	depends on NF_CONNTRACK
822	depends on IP_NF_RAW || IP6_NF_RAW
823	depends on NETFILTER_ADVANCED
824	help
825	  This option adds a `CT' target, which allows you to specify initial
826	  connection tracking parameters like events to be delivered and
827	  the helper to be used.
828
829	  To compile it as a module, choose M here.  If unsure, say N.
830
831config NETFILTER_XT_TARGET_DSCP
832	tristate '"DSCP" and "TOS" target support'
833	depends on IP_NF_MANGLE || IP6_NF_MANGLE
834	depends on NETFILTER_ADVANCED
835	help
836	  This option adds a `DSCP' target, which allows you to manipulate
837	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
838
839	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
840
841	  It also adds the "TOS" target, which allows you to create rules in
842	  the "mangle" table which alter the Type Of Service field of an IPv4
843	  or the Priority field of an IPv6 packet, prior to routing.
844
845	  To compile it as a module, choose M here.  If unsure, say N.
846
847config NETFILTER_XT_TARGET_HL
848	tristate '"HL" hoplimit target support'
849	depends on IP_NF_MANGLE || IP6_NF_MANGLE
850	depends on NETFILTER_ADVANCED
851	help
852	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
853	targets, which enable the user to change the
854	hoplimit/time-to-live value of the IP header.
855
856	While it is safe to decrement the hoplimit/TTL value, the
857	modules also allow you to increment it, or set it to an
858	arbitrary value. This is EXTREMELY DANGEROUS,
859	since you can easily create immortal packets that loop
860	forever on the network.
861
862config NETFILTER_XT_TARGET_HMARK
863	tristate '"HMARK" target support'
864	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
865	depends on NETFILTER_ADVANCED
866	help
867	This option adds the "HMARK" target.
868
869	The target allows you to create rules in the "raw" and "mangle" tables
870	which set the skbuff mark by means of hash calculation within a given
871	range. The nfmark can influence the routing method and can also be used
872	by other subsystems to change their behaviour.
873
874	To compile it as a module, choose M here. If unsure, say N.
875
876config NETFILTER_XT_TARGET_IDLETIMER
877	tristate  "IDLETIMER target support"
878	depends on NETFILTER_ADVANCED
879	help
880
881	  This option adds the `IDLETIMER' target.  Each matching packet
882	  resets the timer associated with label specified when the rule is
883	  added.  When the timer expires, it triggers a sysfs notification.
884	  The remaining time for expiration can be read via sysfs.
885
886	  To compile it as a module, choose M here.  If unsure, say N.
887
888config NETFILTER_XT_TARGET_LED
889	tristate '"LED" target support'
890	depends on LEDS_CLASS && LEDS_TRIGGERS
891	depends on NETFILTER_ADVANCED
892	help
893	  This option adds a `LED' target, which allows you to blink LEDs in
894	  response to particular packets passing through your machine.
895
896	  This can be used to turn a spare LED into a network activity LED,
897	  which only flashes in response to FTP transfers, for example.  Or
898	  you could have an LED which lights up for a minute or two every time
899	  somebody connects to your machine via SSH.
900
901	  You will need support for the "led" class to make this work.
902
903	  To create an LED trigger for incoming SSH traffic:
904	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
905
906	  Then attach the new trigger to an LED on your system:
907	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
908
909	  For more information on the LEDs available on your system, see
910	  Documentation/leds/leds-class.rst
911
912config NETFILTER_XT_TARGET_LOG
913	tristate "LOG target support"
914	select NF_LOG_COMMON
915	select NF_LOG_IPV4
916	select NF_LOG_IPV6 if IP6_NF_IPTABLES
917	default m if NETFILTER_ADVANCED=n
918	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which record the packet header to the syslog.
	  Every matching packet produces a kernel log entry, so pair LOG rules
	  with the `limit' or `hashlimit' match to keep a flood of unwanted
	  traffic from filling the log.
921
922	  To compile it as a module, choose M here.  If unsure, say N.
923
924config NETFILTER_XT_TARGET_MARK
925	tristate '"MARK" target support'
926	depends on NETFILTER_ADVANCED
927	select NETFILTER_XT_MARK
928	help
929	This is a backwards-compat option for the user's convenience
930	(e.g. when running oldconfig). It selects
931	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
932
933config NETFILTER_XT_NAT
934	tristate '"SNAT and DNAT" targets support'
935	depends on NF_NAT
936	help
937	This option enables the SNAT and DNAT targets.
938
939	To compile it as a module, choose M here. If unsure, say N.
940
941config NETFILTER_XT_TARGET_NETMAP
942	tristate '"NETMAP" target support'
943	depends on NF_NAT
944	help
945	NETMAP is an implementation of static 1:1 NAT mapping of network
946	addresses. It maps the network address part, while keeping the host
947	address part intact.
948
949	To compile it as a module, choose M here. If unsure, say N.
950
951config NETFILTER_XT_TARGET_NFLOG
952	tristate '"NFLOG" target support'
953	default m if NETFILTER_ADVANCED=n
954	select NETFILTER_NETLINK_LOG
955	help
	  This option enables the NFLOG target, which allows logging of
	  packets to userspace through nfnetlink_log.
958
959	  To compile it as a module, choose M here.  If unsure, say N.
960
961config NETFILTER_XT_TARGET_NFQUEUE
962	tristate '"NFQUEUE" target Support'
963	depends on NETFILTER_ADVANCED
964	select NETFILTER_NETLINK_QUEUE
965	help
966	  This target replaced the old obsolete QUEUE target.
967
968	  As opposed to QUEUE, it supports 65535 different queues,
969	  not just one.
970
971	  To compile it as a module, choose M here.  If unsure, say N.
972
973config NETFILTER_XT_TARGET_NOTRACK
974	tristate  '"NOTRACK" target support (DEPRECATED)'
975	depends on NF_CONNTRACK
976	depends on IP_NF_RAW || IP6_NF_RAW
977	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_CT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_CT, which provides the NOTRACK
	  functionality through the CT target.
979
980config NETFILTER_XT_TARGET_RATEEST
981	tristate '"RATEEST" target support'
982	depends on NETFILTER_ADVANCED
983	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.
987
988	  To compile it as a module, choose M here.  If unsure, say N.
989
990config NETFILTER_XT_TARGET_REDIRECT
991	tristate "REDIRECT target support"
992	depends on NF_NAT
993	select NF_NAT_REDIRECT
994	help
995	REDIRECT is a special case of NAT: all incoming connections are
996	mapped onto the incoming interface's address, causing the packets to
997	come to the local machine instead of passing through. This is
998	useful for transparent proxies.
999
1000	To compile it as a module, choose M here. If unsure, say N.
1001
1002config NETFILTER_XT_TARGET_MASQUERADE
1003	tristate "MASQUERADE target support"
1004	depends on NF_NAT
1005	default m if NETFILTER_ADVANCED=n
1006	select NF_NAT_MASQUERADE
1007	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  mainly useful for interfaces with a dynamically assigned IP address
	  (e.g. dialup or DHCP links, where the address may change the next
	  time the link comes up).
1013
1014	  To compile it as a module, choose M here.  If unsure, say N.
1015
1016config NETFILTER_XT_TARGET_TEE
1017	tristate '"TEE" - packet cloning to alternate destination'
1018	depends on NETFILTER_ADVANCED
1019	depends on IPV6 || IPV6=n
1020	depends on !NF_CONNTRACK || NF_CONNTRACK
1021	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1022	select NF_DUP_IPV4
1023	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1024	help
	This option adds a "TEE" target with which a packet can be cloned and
	the clone rerouted to another nexthop, for example to feed a copy of
	the traffic to a monitoring host.

	To compile it as a module, choose M here. If unsure, say N.
1027
1028config NETFILTER_XT_TARGET_TPROXY
1029	tristate '"TPROXY" target transparent proxying support'
1030	depends on NETFILTER_XTABLES
1031	depends on NETFILTER_ADVANCED
1032	depends on IPV6 || IPV6=n
1033	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1034	depends on IP_NF_MANGLE
1035	select NF_DEFRAG_IPV4
1036	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1037	select NF_TPROXY_IPV4
1038	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1039	help
1040	  This option adds a `TPROXY' target, which is somewhat similar to
1041	  REDIRECT.  It can only be used in the mangle table and is useful
1042	  to redirect traffic to a transparent proxy.  It does _not_ depend
1043	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1044	  For it to work you will have to configure certain iptables rules
1045	  and use policy routing. For more information on how to set it up
1046	  see Documentation/networking/tproxy.rst.
1047
1048	  To compile it as a module, choose M here.  If unsure, say N.
1049
1050config NETFILTER_XT_TARGET_TRACE
1051	tristate  '"TRACE" target support'
1052	depends on IP_NF_RAW || IP6_NF_RAW
1053	depends on NETFILTER_ADVANCED
1054	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule that matches them as they traverse the
	  tables, chains and rules.  This is a debugging aid: each marked
	  packet generates one log entry per matched rule, so keep TRACE
	  rules narrowly scoped and remove them when done.
1058
1059	  If you want to compile it as a module, say M here and read
1060	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1061
1062config NETFILTER_XT_TARGET_SECMARK
1063	tristate '"SECMARK" target support'
1064	depends on NETWORK_SECMARK
1065	default m if NETFILTER_ADVANCED=n
1066	help
	  The SECMARK target allows you to attach a security mark to network
	  packets, for use with security subsystems such as an LSM.
1069
1070	  To compile it as a module, choose M here.  If unsure, say N.
1071
1072config NETFILTER_XT_TARGET_TCPMSS
1073	tristate '"TCPMSS" target support'
1074	depends on IPV6 || IPV6=n
1075	default m if NETFILTER_ADVANCED=n
1076	help
1077	  This option adds a `TCPMSS' target, which allows you to alter the
1078	  MSS value of TCP SYN packets, to control the maximum size for that
1079	  connection (usually limiting it to your outgoing interface's MTU
1080	  minus 40).
1081
	  This is used to work around ISPs or servers which block ICMP
	  Fragmentation Needed packets and thereby break path MTU discovery.
	  The symptoms of this problem are that everything works fine from
	  your Linux firewall/router, but machines behind it can never
	  exchange large packets:
1087	        1) Web browsers connect, then hang with no data received.
1088	        2) Small mail works fine, but large emails hang.
1089	        3) ssh works fine, but scp hangs after initial handshaking.
1090
1091	  Workaround: activate this option and add a rule to your firewall
1092	  configuration like:
1093
1094	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1095	                 -j TCPMSS --clamp-mss-to-pmtu
1096
1097	  To compile it as a module, choose M here.  If unsure, say N.
1098
1099config NETFILTER_XT_TARGET_TCPOPTSTRIP
1100	tristate '"TCPOPTSTRIP" target support'
1101	depends on IP_NF_MANGLE || IP6_NF_MANGLE
1102	depends on NETFILTER_ADVANCED
1103	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

	  To compile it as a module, choose M here.  If unsure, say N.
1106
1107# alphabetically ordered list of matches
1108
1109comment "Xtables matches"
1110
1111config NETFILTER_XT_MATCH_ADDRTYPE
1112	tristate '"addrtype" address type match support'
1113	default m if NETFILTER_ADVANCED=n
1114	help
1115	  This option allows you to match what routing thinks of an address,
1116	  eg. UNICAST, LOCAL, BROADCAST, ...
1117
1118	  If you want to compile it as a module, say M here and read
1119	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1120
1121config NETFILTER_XT_MATCH_BPF
1122	tristate '"bpf" match support'
1123	depends on NETFILTER_ADVANCED
1124	help
	  BPF matching applies a Linux socket filter (BPF program) to each
	  packet and accepts those for which the filter returns non-zero.
1127
1128	  To compile it as a module, choose M here.  If unsure, say N.
1129
1130config NETFILTER_XT_MATCH_CGROUP
1131	tristate '"control group" match support'
1132	depends on NETFILTER_ADVANCED
1133	depends on CGROUPS
1134	select CGROUP_NET_CLASSID
1135	help
1136	Socket/process control group matching allows you to match locally
1137	generated packets based on which net_cls control group processes
1138	belong to.
1139
1140config NETFILTER_XT_MATCH_CLUSTER
1141	tristate '"cluster" match support'
1142	depends on NF_CONNTRACK
1143	depends on NETFILTER_ADVANCED
1144	help
1145	  This option allows you to build work-load-sharing clusters of
1146	  network servers/stateful firewalls without having a dedicated
1147	  load-balancing router/server/switch. Basically, this match returns
1148	  true when the packet must be handled by this cluster node. Thus,
1149	  all nodes see all packets and this match decides which node handles
1150	  what packets. The work-load sharing algorithm is based on source
1151	  address hashing.
1152
1153	  If you say Y or M here, try `iptables -m cluster --help` for
1154	  more information.
1155
1156config NETFILTER_XT_MATCH_COMMENT
1157	tristate  '"comment" match support'
1158	depends on NETFILTER_ADVANCED
1159	help
1160	  This option adds a `comment' dummy-match, which allows you to put
1161	  comments in your iptables ruleset.
1162
1163	  If you want to compile it as a module, say M here and read
1164	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1165
1166config NETFILTER_XT_MATCH_CONNBYTES
1167	tristate  '"connbytes" per-connection counter match support'
1168	depends on NF_CONNTRACK
1169	depends on NETFILTER_ADVANCED
1170	help
1171	  This option adds a `connbytes' match, which allows you to match the
1172	  number of bytes and/or packets for each direction within a connection.
1173
1174	  If you want to compile it as a module, say M here and read
1175	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1176
1177config NETFILTER_XT_MATCH_CONNLABEL
1178	tristate '"connlabel" match support'
1179	select NF_CONNTRACK_LABELS
1180	depends on NF_CONNTRACK
1181	depends on NETFILTER_ADVANCED
1182	help
	  This match allows you to test and assign userspace-defined label
	  names to a connection.  The kernel only stores bit values - mapping
	  names to bits is done by userspace.
1186
1187	  Unlike connmark, more than 32 flag bits may be assigned to a
1188	  connection simultaneously.
1189
1190config NETFILTER_XT_MATCH_CONNLIMIT
1191	tristate '"connlimit" match support'
1192	depends on NF_CONNTRACK
1193	depends on NETFILTER_ADVANCED
1194	select NETFILTER_CONNCOUNT
1195	help
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block),
	  e.g. to cap how many simultaneous connections a single client may
	  hold open.
1198
1199config NETFILTER_XT_MATCH_CONNMARK
1200	tristate  '"connmark" connection mark match support'
1201	depends on NF_CONNTRACK
1202	depends on NETFILTER_ADVANCED
1203	select NETFILTER_XT_CONNMARK
1204	help
1205	This is a backwards-compat option for the user's convenience
1206	(e.g. when running oldconfig). It selects
1207	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1208
1209config NETFILTER_XT_MATCH_CONNTRACK
1210	tristate '"conntrack" connection tracking match support'
1211	depends on NF_CONNTRACK
1212	default m if NETFILTER_ADVANCED=n
1213	help
1214	  This is a general conntrack match module, a superset of the state match.
1215
1216	  It allows matching on additional conntrack information, which is
1217	  useful in complex configurations, such as NAT gateways with multiple
1218	  internet links or tunnels.
1219
1220	  To compile it as a module, choose M here.  If unsure, say N.
1221
1222config NETFILTER_XT_MATCH_CPU
1223	tristate '"cpu" match support'
1224	depends on NETFILTER_ADVANCED
1225	help
1226	  CPU matching allows you to match packets based on the CPU
1227	  currently handling the packet.
1228
1229	  To compile it as a module, choose M here.  If unsure, say N.
1230
1231config NETFILTER_XT_MATCH_DCCP
1232	tristate '"dccp" protocol match support'
1233	depends on NETFILTER_ADVANCED
1234	default IP_DCCP
1235	help
1236	  With this option enabled, you will be able to use the iptables
1237	  `dccp' match in order to match on DCCP source/destination ports
1238	  and DCCP flags.
1239
1240	  If you want to compile it as a module, say M here and read
1241	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1242
1243config NETFILTER_XT_MATCH_DEVGROUP
1244	tristate '"devgroup" match support'
1245	depends on NETFILTER_ADVANCED
1246	help
	  This option adds a `devgroup' match, which allows you to match on
	  the device group a network device is assigned to.
1249
1250	  To compile it as a module, choose M here.  If unsure, say N.
1251
1252config NETFILTER_XT_MATCH_DSCP
1253	tristate '"dscp" and "tos" match support'
1254	depends on NETFILTER_ADVANCED
1255	help
1256	  This option adds a `DSCP' match, which allows you to match against
1257	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1258
1259	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1260
1261	  It will also add a "tos" match, which allows you to match packets
1262	  based on the Type Of Service fields of the IPv4 packet (which share
1263	  the same bits as DSCP).
1264
1265	  To compile it as a module, choose M here.  If unsure, say N.
1266
1267config NETFILTER_XT_MATCH_ECN
1268	tristate '"ecn" match support'
1269	depends on NETFILTER_ADVANCED
1270	help
1271	This option adds an "ECN" match, which allows you to match against
1272	the IPv4 and TCP header ECN fields.
1273
1274	To compile it as a module, choose M here. If unsure, say N.
1275
1276config NETFILTER_XT_MATCH_ESP
1277	tristate '"esp" match support'
1278	depends on NETFILTER_ADVANCED
1279	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.
1282
1283	  To compile it as a module, choose M here.  If unsure, say N.
1284
1285config NETFILTER_XT_MATCH_HASHLIMIT
1286	tristate '"hashlimit" match support'
1287	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1288	depends on NETFILTER_ADVANCED
1289	help
1290	  This option adds a `hashlimit' match.
1291
1292	  As opposed to `limit', this match dynamically creates a hash table
1293	  of limit buckets, based on your selection of source/destination
1294	  addresses and/or ports.
1295
1296	  It enables you to express policies like `10kpps for any given
1297	  destination address' or `500pps from any given source address'
1298	  with a single rule.
1299
1300config NETFILTER_XT_MATCH_HELPER
1301	tristate '"helper" match support'
1302	depends on NF_CONNTRACK
1303	depends on NETFILTER_ADVANCED
1304	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, e.g. nf_conntrack_ftp.
1307
1308	  To compile it as a module, choose M here.  If unsure, say Y.
1309
1310config NETFILTER_XT_MATCH_HL
1311	tristate '"hl" hoplimit/TTL match support'
1312	depends on NETFILTER_ADVANCED
1313	help
1314	HL matching allows you to match packets based on the hoplimit
1315	in the IPv6 header, or the time-to-live field in the IPv4
1316	header of the packet.
1317
1318config NETFILTER_XT_MATCH_IPCOMP
1319	tristate '"ipcomp" match support'
1320	depends on NETFILTER_ADVANCED
1321	help
	  This match extension allows you to match a range of 16-bit CPIs
	  (Compression Parameter Indexes) inside the IPComp header of IPsec
	  packets.
1324
1325	  To compile it as a module, choose M here.  If unsure, say N.
1326
1327config NETFILTER_XT_MATCH_IPRANGE
1328	tristate '"iprange" address range match support'
1329	depends on NETFILTER_ADVANCED
1330	help
1331	This option adds a "iprange" match, which allows you to match based on
1332	an IP address range. (Normal iptables only matches on single addresses
1333	with an optional mask.)
1334
1335	If unsure, say M.
1336
1337config NETFILTER_XT_MATCH_IPVS
1338	tristate '"ipvs" match support'
1339	depends on IP_VS
1340	depends on NETFILTER_ADVANCED
1341	depends on NF_CONNTRACK
1342	help
1343	  This option allows you to match against IPVS properties of a packet.
1344
1345	  If unsure, say N.
1346
1347config NETFILTER_XT_MATCH_L2TP
1348	tristate '"l2tp" match support'
1349	depends on NETFILTER_ADVANCED
1350	default L2TP
1351	help
1352	This option adds an "L2TP" match, which allows you to match against
1353	L2TP protocol header fields.
1354
1355	To compile it as a module, choose M here. If unsure, say N.
1356
1357config NETFILTER_XT_MATCH_LENGTH
1358	tristate '"length" match support'
1359	depends on NETFILTER_ADVANCED
1360	help
1361	  This option allows you to match the length of a packet against a
1362	  specific value or range of values.
1363
1364	  To compile it as a module, choose M here.  If unsure, say N.
1365
1366config NETFILTER_XT_MATCH_LIMIT
1367	tristate '"limit" match support'
1368	depends on NETFILTER_ADVANCED
1369	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", above) and to mitigate some denial-of-service
	  attacks, such as log flooding.
1373
1374	  To compile it as a module, choose M here.  If unsure, say N.
1375
1376config NETFILTER_XT_MATCH_MAC
1377	tristate '"mac" address match support'
1378	depends on NETFILTER_ADVANCED
1379	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.  Note that the source MAC address
	  is chosen by the sending host and can be spoofed, and that it only
	  identifies the last hop on the local link, so it should not be the
	  sole basis of an access decision.
1382
1383	  To compile it as a module, choose M here.  If unsure, say N.
1384
1385config NETFILTER_XT_MATCH_MARK
1386	tristate '"mark" match support'
1387	depends on NETFILTER_ADVANCED
1388	select NETFILTER_XT_MARK
1389	help
1390	This is a backwards-compat option for the user's convenience
1391	(e.g. when running oldconfig). It selects
1392	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1393
1394config NETFILTER_XT_MATCH_MULTIPORT
1395	tristate '"multiport" Multiple port match support'
1396	depends on NETFILTER_ADVANCED
1397	help
1398	  Multiport matching allows you to match TCP or UDP packets based on
1399	  a series of source or destination ports: normally a rule can only
1400	  match a single range of ports.
1401
1402	  To compile it as a module, choose M here.  If unsure, say N.
1403
1404config NETFILTER_XT_MATCH_NFACCT
1405	tristate '"nfacct" match support'
1406	depends on NETFILTER_ADVANCED
1407	select NETFILTER_NETLINK_ACCT
1408	help
1409	  This option allows you to use the extended accounting through
1410	  nfnetlink_acct.
1411
1412	  To compile it as a module, choose M here.  If unsure, say N.
1413
1414config NETFILTER_XT_MATCH_OSF
1415	tristate '"osf" Passive OS fingerprint match'
1416	depends on NETFILTER_ADVANCED
1417	select NETFILTER_NETLINK_OSF
1418	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows you to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.
1422
1423	  Rules and loading software can be downloaded from
1424	  http://www.ioremap.net/projects/osf
1425
1426	  To compile it as a module, choose M here.  If unsure, say N.
1427
1428config NETFILTER_XT_MATCH_OWNER
1429	tristate '"owner" match support'
1430	depends on NETFILTER_ADVANCED
1431	help
1432	Socket owner matching allows you to match locally-generated packets
1433	based on who created the socket: the user or group. It is also
1434	possible to check whether a socket actually exists.
1435
1436config NETFILTER_XT_MATCH_POLICY
1437	tristate 'IPsec "policy" match support'
1438	depends on XFRM
1439	default m if NETFILTER_ADVANCED=n
1440	help
1441	  Policy matching allows you to match packets based on the
1442	  IPsec policy that was used during decapsulation/will
1443	  be used during encapsulation.
1444
1445	  To compile it as a module, choose M here.  If unsure, say N.
1446
1447config NETFILTER_XT_MATCH_PHYSDEV
1448	tristate '"physdev" match support'
1449	depends on BRIDGE && BRIDGE_NETFILTER
1450	depends on NETFILTER_ADVANCED
1451	help
1452	  Physdev packet matching matches against the physical bridge ports
1453	  the IP packet arrived on or will leave by.
1454
1455	  To compile it as a module, choose M here.  If unsure, say N.
1456
1457config NETFILTER_XT_MATCH_PKTTYPE
1458	tristate '"pkttype" packet type match support'
1459	depends on NETFILTER_ADVANCED
1460	help
1461	  Packet type matching allows you to match a packet by
1462	  its "class", eg. BROADCAST, MULTICAST, ...
1463
1464	  Typical usage:
1465	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1466
1467	  To compile it as a module, choose M here.  If unsure, say N.
1468
1469config NETFILTER_XT_MATCH_QUOTA
1470	tristate '"quota" match support'
1471	depends on NETFILTER_ADVANCED
1472	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.
1475
1476	  If you want to compile it as a module, say M here and read
1477	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1478
1479config NETFILTER_XT_MATCH_QUOTA2
1480	tristate '"quota2" match support'
1481	depends on NETFILTER_ADVANCED
1482	help
	  This option adds a `quota2' match, which allows you to match on a
	  byte counter that is kept as a single counter rather than per CPU,
	  so the quota is enforced accurately.
	  It allows naming the quotas.
	  This is based on http://xtables-addons.git.sourceforge.net

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1490
1491config NETFILTER_XT_MATCH_RATEEST
1492	tristate '"rateest" match support'
1493	depends on NETFILTER_ADVANCED
1494	select NETFILTER_XT_TARGET_RATEEST
1495	help
	  This option adds a `rateest' match, which allows you to match on
	  the rate estimated by the RATEEST target.
1498
1499	  To compile it as a module, choose M here.  If unsure, say N.
1500
1501config NETFILTER_XT_MATCH_REALM
1502	tristate  '"realm" match support'
1503	depends on NETFILTER_ADVANCED
1504	select IP_ROUTE_CLASSID
1505	help
1506	  This option adds a `realm' match, which allows you to use the realm
1507	  key from the routing subsystem inside iptables.
1508
1509	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1510	  in tc world.
1511
1512	  If you want to compile it as a module, say M here and read
1513	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1514
1515config NETFILTER_XT_MATCH_RECENT
1516	tristate '"recent" match support'
1517	depends on NETFILTER_ADVANCED
1518	help
1519	This match is used for creating one or many lists of recently
1520	used addresses and then matching against that/those list(s).
1521
1522	Short options are available by using 'iptables -m recent -h'
1523	Official Website: <http://snowman.net/projects/ipt_recent/>
1524
1525config NETFILTER_XT_MATCH_SCTP
1526	tristate  '"sctp" protocol match support'
1527	depends on NETFILTER_ADVANCED
1528	default IP_SCTP
1529	help
1530	  With this option enabled, you will be able to use the
1531	  `sctp' match in order to match on SCTP source/destination ports
1532	  and SCTP chunk types.
1533
1534	  If you want to compile it as a module, say M here and read
1535	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1536
1537config NETFILTER_XT_MATCH_SOCKET
1538	tristate '"socket" match support'
1539	depends on NETFILTER_XTABLES
1540	depends on NETFILTER_ADVANCED
1541	depends on IPV6 || IPV6=n
1542	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1543	select NF_SOCKET_IPV4
1544	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1545	select NF_DEFRAG_IPV4
1546	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1547	help
1548	  This option adds a `socket' match, which can be used to match
1549	  packets for which a TCP or UDP socket lookup finds a valid socket.
1550	  It can be used in combination with the MARK target and policy
1551	  routing to implement full featured non-locally bound sockets.
1552
1553	  To compile it as a module, choose M here.  If unsure, say N.
1554
1555config NETFILTER_XT_MATCH_STATE
1556	tristate '"state" match support'
1557	depends on NF_CONNTRACK
1558	default m if NETFILTER_ADVANCED=n
1559	help
1560	  Connection state matching allows you to match packets based on their
1561	  relationship to a tracked connection (ie. previous packets).  This
1562	  is a powerful tool for packet classification.
1563
1564	  To compile it as a module, choose M here.  If unsure, say N.
1565
1566config NETFILTER_XT_MATCH_STATISTIC
1567	tristate '"statistic" match support'
1568	depends on NETFILTER_ADVANCED
1569	help
1570	  This option adds a `statistic' match, which allows you to match
1571	  on packets periodically or randomly with a given percentage.
1572
1573	  To compile it as a module, choose M here.  If unsure, say N.
1574
1575config NETFILTER_XT_MATCH_STRING
1576	tristate  '"string" match support'
1577	depends on NETFILTER_ADVANCED
1578	select TEXTSEARCH
1579	select TEXTSEARCH_KMP
1580	select TEXTSEARCH_BM
1581	select TEXTSEARCH_FSM
1582	help
	  This option adds a `string' match, which allows you to search for a
	  byte pattern in the payload of a packet.  Matching is done per
	  packet, so a pattern split across packet boundaries is not found.
1585
1586	  To compile it as a module, choose M here.  If unsure, say N.
1587
1588config NETFILTER_XT_MATCH_TCPMSS
1589	tristate '"tcpmss" match support'
1590	depends on NETFILTER_ADVANCED
1591	help
1592	  This option adds a `tcpmss' match, which allows you to examine the
1593	  MSS value of TCP SYN packets, which control the maximum packet size
1594	  for that connection.
1595
1596	  To compile it as a module, choose M here.  If unsure, say N.
1597
1598config NETFILTER_XT_MATCH_TIME
1599	tristate '"time" match support'
1600	depends on NETFILTER_ADVANCED
1601	help
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).
1605
1606	  If you say Y here, try `iptables -m time --help` for
1607	  more information.
1608
1609	  If you want to compile it as a module, say M here.
1610	  If unsure, say N.
1611
1612config NETFILTER_XT_MATCH_U32
1613	tristate '"u32" match support'
1614	depends on NETFILTER_ADVANCED
1615	help
1616	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1617	  AND them with specified masks, shift them by specified amounts and
1618	  test whether the results are in any of a set of specified ranges.
1619	  The specification of what to extract is general enough to skip over
1620	  headers with lengths stored in the packet, as in IP or TCP header
1621	  lengths.
1622
1623	  Details and examples are in the kernel module source.
1624
1625endif # NETFILTER_XTABLES
1626
1627endmenu
1628
1629source "net/netfilter/ipset/Kconfig"
1630
1631source "net/netfilter/ipvs/Kconfig"
1632