1# SPDX-License-Identifier: GPL-2.0-only 2menu "Core Netfilter Configuration" 3 depends on NET && INET && NETFILTER 4 5config NETFILTER_INGRESS 6 bool "Netfilter ingress support" 7 default y 8 select NET_INGRESS 9 help 10 This allows you to classify packets from ingress using the Netfilter 11 infrastructure. 12 13config NETFILTER_NETLINK 14 tristate 15 16config NETFILTER_FAMILY_BRIDGE 17 bool 18 19config NETFILTER_FAMILY_ARP 20 bool 21 22config NETFILTER_NETLINK_ACCT 23 tristate "Netfilter NFACCT over NFNETLINK interface" 24 depends on NETFILTER_ADVANCED 25 select NETFILTER_NETLINK 26 help 27 If this option is enabled, the kernel will include support 28 for extended accounting via NFNETLINK. 29 30config NETFILTER_NETLINK_QUEUE 31 tristate "Netfilter NFQUEUE over NFNETLINK interface" 32 depends on NETFILTER_ADVANCED 33 select NETFILTER_NETLINK 34 help 35 If this option is enabled, the kernel will include support 36 for queueing packets via NFNETLINK. 37 38config NETFILTER_NETLINK_LOG 39 tristate "Netfilter LOG over NFNETLINK interface" 40 default m if NETFILTER_ADVANCED=n 41 select NETFILTER_NETLINK 42 help 43 If this option is enabled, the kernel will include support 44 for logging packets via NFNETLINK. 45 46 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, 47 and is also scheduled to replace the old syslog-based ipt_LOG 48 and ip6t_LOG modules. 49 50config NETFILTER_NETLINK_OSF 51 tristate "Netfilter OSF over NFNETLINK interface" 52 depends on NETFILTER_ADVANCED 53 select NETFILTER_NETLINK 54 help 55 If this option is enabled, the kernel will include support 56 for passive OS fingerprint via NFNETLINK. 57 58config NF_CONNTRACK 59 tristate "Netfilter connection tracking support" 60 default m if NETFILTER_ADVANCED=n 61 select NF_DEFRAG_IPV4 62 select NF_DEFRAG_IPV6 if IPV6 != n 63 help 64 Connection tracking keeps a record of what packets have passed 65 through your machine, in order to figure out how they are related 66 into connections. 
67 68 This is required to do Masquerading or other kinds of Network 69 Address Translation. It can also be used to enhance packet 70 filtering (see `Connection state match support' below). 71 72 To compile it as a module, choose M here. If unsure, say N. 73 74config NF_LOG_COMMON 75 tristate 76 77config NF_LOG_NETDEV 78 tristate "Netdev packet logging" 79 select NF_LOG_COMMON 80 81if NF_CONNTRACK 82config NETFILTER_CONNCOUNT 83 tristate 84 85config NF_CONNTRACK_MARK 86 bool 'Connection mark tracking support' 87 depends on NETFILTER_ADVANCED 88 help 89 This option enables support for connection marks, used by the 90 `CONNMARK' target and `connmark' match. Similar to the mark value 91 of packets, but this mark value is kept in the conntrack session 92 instead of the individual packets. 93 94config NF_CONNTRACK_SECMARK 95 bool 'Connection tracking security mark support' 96 depends on NETWORK_SECMARK 97 default m if NETFILTER_ADVANCED=n 98 help 99 This option enables security markings to be applied to 100 connections. Typically they are copied to connections from 101 packets using the CONNSECMARK target and copied back from 102 connections to packets with the same target, with the packets 103 being originally labeled via SECMARK. 104 105 If unsure, say 'N'. 106 107config NF_CONNTRACK_ZONES 108 bool 'Connection tracking zones' 109 depends on NETFILTER_ADVANCED 110 help 111 This option enables support for connection tracking zones. 112 Normally, each connection needs to have a unique system wide 113 identity. Connection tracking zones allow to have multiple 114 connections using the same identity, as long as they are 115 contained in different zones. 116 117 If unsure, say `N'. 118 119config NF_CONNTRACK_PROCFS 120 bool "Supply CT list in procfs (OBSOLETE)" 121 default y 122 depends on PROC_FS 123 ---help--- 124 This option enables for the list of known conntrack entries 125 to be shown in procfs under net/netfilter/nf_conntrack. 
This 126 is considered obsolete in favor of using the conntrack(8) 127 tool which uses Netlink. 128 129config NF_CONNTRACK_EVENTS 130 bool "Connection tracking events" 131 depends on NETFILTER_ADVANCED 132 help 133 If this option is enabled, the connection tracking code will 134 provide a notifier chain that can be used by other kernel code 135 to get notified about changes in the connection tracking state. 136 137 If unsure, say `N'. 138 139config NF_CONNTRACK_TIMEOUT 140 bool 'Connection tracking timeout' 141 depends on NETFILTER_ADVANCED 142 help 143 This option enables support for connection tracking timeout 144 extension. This allows you to attach timeout policies to flow 145 via the CT target. 146 147 If unsure, say `N'. 148 149config NF_CONNTRACK_TIMESTAMP 150 bool 'Connection tracking timestamping' 151 depends on NETFILTER_ADVANCED 152 help 153 This option enables support for connection tracking timestamping. 154 This allows you to store the flow start-time and to obtain 155 the flow-stop time (once it has been destroyed) via Connection 156 tracking events. 157 158 If unsure, say `N'. 159 160config NF_CONNTRACK_LABELS 161 bool "Connection tracking labels" 162 help 163 This option enables support for assigning user-defined flag bits 164 to connection tracking entries. It can be used with xtables connlabel 165 match and the nftables ct expression. 166 167config NF_CT_PROTO_DCCP 168 bool 'DCCP protocol connection tracking support' 169 depends on NETFILTER_ADVANCED 170 default y 171 help 172 With this option enabled, the layer 3 independent connection 173 tracking code will be able to do state tracking on DCCP connections. 174 175 If unsure, say Y. 
176 177config NF_CT_PROTO_GRE 178 bool 179 180config NF_CT_PROTO_SCTP 181 bool 'SCTP protocol connection tracking support' 182 depends on NETFILTER_ADVANCED 183 default y 184 select LIBCRC32C 185 help 186 With this option enabled, the layer 3 independent connection 187 tracking code will be able to do state tracking on SCTP connections. 188 189 If unsure, say Y. 190 191config NF_CT_PROTO_UDPLITE 192 bool 'UDP-Lite protocol connection tracking support' 193 depends on NETFILTER_ADVANCED 194 default y 195 help 196 With this option enabled, the layer 3 independent connection 197 tracking code will be able to do state tracking on UDP-Lite 198 connections. 199 200 If unsure, say Y. 201 202config NF_CONNTRACK_AMANDA 203 tristate "Amanda backup protocol support" 204 depends on NETFILTER_ADVANCED 205 select TEXTSEARCH 206 select TEXTSEARCH_KMP 207 help 208 If you are running the Amanda backup package <http://www.amanda.org/> 209 on this machine or machines that will be MASQUERADED through this 210 machine, then you may want to enable this feature. This allows the 211 connection tracking and natting code to allow the sub-channels that 212 Amanda requires for communication of the backup data, messages and 213 index. 214 215 To compile it as a module, choose M here. If unsure, say N. 216 217config NF_CONNTRACK_FTP 218 tristate "FTP protocol support" 219 default m if NETFILTER_ADVANCED=n 220 help 221 Tracking FTP connections is problematic: special helpers are 222 required for tracking them, and doing masquerading and other forms 223 of Network Address Translation on them. 224 225 This is FTP support on Layer 3 independent connection tracking. 226 227 To compile it as a module, choose M here. If unsure, say N. 228 229config NF_CONNTRACK_H323 230 tristate "H.323 protocol support" 231 depends on IPV6 || IPV6=n 232 depends on NETFILTER_ADVANCED 233 help 234 H.323 is a VoIP signalling protocol from ITU-T. 
As one of the most 235 important VoIP protocols, it is widely used by voice hardware and 236 software including voice gateways, IP phones, Netmeeting, OpenPhone, 237 Gnomemeeting, etc. 238 239 With this module you can support H.323 on a connection tracking/NAT 240 firewall. 241 242 This module supports RAS, Fast Start, H.245 Tunnelling, Call 243 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, 244 whiteboard, file transfer, etc. For more information, please 245 visit http://nath323.sourceforge.net/. 246 247 To compile it as a module, choose M here. If unsure, say N. 248 249config NF_CONNTRACK_IRC 250 tristate "IRC protocol support" 251 default m if NETFILTER_ADVANCED=n 252 help 253 There is a commonly-used extension to IRC called 254 Direct Client-to-Client Protocol (DCC). This enables users to send 255 files to each other, and also chat to each other without the need 256 of a server. DCC Sending is used anywhere you send files over IRC, 257 and DCC Chat is most commonly used by Eggdrop bots. If you are 258 using NAT, this extension will enable you to send files and initiate 259 chats. Note that you do NOT need this extension to get files or 260 have others initiate chats, or everything else in IRC. 261 262 To compile it as a module, choose M here. If unsure, say N. 263 264config NF_CONNTRACK_BROADCAST 265 tristate 266 267config NF_CONNTRACK_NETBIOS_NS 268 tristate "NetBIOS name service protocol support" 269 select NF_CONNTRACK_BROADCAST 270 help 271 NetBIOS name service requests are sent as broadcast messages from an 272 unprivileged port and responded to with unicast messages to the 273 same port. This make them hard to firewall properly because connection 274 tracking doesn't deal with broadcasts. This helper tracks locally 275 originating NetBIOS name service requests and the corresponding 276 responses. It relies on correct IP address configuration, specifically 277 netmask and broadcast address. 
When properly configured, the output 278 of "ip address show" should look similar to this: 279 280 $ ip -4 address show eth0 281 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 282 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 283 284 To compile it as a module, choose M here. If unsure, say N. 285 286config NF_CONNTRACK_SNMP 287 tristate "SNMP service protocol support" 288 depends on NETFILTER_ADVANCED 289 select NF_CONNTRACK_BROADCAST 290 help 291 SNMP service requests are sent as broadcast messages from an 292 unprivileged port and responded to with unicast messages to the 293 same port. This make them hard to firewall properly because connection 294 tracking doesn't deal with broadcasts. This helper tracks locally 295 originating SNMP service requests and the corresponding 296 responses. It relies on correct IP address configuration, specifically 297 netmask and broadcast address. 298 299 To compile it as a module, choose M here. If unsure, say N. 300 301config NF_CONNTRACK_PPTP 302 tristate "PPtP protocol support" 303 depends on NETFILTER_ADVANCED 304 select NF_CT_PROTO_GRE 305 help 306 This module adds support for PPTP (Point to Point Tunnelling 307 Protocol, RFC2637) connection tracking and NAT. 308 309 If you are running PPTP sessions over a stateful firewall or NAT 310 box, you may want to enable this feature. 311 312 Please note that not all PPTP modes of operation are supported yet. 313 Specifically these limitations exist: 314 - Blindly assumes that control connections are always established 315 in PNS->PAC direction. This is a violation of RFC2637. 316 - Only supports a single call within each session 317 318 To compile it as a module, choose M here. If unsure, say N. 319 320config NF_CONNTRACK_SANE 321 tristate "SANE protocol support" 322 depends on NETFILTER_ADVANCED 323 help 324 SANE is a protocol for remote access to scanners as implemented 325 by the 'saned' daemon. 
Like FTP, it uses separate control and 326 data connections. 327 328 With this module you can support SANE on a connection tracking 329 firewall. 330 331 To compile it as a module, choose M here. If unsure, say N. 332 333config NF_CONNTRACK_SIP 334 tristate "SIP protocol support" 335 default m if NETFILTER_ADVANCED=n 336 help 337 SIP is an application-layer control protocol that can establish, 338 modify, and terminate multimedia sessions (conferences) such as 339 Internet telephony calls. With the nf_conntrack_sip and 340 the nf_nat_sip modules you can support the protocol on a connection 341 tracking/NATing firewall. 342 343 To compile it as a module, choose M here. If unsure, say N. 344 345config NF_CONNTRACK_TFTP 346 tristate "TFTP protocol support" 347 depends on NETFILTER_ADVANCED 348 help 349 TFTP connection tracking helper, this is required depending 350 on how restrictive your ruleset is. 351 If you are using a tftp client behind -j SNAT or -j MASQUERADING 352 you will need this. 353 354 To compile it as a module, choose M here. If unsure, say N. 355 356config NF_CT_NETLINK 357 tristate 'Connection tracking netlink interface' 358 select NETFILTER_NETLINK 359 default m if NETFILTER_ADVANCED=n 360 help 361 This option enables support for a netlink-based userspace interface 362 363config NF_CT_NETLINK_TIMEOUT 364 tristate 'Connection tracking timeout tuning via Netlink' 365 select NETFILTER_NETLINK 366 depends on NETFILTER_ADVANCED 367 depends on NF_CONNTRACK_TIMEOUT 368 help 369 This option enables support for connection tracking timeout 370 fine-grain tuning. This allows you to attach specific timeout 371 policies to flows, instead of using the global timeout policy. 372 373 If unsure, say `N'. 
374 375config NF_CT_NETLINK_HELPER 376 tristate 'Connection tracking helpers in user-space via Netlink' 377 select NETFILTER_NETLINK 378 depends on NF_CT_NETLINK 379 depends on NETFILTER_NETLINK_QUEUE 380 depends on NETFILTER_NETLINK_GLUE_CT 381 depends on NETFILTER_ADVANCED 382 help 383 This option enables the user-space connection tracking helpers 384 infrastructure. 385 386 If unsure, say `N'. 387 388config NETFILTER_NETLINK_GLUE_CT 389 bool "NFQUEUE and NFLOG integration with Connection Tracking" 390 default n 391 depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK 392 help 393 If this option is enabled, NFQUEUE and NFLOG can include 394 Connection Tracking information together with the packet is 395 the enqueued via NFNETLINK. 396 397config NF_NAT 398 tristate "Network Address Translation support" 399 depends on NF_CONNTRACK 400 default m if NETFILTER_ADVANCED=n 401 help 402 The NAT option allows masquerading, port forwarding and other 403 forms of full Network Address Port Translation. This can be 404 controlled by iptables, ip6tables or nft. 
405 406config NF_NAT_AMANDA 407 tristate 408 depends on NF_CONNTRACK && NF_NAT 409 default NF_NAT && NF_CONNTRACK_AMANDA 410 411config NF_NAT_FTP 412 tristate 413 depends on NF_CONNTRACK && NF_NAT 414 default NF_NAT && NF_CONNTRACK_FTP 415 416config NF_NAT_IRC 417 tristate 418 depends on NF_CONNTRACK && NF_NAT 419 default NF_NAT && NF_CONNTRACK_IRC 420 421config NF_NAT_SIP 422 tristate 423 depends on NF_CONNTRACK && NF_NAT 424 default NF_NAT && NF_CONNTRACK_SIP 425 426config NF_NAT_TFTP 427 tristate 428 depends on NF_CONNTRACK && NF_NAT 429 default NF_NAT && NF_CONNTRACK_TFTP 430 431config NF_NAT_REDIRECT 432 bool 433 434config NF_NAT_MASQUERADE 435 bool 436 437config NETFILTER_SYNPROXY 438 tristate 439 440endif # NF_CONNTRACK 441 442config NF_TABLES 443 select NETFILTER_NETLINK 444 tristate "Netfilter nf_tables support" 445 help 446 nftables is the new packet classification framework that intends to 447 replace the existing {ip,ip6,arp,eb}_tables infrastructure. It 448 provides a pseudo-state machine with an extensible instruction-set 449 (also known as expressions) that the userspace 'nft' utility 450 (http://www.netfilter.org/projects/nftables) uses to build the 451 rule-set. It also comes with the generic set infrastructure that 452 allows you to construct mappings between matchings and actions 453 for performance lookups. 454 455 To compile it as a module, choose M here. 456 457if NF_TABLES 458 459config NF_TABLES_SET 460 tristate "Netfilter nf_tables set infrastructure" 461 help 462 This option enables the nf_tables set infrastructure that allows to 463 look up for elements in a set and to build one-way mappings between 464 matchings and actions. 465 466config NF_TABLES_INET 467 depends on IPV6 468 select NF_TABLES_IPV4 469 select NF_TABLES_IPV6 470 bool "Netfilter nf_tables mixed IPv4/IPv6 tables support" 471 help 472 This option enables support for a mixed IPv4/IPv6 "inet" table. 
473 474config NF_TABLES_NETDEV 475 bool "Netfilter nf_tables netdev tables support" 476 help 477 This option enables support for the "netdev" table. 478 479config NFT_NUMGEN 480 tristate "Netfilter nf_tables number generator module" 481 help 482 This option adds the number generator expression used to perform 483 incremental counting and random numbers bound to a upper limit. 484 485config NFT_CT 486 depends on NF_CONNTRACK 487 tristate "Netfilter nf_tables conntrack module" 488 help 489 This option adds the "ct" expression that you can use to match 490 connection tracking information such as the flow state. 491 492config NFT_FLOW_OFFLOAD 493 depends on NF_CONNTRACK && NF_FLOW_TABLE 494 tristate "Netfilter nf_tables hardware flow offload module" 495 help 496 This option adds the "flow_offload" expression that you can use to 497 choose what flows are placed into the hardware. 498 499config NFT_COUNTER 500 tristate "Netfilter nf_tables counter module" 501 help 502 This option adds the "counter" expression that you can use to 503 include packet and byte counters in a rule. 504 505config NFT_CONNLIMIT 506 tristate "Netfilter nf_tables connlimit module" 507 depends on NF_CONNTRACK 508 depends on NETFILTER_ADVANCED 509 select NETFILTER_CONNCOUNT 510 help 511 This option adds the "connlimit" expression that you can use to 512 ratelimit rule matchings per connections. 513 514config NFT_LOG 515 tristate "Netfilter nf_tables log module" 516 help 517 This option adds the "log" expression that you can use to log 518 packets matching some criteria. 519 520config NFT_LIMIT 521 tristate "Netfilter nf_tables limit module" 522 help 523 This option adds the "limit" expression that you can use to 524 ratelimit rule matchings. 
525 526config NFT_MASQ 527 depends on NF_CONNTRACK 528 depends on NF_NAT 529 select NF_NAT_MASQUERADE 530 tristate "Netfilter nf_tables masquerade support" 531 help 532 This option adds the "masquerade" expression that you can use 533 to perform NAT in the masquerade flavour. 534 535config NFT_REDIR 536 depends on NF_CONNTRACK 537 depends on NF_NAT 538 tristate "Netfilter nf_tables redirect support" 539 select NF_NAT_REDIRECT 540 help 541 This options adds the "redirect" expression that you can use 542 to perform NAT in the redirect flavour. 543 544config NFT_NAT 545 depends on NF_CONNTRACK 546 select NF_NAT 547 depends on NF_TABLES_IPV4 || NF_TABLES_IPV6 548 tristate "Netfilter nf_tables nat module" 549 help 550 This option adds the "nat" expression that you can use to perform 551 typical Network Address Translation (NAT) packet transformations. 552 553config NFT_TUNNEL 554 tristate "Netfilter nf_tables tunnel module" 555 help 556 This option adds the "tunnel" expression that you can use to set 557 tunneling policies. 558 559config NFT_OBJREF 560 tristate "Netfilter nf_tables stateful object reference module" 561 help 562 This option adds the "objref" expression that allows you to refer to 563 stateful objects, such as counters and quotas. 564 565config NFT_QUEUE 566 depends on NETFILTER_NETLINK_QUEUE 567 tristate "Netfilter nf_tables queue module" 568 help 569 This is required if you intend to use the userspace queueing 570 infrastructure (also known as NFQUEUE) from nftables. 571 572config NFT_QUOTA 573 tristate "Netfilter nf_tables quota module" 574 help 575 This option adds the "quota" expression that you can use to match 576 enforce bytes quotas. 
577 578config NFT_REJECT 579 default m if NETFILTER_ADVANCED=n 580 tristate "Netfilter nf_tables reject support" 581 depends on !NF_TABLES_INET || (IPV6!=m || m) 582 help 583 This option adds the "reject" expression that you can use to 584 explicitly deny and notify via TCP reset/ICMP informational errors 585 unallowed traffic. 586 587config NFT_REJECT_INET 588 depends on NF_TABLES_INET 589 default NFT_REJECT 590 tristate 591 592config NFT_COMPAT 593 depends on NETFILTER_XTABLES 594 tristate "Netfilter x_tables over nf_tables module" 595 help 596 This is required if you intend to use any of existing 597 x_tables match/target extensions over the nf_tables 598 framework. 599 600config NFT_HASH 601 tristate "Netfilter nf_tables hash module" 602 help 603 This option adds the "hash" expression that you can use to perform 604 a hash operation on registers. 605 606config NFT_FIB 607 tristate 608 609config NFT_FIB_INET 610 depends on NF_TABLES_INET 611 depends on NFT_FIB_IPV4 612 depends on NFT_FIB_IPV6 613 tristate "Netfilter nf_tables fib inet support" 614 help 615 This option allows using the FIB expression from the inet table. 616 The lookup will be delegated to the IPv4 or IPv6 FIB depending 617 on the protocol of the packet. 618 619config NFT_XFRM 620 tristate "Netfilter nf_tables xfrm/IPSec security association matching" 621 depends on XFRM 622 help 623 This option adds an expression that you can use to extract properties 624 of a packets security association. 625 626config NFT_SOCKET 627 tristate "Netfilter nf_tables socket match support" 628 depends on IPV6 || IPV6=n 629 select NF_SOCKET_IPV4 630 select NF_SOCKET_IPV6 if NF_TABLES_IPV6 631 help 632 This option allows matching for the presence or absence of a 633 corresponding socket and its attributes. 
634 635config NFT_OSF 636 tristate "Netfilter nf_tables passive OS fingerprint support" 637 depends on NETFILTER_ADVANCED 638 select NETFILTER_NETLINK_OSF 639 help 640 This option allows matching packets from an specific OS. 641 642config NFT_TPROXY 643 tristate "Netfilter nf_tables tproxy support" 644 depends on IPV6 || IPV6=n 645 select NF_DEFRAG_IPV4 646 select NF_DEFRAG_IPV6 if NF_TABLES_IPV6 647 select NF_TPROXY_IPV4 648 select NF_TPROXY_IPV6 if NF_TABLES_IPV6 649 help 650 This makes transparent proxy support available in nftables. 651 652config NFT_SYNPROXY 653 tristate "Netfilter nf_tables SYNPROXY expression support" 654 depends on NF_CONNTRACK && NETFILTER_ADVANCED 655 select NETFILTER_SYNPROXY 656 select SYN_COOKIES 657 help 658 The SYNPROXY expression allows you to intercept TCP connections and 659 establish them using syncookies before they are passed on to the 660 server. This allows to avoid conntrack and server resource usage 661 during SYN-flood attacks. 662 663if NF_TABLES_NETDEV 664 665config NF_DUP_NETDEV 666 tristate "Netfilter packet duplication support" 667 help 668 This option enables the generic packet duplication infrastructure 669 for Netfilter. 670 671config NFT_DUP_NETDEV 672 tristate "Netfilter nf_tables netdev packet duplication support" 673 select NF_DUP_NETDEV 674 help 675 This option enables packet duplication for the "netdev" family. 676 677config NFT_FWD_NETDEV 678 tristate "Netfilter nf_tables netdev packet forwarding support" 679 select NF_DUP_NETDEV 680 help 681 This option enables packet forwarding for the "netdev" family. 682 683config NFT_FIB_NETDEV 684 depends on NFT_FIB_IPV4 685 depends on NFT_FIB_IPV6 686 tristate "Netfilter nf_tables netdev fib lookups support" 687 help 688 This option allows using the FIB expression from the netdev table. 689 The lookup will be delegated to the IPv4 or IPv6 FIB depending 690 on the protocol of the packet. 
691 692endif # NF_TABLES_NETDEV 693 694endif # NF_TABLES 695 696config NF_FLOW_TABLE_INET 697 tristate "Netfilter flow table mixed IPv4/IPv6 module" 698 depends on NF_FLOW_TABLE 699 help 700 This option adds the flow table mixed IPv4/IPv6 support. 701 702 To compile it as a module, choose M here. 703 704config NF_FLOW_TABLE 705 tristate "Netfilter flow table module" 706 depends on NETFILTER_INGRESS 707 depends on NF_CONNTRACK 708 depends on NF_TABLES 709 help 710 This option adds the flow table core infrastructure. 711 712 To compile it as a module, choose M here. 713 714config NETFILTER_XTABLES 715 tristate "Netfilter Xtables support (required for ip_tables)" 716 default m if NETFILTER_ADVANCED=n 717 help 718 This is required if you intend to use any of ip_tables, 719 ip6_tables or arp_tables. 720 721if NETFILTER_XTABLES 722 723comment "Xtables combined modules" 724 725config NETFILTER_XT_MARK 726 tristate 'nfmark target and match support' 727 default m if NETFILTER_ADVANCED=n 728 ---help--- 729 This option adds the "MARK" target and "mark" match. 730 731 Netfilter mark matching allows you to match packets based on the 732 "nfmark" value in the packet. 733 The target allows you to create rules in the "mangle" table which alter 734 the netfilter mark (nfmark) field associated with the packet. 735 736 Prior to routing, the nfmark can influence the routing method and can 737 also be used by other subsystems to change their behavior. 738 739config NETFILTER_XT_CONNMARK 740 tristate 'ctmark target and match support' 741 depends on NF_CONNTRACK 742 depends on NETFILTER_ADVANCED 743 select NF_CONNTRACK_MARK 744 ---help--- 745 This option adds the "CONNMARK" target and "connmark" match. 746 747 Netfilter allows you to store a mark value per connection (a.k.a. 748 ctmark), similarly to the packet mark (nfmark). Using this 749 target and match, you can set and match on this mark. 
750 751config NETFILTER_XT_SET 752 tristate 'set target and match support' 753 depends on IP_SET 754 depends on NETFILTER_ADVANCED 755 help 756 This option adds the "SET" target and "set" match. 757 758 Using this target and match, you can add/delete and match 759 elements in the sets created by ipset(8). 760 761 To compile it as a module, choose M here. If unsure, say N. 762 763# alphabetically ordered list of targets 764 765comment "Xtables targets" 766 767config NETFILTER_XT_TARGET_AUDIT 768 tristate "AUDIT target support" 769 depends on AUDIT 770 depends on NETFILTER_ADVANCED 771 ---help--- 772 This option adds a 'AUDIT' target, which can be used to create 773 audit records for packets dropped/accepted. 774 775 To compileit as a module, choose M here. If unsure, say N. 776 777config NETFILTER_XT_TARGET_CHECKSUM 778 tristate "CHECKSUM target support" 779 depends on IP_NF_MANGLE || IP6_NF_MANGLE 780 depends on NETFILTER_ADVANCED 781 ---help--- 782 This option adds a `CHECKSUM' target, which can be used in the iptables mangle 783 table to work around buggy DHCP clients in virtualized environments. 784 785 Some old DHCP clients drop packets because they are not aware 786 that the checksum would normally be offloaded to hardware and 787 thus should be considered valid. 788 This target can be used to fill in the checksum using iptables 789 when such packets are sent via a virtual network device. 790 791 To compile it as a module, choose M here. If unsure, say N. 792 793config NETFILTER_XT_TARGET_CLASSIFY 794 tristate '"CLASSIFY" target support' 795 depends on NETFILTER_ADVANCED 796 help 797 This option adds a `CLASSIFY' target, which enables the user to set 798 the priority of a packet. Some qdiscs can use this value for 799 classification, among these are: 800 801 atm, cbq, dsmark, pfifo_fast, htb, prio 802 803 To compile it as a module, choose M here. If unsure, say N. 
804 805config NETFILTER_XT_TARGET_CONNMARK 806 tristate '"CONNMARK" target support' 807 depends on NF_CONNTRACK 808 depends on NETFILTER_ADVANCED 809 select NETFILTER_XT_CONNMARK 810 ---help--- 811 This is a backwards-compat option for the user's convenience 812 (e.g. when running oldconfig). It selects 813 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 814 815config NETFILTER_XT_TARGET_CONNSECMARK 816 tristate '"CONNSECMARK" target support' 817 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK 818 default m if NETFILTER_ADVANCED=n 819 help 820 The CONNSECMARK target copies security markings from packets 821 to connections, and restores security markings from connections 822 to packets (if the packets are not already marked). This would 823 normally be used in conjunction with the SECMARK target. 824 825 To compile it as a module, choose M here. If unsure, say N. 826 827config NETFILTER_XT_TARGET_CT 828 tristate '"CT" target support' 829 depends on NF_CONNTRACK 830 depends on IP_NF_RAW || IP6_NF_RAW 831 depends on NETFILTER_ADVANCED 832 help 833 This options adds a `CT' target, which allows to specify initial 834 connection tracking parameters like events to be delivered and 835 the helper to be used. 836 837 To compile it as a module, choose M here. If unsure, say N. 838 839config NETFILTER_XT_TARGET_DSCP 840 tristate '"DSCP" and "TOS" target support' 841 depends on IP_NF_MANGLE || IP6_NF_MANGLE 842 depends on NETFILTER_ADVANCED 843 help 844 This option adds a `DSCP' target, which allows you to manipulate 845 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 846 847 The DSCP field can have any value between 0x0 and 0x3f inclusive. 848 849 It also adds the "TOS" target, which allows you to create rules in 850 the "mangle" table which alter the Type Of Service field of an IPv4 851 or the Priority field of an IPv6 packet, prior to routing. 852 853 To compile it as a module, choose M here. If unsure, say N. 
854 855config NETFILTER_XT_TARGET_HL 856 tristate '"HL" hoplimit target support' 857 depends on IP_NF_MANGLE || IP6_NF_MANGLE 858 depends on NETFILTER_ADVANCED 859 ---help--- 860 This option adds the "HL" (for IPv6) and "TTL" (for IPv4) 861 targets, which enable the user to change the 862 hoplimit/time-to-live value of the IP header. 863 864 While it is safe to decrement the hoplimit/TTL value, the 865 modules also allow to increment and set the hoplimit value of 866 the header to arbitrary values. This is EXTREMELY DANGEROUS 867 since you can easily create immortal packets that loop 868 forever on the network. 869 870config NETFILTER_XT_TARGET_HMARK 871 tristate '"HMARK" target support' 872 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 873 depends on NETFILTER_ADVANCED 874 ---help--- 875 This option adds the "HMARK" target. 876 877 The target allows you to create rules in the "raw" and "mangle" tables 878 which set the skbuff mark by means of hash calculation within a given 879 range. The nfmark can influence the routing method and can also be used 880 by other subsystems to change their behaviour. 881 882 To compile it as a module, choose M here. If unsure, say N. 883 884config NETFILTER_XT_TARGET_IDLETIMER 885 tristate "IDLETIMER target support" 886 depends on NETFILTER_ADVANCED 887 help 888 889 This option adds the `IDLETIMER' target. Each matching packet 890 resets the timer associated with label specified when the rule is 891 added. When the timer expires, it triggers a sysfs notification. 892 The remaining time for expiration can be read via sysfs. 893 894 To compile it as a module, choose M here. If unsure, say N. 895 896config NETFILTER_XT_TARGET_LED 897 tristate '"LED" target support' 898 depends on LEDS_CLASS && LEDS_TRIGGERS 899 depends on NETFILTER_ADVANCED 900 help 901 This option adds a `LED' target, which allows you to blink LEDs in 902 response to particular packets passing through your machine. 
903 904 This can be used to turn a spare LED into a network activity LED, 905 which only flashes in response to FTP transfers, for example. Or 906 you could have an LED which lights up for a minute or two every time 907 somebody connects to your machine via SSH. 908 909 You will need support for the "led" class to make this work. 910 911 To create an LED trigger for incoming SSH traffic: 912 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 913 914 Then attach the new trigger to an LED on your system: 915 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger 916 917 For more information on the LEDs available on your system, see 918 Documentation/leds/leds-class.rst 919 920config NETFILTER_XT_TARGET_LOG 921 tristate "LOG target support" 922 select NF_LOG_COMMON 923 select NF_LOG_IPV4 924 select NF_LOG_IPV6 if IP6_NF_IPTABLES 925 default m if NETFILTER_ADVANCED=n 926 help 927 This option adds a `LOG' target, which allows you to create rules in 928 any iptables table which records the packet header to the syslog. 929 930 To compile it as a module, choose M here. If unsure, say N. 931 932config NETFILTER_XT_TARGET_MARK 933 tristate '"MARK" target support' 934 depends on NETFILTER_ADVANCED 935 select NETFILTER_XT_MARK 936 ---help--- 937 This is a backwards-compat option for the user's convenience 938 (e.g. when running oldconfig). It selects 939 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 940 941config NETFILTER_XT_NAT 942 tristate '"SNAT and DNAT" targets support' 943 depends on NF_NAT 944 ---help--- 945 This option enables the SNAT and DNAT targets. 946 947 To compile it as a module, choose M here. If unsure, say N. 948 949config NETFILTER_XT_TARGET_NETMAP 950 tristate '"NETMAP" target support' 951 depends on NF_NAT 952 ---help--- 953 NETMAP is an implementation of static 1:1 NAT mapping of network 954 addresses. It maps the network address part, while keeping the host 955 address part intact. 

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows you to log
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_QUEUE
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support (DEPRECATED)'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_CT

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	select NF_NAT_REDIRECT
	---help---
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on NF_NAT
	default m if NETFILTER_ADVANCED=n
	select NF_NAT_MASQUERADE
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TEE
	tristate '"TEE" - packet cloning to alternate destination'
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on !NF_CONNTRACK || NF_CONNTRACK
	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
	select NF_DUP_IPV4
	select NF_DUP_IPV6 if IP6_NF_IPTABLES
	---help---
	  This option adds a "TEE" target with which a packet can be cloned and
	  this clone be rerouted to another nexthop.

config NETFILTER_XT_TARGET_TPROXY
	tristate '"TPROXY" target transparent proxying support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on IP_NF_MANGLE
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	select NF_TPROXY_IPV4
	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
	help
	  This option adds a `TPROXY' target, which is somewhat similar to
	  REDIRECT. It can only be used in the mangle table and is useful
	  to redirect traffic to a transparent proxy. It does _not_ depend
	  on Netfilter connection tracking and NAT, unlike REDIRECT.
	  For it to work you will have to configure certain iptables rules
	  and use policy routing. For more information on how to set it up
	  see Documentation/networking/tproxy.txt.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TRACE
	tristate '"TRACE" target support'
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule which matches the packets as they traverse
	  the tables, chains, rules.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_TARGET_SECMARK
	tristate '"SECMARK" target support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The SECMARK target allows security marking of network
	  packets, for use with security subsystems.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPMSS
	tristate '"TCPMSS" target support'
	depends on IPV6 || IPV6=n
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
		1) Web browsers connect, then hang with no data received.
		2) Small mail works fine, but large emails hang.
		3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
		   -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_TCPOPTSTRIP
	tristate '"TCPOPTSTRIP" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
	  TCP options from TCP packets.

# alphabetically ordered list of matches

comment "Xtables matches"

config NETFILTER_XT_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_BPF
	tristate '"bpf" match support'
	depends on NETFILTER_ADVANCED
	help
	  BPF matching applies a linux socket filter to each packet and
	  accepts those for which the filter returns non-zero.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CGROUP
	tristate '"control group" match support'
	depends on NETFILTER_ADVANCED
	depends on CGROUPS
	select CGROUP_NET_CLASSID
	---help---
	  Socket/process control group matching allows you to match locally
	  generated packets based on which net_cls control group processes
	  belong to.

config NETFILTER_XT_MATCH_CLUSTER
	tristate '"cluster" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to build work-load-sharing clusters of
	  network servers/stateful firewalls without having a dedicated
	  load-balancing router/server/switch. Basically, this match returns
	  true when the packet must be handled by this cluster node. Thus,
	  all nodes see all packets and this match decides which node handles
	  what packets. The work-load sharing algorithm is based on source
	  address hashing.

	  If you say Y or M here, try `iptables -m cluster --help` for
	  more information.

config NETFILTER_XT_MATCH_COMMENT
	tristate '"comment" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNBYTES
	tristate '"connbytes" per-connection counter match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_CONNLABEL
	tristate '"connlabel" match support'
	select NF_CONNTRACK_LABELS
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	---help---
	  This match allows you to test and assign userspace-defined label names
	  to a connection. The kernel only stores bit values - mapping
	  names to bits is done by userspace.

	  Unlike connmark, more than 32 flag bits may be assigned to a
	  connection simultaneously.

config NETFILTER_XT_MATCH_CONNLIMIT
	tristate '"connlimit" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	---help---
	  This match allows you to match against the number of parallel
	  connections to a server per client IP address (or address block).

config NETFILTER_XT_MATCH_CONNMARK
	tristate '"connmark" connection mark match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_MATCH_CONNTRACK
	tristate '"conntrack" connection tracking match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_CPU
	tristate '"cpu" match support'
	depends on NETFILTER_ADVANCED
	help
	  CPU matching allows you to match packets based on the CPU
	  currently handling the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DCCP
	tristate '"dccp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_DCCP
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_DEVGROUP
	tristate '"devgroup" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `devgroup' match, which allows you to match on the
	  device group a network device is assigned to.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_DSCP
	tristate '"dscp" and "tos" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It will also add a "tos" match, which allows you to match packets
	  based on the Type Of Service fields of the IPv4 packet (which share
	  the same bits as DSCP).

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "ECN" match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_ESP
	tristate '"esp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside ESP header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_HASHLIMIT
	tristate '"hashlimit" match support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination address' or `500pps from any given source address'
	  with a single rule.

config NETFILTER_XT_MATCH_HELPER
	tristate '"helper" match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, ie. nf_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config NETFILTER_XT_MATCH_HL
	tristate '"hl" hoplimit/TTL match support'
	depends on NETFILTER_ADVANCED
	---help---
	  HL matching allows you to match packets based on the hoplimit
	  in the IPv6 header, or the time-to-live field in the IPv4
	  header of the packet.

config NETFILTER_XT_MATCH_IPCOMP
	tristate '"ipcomp" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of CPIs (16 bits)
	  inside IPComp header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_IPRANGE
	tristate '"iprange" address range match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an "iprange" match, which allows you to match based on
	  an IP address range. (Normal iptables only matches on single addresses
	  with an optional mask.)

	  If unsure, say M.

config NETFILTER_XT_MATCH_IPVS
	tristate '"ipvs" match support'
	depends on IP_VS
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK
	help
	  This option allows you to match against IPVS properties of a packet.

	  If unsure, say N.

config NETFILTER_XT_MATCH_L2TP
	tristate '"l2tp" match support'
	depends on NETFILTER_ADVANCED
	default L2TP
	---help---
	  This option adds an "L2TP" match, which allows you to match against
	  L2TP protocol header fields.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LENGTH
	tristate '"length" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_LIMIT
	tristate '"limit" match support'
	depends on NETFILTER_ADVANCED
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MAC
	tristate '"mac" address match support'
	depends on NETFILTER_ADVANCED
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_MARK
	tristate '"mark" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_MATCH_MULTIPORT
	tristate '"multiport" Multiple port match support'
	depends on NETFILTER_ADVANCED
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_NFACCT
	tristate '"nfacct" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_ACCT
	help
	  This option allows you to use the extended accounting through
	  nfnetlink_acct.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OSF
	tristate '"osf" Passive OS fingerprint match'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_OSF
	help
	  This option selects the Passive OS Fingerprinting match module
	  that allows you to passively match the remote operating system by
	  analyzing incoming TCP SYN packets.

	  Rules and loading software can be downloaded from
	  http://www.ioremap.net/projects/osf

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_OWNER
	tristate '"owner" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  Socket owner matching allows you to match locally-generated packets
	  based on who created the socket: the user or group. It is also
	  possible to check whether a socket actually exists.

config NETFILTER_XT_MATCH_POLICY
	tristate 'IPsec "policy" match support'
	depends on XFRM
	default m if NETFILTER_ADVANCED=n
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PHYSDEV
	tristate '"physdev" match support'
	depends on BRIDGE && BRIDGE_NETFILTER
	depends on NETFILTER_ADVANCED
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_PKTTYPE
	tristate '"pkttype" packet type match support'
	depends on NETFILTER_ADVANCED
	help
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_QUOTA
	tristate '"quota" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_QUOTA2
	tristate '"quota2" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `quota2' match, which allows you to match on a
	  byte counter correctly and not per CPU.
	  It allows naming the quotas.
	  This is based on http://xtables-addons.git.sourceforge.net

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config NETFILTER_XT_MATCH_QUOTA2_LOG
	bool '"quota2" Netfilter LOG support'
	depends on NETFILTER_XT_MATCH_QUOTA2
	default n
	help
	  This option allows `quota2' to log ONCE when a quota limit
	  is passed. It logs via NETLINK using the NETLINK_NFLOG family.
	  It logs similarly to how ipt_ULOG would without data.

	  If unsure, say `N'.

config NETFILTER_XT_MATCH_RATEEST
	tristate '"rateest" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_RATEEST
	help
	  This option adds a `rateest' match, which allows you to match on the
	  rate estimated by the RATEEST target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_REALM
	tristate '"realm" match support'
	depends on NETFILTER_ADVANCED
	select IP_ROUTE_CLASSID
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_RECENT
	tristate '"recent" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

config NETFILTER_XT_MATCH_SCTP
	tristate '"sctp" protocol match support'
	depends on NETFILTER_ADVANCED
	default IP_SCTP
	help
	  With this option enabled, you will be able to use the
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	select NF_SOCKET_IPV4
	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `socket' match, which can be used to match
	  packets for which a TCP or UDP socket lookup finds a valid socket.
	  It can be used in combination with the MARK target and policy
	  routing to implement full featured non-locally bound sockets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATE
	tristate '"state" match support'
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STATISTIC
	tristate '"statistic" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `statistic' match, which allows you to match
	  on packets periodically or randomly with a given percentage.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_STRING
	tristate '"string" match support'
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  pattern matchings in packets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TCPMSS
	tristate '"tcpmss" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_MATCH_TIME
	tristate '"time" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is running)
	  or departure time/date (for locally generated packets).

	  If you say Y here, try `iptables -m time --help` for
	  more information.

	  If you want to compile it as a module, say M here.
	  If unsure, say N.

config NETFILTER_XT_MATCH_U32
	tristate '"u32" match support'
	depends on NETFILTER_ADVANCED
	---help---
	  u32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header
	  lengths.

	  Details and examples are in the kernel module source.

endif # NETFILTER_XTABLES

endmenu

source "net/netfilter/ipset/Kconfig"

source "net/netfilter/ipvs/Kconfig"
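A deployment check that follows from the targets and matches declared in this file, added here as an example and not part of the kernel's Kconfig or of iptables: it scans an iptables ruleset (such as the TCPMSS clamp and the pkttype/LOG rule shown above, plus a hashlimit and state rule) for `-m`/`-j` extensions, maps them to the CONFIG_NETFILTER_XT_* symbols above, and reports which ones a given kernel .config was built without. The function names, the sample .config fragment and the sample ruleset are all constructed for this example; the mapping covers only a subset of the symbols in this file.

```shell
#!/bin/sh
# Added example, not part of the kernel's Kconfig: check that the Xtables
# matches/targets an iptables ruleset uses were built into a kernel, by
# mapping "-m name" / "-j NAME" to the CONFIG symbols declared in this file.
# Protocol matches loaded implicitly by "-p tcp" (xt_tcpudp) are not covered.

# Map an iptables match name (-m foo) to its Kconfig symbol; fail if unknown.
xt_match_symbol() {
    case "$1" in
        state)     echo NETFILTER_XT_MATCH_STATE ;;
        conntrack) echo NETFILTER_XT_MATCH_CONNTRACK ;;
        hashlimit) echo NETFILTER_XT_MATCH_HASHLIMIT ;;
        limit)     echo NETFILTER_XT_MATCH_LIMIT ;;
        pkttype)   echo NETFILTER_XT_MATCH_PKTTYPE ;;
        recent)    echo NETFILTER_XT_MATCH_RECENT ;;
        multiport) echo NETFILTER_XT_MATCH_MULTIPORT ;;
        *)         return 1 ;;
    esac
}

# Map an iptables target name (-j FOO) to its Kconfig symbol. Built-in verdicts
# such as ACCEPT/DROP need no extension module, so they fail the lookup too.
xt_target_symbol() {
    case "$1" in
        LOG)      echo NETFILTER_XT_TARGET_LOG ;;
        NFLOG)    echo NETFILTER_XT_TARGET_NFLOG ;;
        TCPMSS)   echo NETFILTER_XT_TARGET_TCPMSS ;;
        LED)      echo NETFILTER_XT_TARGET_LED ;;
        SECMARK)  echo NETFILTER_XT_TARGET_SECMARK ;;
        REDIRECT) echo NETFILTER_XT_TARGET_REDIRECT ;;
        *)        return 1 ;;
    esac
}

# Read a ruleset (one iptables command per line) on stdin; print the sorted
# set of CONFIG symbols its -m/-j extensions require.
ruleset_symbols() {
    awk '{ for (i = 1; i < NF; i++) {
             if ($i == "-m") print "m " $(i + 1)
             if ($i == "-j") print "j " $(i + 1) } }' |
    LC_ALL=C sort -u |
    while read -r kind name; do
        if [ "$kind" = m ]; then xt_match_symbol "$name"; else xt_target_symbol "$name"; fi
    done | LC_ALL=C sort -u
}

# Read symbols on stdin; print each one not set to y or m in the .config given
# as $1 ("# CONFIG_X is not set" counts as missing). Returns 1 if any is missing.
missing_symbols() {
    rc=0
    while read -r sym; do
        grep -Eq "^CONFIG_${sym}=[ym]$" "$1" || { echo "$sym"; rc=1; }
    done
    return $rc
}

# $1 = path to .config, $2 = ruleset text. Prints missing symbols; returns 1 if any.
check_ruleset() {
    printf '%s\n' "$2" | ruleset_symbols | missing_symbols "$1"
}

# Constructed sample .config fragment (not taken from a real build).
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NETFILTER_XT_MATCH_LIMIT=y
# CONFIG_NETFILTER_XT_MATCH_HASHLIMIT is not set
CONFIG_NETFILTER_XT_TARGET_LOG=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=y
EOF

# Constructed ruleset: the TCPMSS clamp from this Kconfig, a stateful accept,
# a per-source SSH rate limit, and rate-limited logging.
SAMPLE_RULES='iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m hashlimit --hashlimit-name ssh --hashlimit-mode srcip --hashlimit-above 5/min -j DROP
iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "input-drop: "'

if check_ruleset "$SAMPLE_CONFIG" "$SAMPLE_RULES"; then
    echo "kernel config provides every extension the ruleset uses"
else
    echo "the symbols listed above are missing: rebuild the kernel or drop those rules" >&2
fi
```

Run against a real kernel's `/boot/config-$(uname -r)` and your saved ruleset to catch a rule that would fail to load (for example, a hashlimit rate limit silently absent from a minimal kernel) before it is relied on.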