# SPDX-License-Identifier: GPL-2.0-only
menu "Core Netfilter Configuration"
	depends on INET && NETFILTER

config NETFILTER_INGRESS
	bool "Netfilter ingress support"
	default y
	select NET_INGRESS
	help
	  This allows you to classify packets from ingress using the Netfilter
	  infrastructure.

config NETFILTER_NETLINK
	tristate

config NETFILTER_FAMILY_BRIDGE
	bool

config NETFILTER_FAMILY_ARP
	bool

config NETFILTER_NETLINK_HOOK
	tristate "Netfilter base hook dump support"
	depends on NETFILTER_ADVANCED
	depends on NF_TABLES
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  to list the base netfilter hooks via NFNETLINK.
	  This is helpful for debugging.

config NETFILTER_NETLINK_ACCT
	tristate "Netfilter NFACCT over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.

config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NETFILTER_NETLINK_OSF
	tristate "Netfilter OSF over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for passive OS fingerprinting via NFNETLINK.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IPV6 != n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation. It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here. If unsure, say N.

config NF_LOG_SYSLOG
	tristate "Syslog packet logging"
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for packet logging via syslog.
	  It supports IPv4, IPv6, ARP and common transport protocols such
	  as TCP and UDP.
	  This is a simpler but less flexible logging method compared to
	  CONFIG_NETFILTER_NETLINK_LOG.
	  If both are enabled, the backend to use can be configured at run-time
	  by means of per-address-family sysctl tunables.

if NF_CONNTRACK
config NETFILTER_CONNCOUNT
	tristate

config NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default y if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections. Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool 'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system-wide
	  identity. Connection tracking zones allow multiple connections
	  to use the same identity, as long as they are contained in
	  different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_PROCFS
	bool "Supply CT list in procfs (OBSOLETE)"
	depends on PROC_FS
	help
	  This option enables the list of known conntrack entries to be
	  shown in procfs under net/netfilter/nf_conntrack. This is
	  considered obsolete in favor of using the conntrack(8) tool,
	  which uses Netlink.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMEOUT
	bool 'Connection tracking timeout'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for the connection tracking timeout
	  extension. This allows you to attach timeout policies to flows
	  via the CT target.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMESTAMP
	bool 'Connection tracking timestamping'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timestamping.
	  This allows you to store the flow start-time and to obtain
	  the flow-stop time (once it has been destroyed) via Connection
	  tracking events.

	  If unsure, say `N'.

config NF_CONNTRACK_LABELS
	bool "Connection tracking labels"
	help
	  This option enables support for assigning user-defined flag bits
	  to connection tracking entries. It can be used with the xtables
	  connlabel match and the nftables ct expression.

config NF_CT_PROTO_DCCP
	bool 'DCCP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on DCCP connections.

	  If unsure, say Y.

config NF_CT_PROTO_GRE
	bool

config NF_CT_PROTO_SCTP
	bool 'SCTP protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	select LIBCRC32C
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on SCTP connections.

	  If unsure, say Y.

config NF_CT_PROTO_UDPLITE
	bool 'UDP-Lite protocol connection tracking support'
	depends on NETFILTER_ADVANCED
	default y
	help
	  With this option enabled, the layer 3 independent connection
	  tracking code will be able to do state tracking on UDP-Lite
	  connections.

	  If unsure, say Y.

config NF_CONNTRACK_AMANDA
	tristate "Amanda backup protocol support"
	depends on NETFILTER_ADVANCED
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_FTP
	tristate "FTP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  This is FTP support on Layer 3 independent connection tracking.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_H323
	tristate "H.323 protocol support"
	depends on IPV6 || IPV6=n
	depends on NETFILTER_ADVANCED
	help
	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc. For more information, please
	  visit http://nath323.sourceforge.net/.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_IRC
	tristate "IRC protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_BROADCAST
	tristate

config NF_CONNTRACK_NETBIOS_NS
	tristate "NetBIOS name service protocol support"
	select NF_CONNTRACK_BROADCAST
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SNMP
	tristate "SNMP service protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_BROADCAST
	help
	  SNMP service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating SNMP service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PPTP
	tristate "PPtP protocol support"
	depends on NETFILTER_ADVANCED
	select NF_CT_PROTO_GRE
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  Specifically these limitations exist:
	    - Blindly assumes that control connections are always established
	      in PNS->PAC direction. This is a violation of RFC2637.
	    - Only supports a single call within each session

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SANE
	tristate "SANE protocol support"
	depends on NETFILTER_ADVANCED
	help
	  SANE is a protocol for remote access to scanners as implemented
	  by the 'saned' daemon. Like FTP, it uses separate control and
	  data connections.

	  With this module you can support SANE on a connection tracking
	  firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_SIP
	tristate "SIP protocol support"
	default m if NETFILTER_ADVANCED=n
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls. With the nf_conntrack_sip and
	  the nf_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_TFTP
	tristate "TFTP protocol support"
	depends on NETFILTER_ADVANCED
	help
	  TFTP connection tracking helper; whether this is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CT_NETLINK
	tristate 'Connection tracking netlink interface'
	select NETFILTER_NETLINK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables support for a netlink-based userspace interface

config NF_CT_NETLINK_TIMEOUT
	tristate 'Connection tracking timeout tuning via Netlink'
	select NETFILTER_NETLINK
	depends on NETFILTER_ADVANCED
	depends on NF_CONNTRACK_TIMEOUT
	help
	  This option enables support for connection tracking timeout
	  fine-grain tuning. This allows you to attach specific timeout
	  policies to flows, instead of using the global timeout policy.

	  If unsure, say `N'.

config NF_CT_NETLINK_HELPER
	tristate 'Connection tracking helpers in user-space via Netlink'
	select NETFILTER_NETLINK
	depends on NF_CT_NETLINK
	depends on NETFILTER_NETLINK_QUEUE
	depends on NETFILTER_NETLINK_GLUE_CT
	depends on NETFILTER_ADVANCED
	help
	  This option enables the user-space connection tracking helpers
	  infrastructure.

	  If unsure, say `N'.

config NETFILTER_NETLINK_GLUE_CT
	bool "NFQUEUE and NFLOG integration with Connection Tracking"
	default n
	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
	help
	  If this option is enabled, NFQUEUE and NFLOG can include
	  Connection Tracking information together with the packet that is
	  enqueued via NFNETLINK.

config NF_NAT
	tristate "Network Address Translation support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  The NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables, ip6tables or nft.

config NF_NAT_AMANDA
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_FTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_SIP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

config NF_NAT_TFTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_REDIRECT
	bool

config NF_NAT_MASQUERADE
	bool

config NETFILTER_SYNPROXY
	tristate

endif # NF_CONNTRACK

config NF_TABLES
	select NETFILTER_NETLINK
	select LIBCRC32C
	tristate "Netfilter nf_tables support"
	help
	  nftables is the new packet classification framework that intends to
	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
	  provides a pseudo-state machine with an extensible instruction-set
	  (also known as expressions) that the userspace 'nft' utility
	  (https://www.netfilter.org/projects/nftables) uses to build the
	  rule-set. It also comes with the generic set infrastructure that
	  allows you to construct mappings between matchings and actions
	  for performance lookups.

	  To compile it as a module, choose M here.

if NF_TABLES
config NF_TABLES_INET
	depends on IPV6
	select NF_TABLES_IPV4
	select NF_TABLES_IPV6
	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
	help
	  This option enables support for a mixed IPv4/IPv6 "inet" table.

config NF_TABLES_NETDEV
	bool "Netfilter nf_tables netdev tables support"
	help
	  This option enables support for the "netdev" table.

config NFT_NUMGEN
	tristate "Netfilter nf_tables number generator module"
	help
	  This option adds the number generator expression used to perform
	  incremental counting and random numbers bound to an upper limit.

config NFT_CT
	depends on NF_CONNTRACK
	tristate "Netfilter nf_tables conntrack module"
	help
	  This option adds the "ct" expression that you can use to match
	  connection tracking information such as the flow state.

config NFT_FLOW_OFFLOAD
	depends on NF_CONNTRACK && NF_FLOW_TABLE
	tristate "Netfilter nf_tables hardware flow offload module"
	help
	  This option adds the "flow_offload" expression that you can use to
	  choose what flows are placed into the hardware.

config NFT_COUNTER
	tristate "Netfilter nf_tables counter module"
	help
	  This option adds the "counter" expression that you can use to
	  include packet and byte counters in a rule.

config NFT_CONNLIMIT
	tristate "Netfilter nf_tables connlimit module"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_CONNCOUNT
	help
	  This option adds the "connlimit" expression that you can use to
	  ratelimit rule matchings per connections.

config NFT_LOG
	tristate "Netfilter nf_tables log module"
	help
	  This option adds the "log" expression that you can use to log
	  packets matching some criteria.

config NFT_LIMIT
	tristate "Netfilter nf_tables limit module"
	help
	  This option adds the "limit" expression that you can use to
	  ratelimit rule matchings.

config NFT_MASQ
	depends on NF_CONNTRACK
	depends on NF_NAT
	select NF_NAT_MASQUERADE
	tristate "Netfilter nf_tables masquerade support"
	help
	  This option adds the "masquerade" expression that you can use
	  to perform NAT in the masquerade flavour.

config NFT_REDIR
	depends on NF_CONNTRACK
	depends on NF_NAT
	tristate "Netfilter nf_tables redirect support"
	select NF_NAT_REDIRECT
	help
	  This option adds the "redirect" expression that you can use
	  to perform NAT in the redirect flavour.

config NFT_NAT
	depends on NF_CONNTRACK
	select NF_NAT
	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
	tristate "Netfilter nf_tables nat module"
	help
	  This option adds the "nat" expression that you can use to perform
	  typical Network Address Translation (NAT) packet transformations.

config NFT_TUNNEL
	tristate "Netfilter nf_tables tunnel module"
	help
	  This option adds the "tunnel" expression that you can use to set
	  tunneling policies.

config NFT_OBJREF
	tristate "Netfilter nf_tables stateful object reference module"
	help
	  This option adds the "objref" expression that allows you to refer to
	  stateful objects, such as counters and quotas.

config NFT_QUEUE
	depends on NETFILTER_NETLINK_QUEUE
	tristate "Netfilter nf_tables queue module"
	help
	  This is required if you intend to use the userspace queueing
	  infrastructure (also known as NFQUEUE) from nftables.

config NFT_QUOTA
	tristate "Netfilter nf_tables quota module"
	help
	  This option adds the "quota" expression that you can use to
	  enforce byte quotas.

config NFT_REJECT
	default m if NETFILTER_ADVANCED=n
	tristate "Netfilter nf_tables reject support"
	depends on !NF_TABLES_INET || (IPV6!=m || m)
	help
	  This option adds the "reject" expression that you can use to
	  explicitly deny and notify via TCP reset/ICMP informational errors
	  unallowed traffic.

config NFT_REJECT_INET
	depends on NF_TABLES_INET
	default NFT_REJECT
	tristate

config NFT_COMPAT
	depends on NETFILTER_XTABLES
	tristate "Netfilter x_tables over nf_tables module"
	help
	  This is required if you intend to use any of the existing
	  x_tables match/target extensions over the nf_tables
	  framework.

config NFT_HASH
	tristate "Netfilter nf_tables hash module"
	help
	  This option adds the "hash" expression that you can use to perform
	  a hash operation on registers.

config NFT_FIB
	tristate

config NFT_FIB_INET
	depends on NF_TABLES_INET
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables fib inet support"
	help
	  This option allows using the FIB expression from the inet table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

config NFT_XFRM
	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
	depends on XFRM
	help
	  This option adds an expression that you can use to extract properties
	  of a packet's security association.

config NFT_SOCKET
	tristate "Netfilter nf_tables socket match support"
	depends on IPV6 || IPV6=n
	select NF_SOCKET_IPV4
	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
	help
	  This option allows matching for the presence or absence of a
	  corresponding socket and its attributes.

config NFT_OSF
	tristate "Netfilter nf_tables passive OS fingerprint support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_OSF
	help
	  This option allows matching packets from a specific OS.

config NFT_TPROXY
	tristate "Netfilter nf_tables tproxy support"
	depends on IPV6 || IPV6=n
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
	select NF_TPROXY_IPV4
	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
	help
	  This makes transparent proxy support available in nftables.

config NFT_SYNPROXY
	tristate "Netfilter nf_tables SYNPROXY expression support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY expression allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

if NF_TABLES_NETDEV

config NF_DUP_NETDEV
	tristate "Netfilter packet duplication support"
	help
	  This option enables the generic packet duplication infrastructure
	  for Netfilter.

config NFT_DUP_NETDEV
	tristate "Netfilter nf_tables netdev packet duplication support"
	select NF_DUP_NETDEV
	help
	  This option enables packet duplication for the "netdev" family.

config NFT_FWD_NETDEV
	tristate "Netfilter nf_tables netdev packet forwarding support"
	select NF_DUP_NETDEV
	help
	  This option enables packet forwarding for the "netdev" family.

config NFT_FIB_NETDEV
	depends on NFT_FIB_IPV4
	depends on NFT_FIB_IPV6
	tristate "Netfilter nf_tables netdev fib lookups support"
	help
	  This option allows using the FIB expression from the netdev table.
	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
	  on the protocol of the packet.

config NFT_REJECT_NETDEV
	depends on NFT_REJECT_IPV4
	depends on NFT_REJECT_IPV6
	tristate "Netfilter nf_tables netdev REJECT support"
	help
	  This option enables the REJECT support from the netdev table.
	  The return packet generation will be delegated to the IPv4
	  or IPv6 ICMP or TCP RST implementation depending on the
	  protocol of the packet.

endif # NF_TABLES_NETDEV

endif # NF_TABLES

config NF_FLOW_TABLE_INET
	tristate "Netfilter flow table mixed IPv4/IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table mixed IPv4/IPv6 support.

	  To compile it as a module, choose M here.

config NF_FLOW_TABLE
	tristate "Netfilter flow table module"
	depends on NETFILTER_INGRESS
	depends on NF_CONNTRACK
	depends on NF_TABLES
	help
	  This option adds the flow table core infrastructure.

	  To compile it as a module, choose M here.

config NETFILTER_XTABLES
	tristate "Netfilter Xtables support (required for ip_tables)"
	default m if NETFILTER_ADVANCED=n
	help
	  This is required if you intend to use any of ip_tables,
	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

config NETFILTER_XTABLES_COMPAT
	bool "Netfilter Xtables 32bit support"
	depends on COMPAT
	default y
	help
	  This option provides a translation layer to run 32-bit arp, ip(6)
	  and ebtables binaries on 64-bit kernels.

	  If unsure, say N.

comment "Xtables combined modules"

config NETFILTER_XT_MARK
	tristate 'nfmark target and match support'
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds the "MARK" target and "mark" match.

	  Netfilter mark matching allows you to match packets based on the
	  "nfmark" value in the packet.
	  The target allows you to create rules in the "mangle" table which alter
	  the netfilter mark (nfmark) field associated with the packet.

	  Prior to routing, the nfmark can influence the routing method and can
	  also be used by other subsystems to change their behavior.

config NETFILTER_XT_CONNMARK
	tristate 'ctmark target and match support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  This option adds the "CONNMARK" target and "connmark" match.

	  Netfilter allows you to store a mark value per connection (a.k.a.
	  ctmark), similarly to the packet mark (nfmark). Using this
	  target and match, you can set and match on this mark.

config NETFILTER_XT_SET
	tristate 'set target and match support'
	depends on IP_SET
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "SET" target and "set" match.

	  Using this target and match, you can add/delete and match
	  elements in the sets created by ipset(8).

	  To compile it as a module, choose M here. If unsure, say N.

# alphabetically ordered list of targets

comment "Xtables targets"

config NETFILTER_XT_TARGET_AUDIT
	tristate "AUDIT target support"
	depends on AUDIT
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `AUDIT' target, which can be used to create
	  audit records for packets dropped/accepted.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CHECKSUM
	tristate "CHECKSUM target support"
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
	  table to work around buggy DHCP clients in virtualized environments.

	  Some old DHCP clients drop packets because they are not aware
	  that the checksum would normally be offloaded to hardware and
	  thus should be considered valid.
	  This target can be used to fill in the checksum using iptables
	  when such packets are sent via a virtual network device.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CLASSIFY
	tristate '"CLASSIFY" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CONNMARK
	tristate '"CONNMARK" target support'
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_CONNMARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).

config NETFILTER_XT_TARGET_CONNSECMARK
	tristate '"CONNSECMARK" target support'
	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  The CONNSECMARK target copies security markings from packets
	  to connections, and restores security markings from connections
	  to packets (if the packets are not already marked). This would
	  normally be used in conjunction with the SECMARK target.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_CT
	tristate '"CT" target support'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `CT' target, which allows you to specify initial
	  connection tracking parameters like events to be delivered and
	  the helper to be used.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_DSCP
	tristate '"DSCP" and "TOS" target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `DSCP' target, which allows you to manipulate
	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).

	  The DSCP field can have any value between 0x0 and 0x3f inclusive.

	  It also adds the "TOS" target, which allows you to create rules in
	  the "mangle" table which alter the Type Of Service field of an IPv4
	  or the Priority field of an IPv6 packet, prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on IP_NF_MANGLE || IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
	  targets, which enable the user to change the
	  hoplimit/time-to-live value of the IP header.

	  While it is safe to decrement the hoplimit/TTL value, the
	  modules also allow you to increment and set the hoplimit value of
	  the header to arbitrary values. This is EXTREMELY DANGEROUS
	  since you can easily create immortal packets that loop
	  forever on the network.

config NETFILTER_XT_TARGET_HMARK
	tristate '"HMARK" target support'
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NETFILTER_ADVANCED
	help
	  This option adds the "HMARK" target.

	  The target allows you to create rules in the "raw" and "mangle" tables
	  which set the skbuff mark by means of hash calculation within a given
	  range. The nfmark can influence the routing method and can also be used
	  by other subsystems to change their behaviour.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on NETFILTER_ADVANCED
	help
	  This option adds the `IDLETIMER' target. Each matching packet
	  resets the timer associated with the label specified when the rule is
	  added. When the timer expires, it triggers a sysfs notification.
	  The remaining time for expiration can be read via sysfs.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_LED
	tristate '"LED" target support'
	depends on LEDS_CLASS && LEDS_TRIGGERS
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `LED' target, which allows you to blink LEDs in
	  response to particular packets passing through your machine.

	  This can be used to turn a spare LED into a network activity LED,
	  which only flashes in response to FTP transfers, for example. Or
	  you could have an LED which lights up for a minute or two every time
	  somebody connects to your machine via SSH.

	  You will need support for the "led" class to make this work.

	  To create an LED trigger for incoming SSH traffic:
	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000

	  Then attach the new trigger to an LED on your system:
	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger

	  For more information on the LEDs available on your system, see
	  Documentation/leds/leds-class.rst

config NETFILTER_XT_TARGET_LOG
	tristate "LOG target support"
	select NF_LOG_SYSLOG
	select NF_LOG_IPV6 if IP6_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_MARK
	tristate '"MARK" target support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MARK
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).

config NETFILTER_XT_NAT
	tristate '"SNAT and DNAT" targets support'
	depends on NF_NAT
	help
	  This option enables the SNAT and DNAT targets.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NETMAP
	tristate '"NETMAP" target support'
	depends on NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFLOG
	tristate '"NFLOG" target support'
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK_LOG
	help
	  This option enables the NFLOG target, which allows logging
	  messages through nfnetlink_log.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NFQUEUE
	tristate '"NFQUEUE" target Support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK_QUEUE
	help
	  This target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_NOTRACK
	tristate '"NOTRACK" target support (DEPRECATED)'
	depends on NF_CONNTRACK
	depends on IP_NF_RAW || IP6_NF_RAW
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_CT

config NETFILTER_XT_TARGET_RATEEST
	tristate '"RATEEST" target support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.

	  To compile it as a module, choose M here. If unsure, say N.

config NETFILTER_XT_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	select NF_NAT_REDIRECT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.
1035 1036config NETFILTER_XT_TARGET_MASQUERADE 1037 tristate "MASQUERADE target support" 1038 depends on NF_NAT 1039 default m if NETFILTER_ADVANCED=n 1040 select NF_NAT_MASQUERADE 1041 help 1042 Masquerading is a special case of NAT: all outgoing connections are 1043 changed to seem to come from a particular interface's address, and 1044 if the interface goes down, those connections are lost. This is 1045 only useful for dialup accounts with dynamic IP address (ie. your IP 1046 address will be different on next dialup). 1047 1048 To compile it as a module, choose M here. If unsure, say N. 1049 1050config NETFILTER_XT_TARGET_TEE 1051 tristate '"TEE" - packet cloning to alternate destination' 1052 depends on NETFILTER_ADVANCED 1053 depends on IPV6 || IPV6=n 1054 depends on !NF_CONNTRACK || NF_CONNTRACK 1055 depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES 1056 select NF_DUP_IPV4 1057 select NF_DUP_IPV6 if IP6_NF_IPTABLES 1058 help 1059 This option adds a "TEE" target with which a packet can be cloned and 1060 this clone be rerouted to another nexthop. 1061 1062config NETFILTER_XT_TARGET_TPROXY 1063 tristate '"TPROXY" target transparent proxying support' 1064 depends on NETFILTER_XTABLES 1065 depends on NETFILTER_ADVANCED 1066 depends on IPV6 || IPV6=n 1067 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1068 depends on IP_NF_MANGLE 1069 select NF_DEFRAG_IPV4 1070 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 1071 select NF_TPROXY_IPV4 1072 select NF_TPROXY_IPV6 if IP6_NF_IPTABLES 1073 help 1074 This option adds a `TPROXY' target, which is somewhat similar to 1075 REDIRECT. It can only be used in the mangle table and is useful 1076 to redirect traffic to a transparent proxy. It does _not_ depend 1077 on Netfilter connection tracking and NAT, unlike REDIRECT. 1078 For it to work you will have to configure certain iptables rules 1079 and use policy routing. For more information on how to set it up 1080 see Documentation/networking/tproxy.rst. 
1081 1082 To compile it as a module, choose M here. If unsure, say N. 1083 1084config NETFILTER_XT_TARGET_TRACE 1085 tristate '"TRACE" target support' 1086 depends on IP_NF_RAW || IP6_NF_RAW 1087 depends on NETFILTER_ADVANCED 1088 help 1089 The TRACE target allows you to mark packets so that the kernel 1090 will log every rule which match the packets as those traverse 1091 the tables, chains, rules. 1092 1093 If you want to compile it as a module, say M here and read 1094 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1095 1096config NETFILTER_XT_TARGET_SECMARK 1097 tristate '"SECMARK" target support' 1098 depends on NETWORK_SECMARK 1099 default m if NETFILTER_ADVANCED=n 1100 help 1101 The SECMARK target allows security marking of network 1102 packets, for use with security subsystems. 1103 1104 To compile it as a module, choose M here. If unsure, say N. 1105 1106config NETFILTER_XT_TARGET_TCPMSS 1107 tristate '"TCPMSS" target support' 1108 depends on IPV6 || IPV6=n 1109 default m if NETFILTER_ADVANCED=n 1110 help 1111 This option adds a `TCPMSS' target, which allows you to alter the 1112 MSS value of TCP SYN packets, to control the maximum size for that 1113 connection (usually limiting it to your outgoing interface's MTU 1114 minus 40). 1115 1116 This is used to overcome criminally braindead ISPs or servers which 1117 block ICMP Fragmentation Needed packets. The symptoms of this 1118 problem are that everything works fine from your Linux 1119 firewall/router, but machines behind it can never exchange large 1120 packets: 1121 1) Web browsers connect, then hang with no data received. 1122 2) Small mail works fine, but large emails hang. 1123 3) ssh works fine, but scp hangs after initial handshaking. 1124 1125 Workaround: activate this option and add a rule to your firewall 1126 configuration like: 1127 1128 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ 1129 -j TCPMSS --clamp-mss-to-pmtu 1130 1131 To compile it as a module, choose M here. 
If unsure, say N. 1132 1133config NETFILTER_XT_TARGET_TCPOPTSTRIP 1134 tristate '"TCPOPTSTRIP" target support' 1135 depends on IP_NF_MANGLE || IP6_NF_MANGLE 1136 depends on NETFILTER_ADVANCED 1137 help 1138 This option adds a "TCPOPTSTRIP" target, which allows you to strip 1139 TCP options from TCP packets. 1140 1141# alphabetically ordered list of matches 1142 1143comment "Xtables matches" 1144 1145config NETFILTER_XT_MATCH_ADDRTYPE 1146 tristate '"addrtype" address type match support' 1147 default m if NETFILTER_ADVANCED=n 1148 help 1149 This option allows you to match what routing thinks of an address, 1150 eg. UNICAST, LOCAL, BROADCAST, ... 1151 1152 If you want to compile it as a module, say M here and read 1153 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1154 1155config NETFILTER_XT_MATCH_BPF 1156 tristate '"bpf" match support' 1157 depends on NETFILTER_ADVANCED 1158 help 1159 BPF matching applies a linux socket filter to each packet and 1160 accepts those for which the filter returns non-zero. 1161 1162 To compile it as a module, choose M here. If unsure, say N. 1163 1164config NETFILTER_XT_MATCH_CGROUP 1165 tristate '"control group" match support' 1166 depends on NETFILTER_ADVANCED 1167 depends on CGROUPS 1168 select CGROUP_NET_CLASSID 1169 help 1170 Socket/process control group matching allows you to match locally 1171 generated packets based on which net_cls control group processes 1172 belong to. 1173 1174config NETFILTER_XT_MATCH_CLUSTER 1175 tristate '"cluster" match support' 1176 depends on NF_CONNTRACK 1177 depends on NETFILTER_ADVANCED 1178 help 1179 This option allows you to build work-load-sharing clusters of 1180 network servers/stateful firewalls without having a dedicated 1181 load-balancing router/server/switch. Basically, this match returns 1182 true when the packet must be handled by this cluster node. Thus, 1183 all nodes see all packets and this match decides which node handles 1184 what packets. 
The work-load sharing algorithm is based on source 1185 address hashing. 1186 1187 If you say Y or M here, try `iptables -m cluster --help` for 1188 more information. 1189 1190config NETFILTER_XT_MATCH_COMMENT 1191 tristate '"comment" match support' 1192 depends on NETFILTER_ADVANCED 1193 help 1194 This option adds a `comment' dummy-match, which allows you to put 1195 comments in your iptables ruleset. 1196 1197 If you want to compile it as a module, say M here and read 1198 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1199 1200config NETFILTER_XT_MATCH_CONNBYTES 1201 tristate '"connbytes" per-connection counter match support' 1202 depends on NF_CONNTRACK 1203 depends on NETFILTER_ADVANCED 1204 help 1205 This option adds a `connbytes' match, which allows you to match the 1206 number of bytes and/or packets for each direction within a connection. 1207 1208 If you want to compile it as a module, say M here and read 1209 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1210 1211config NETFILTER_XT_MATCH_CONNLABEL 1212 tristate '"connlabel" match support' 1213 select NF_CONNTRACK_LABELS 1214 depends on NF_CONNTRACK 1215 depends on NETFILTER_ADVANCED 1216 help 1217 This match allows you to test and assign userspace-defined labels names 1218 to a connection. The kernel only stores bit values - mapping 1219 names to bits is done by userspace. 1220 1221 Unlike connmark, more than 32 flag bits may be assigned to a 1222 connection simultaneously. 1223 1224config NETFILTER_XT_MATCH_CONNLIMIT 1225 tristate '"connlimit" match support' 1226 depends on NF_CONNTRACK 1227 depends on NETFILTER_ADVANCED 1228 select NETFILTER_CONNCOUNT 1229 help 1230 This match allows you to match against the number of parallel 1231 connections to a server per client IP address (or address block). 
1232 1233config NETFILTER_XT_MATCH_CONNMARK 1234 tristate '"connmark" connection mark match support' 1235 depends on NF_CONNTRACK 1236 depends on NETFILTER_ADVANCED 1237 select NETFILTER_XT_CONNMARK 1238 help 1239 This is a backwards-compat option for the user's convenience 1240 (e.g. when running oldconfig). It selects 1241 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 1242 1243config NETFILTER_XT_MATCH_CONNTRACK 1244 tristate '"conntrack" connection tracking match support' 1245 depends on NF_CONNTRACK 1246 default m if NETFILTER_ADVANCED=n 1247 help 1248 This is a general conntrack match module, a superset of the state match. 1249 1250 It allows matching on additional conntrack information, which is 1251 useful in complex configurations, such as NAT gateways with multiple 1252 internet links or tunnels. 1253 1254 To compile it as a module, choose M here. If unsure, say N. 1255 1256config NETFILTER_XT_MATCH_CPU 1257 tristate '"cpu" match support' 1258 depends on NETFILTER_ADVANCED 1259 help 1260 CPU matching allows you to match packets based on the CPU 1261 currently handling the packet. 1262 1263 To compile it as a module, choose M here. If unsure, say N. 1264 1265config NETFILTER_XT_MATCH_DCCP 1266 tristate '"dccp" protocol match support' 1267 depends on NETFILTER_ADVANCED 1268 default IP_DCCP 1269 help 1270 With this option enabled, you will be able to use the iptables 1271 `dccp' match in order to match on DCCP source/destination ports 1272 and DCCP flags. 1273 1274 If you want to compile it as a module, say M here and read 1275 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1276 1277config NETFILTER_XT_MATCH_DEVGROUP 1278 tristate '"devgroup" match support' 1279 depends on NETFILTER_ADVANCED 1280 help 1281 This options adds a `devgroup' match, which allows to match on the 1282 device group a network device is assigned to. 1283 1284 To compile it as a module, choose M here. If unsure, say N. 
1285 1286config NETFILTER_XT_MATCH_DSCP 1287 tristate '"dscp" and "tos" match support' 1288 depends on NETFILTER_ADVANCED 1289 help 1290 This option adds a `DSCP' match, which allows you to match against 1291 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 1292 1293 The DSCP field can have any value between 0x0 and 0x3f inclusive. 1294 1295 It will also add a "tos" match, which allows you to match packets 1296 based on the Type Of Service fields of the IPv4 packet (which share 1297 the same bits as DSCP). 1298 1299 To compile it as a module, choose M here. If unsure, say N. 1300 1301config NETFILTER_XT_MATCH_ECN 1302 tristate '"ecn" match support' 1303 depends on NETFILTER_ADVANCED 1304 help 1305 This option adds an "ECN" match, which allows you to match against 1306 the IPv4 and TCP header ECN fields. 1307 1308 To compile it as a module, choose M here. If unsure, say N. 1309 1310config NETFILTER_XT_MATCH_ESP 1311 tristate '"esp" match support' 1312 depends on NETFILTER_ADVANCED 1313 help 1314 This match extension allows you to match a range of SPIs 1315 inside ESP header of IPSec packets. 1316 1317 To compile it as a module, choose M here. If unsure, say N. 1318 1319config NETFILTER_XT_MATCH_HASHLIMIT 1320 tristate '"hashlimit" match support' 1321 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1322 depends on NETFILTER_ADVANCED 1323 help 1324 This option adds a `hashlimit' match. 1325 1326 As opposed to `limit', this match dynamically creates a hash table 1327 of limit buckets, based on your selection of source/destination 1328 addresses and/or ports. 1329 1330 It enables you to express policies like `10kpps for any given 1331 destination address' or `500pps from any given source address' 1332 with a single rule. 
1333 1334config NETFILTER_XT_MATCH_HELPER 1335 tristate '"helper" match support' 1336 depends on NF_CONNTRACK 1337 depends on NETFILTER_ADVANCED 1338 help 1339 Helper matching allows you to match packets in dynamic connections 1340 tracked by a conntrack-helper, ie. nf_conntrack_ftp 1341 1342 To compile it as a module, choose M here. If unsure, say Y. 1343 1344config NETFILTER_XT_MATCH_HL 1345 tristate '"hl" hoplimit/TTL match support' 1346 depends on NETFILTER_ADVANCED 1347 help 1348 HL matching allows you to match packets based on the hoplimit 1349 in the IPv6 header, or the time-to-live field in the IPv4 1350 header of the packet. 1351 1352config NETFILTER_XT_MATCH_IPCOMP 1353 tristate '"ipcomp" match support' 1354 depends on NETFILTER_ADVANCED 1355 help 1356 This match extension allows you to match a range of CPIs(16 bits) 1357 inside IPComp header of IPSec packets. 1358 1359 To compile it as a module, choose M here. If unsure, say N. 1360 1361config NETFILTER_XT_MATCH_IPRANGE 1362 tristate '"iprange" address range match support' 1363 depends on NETFILTER_ADVANCED 1364 help 1365 This option adds a "iprange" match, which allows you to match based on 1366 an IP address range. (Normal iptables only matches on single addresses 1367 with an optional mask.) 1368 1369 If unsure, say M. 1370 1371config NETFILTER_XT_MATCH_IPVS 1372 tristate '"ipvs" match support' 1373 depends on IP_VS 1374 depends on NETFILTER_ADVANCED 1375 depends on NF_CONNTRACK 1376 help 1377 This option allows you to match against IPVS properties of a packet. 1378 1379 If unsure, say N. 1380 1381config NETFILTER_XT_MATCH_L2TP 1382 tristate '"l2tp" match support' 1383 depends on NETFILTER_ADVANCED 1384 default L2TP 1385 help 1386 This option adds an "L2TP" match, which allows you to match against 1387 L2TP protocol header fields. 1388 1389 To compile it as a module, choose M here. If unsure, say N. 
1390 1391config NETFILTER_XT_MATCH_LENGTH 1392 tristate '"length" match support' 1393 depends on NETFILTER_ADVANCED 1394 help 1395 This option allows you to match the length of a packet against a 1396 specific value or range of values. 1397 1398 To compile it as a module, choose M here. If unsure, say N. 1399 1400config NETFILTER_XT_MATCH_LIMIT 1401 tristate '"limit" match support' 1402 depends on NETFILTER_ADVANCED 1403 help 1404 limit matching allows you to control the rate at which a rule can be 1405 matched: mainly useful in combination with the LOG target ("LOG 1406 target support", below) and to avoid some Denial of Service attacks. 1407 1408 To compile it as a module, choose M here. If unsure, say N. 1409 1410config NETFILTER_XT_MATCH_MAC 1411 tristate '"mac" address match support' 1412 depends on NETFILTER_ADVANCED 1413 help 1414 MAC matching allows you to match packets based on the source 1415 Ethernet address of the packet. 1416 1417 To compile it as a module, choose M here. If unsure, say N. 1418 1419config NETFILTER_XT_MATCH_MARK 1420 tristate '"mark" match support' 1421 depends on NETFILTER_ADVANCED 1422 select NETFILTER_XT_MARK 1423 help 1424 This is a backwards-compat option for the user's convenience 1425 (e.g. when running oldconfig). It selects 1426 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 1427 1428config NETFILTER_XT_MATCH_MULTIPORT 1429 tristate '"multiport" Multiple port match support' 1430 depends on NETFILTER_ADVANCED 1431 help 1432 Multiport matching allows you to match TCP or UDP packets based on 1433 a series of source or destination ports: normally a rule can only 1434 match a single range of ports. 1435 1436 To compile it as a module, choose M here. If unsure, say N. 1437 1438config NETFILTER_XT_MATCH_NFACCT 1439 tristate '"nfacct" match support' 1440 depends on NETFILTER_ADVANCED 1441 select NETFILTER_NETLINK_ACCT 1442 help 1443 This option allows you to use the extended accounting through 1444 nfnetlink_acct. 
1445 1446 To compile it as a module, choose M here. If unsure, say N. 1447 1448config NETFILTER_XT_MATCH_OSF 1449 tristate '"osf" Passive OS fingerprint match' 1450 depends on NETFILTER_ADVANCED 1451 select NETFILTER_NETLINK_OSF 1452 help 1453 This option selects the Passive OS Fingerprinting match module 1454 that allows to passively match the remote operating system by 1455 analyzing incoming TCP SYN packets. 1456 1457 Rules and loading software can be downloaded from 1458 http://www.ioremap.net/projects/osf 1459 1460 To compile it as a module, choose M here. If unsure, say N. 1461 1462config NETFILTER_XT_MATCH_OWNER 1463 tristate '"owner" match support' 1464 depends on NETFILTER_ADVANCED 1465 help 1466 Socket owner matching allows you to match locally-generated packets 1467 based on who created the socket: the user or group. It is also 1468 possible to check whether a socket actually exists. 1469 1470config NETFILTER_XT_MATCH_POLICY 1471 tristate 'IPsec "policy" match support' 1472 depends on XFRM 1473 default m if NETFILTER_ADVANCED=n 1474 help 1475 Policy matching allows you to match packets based on the 1476 IPsec policy that was used during decapsulation/will 1477 be used during encapsulation. 1478 1479 To compile it as a module, choose M here. If unsure, say N. 1480 1481config NETFILTER_XT_MATCH_PHYSDEV 1482 tristate '"physdev" match support' 1483 depends on BRIDGE && BRIDGE_NETFILTER 1484 depends on NETFILTER_ADVANCED 1485 help 1486 Physdev packet matching matches against the physical bridge ports 1487 the IP packet arrived on or will leave by. 1488 1489 To compile it as a module, choose M here. If unsure, say N. 1490 1491config NETFILTER_XT_MATCH_PKTTYPE 1492 tristate '"pkttype" packet type match support' 1493 depends on NETFILTER_ADVANCED 1494 help 1495 Packet type matching allows you to match a packet by 1496 its "class", eg. BROADCAST, MULTICAST, ... 
1497 1498 Typical usage: 1499 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG 1500 1501 To compile it as a module, choose M here. If unsure, say N. 1502 1503config NETFILTER_XT_MATCH_QUOTA 1504 tristate '"quota" match support' 1505 depends on NETFILTER_ADVANCED 1506 help 1507 This option adds a `quota' match, which allows to match on a 1508 byte counter. 1509 1510 If you want to compile it as a module, say M here and read 1511 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1512 1513config NETFILTER_XT_MATCH_QUOTA2 1514 tristate '"quota2" match support' 1515 depends on NETFILTER_ADVANCED 1516 help 1517 This option adds a `quota2' match, which allows to match on a 1518 byte counter correctly and not per CPU. 1519 It allows naming the quotas. 1520 This is based on http://xtables-addons.git.sourceforge.net 1521 1522 If you want to compile it as a module, say M here and read 1523 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 1524 1525config NETFILTER_XT_MATCH_QUOTA2_LOG 1526 bool '"quota2" Netfilter LOG support' 1527 depends on NETFILTER_XT_MATCH_QUOTA2 1528 default n 1529 help 1530 This option allows `quota2' to log ONCE when a quota limit 1531 is passed. It logs via NETLINK using the NETLINK_NFLOG family. 1532 It logs similarly to how ipt_ULOG would without data. 1533 1534 If unsure, say `N'. 1535 1536config NETFILTER_XT_MATCH_RATEEST 1537 tristate '"rateest" match support' 1538 depends on NETFILTER_ADVANCED 1539 select NETFILTER_XT_TARGET_RATEEST 1540 help 1541 This option adds a `rateest' match, which allows to match on the 1542 rate estimated by the RATEEST target. 1543 1544 To compile it as a module, choose M here. If unsure, say N. 1545 1546config NETFILTER_XT_MATCH_REALM 1547 tristate '"realm" match support' 1548 depends on NETFILTER_ADVANCED 1549 select IP_ROUTE_CLASSID 1550 help 1551 This option adds a `realm' match, which allows you to use the realm 1552 key from the routing subsystem inside iptables. 
1553 1554 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 1555 in tc world. 1556 1557 If you want to compile it as a module, say M here and read 1558 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1559 1560config NETFILTER_XT_MATCH_RECENT 1561 tristate '"recent" match support' 1562 depends on NETFILTER_ADVANCED 1563 help 1564 This match is used for creating one or many lists of recently 1565 used addresses and then matching against that/those list(s). 1566 1567 Short options are available by using 'iptables -m recent -h' 1568 Official Website: <http://snowman.net/projects/ipt_recent/> 1569 1570config NETFILTER_XT_MATCH_SCTP 1571 tristate '"sctp" protocol match support' 1572 depends on NETFILTER_ADVANCED 1573 default IP_SCTP 1574 help 1575 With this option enabled, you will be able to use the 1576 `sctp' match in order to match on SCTP source/destination ports 1577 and SCTP chunk types. 1578 1579 If you want to compile it as a module, say M here and read 1580 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1581 1582config NETFILTER_XT_MATCH_SOCKET 1583 tristate '"socket" match support' 1584 depends on NETFILTER_XTABLES 1585 depends on NETFILTER_ADVANCED 1586 depends on IPV6 || IPV6=n 1587 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1588 select NF_SOCKET_IPV4 1589 select NF_SOCKET_IPV6 if IP6_NF_IPTABLES 1590 select NF_DEFRAG_IPV4 1591 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 1592 help 1593 This option adds a `socket' match, which can be used to match 1594 packets for which a TCP or UDP socket lookup finds a valid socket. 1595 It can be used in combination with the MARK target and policy 1596 routing to implement full featured non-locally bound sockets. 1597 1598 To compile it as a module, choose M here. If unsure, say N. 
1599 1600config NETFILTER_XT_MATCH_STATE 1601 tristate '"state" match support' 1602 depends on NF_CONNTRACK 1603 default m if NETFILTER_ADVANCED=n 1604 help 1605 Connection state matching allows you to match packets based on their 1606 relationship to a tracked connection (ie. previous packets). This 1607 is a powerful tool for packet classification. 1608 1609 To compile it as a module, choose M here. If unsure, say N. 1610 1611config NETFILTER_XT_MATCH_STATISTIC 1612 tristate '"statistic" match support' 1613 depends on NETFILTER_ADVANCED 1614 help 1615 This option adds a `statistic' match, which allows you to match 1616 on packets periodically or randomly with a given percentage. 1617 1618 To compile it as a module, choose M here. If unsure, say N. 1619 1620config NETFILTER_XT_MATCH_STRING 1621 tristate '"string" match support' 1622 depends on NETFILTER_ADVANCED 1623 select TEXTSEARCH 1624 select TEXTSEARCH_KMP 1625 select TEXTSEARCH_BM 1626 select TEXTSEARCH_FSM 1627 help 1628 This option adds a `string' match, which allows you to look for 1629 pattern matchings in packets. 1630 1631 To compile it as a module, choose M here. If unsure, say N. 1632 1633config NETFILTER_XT_MATCH_TCPMSS 1634 tristate '"tcpmss" match support' 1635 depends on NETFILTER_ADVANCED 1636 help 1637 This option adds a `tcpmss' match, which allows you to examine the 1638 MSS value of TCP SYN packets, which control the maximum packet size 1639 for that connection. 1640 1641 To compile it as a module, choose M here. If unsure, say N. 1642 1643config NETFILTER_XT_MATCH_TIME 1644 tristate '"time" match support' 1645 depends on NETFILTER_ADVANCED 1646 help 1647 This option adds a "time" match, which allows you to match based on 1648 the packet arrival time (at the machine which netfilter is running) 1649 on) or departure time/date (for locally generated packets). 1650 1651 If you say Y here, try `iptables -m time --help` for 1652 more information. 
1653 1654 If you want to compile it as a module, say M here. 1655 If unsure, say N. 1656 1657config NETFILTER_XT_MATCH_U32 1658 tristate '"u32" match support' 1659 depends on NETFILTER_ADVANCED 1660 help 1661 u32 allows you to extract quantities of up to 4 bytes from a packet, 1662 AND them with specified masks, shift them by specified amounts and 1663 test whether the results are in any of a set of specified ranges. 1664 The specification of what to extract is general enough to skip over 1665 headers with lengths stored in the packet, as in IP or TCP header 1666 lengths. 1667 1668 Details and examples are in the kernel module source. 1669 1670endif # NETFILTER_XTABLES 1671 1672endmenu 1673 1674source "net/netfilter/ipset/Kconfig" 1675 1676source "net/netfilter/ipvs/Kconfig" 1677