1 # SPDX-License-Identifier: GPL-2.0-only
2 menu "Core Netfilter Configuration"
3 	depends on INET && NETFILTER
4 
5 config NETFILTER_INGRESS
6 	bool "Netfilter ingress support"
7 	default y
8 	select NET_INGRESS
9 	help
10 	  This allows you to classify packets from ingress using the Netfilter
11 	  infrastructure.
12 
13 config NETFILTER_EGRESS
14 	bool "Netfilter egress support"
15 	default y
16 	select NET_EGRESS
17 	help
18 	  This allows you to classify packets before transmission using the
19 	  Netfilter infrastructure.
20 
21 config NETFILTER_SKIP_EGRESS
22 	def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)
23 
24 config NETFILTER_NETLINK
25 	tristate
26 
27 config NETFILTER_FAMILY_BRIDGE
28 	bool
29 
30 config NETFILTER_FAMILY_ARP
31 	bool
32 
33 config NETFILTER_BPF_LINK
34 	def_bool BPF_SYSCALL
35 
36 config NETFILTER_NETLINK_HOOK
37 	tristate "Netfilter base hook dump support"
38 	depends on NETFILTER_ADVANCED
39 	depends on NF_TABLES
40 	select NETFILTER_NETLINK
41 	help
42 	  If this option is enabled, the kernel will include support
43 	  to list the base netfilter hooks via NFNETLINK.
44 	  This is helpful for debugging.
45 
46 config NETFILTER_NETLINK_ACCT
47 	tristate "Netfilter NFACCT over NFNETLINK interface"
48 	depends on NETFILTER_ADVANCED
49 	select NETFILTER_NETLINK
50 	help
51 	  If this option is enabled, the kernel will include support
52 	  for extended accounting via NFNETLINK.
53 
54 config NETFILTER_NETLINK_QUEUE
55 	tristate "Netfilter NFQUEUE over NFNETLINK interface"
56 	depends on NETFILTER_ADVANCED
57 	select NETFILTER_NETLINK
58 	help
59 	  If this option is enabled, the kernel will include support
60 	  for queueing packets via NFNETLINK.
61 
62 config NETFILTER_NETLINK_LOG
63 	tristate "Netfilter LOG over NFNETLINK interface"
64 	default m if NETFILTER_ADVANCED=n
65 	select NETFILTER_NETLINK
66 	help
67 	  If this option is enabled, the kernel will include support
68 	  for logging packets via NFNETLINK.
69 
70 	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
71 	  and is also scheduled to replace the old syslog-based ipt_LOG
72 	  and ip6t_LOG modules.
73 
74 config NETFILTER_NETLINK_OSF
75 	tristate "Netfilter OSF over NFNETLINK interface"
76 	depends on NETFILTER_ADVANCED
77 	select NETFILTER_NETLINK
78 	help
79 	  If this option is enabled, the kernel will include support
80 	  for passive OS fingerprint via NFNETLINK.
81 
82 config NF_CONNTRACK
83 	tristate "Netfilter connection tracking support"
84 	default m if NETFILTER_ADVANCED=n
85 	select NF_DEFRAG_IPV4
86 	select NF_DEFRAG_IPV6 if IPV6 != n
87 	help
88 	  Connection tracking keeps a record of what packets have passed
89 	  through your machine, in order to work out how they are grouped
90 	  into connections.
91 
92 	  This is required to do Masquerading or other kinds of Network
93 	  Address Translation.  It can also be used to enhance packet
94 	  filtering (see `Connection state match support' below).
95 
96 	  To compile it as a module, choose M here.  If unsure, say N.
97 
98 config NF_LOG_SYSLOG
99 	tristate "Syslog packet logging"
100 	default m if NETFILTER_ADVANCED=n
101 	help
102 	  This option enables support for packet logging via syslog.
103 	  It supports IPv4, IPv6, ARP and common transport protocols such
104 	  as TCP and UDP.
105 	  This is a simpler but less flexible logging method compared to
106 	  CONFIG_NETFILTER_NETLINK_LOG.
107 	  If both are enabled the backend to use can be configured at run-time
108 	  by means of per-address-family sysctl tunables.
109 
110 if NF_CONNTRACK
111 config NETFILTER_CONNCOUNT
112 	tristate
113 
114 config NF_CONNTRACK_MARK
115 	bool  'Connection mark tracking support'
116 	depends on NETFILTER_ADVANCED
117 	help
118 	  This option enables support for connection marks, used by the
119 	  `CONNMARK' target and `connmark' match. Similar to the mark value
120 	  of packets, but this mark value is kept in the conntrack session
121 	  instead of the individual packets.
122 
123 config NF_CONNTRACK_SECMARK
124 	bool  'Connection tracking security mark support'
125 	depends on NETWORK_SECMARK
126 	default y if NETFILTER_ADVANCED=n
127 	help
128 	  This option enables security markings to be applied to
129 	  connections.  Typically they are copied to connections from
130 	  packets using the CONNSECMARK target and copied back from
131 	  connections to packets with the same target, with the packets
132 	  being originally labeled via SECMARK.
133 
134 	  If unsure, say 'N'.
135 
136 config NF_CONNTRACK_ZONES
137 	bool  'Connection tracking zones'
138 	depends on NETFILTER_ADVANCED
139 	help
140 	  This option enables support for connection tracking zones.
141 	  Normally, each connection needs to have a unique system wide
142 	  identity. Connection tracking zones allow multiple connections
143 	  to use the same identity, as long as they are contained in
144 	  different zones.
145 
146 	  If unsure, say `N'.
147 
148 config NF_CONNTRACK_PROCFS
149 	bool "Supply CT list in procfs (OBSOLETE)"
150 	depends on PROC_FS
151 	help
152 	This option enables the list of known conntrack entries to be
153 	shown in procfs under net/netfilter/nf_conntrack. This is
154 	considered obsolete in favor of using the conntrack(8) tool,
155 	which uses Netlink.
156 
157 config NF_CONNTRACK_EVENTS
158 	bool "Connection tracking events"
159 	depends on NETFILTER_ADVANCED
160 	help
161 	  If this option is enabled, the connection tracking code will
162 	  provide a notifier chain that can be used by other kernel code
163 	  to get notified about changes in the connection tracking state.
164 
165 	  If unsure, say `N'.
166 
167 config NF_CONNTRACK_TIMEOUT
168 	bool  'Connection tracking timeout'
169 	depends on NETFILTER_ADVANCED
170 	help
171 	  This option enables support for the connection tracking timeout
172 	  extension. This allows you to attach timeout policies to flows
173 	  via the CT target.
174 
175 	  If unsure, say `N'.
176 
177 config NF_CONNTRACK_TIMESTAMP
178 	bool  'Connection tracking timestamping'
179 	depends on NETFILTER_ADVANCED
180 	help
181 	  This option enables support for connection tracking timestamping.
182 	  This allows you to store the flow start-time and to obtain
183 	  the flow-stop time (once it has been destroyed) via Connection
184 	  tracking events.
185 
186 	  If unsure, say `N'.
187 
188 config NF_CONNTRACK_LABELS
189 	bool "Connection tracking labels"
190 	help
191 	  This option enables support for assigning user-defined flag bits
192 	  to connection tracking entries.  It can be used with xtables connlabel
193 	  match and the nftables ct expression.
194 
195 config NF_CONNTRACK_OVS
196 	bool
197 
198 config NF_CT_PROTO_DCCP
199 	bool 'DCCP protocol connection tracking support'
200 	depends on NETFILTER_ADVANCED
201 	default y
202 	help
203 	  With this option enabled, the layer 3 independent connection
204 	  tracking code will be able to do state tracking on DCCP connections.
205 
206 	  If unsure, say Y.
207 
208 config NF_CT_PROTO_GRE
209 	bool
210 
211 config NF_CT_PROTO_SCTP
212 	bool 'SCTP protocol connection tracking support'
213 	depends on NETFILTER_ADVANCED
214 	default y
215 	select LIBCRC32C
216 	help
217 	  With this option enabled, the layer 3 independent connection
218 	  tracking code will be able to do state tracking on SCTP connections.
219 
220 	  If unsure, say Y.
221 
222 config NF_CT_PROTO_UDPLITE
223 	bool 'UDP-Lite protocol connection tracking support'
224 	depends on NETFILTER_ADVANCED
225 	default y
226 	help
227 	  With this option enabled, the layer 3 independent connection
228 	  tracking code will be able to do state tracking on UDP-Lite
229 	  connections.
230 
231 	  If unsure, say Y.
232 
233 config NF_CONNTRACK_AMANDA
234 	tristate "Amanda backup protocol support"
235 	depends on NETFILTER_ADVANCED
236 	select TEXTSEARCH
237 	select TEXTSEARCH_KMP
238 	help
239 	  If you are running the Amanda backup package <http://www.amanda.org/>
240 	  on this machine or machines that will be MASQUERADED through this
241 	  machine, then you may want to enable this feature.  This allows the
242 	  connection tracking and natting code to allow the sub-channels that
243 	  Amanda requires for communication of the backup data, messages and
244 	  index.
245 
246 	  To compile it as a module, choose M here.  If unsure, say N.
247 
248 config NF_CONNTRACK_FTP
249 	tristate "FTP protocol support"
250 	default m if NETFILTER_ADVANCED=n
251 	help
252 	  Tracking FTP connections is problematic: special helpers are
253 	  required for tracking them, and doing masquerading and other forms
254 	  of Network Address Translation on them.
255 
256 	  This is FTP support on Layer 3 independent connection tracking.
257 
258 	  To compile it as a module, choose M here.  If unsure, say N.
259 
260 config NF_CONNTRACK_H323
261 	tristate "H.323 protocol support"
262 	depends on IPV6 || IPV6=n
263 	depends on NETFILTER_ADVANCED
264 	help
265 	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
266 	  important VoIP protocols, it is widely used by voice hardware and
267 	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
268 	  Gnomemeeting, etc.
269 
270 	  With this module you can support H.323 on a connection tracking/NAT
271 	  firewall.
272 
273 	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
274 	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
275 	  whiteboard, file transfer, etc. For more information, please
276 	  visit http://nath323.sourceforge.net/.
277 
278 	  To compile it as a module, choose M here.  If unsure, say N.
279 
280 config NF_CONNTRACK_IRC
281 	tristate "IRC protocol support"
282 	default m if NETFILTER_ADVANCED=n
283 	help
284 	  There is a commonly-used extension to IRC called
285 	  Direct Client-to-Client Protocol (DCC).  This enables users to send
286 	  files to each other, and also chat to each other without the need
287 	  of a server.  DCC Sending is used anywhere you send files over IRC,
288 	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
289 	  using NAT, this extension will enable you to send files and initiate
290 	  chats.  Note that you do NOT need this extension to get files or
291 	  have others initiate chats, or everything else in IRC.
292 
293 	  To compile it as a module, choose M here.  If unsure, say N.
294 
295 config NF_CONNTRACK_BROADCAST
296 	tristate
297 
298 config NF_CONNTRACK_NETBIOS_NS
299 	tristate "NetBIOS name service protocol support"
300 	select NF_CONNTRACK_BROADCAST
301 	help
302 	  NetBIOS name service requests are sent as broadcast messages from an
303 	  unprivileged port and responded to with unicast messages to the
304 	  same port. This makes them hard to firewall properly because connection
305 	  tracking doesn't deal with broadcasts. This helper tracks locally
306 	  originating NetBIOS name service requests and the corresponding
307 	  responses. It relies on correct IP address configuration, specifically
308 	  netmask and broadcast address. When properly configured, the output
309 	  of "ip address show" should look similar to this:
310 
311 	  $ ip -4 address show eth0
312 	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
313 	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
314 
315 	  To compile it as a module, choose M here.  If unsure, say N.
316 
317 config NF_CONNTRACK_SNMP
318 	tristate "SNMP service protocol support"
319 	depends on NETFILTER_ADVANCED
320 	select NF_CONNTRACK_BROADCAST
321 	help
322 	  SNMP service requests are sent as broadcast messages from an
323 	  unprivileged port and responded to with unicast messages to the
324 	  same port. This makes them hard to firewall properly because connection
325 	  tracking doesn't deal with broadcasts. This helper tracks locally
326 	  originating SNMP service requests and the corresponding
327 	  responses. It relies on correct IP address configuration, specifically
328 	  netmask and broadcast address.
329 
330 	  To compile it as a module, choose M here.  If unsure, say N.
331 
332 config NF_CONNTRACK_PPTP
333 	tristate "PPtP protocol support"
334 	depends on NETFILTER_ADVANCED
335 	select NF_CT_PROTO_GRE
336 	help
337 	  This module adds support for PPTP (Point to Point Tunnelling
338 	  Protocol, RFC2637) connection tracking and NAT.
339 
340 	  If you are running PPTP sessions over a stateful firewall or NAT
341 	  box, you may want to enable this feature.
342 
343 	  Please note that not all PPTP modes of operation are supported yet.
344 	  Specifically these limitations exist:
345 	    - Blindly assumes that control connections are always established
346 	      in PNS->PAC direction. This is a violation of RFC2637.
347 	    - Only supports a single call within each session
348 
349 	  To compile it as a module, choose M here.  If unsure, say N.
350 
351 config NF_CONNTRACK_SANE
352 	tristate "SANE protocol support"
353 	depends on NETFILTER_ADVANCED
354 	help
355 	  SANE is a protocol for remote access to scanners as implemented
356 	  by the 'saned' daemon. Like FTP, it uses separate control and
357 	  data connections.
358 
359 	  With this module you can support SANE on a connection tracking
360 	  firewall.
361 
362 	  To compile it as a module, choose M here.  If unsure, say N.
363 
364 config NF_CONNTRACK_SIP
365 	tristate "SIP protocol support"
366 	default m if NETFILTER_ADVANCED=n
367 	help
368 	  SIP is an application-layer control protocol that can establish,
369 	  modify, and terminate multimedia sessions (conferences) such as
370 	  Internet telephony calls. With the nf_conntrack_sip and
371 	  the nf_nat_sip modules you can support the protocol on a connection
372 	  tracking/NATing firewall.
373 
374 	  To compile it as a module, choose M here.  If unsure, say N.
375 
376 config NF_CONNTRACK_TFTP
377 	tristate "TFTP protocol support"
378 	depends on NETFILTER_ADVANCED
379 	help
380 	  TFTP connection tracking helper; whether it is required depends
381 	  on how restrictive your ruleset is.
382 	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
383 	  you will need this.
384 
385 	  To compile it as a module, choose M here.  If unsure, say N.
386 
387 config NF_CT_NETLINK
388 	tristate 'Connection tracking netlink interface'
389 	select NETFILTER_NETLINK
390 	default m if NETFILTER_ADVANCED=n
391 	help
392 	  This option enables support for a netlink-based userspace interface.
393 
394 config NF_CT_NETLINK_TIMEOUT
395 	tristate  'Connection tracking timeout tuning via Netlink'
396 	select NETFILTER_NETLINK
397 	depends on NETFILTER_ADVANCED
398 	depends on NF_CONNTRACK_TIMEOUT
399 	help
400 	  This option enables support for connection tracking timeout
401 	  fine-grain tuning. This allows you to attach specific timeout
402 	  policies to flows, instead of using the global timeout policy.
403 
404 	  If unsure, say `N'.
405 
406 config NF_CT_NETLINK_HELPER
407 	tristate 'Connection tracking helpers in user-space via Netlink'
408 	select NETFILTER_NETLINK
409 	depends on NF_CT_NETLINK
410 	depends on NETFILTER_NETLINK_QUEUE
411 	depends on NETFILTER_NETLINK_GLUE_CT
412 	depends on NETFILTER_ADVANCED
413 	help
414 	  This option enables the user-space connection tracking helpers
415 	  infrastructure.
416 
417 	  If unsure, say `N'.
418 
419 config NETFILTER_NETLINK_GLUE_CT
420 	bool "NFQUEUE and NFLOG integration with Connection Tracking"
421 	default n
422 	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
423 	help
424 	  If this option is enabled, NFQUEUE and NFLOG can include
425 	  Connection Tracking information together with the packet that
426 	  is enqueued via NFNETLINK.
427 
428 config NF_NAT
429 	tristate "Network Address Translation support"
430 	depends on NF_CONNTRACK
431 	default m if NETFILTER_ADVANCED=n
432 	help
433 	  The NAT option allows masquerading, port forwarding and other
434 	  forms of full Network Address Port Translation. This can be
435 	  controlled by iptables, ip6tables or nft.
436 
437 config NF_NAT_AMANDA
438 	tristate
439 	depends on NF_CONNTRACK && NF_NAT
440 	default NF_NAT && NF_CONNTRACK_AMANDA
441 
442 config NF_NAT_FTP
443 	tristate
444 	depends on NF_CONNTRACK && NF_NAT
445 	default NF_NAT && NF_CONNTRACK_FTP
446 
447 config NF_NAT_IRC
448 	tristate
449 	depends on NF_CONNTRACK && NF_NAT
450 	default NF_NAT && NF_CONNTRACK_IRC
451 
452 config NF_NAT_SIP
453 	tristate
454 	depends on NF_CONNTRACK && NF_NAT
455 	default NF_NAT && NF_CONNTRACK_SIP
456 
457 config NF_NAT_TFTP
458 	tristate
459 	depends on NF_CONNTRACK && NF_NAT
460 	default NF_NAT && NF_CONNTRACK_TFTP
461 
462 config NF_NAT_REDIRECT
463 	bool
464 
465 config NF_NAT_MASQUERADE
466 	bool
467 
468 config NF_NAT_OVS
469 	bool
470 
471 config NETFILTER_SYNPROXY
472 	tristate
473 
474 endif # NF_CONNTRACK
475 
476 config NF_TABLES
477 	select NETFILTER_NETLINK
478 	select LIBCRC32C
479 	tristate "Netfilter nf_tables support"
480 	help
481 	  nftables is the new packet classification framework that intends to
482 	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
483 	  provides a pseudo-state machine with an extensible instruction-set
484 	  (also known as expressions) that the userspace 'nft' utility
485 	  (https://www.netfilter.org/projects/nftables) uses to build the
486 	  rule-set. It also comes with the generic set infrastructure that
487 	  allows you to construct mappings between matchings and actions
488 	  for performance lookups.
489 
490 	  To compile it as a module, choose M here.
491 
492 if NF_TABLES
493 config NF_TABLES_INET
494 	depends on IPV6
495 	select NF_TABLES_IPV4
496 	select NF_TABLES_IPV6
497 	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
498 	help
499 	  This option enables support for a mixed IPv4/IPv6 "inet" table.
500 
501 config NF_TABLES_NETDEV
502 	bool "Netfilter nf_tables netdev tables support"
503 	help
504 	  This option enables support for the "netdev" table.
505 
506 config NFT_NUMGEN
507 	tristate "Netfilter nf_tables number generator module"
508 	help
509 	  This option adds the number generator expression used to perform
510 	  incremental counting and random numbers bound to an upper limit.
511 
512 config NFT_CT
513 	depends on NF_CONNTRACK
514 	tristate "Netfilter nf_tables conntrack module"
515 	help
516 	  This option adds the "ct" expression that you can use to match
517 	  connection tracking information such as the flow state.
518 
519 config NFT_FLOW_OFFLOAD
520 	depends on NF_CONNTRACK && NF_FLOW_TABLE
521 	tristate "Netfilter nf_tables hardware flow offload module"
522 	help
523 	  This option adds the "flow_offload" expression that you can use to
524 	  choose what flows are placed into the hardware.
525 
526 config NFT_CONNLIMIT
527 	tristate "Netfilter nf_tables connlimit module"
528 	depends on NF_CONNTRACK
529 	depends on NETFILTER_ADVANCED
530 	select NETFILTER_CONNCOUNT
531 	help
532 	  This option adds the "connlimit" expression that you can use to
533 	  rate-limit rule matches per connection.
534 
535 config NFT_LOG
536 	tristate "Netfilter nf_tables log module"
537 	help
538 	  This option adds the "log" expression that you can use to log
539 	  packets matching some criteria.
540 
541 config NFT_LIMIT
542 	tristate "Netfilter nf_tables limit module"
543 	help
544 	  This option adds the "limit" expression that you can use to
545 	  rate-limit rule matches.
546 
547 config NFT_MASQ
548 	depends on NF_CONNTRACK
549 	depends on NF_NAT
550 	select NF_NAT_MASQUERADE
551 	tristate "Netfilter nf_tables masquerade support"
552 	help
553 	  This option adds the "masquerade" expression that you can use
554 	  to perform NAT in the masquerade flavour.
555 
556 config NFT_REDIR
557 	depends on NF_CONNTRACK
558 	depends on NF_NAT
559 	tristate "Netfilter nf_tables redirect support"
560 	select NF_NAT_REDIRECT
561 	help
562 	  This option adds the "redirect" expression that you can use
563 	  to perform NAT in the redirect flavour.
564 
565 config NFT_NAT
566 	depends on NF_CONNTRACK
567 	select NF_NAT
568 	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
569 	tristate "Netfilter nf_tables nat module"
570 	help
571 	  This option adds the "nat" expression that you can use to perform
572 	  typical Network Address Translation (NAT) packet transformations.
573 
574 config NFT_TUNNEL
575 	tristate "Netfilter nf_tables tunnel module"
576 	help
577 	  This option adds the "tunnel" expression that you can use to set
578 	  tunneling policies.
579 
580 config NFT_QUEUE
581 	depends on NETFILTER_NETLINK_QUEUE
582 	tristate "Netfilter nf_tables queue module"
583 	help
584 	  This is required if you intend to use the userspace queueing
585 	  infrastructure (also known as NFQUEUE) from nftables.
586 
587 config NFT_QUOTA
588 	tristate "Netfilter nf_tables quota module"
589 	help
590 	  This option adds the "quota" expression that you can use to
591 	  enforce byte quotas.
592 
593 config NFT_REJECT
594 	default m if NETFILTER_ADVANCED=n
595 	tristate "Netfilter nf_tables reject support"
596 	depends on !NF_TABLES_INET || (IPV6!=m || m)
597 	help
598 	  This option adds the "reject" expression that you can use to
599 	  explicitly deny disallowed traffic and notify the sender via a
600 	  TCP reset or an ICMP informational error.
601 
602 config NFT_REJECT_INET
603 	depends on NF_TABLES_INET
604 	default NFT_REJECT
605 	tristate
606 
607 config NFT_COMPAT
608 	depends on NETFILTER_XTABLES
609 	tristate "Netfilter x_tables over nf_tables module"
610 	help
611 	  This is required if you intend to use any of the existing
612 	  x_tables match/target extensions over the nf_tables
613 	  framework.
614 
615 config NFT_HASH
616 	tristate "Netfilter nf_tables hash module"
617 	help
618 	  This option adds the "hash" expression that you can use to perform
619 	  a hash operation on registers.
620 
621 config NFT_FIB
622 	tristate
623 
624 config NFT_FIB_INET
625 	depends on NF_TABLES_INET
626 	depends on NFT_FIB_IPV4
627 	depends on NFT_FIB_IPV6
628 	tristate "Netfilter nf_tables fib inet support"
629 	help
630 	  This option allows using the FIB expression from the inet table.
631 	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
632 	  on the protocol of the packet.
633 
634 config NFT_XFRM
635 	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
636 	depends on XFRM
637 	help
638 	  This option adds an expression that you can use to extract properties
639 	  of a packet's security association.
640 
641 config NFT_SOCKET
642 	tristate "Netfilter nf_tables socket match support"
643 	depends on IPV6 || IPV6=n
644 	select NF_SOCKET_IPV4
645 	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
646 	help
647 	  This option allows matching for the presence or absence of a
648 	  corresponding socket and its attributes.
649 
650 config NFT_OSF
651 	tristate "Netfilter nf_tables passive OS fingerprint support"
652 	depends on NETFILTER_ADVANCED
653 	select NETFILTER_NETLINK_OSF
654 	help
655 	  This option allows matching packets from a specific OS.
656 
657 config NFT_TPROXY
658 	tristate "Netfilter nf_tables tproxy support"
659 	depends on IPV6 || IPV6=n
660 	select NF_DEFRAG_IPV4
661 	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
662 	select NF_TPROXY_IPV4
663 	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
664 	help
665 	  This makes transparent proxy support available in nftables.
666 
667 config NFT_SYNPROXY
668 	tristate "Netfilter nf_tables SYNPROXY expression support"
669 	depends on NF_CONNTRACK && NETFILTER_ADVANCED
670 	select NETFILTER_SYNPROXY
671 	select SYN_COOKIES
672 	help
673 	  The SYNPROXY expression allows you to intercept TCP connections and
674 	  establish them using syncookies before they are passed on to the
675 	  server. This avoids conntrack and server resource usage
676 	  during SYN-flood attacks.
677 
678 if NF_TABLES_NETDEV
679 
680 config NF_DUP_NETDEV
681 	tristate "Netfilter packet duplication support"
682 	help
683 	  This option enables the generic packet duplication infrastructure
684 	  for Netfilter.
685 
686 config NFT_DUP_NETDEV
687 	tristate "Netfilter nf_tables netdev packet duplication support"
688 	select NF_DUP_NETDEV
689 	help
690 	  This option enables packet duplication for the "netdev" family.
691 
692 config NFT_FWD_NETDEV
693 	tristate "Netfilter nf_tables netdev packet forwarding support"
694 	select NF_DUP_NETDEV
695 	help
696 	  This option enables packet forwarding for the "netdev" family.
697 
698 config NFT_FIB_NETDEV
699 	depends on NFT_FIB_IPV4
700 	depends on NFT_FIB_IPV6
701 	tristate "Netfilter nf_tables netdev fib lookups support"
702 	help
703 	  This option allows using the FIB expression from the netdev table.
704 	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
705 	  on the protocol of the packet.
706 
707 config NFT_REJECT_NETDEV
708 	depends on NFT_REJECT_IPV4
709 	depends on NFT_REJECT_IPV6
710 	tristate "Netfilter nf_tables netdev REJECT support"
711 	help
712 	  This option enables the REJECT support from the netdev table.
713 	  The return packet generation will be delegated to the IPv4
714 	  or IPv6 ICMP or TCP RST implementation depending on the
715 	  protocol of the packet.
716 
717 endif # NF_TABLES_NETDEV
718 
719 endif # NF_TABLES
720 
721 config NF_FLOW_TABLE_INET
722 	tristate "Netfilter flow table mixed IPv4/IPv6 module"
723 	depends on NF_FLOW_TABLE
724 	help
725 	  This option adds the flow table mixed IPv4/IPv6 support.
726 
727 	  To compile it as a module, choose M here.
728 
729 config NF_FLOW_TABLE
730 	tristate "Netfilter flow table module"
731 	depends on NETFILTER_INGRESS
732 	depends on NF_CONNTRACK
733 	depends on NF_TABLES
734 	help
735 	  This option adds the flow table core infrastructure.
736 
737 	  To compile it as a module, choose M here.
738 
739 config NF_FLOW_TABLE_PROCFS
740 	bool "Supply flow table statistics in procfs"
741 	depends on NF_FLOW_TABLE
742 	depends on PROC_FS
743 	help
744 	  This option enables the flow table offload statistics
745 	  to be shown in procfs under net/netfilter/nf_flowtable.
746 
747 config NETFILTER_XTABLES
748 	tristate "Netfilter Xtables support (required for ip_tables)"
749 	default m if NETFILTER_ADVANCED=n
750 	help
751 	  This is required if you intend to use any of ip_tables,
752 	  ip6_tables or arp_tables.
753 
754 if NETFILTER_XTABLES
755 
756 config NETFILTER_XTABLES_COMPAT
757 	bool "Netfilter Xtables 32bit support"
758 	depends on COMPAT
759 	help
760 	   This option provides a translation layer to run 32-bit arp, ip(6) and
761 	   ebtables binaries on 64-bit kernels.
762 
763 	   If unsure, say N.
764 
765 comment "Xtables combined modules"
766 
767 config NETFILTER_XT_MARK
768 	tristate 'nfmark target and match support'
769 	default m if NETFILTER_ADVANCED=n
770 	help
771 	This option adds the "MARK" target and "mark" match.
772 
773 	Netfilter mark matching allows you to match packets based on the
774 	"nfmark" value in the packet.
775 	The target allows you to create rules in the "mangle" table which alter
776 	the netfilter mark (nfmark) field associated with the packet.
777 
778 	Prior to routing, the nfmark can influence the routing method and can
779 	also be used by other subsystems to change their behavior.
780 
781 config NETFILTER_XT_CONNMARK
782 	tristate 'ctmark target and match support'
783 	depends on NF_CONNTRACK
784 	depends on NETFILTER_ADVANCED
785 	select NF_CONNTRACK_MARK
786 	help
787 	This option adds the "CONNMARK" target and "connmark" match.
788 
789 	Netfilter allows you to store a mark value per connection (a.k.a.
790 	ctmark), similarly to the packet mark (nfmark). Using this
791 	target and match, you can set and match on this mark.
792 
793 config NETFILTER_XT_SET
794 	tristate 'set target and match support'
795 	depends on IP_SET
796 	depends on NETFILTER_ADVANCED
797 	help
798 	  This option adds the "SET" target and "set" match.
799 
800 	  Using this target and match, you can add/delete and match
801 	  elements in the sets created by ipset(8).
802 
803 	  To compile it as a module, choose M here.  If unsure, say N.
804 
805 # alphabetically ordered list of targets
806 
807 comment "Xtables targets"
808 
809 config NETFILTER_XT_TARGET_AUDIT
810 	tristate "AUDIT target support"
811 	depends on AUDIT
812 	depends on NETFILTER_ADVANCED
813 	help
814 	  This option adds an 'AUDIT' target, which can be used to create
815 	  audit records for packets dropped/accepted.
816 
817 	  To compile it as a module, choose M here. If unsure, say N.
818 
819 config NETFILTER_XT_TARGET_CHECKSUM
820 	tristate "CHECKSUM target support"
821 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
822 	depends on NETFILTER_ADVANCED
823 	help
824 	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
825 	  table to work around buggy DHCP clients in virtualized environments.
826 
827 	  Some old DHCP clients drop packets because they are not aware
828 	  that the checksum would normally be offloaded to hardware and
829 	  thus should be considered valid.
830 	  This target can be used to fill in the checksum using iptables
831 	  when such packets are sent via a virtual network device.
832 
833 	  To compile it as a module, choose M here.  If unsure, say N.
834 
835 config NETFILTER_XT_TARGET_CLASSIFY
836 	tristate '"CLASSIFY" target support'
837 	depends on NETFILTER_ADVANCED
838 	help
839 	  This option adds a `CLASSIFY' target, which enables the user to set
840 	  the priority of a packet. Some qdiscs can use this value for
841 	  classification, among these are:
842 
843 	  atm, cbq, dsmark, pfifo_fast, htb, prio
844 
845 	  To compile it as a module, choose M here.  If unsure, say N.
846 
847 config NETFILTER_XT_TARGET_CONNMARK
848 	tristate  '"CONNMARK" target support'
849 	depends on NF_CONNTRACK
850 	depends on NETFILTER_ADVANCED
851 	select NETFILTER_XT_CONNMARK
852 	help
853 	This is a backwards-compat option for the user's convenience
854 	(e.g. when running oldconfig). It selects
855 	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
856 
857 config NETFILTER_XT_TARGET_CONNSECMARK
858 	tristate '"CONNSECMARK" target support'
859 	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
860 	default m if NETFILTER_ADVANCED=n
861 	help
862 	  The CONNSECMARK target copies security markings from packets
863 	  to connections, and restores security markings from connections
864 	  to packets (if the packets are not already marked).  This would
865 	  normally be used in conjunction with the SECMARK target.
866 
867 	  To compile it as a module, choose M here.  If unsure, say N.
868 
869 config NETFILTER_XT_TARGET_CT
870 	tristate '"CT" target support'
871 	depends on NF_CONNTRACK
872 	depends on IP_NF_RAW || IP6_NF_RAW
873 	depends on NETFILTER_ADVANCED
874 	help
875 	  This option adds a `CT' target, which allows you to specify initial
876 	  connection tracking parameters like events to be delivered and
877 	  the helper to be used.
878 
879 	  To compile it as a module, choose M here.  If unsure, say N.
880 
881 config NETFILTER_XT_TARGET_DSCP
882 	tristate '"DSCP" and "TOS" target support'
883 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
884 	depends on NETFILTER_ADVANCED
885 	help
886 	  This option adds a `DSCP' target, which allows you to manipulate
887 	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
888 
889 	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
890 
891 	  It also adds the "TOS" target, which allows you to create rules in
892 	  the "mangle" table which alter the Type Of Service field of an IPv4
893 	  or the Priority field of an IPv6 packet, prior to routing.
894 
895 	  To compile it as a module, choose M here.  If unsure, say N.
896 
897 config NETFILTER_XT_TARGET_HL
898 	tristate '"HL" hoplimit target support'
899 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
900 	depends on NETFILTER_ADVANCED
901 	help
902 	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
903 	targets, which enable the user to change the
904 	hoplimit/time-to-live value of the IP header.
905 
906 	While it is safe to decrement the hoplimit/TTL value, the
907 	modules also allow you to increment the hoplimit/TTL value or set
908 	it to an arbitrary value. This is EXTREMELY DANGEROUS
909 	since you can easily create immortal packets that loop
910 	forever on the network.
911 
912 config NETFILTER_XT_TARGET_HMARK
913 	tristate '"HMARK" target support'
914 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
915 	depends on NETFILTER_ADVANCED
916 	help
917 	This option adds the "HMARK" target.
918 
919 	The target allows you to create rules in the "raw" and "mangle" tables
920 	which set the skbuff mark by means of hash calculation within a given
921 	range. The nfmark can influence the routing method and can also be used
922 	by other subsystems to change their behaviour.
923 
924 	To compile it as a module, choose M here. If unsure, say N.
925 
926 config NETFILTER_XT_TARGET_IDLETIMER
927 	tristate  "IDLETIMER target support"
928 	depends on NETFILTER_ADVANCED
929 	help
930 
931 	  This option adds the `IDLETIMER' target.  Each matching packet
932 	  resets the timer associated with the label specified when the rule
933 	  was added.  When the timer expires, it triggers a sysfs notification.
934 	  The remaining time until expiration can be read via sysfs.
935 
936 	  To compile it as a module, choose M here.  If unsure, say N.
937 
938 config NETFILTER_XT_TARGET_LED
939 	tristate '"LED" target support'
940 	depends on LEDS_CLASS && LEDS_TRIGGERS
941 	depends on NETFILTER_ADVANCED
942 	help
943 	  This option adds a `LED' target, which allows you to blink LEDs in
944 	  response to particular packets passing through your machine.
945 
946 	  This can be used to turn a spare LED into a network activity LED,
947 	  which only flashes in response to FTP transfers, for example.  Or
948 	  you could have an LED which lights up for a minute or two every time
949 	  somebody connects to your machine via SSH.
950 
951 	  You will need support for the "led" class to make this work.
952 
953 	  To create an LED trigger for incoming SSH traffic:
954 	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
955 
956 	  Then attach the new trigger to an LED on your system:
957 	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
958 
959 	  For more information on the LEDs available on your system, see
960 	  Documentation/leds/leds-class.rst
961 
962 config NETFILTER_XT_TARGET_LOG
963 	tristate "LOG target support"
964 	select NF_LOG_SYSLOG
965 	select NF_LOG_IPV6 if IP6_NF_IPTABLES
966 	default m if NETFILTER_ADVANCED=n
967 	help
968 	  This option adds a `LOG' target, which allows you to create rules in
969 	  any iptables table which records the packet header to the syslog.
970 
971 	  To compile it as a module, choose M here.  If unsure, say N.
972 
973 config NETFILTER_XT_TARGET_MARK
974 	tristate '"MARK" target support'
975 	depends on NETFILTER_ADVANCED
976 	select NETFILTER_XT_MARK
977 	help
978 	This is a backwards-compat option for the user's convenience
979 	(e.g. when running oldconfig). It selects
980 	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
981 
982 config NETFILTER_XT_NAT
983 	tristate '"SNAT and DNAT" targets support'
984 	depends on NF_NAT
985 	help
986 	This option enables the SNAT and DNAT targets.
987 
988 	To compile it as a module, choose M here. If unsure, say N.
989 
990 config NETFILTER_XT_TARGET_NETMAP
991 	tristate '"NETMAP" target support'
992 	depends on NF_NAT
993 	help
994 	NETMAP is an implementation of static 1:1 NAT mapping of network
995 	addresses. It maps the network address part, while keeping the host
996 	address part intact.
997 
998 	To compile it as a module, choose M here. If unsure, say N.
999 
1000 config NETFILTER_XT_TARGET_NFLOG
1001 	tristate '"NFLOG" target support'
1002 	default m if NETFILTER_ADVANCED=n
1003 	select NETFILTER_NETLINK_LOG
1004 	help
1005 	  This option enables the NFLOG target, which allows you to log
1006 	  messages through nfnetlink_log.
1007 
1008 	  To compile it as a module, choose M here.  If unsure, say N.
1009 
1010 config NETFILTER_XT_TARGET_NFQUEUE
1011 	tristate '"NFQUEUE" target Support'
1012 	depends on NETFILTER_ADVANCED
1013 	select NETFILTER_NETLINK_QUEUE
1014 	help
1015 	  This target replaced the old obsolete QUEUE target.
1016 
1017 	  As opposed to QUEUE, it supports 65535 different queues,
1018 	  not just one.
1019 
1020 	  To compile it as a module, choose M here.  If unsure, say N.
1021 
1022 config NETFILTER_XT_TARGET_NOTRACK
1023 	tristate  '"NOTRACK" target support (DEPRECATED)'
1024 	depends on NF_CONNTRACK
1025 	depends on IP_NF_RAW || IP6_NF_RAW
1026 	depends on NETFILTER_ADVANCED
1027 	select NETFILTER_XT_TARGET_CT
1028 
1029 config NETFILTER_XT_TARGET_RATEEST
1030 	tristate '"RATEEST" target support'
1031 	depends on NETFILTER_ADVANCED
1032 	help
1033 	  This option adds a `RATEEST' target, which allows you to measure
1034 	  rates similar to TC estimators. The `rateest' match can be
1035 	  used to match on the measured rates.
1036 
1037 	  To compile it as a module, choose M here.  If unsure, say N.
1038 
1039 config NETFILTER_XT_TARGET_REDIRECT
1040 	tristate "REDIRECT target support"
1041 	depends on NF_NAT
1042 	select NF_NAT_REDIRECT
1043 	help
1044 	REDIRECT is a special case of NAT: all incoming connections are
1045 	mapped onto the incoming interface's address, causing the packets to
1046 	come to the local machine instead of passing through. This is
1047 	useful for transparent proxies.
1048 
1049 	To compile it as a module, choose M here. If unsure, say N.
1050 
1051 config NETFILTER_XT_TARGET_MASQUERADE
1052 	tristate "MASQUERADE target support"
1053 	depends on NF_NAT
1054 	default m if NETFILTER_ADVANCED=n
1055 	select NF_NAT_MASQUERADE
1056 	help
1057 	  Masquerading is a special case of NAT: all outgoing connections are
1058 	  changed to seem to come from a particular interface's address, and
1059 	  if the interface goes down, those connections are lost.  This is
1060 	  only useful for dialup accounts with dynamic IP address (ie. your IP
1061 	  address will be different on next dialup).
1062 
1063 	  To compile it as a module, choose M here.  If unsure, say N.
1064 
1065 config NETFILTER_XT_TARGET_TEE
1066 	tristate '"TEE" - packet cloning to alternate destination'
1067 	depends on NETFILTER_ADVANCED
1068 	depends on IPV6 || IPV6=n
1069 	depends on !NF_CONNTRACK || NF_CONNTRACK
1070 	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1071 	select NF_DUP_IPV4
1072 	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1073 	help
1074 	This option adds a "TEE" target with which a packet can be cloned and
1075 	this clone be rerouted to another nexthop.
1076 
1077 config NETFILTER_XT_TARGET_TPROXY
1078 	tristate '"TPROXY" target transparent proxying support'
1079 	depends on NETFILTER_XTABLES
1080 	depends on NETFILTER_ADVANCED
1081 	depends on IPV6 || IPV6=n
1082 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1083 	depends on IP_NF_MANGLE
1084 	select NF_DEFRAG_IPV4
1085 	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1086 	select NF_TPROXY_IPV4
1087 	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1088 	help
1089 	  This option adds a `TPROXY' target, which is somewhat similar to
1090 	  REDIRECT.  It can only be used in the mangle table and is useful
1091 	  to redirect traffic to a transparent proxy.  It does _not_ depend
1092 	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1093 	  For it to work you will have to configure certain iptables rules
1094 	  and use policy routing. For more information on how to set it up
1095 	  see Documentation/networking/tproxy.rst.
1096 
1097 	  To compile it as a module, choose M here.  If unsure, say N.
1098 
1099 config NETFILTER_XT_TARGET_TRACE
1100 	tristate  '"TRACE" target support'
1101 	depends on IP_NF_RAW || IP6_NF_RAW
1102 	depends on NETFILTER_ADVANCED
1103 	help
1104 	  The TRACE target allows you to mark packets so that the kernel
1105 	  will log every rule that matches the packets as they traverse
1106 	  the tables, chains and rules.
1107 
1108 	  If you want to compile it as a module, say M here and read
1109 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1110 
1111 config NETFILTER_XT_TARGET_SECMARK
1112 	tristate '"SECMARK" target support'
1113 	depends on NETWORK_SECMARK
1114 	default m if NETFILTER_ADVANCED=n
1115 	help
1116 	  The SECMARK target allows security marking of network
1117 	  packets, for use with security subsystems.
1118 
1119 	  To compile it as a module, choose M here.  If unsure, say N.
1120 
1121 config NETFILTER_XT_TARGET_TCPMSS
1122 	tristate '"TCPMSS" target support'
1123 	depends on IPV6 || IPV6=n
1124 	default m if NETFILTER_ADVANCED=n
1125 	help
1126 	  This option adds a `TCPMSS' target, which allows you to alter the
1127 	  MSS value of TCP SYN packets, to control the maximum size for that
1128 	  connection (usually limiting it to your outgoing interface's MTU
1129 	  minus 40).
1130 
1131 	  This is used to overcome criminally braindead ISPs or servers which
1132 	  block ICMP Fragmentation Needed packets.  The symptoms of this
1133 	  problem are that everything works fine from your Linux
1134 	  firewall/router, but machines behind it can never exchange large
1135 	  packets:
1136 	        1) Web browsers connect, then hang with no data received.
1137 	        2) Small mail works fine, but large emails hang.
1138 	        3) ssh works fine, but scp hangs after initial handshaking.
1139 
1140 	  Workaround: activate this option and add a rule to your firewall
1141 	  configuration like:
1142 
1143 	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1144 	                 -j TCPMSS --clamp-mss-to-pmtu
1145 
1146 	  To compile it as a module, choose M here.  If unsure, say N.
1147 
1148 config NETFILTER_XT_TARGET_TCPOPTSTRIP
1149 	tristate '"TCPOPTSTRIP" target support'
1150 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
1151 	depends on NETFILTER_ADVANCED
1152 	help
1153 	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1154 	  TCP options from TCP packets.
1155 
1156 # alphabetically ordered list of matches
1157 
1158 comment "Xtables matches"
1159 
1160 config NETFILTER_XT_MATCH_ADDRTYPE
1161 	tristate '"addrtype" address type match support'
1162 	default m if NETFILTER_ADVANCED=n
1163 	help
1164 	  This option allows you to match what routing thinks of an address,
1165 	  eg. UNICAST, LOCAL, BROADCAST, ...
1166 
1167 	  If you want to compile it as a module, say M here and read
1168 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1169 
1170 config NETFILTER_XT_MATCH_BPF
1171 	tristate '"bpf" match support'
1172 	depends on NETFILTER_ADVANCED
1173 	help
1174 	  BPF matching applies a Linux socket filter to each packet and
1175 	  accepts those for which the filter returns non-zero.
1176 
1177 	  To compile it as a module, choose M here.  If unsure, say N.
1178 
1179 config NETFILTER_XT_MATCH_CGROUP
1180 	tristate '"control group" match support'
1181 	depends on NETFILTER_ADVANCED
1182 	depends on CGROUPS
1183 	select CGROUP_NET_CLASSID
1184 	help
1185 	Socket/process control group matching allows you to match locally
1186 	generated packets based on which net_cls control group processes
1187 	belong to.
1188 
1189 config NETFILTER_XT_MATCH_CLUSTER
1190 	tristate '"cluster" match support'
1191 	depends on NF_CONNTRACK
1192 	depends on NETFILTER_ADVANCED
1193 	help
1194 	  This option allows you to build work-load-sharing clusters of
1195 	  network servers/stateful firewalls without having a dedicated
1196 	  load-balancing router/server/switch. Basically, this match returns
1197 	  true when the packet must be handled by this cluster node. Thus,
1198 	  all nodes see all packets and this match decides which node handles
1199 	  what packets. The work-load sharing algorithm is based on source
1200 	  address hashing.
1201 
1202 	  If you say Y or M here, try `iptables -m cluster --help` for
1203 	  more information.
1204 
1205 config NETFILTER_XT_MATCH_COMMENT
1206 	tristate  '"comment" match support'
1207 	depends on NETFILTER_ADVANCED
1208 	help
1209 	  This option adds a `comment' dummy-match, which allows you to put
1210 	  comments in your iptables ruleset.
1211 
1212 	  If you want to compile it as a module, say M here and read
1213 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1214 
1215 config NETFILTER_XT_MATCH_CONNBYTES
1216 	tristate  '"connbytes" per-connection counter match support'
1217 	depends on NF_CONNTRACK
1218 	depends on NETFILTER_ADVANCED
1219 	help
1220 	  This option adds a `connbytes' match, which allows you to match the
1221 	  number of bytes and/or packets for each direction within a connection.
1222 
1223 	  If you want to compile it as a module, say M here and read
1224 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1225 
1226 config NETFILTER_XT_MATCH_CONNLABEL
1227 	tristate '"connlabel" match support'
1228 	select NF_CONNTRACK_LABELS
1229 	depends on NF_CONNTRACK
1230 	depends on NETFILTER_ADVANCED
1231 	help
1232 	  This match allows you to test and assign userspace-defined label names
1233 	  to a connection.  The kernel only stores bit values - mapping
1234 	  names to bits is done by userspace.
1235 
1236 	  Unlike connmark, more than 32 flag bits may be assigned to a
1237 	  connection simultaneously.
1238 
1239 config NETFILTER_XT_MATCH_CONNLIMIT
1240 	tristate '"connlimit" match support'
1241 	depends on NF_CONNTRACK
1242 	depends on NETFILTER_ADVANCED
1243 	select NETFILTER_CONNCOUNT
1244 	help
1245 	  This match allows you to match against the number of parallel
1246 	  connections to a server per client IP address (or address block).
1247 
1248 config NETFILTER_XT_MATCH_CONNMARK
1249 	tristate  '"connmark" connection mark match support'
1250 	depends on NF_CONNTRACK
1251 	depends on NETFILTER_ADVANCED
1252 	select NETFILTER_XT_CONNMARK
1253 	help
1254 	This is a backwards-compat option for the user's convenience
1255 	(e.g. when running oldconfig). It selects
1256 	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1257 
1258 config NETFILTER_XT_MATCH_CONNTRACK
1259 	tristate '"conntrack" connection tracking match support'
1260 	depends on NF_CONNTRACK
1261 	default m if NETFILTER_ADVANCED=n
1262 	help
1263 	  This is a general conntrack match module, a superset of the state match.
1264 
1265 	  It allows matching on additional conntrack information, which is
1266 	  useful in complex configurations, such as NAT gateways with multiple
1267 	  internet links or tunnels.
1268 
1269 	  To compile it as a module, choose M here.  If unsure, say N.
1270 
1271 config NETFILTER_XT_MATCH_CPU
1272 	tristate '"cpu" match support'
1273 	depends on NETFILTER_ADVANCED
1274 	help
1275 	  CPU matching allows you to match packets based on the CPU
1276 	  currently handling the packet.
1277 
1278 	  To compile it as a module, choose M here.  If unsure, say N.
1279 
1280 config NETFILTER_XT_MATCH_DCCP
1281 	tristate '"dccp" protocol match support'
1282 	depends on NETFILTER_ADVANCED
1283 	default IP_DCCP
1284 	help
1285 	  With this option enabled, you will be able to use the iptables
1286 	  `dccp' match in order to match on DCCP source/destination ports
1287 	  and DCCP flags.
1288 
1289 	  If you want to compile it as a module, say M here and read
1290 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1291 
1292 config NETFILTER_XT_MATCH_DEVGROUP
1293 	tristate '"devgroup" match support'
1294 	depends on NETFILTER_ADVANCED
1295 	help
1296 	  This option adds a `devgroup' match, which allows you to match on the
1297 	  device group a network device is assigned to.
1298 
1299 	  To compile it as a module, choose M here.  If unsure, say N.
1300 
1301 config NETFILTER_XT_MATCH_DSCP
1302 	tristate '"dscp" and "tos" match support'
1303 	depends on NETFILTER_ADVANCED
1304 	help
1305 	  This option adds a `DSCP' match, which allows you to match against
1306 	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1307 
1308 	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1309 
1310 	  It will also add a "tos" match, which allows you to match packets
1311 	  based on the Type Of Service fields of the IPv4 packet (which share
1312 	  the same bits as DSCP).
1313 
1314 	  To compile it as a module, choose M here.  If unsure, say N.
1315 
1316 config NETFILTER_XT_MATCH_ECN
1317 	tristate '"ecn" match support'
1318 	depends on NETFILTER_ADVANCED
1319 	help
1320 	This option adds an "ECN" match, which allows you to match against
1321 	the IPv4 and TCP header ECN fields.
1322 
1323 	To compile it as a module, choose M here. If unsure, say N.
1324 
1325 config NETFILTER_XT_MATCH_ESP
1326 	tristate '"esp" match support'
1327 	depends on NETFILTER_ADVANCED
1328 	help
1329 	  This match extension allows you to match a range of SPIs
1330 	  inside the ESP header of IPsec packets.
1331 
1332 	  To compile it as a module, choose M here.  If unsure, say N.
1333 
1334 config NETFILTER_XT_MATCH_HASHLIMIT
1335 	tristate '"hashlimit" match support'
1336 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1337 	depends on NETFILTER_ADVANCED
1338 	help
1339 	  This option adds a `hashlimit' match.
1340 
1341 	  As opposed to `limit', this match dynamically creates a hash table
1342 	  of limit buckets, based on your selection of source/destination
1343 	  addresses and/or ports.
1344 
1345 	  It enables you to express policies like `10kpps for any given
1346 	  destination address' or `500pps from any given source address'
1347 	  with a single rule.
1348 
1349 config NETFILTER_XT_MATCH_HELPER
1350 	tristate '"helper" match support'
1351 	depends on NF_CONNTRACK
1352 	depends on NETFILTER_ADVANCED
1353 	help
1354 	  Helper matching allows you to match packets in dynamic connections
1355 	  tracked by a conntrack helper, e.g. nf_conntrack_ftp.
1356 
1357 	  To compile it as a module, choose M here.  If unsure, say Y.
1358 
1359 config NETFILTER_XT_MATCH_HL
1360 	tristate '"hl" hoplimit/TTL match support'
1361 	depends on NETFILTER_ADVANCED
1362 	help
1363 	HL matching allows you to match packets based on the hoplimit
1364 	in the IPv6 header, or the time-to-live field in the IPv4
1365 	header of the packet.
1366 
1367 config NETFILTER_XT_MATCH_IPCOMP
1368 	tristate '"ipcomp" match support'
1369 	depends on NETFILTER_ADVANCED
1370 	help
1371 	  This match extension allows you to match a range of CPIs (16 bits)
1372 	  inside the IPComp header of IPsec packets.
1373 
1374 	  To compile it as a module, choose M here.  If unsure, say N.
1375 
1376 config NETFILTER_XT_MATCH_IPRANGE
1377 	tristate '"iprange" address range match support'
1378 	depends on NETFILTER_ADVANCED
1379 	help
1380 	This option adds an "iprange" match, which allows you to match based on
1381 	an IP address range. (Normal iptables only matches on single addresses
1382 	with an optional mask.)
1383 
1384 	If unsure, say M.
1385 
1386 config NETFILTER_XT_MATCH_IPVS
1387 	tristate '"ipvs" match support'
1388 	depends on IP_VS
1389 	depends on NETFILTER_ADVANCED
1390 	depends on NF_CONNTRACK
1391 	help
1392 	  This option allows you to match against IPVS properties of a packet.
1393 
1394 	  If unsure, say N.
1395 
1396 config NETFILTER_XT_MATCH_L2TP
1397 	tristate '"l2tp" match support'
1398 	depends on NETFILTER_ADVANCED
1399 	default L2TP
1400 	help
1401 	This option adds an "L2TP" match, which allows you to match against
1402 	L2TP protocol header fields.
1403 
1404 	To compile it as a module, choose M here. If unsure, say N.
1405 
1406 config NETFILTER_XT_MATCH_LENGTH
1407 	tristate '"length" match support'
1408 	depends on NETFILTER_ADVANCED
1409 	help
1410 	  This option allows you to match the length of a packet against a
1411 	  specific value or range of values.
1412 
1413 	  To compile it as a module, choose M here.  If unsure, say N.
1414 
1415 config NETFILTER_XT_MATCH_LIMIT
1416 	tristate '"limit" match support'
1417 	depends on NETFILTER_ADVANCED
1418 	help
1419 	  limit matching allows you to control the rate at which a rule can be
1420 	  matched: mainly useful in combination with the LOG target ("LOG
1421 	  target support", above) and to avoid some Denial of Service attacks.
1422 
1423 	  To compile it as a module, choose M here.  If unsure, say N.
1424 
1425 config NETFILTER_XT_MATCH_MAC
1426 	tristate '"mac" address match support'
1427 	depends on NETFILTER_ADVANCED
1428 	help
1429 	  MAC matching allows you to match packets based on the source
1430 	  Ethernet address of the packet.
1431 
1432 	  To compile it as a module, choose M here.  If unsure, say N.
1433 
1434 config NETFILTER_XT_MATCH_MARK
1435 	tristate '"mark" match support'
1436 	depends on NETFILTER_ADVANCED
1437 	select NETFILTER_XT_MARK
1438 	help
1439 	This is a backwards-compat option for the user's convenience
1440 	(e.g. when running oldconfig). It selects
1441 	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1442 
1443 config NETFILTER_XT_MATCH_MULTIPORT
1444 	tristate '"multiport" Multiple port match support'
1445 	depends on NETFILTER_ADVANCED
1446 	help
1447 	  Multiport matching allows you to match TCP or UDP packets based on
1448 	  a series of source or destination ports: normally a rule can only
1449 	  match a single range of ports.
1450 
1451 	  To compile it as a module, choose M here.  If unsure, say N.
1452 
1453 config NETFILTER_XT_MATCH_NFACCT
1454 	tristate '"nfacct" match support'
1455 	depends on NETFILTER_ADVANCED
1456 	select NETFILTER_NETLINK_ACCT
1457 	help
1458 	  This option allows you to use the extended accounting through
1459 	  nfnetlink_acct.
1460 
1461 	  To compile it as a module, choose M here.  If unsure, say N.
1462 
1463 config NETFILTER_XT_MATCH_OSF
1464 	tristate '"osf" Passive OS fingerprint match'
1465 	depends on NETFILTER_ADVANCED
1466 	select NETFILTER_NETLINK_OSF
1467 	help
1468 	  This option selects the Passive OS Fingerprinting match module
1469 	  that allows you to passively match the remote operating system by
1470 	  analyzing incoming TCP SYN packets.
1471 
1472 	  Rules and loading software can be downloaded from
1473 	  http://www.ioremap.net/projects/osf
1474 
1475 	  To compile it as a module, choose M here.  If unsure, say N.
1476 
1477 config NETFILTER_XT_MATCH_OWNER
1478 	tristate '"owner" match support'
1479 	depends on NETFILTER_ADVANCED
1480 	help
1481 	Socket owner matching allows you to match locally-generated packets
1482 	based on who created the socket: the user or group. It is also
1483 	possible to check whether a socket actually exists.
1484 
1485 config NETFILTER_XT_MATCH_POLICY
1486 	tristate 'IPsec "policy" match support'
1487 	depends on XFRM
1488 	default m if NETFILTER_ADVANCED=n
1489 	help
1490 	  Policy matching allows you to match packets based on the
1491 	  IPsec policy that was used during decapsulation/will
1492 	  be used during encapsulation.
1493 
1494 	  To compile it as a module, choose M here.  If unsure, say N.
1495 
1496 config NETFILTER_XT_MATCH_PHYSDEV
1497 	tristate '"physdev" match support'
1498 	depends on BRIDGE && BRIDGE_NETFILTER
1499 	depends on NETFILTER_ADVANCED
1500 	help
1501 	  Physdev packet matching matches against the physical bridge ports
1502 	  the IP packet arrived on or will leave by.
1503 
1504 	  To compile it as a module, choose M here.  If unsure, say N.
1505 
1506 config NETFILTER_XT_MATCH_PKTTYPE
1507 	tristate '"pkttype" packet type match support'
1508 	depends on NETFILTER_ADVANCED
1509 	help
1510 	  Packet type matching allows you to match a packet by
1511 	  its "class", eg. BROADCAST, MULTICAST, ...
1512 
1513 	  Typical usage:
1514 	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1515 
1516 	  To compile it as a module, choose M here.  If unsure, say N.
1517 
1518 config NETFILTER_XT_MATCH_QUOTA
1519 	tristate '"quota" match support'
1520 	depends on NETFILTER_ADVANCED
1521 	help
1522 	  This option adds a `quota' match, which allows you to match on a
1523 	  byte counter.
1524 
1525 	  If you want to compile it as a module, say M here and read
1526 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1527 
1528 config NETFILTER_XT_MATCH_RATEEST
1529 	tristate '"rateest" match support'
1530 	depends on NETFILTER_ADVANCED
1531 	select NETFILTER_XT_TARGET_RATEEST
1532 	help
1533 	  This option adds a `rateest' match, which allows you to match on the
1534 	  rate estimated by the RATEEST target.
1535 
1536 	  To compile it as a module, choose M here.  If unsure, say N.
1537 
1538 config NETFILTER_XT_MATCH_REALM
1539 	tristate  '"realm" match support'
1540 	depends on NETFILTER_ADVANCED
1541 	select IP_ROUTE_CLASSID
1542 	help
1543 	  This option adds a `realm' match, which allows you to use the realm
1544 	  key from the routing subsystem inside iptables.
1545 
1546 	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1547 	  in tc world.
1548 
1549 	  If you want to compile it as a module, say M here and read
1550 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1551 
1552 config NETFILTER_XT_MATCH_RECENT
1553 	tristate '"recent" match support'
1554 	depends on NETFILTER_ADVANCED
1555 	help
1556 	This match is used for creating one or many lists of recently
1557 	used addresses and then matching against that/those list(s).
1558 
1559 	Short options are available by using 'iptables -m recent -h'
1560 	Official Website: <http://snowman.net/projects/ipt_recent/>
1561 
1562 config NETFILTER_XT_MATCH_SCTP
1563 	tristate  '"sctp" protocol match support'
1564 	depends on NETFILTER_ADVANCED
1565 	default IP_SCTP
1566 	help
1567 	  With this option enabled, you will be able to use the
1568 	  `sctp' match in order to match on SCTP source/destination ports
1569 	  and SCTP chunk types.
1570 
1571 	  If you want to compile it as a module, say M here and read
1572 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1573 
1574 config NETFILTER_XT_MATCH_SOCKET
1575 	tristate '"socket" match support'
1576 	depends on NETFILTER_XTABLES
1577 	depends on NETFILTER_ADVANCED
1578 	depends on IPV6 || IPV6=n
1579 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1580 	select NF_SOCKET_IPV4
1581 	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1582 	select NF_DEFRAG_IPV4
1583 	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1584 	help
1585 	  This option adds a `socket' match, which can be used to match
1586 	  packets for which a TCP or UDP socket lookup finds a valid socket.
1587 	  It can be used in combination with the MARK target and policy
1588 	  routing to implement fully featured non-locally bound sockets.
1589 
1590 	  To compile it as a module, choose M here.  If unsure, say N.
1591 
1592 config NETFILTER_XT_MATCH_STATE
1593 	tristate '"state" match support'
1594 	depends on NF_CONNTRACK
1595 	default m if NETFILTER_ADVANCED=n
1596 	help
1597 	  Connection state matching allows you to match packets based on their
1598 	  relationship to a tracked connection (ie. previous packets).  This
1599 	  is a powerful tool for packet classification.
1600 
1601 	  To compile it as a module, choose M here.  If unsure, say N.
1602 
1603 config NETFILTER_XT_MATCH_STATISTIC
1604 	tristate '"statistic" match support'
1605 	depends on NETFILTER_ADVANCED
1606 	help
1607 	  This option adds a `statistic' match, which allows you to match
1608 	  on packets periodically or randomly with a given percentage.
1609 
1610 	  To compile it as a module, choose M here.  If unsure, say N.
1611 
1612 config NETFILTER_XT_MATCH_STRING
1613 	tristate  '"string" match support'
1614 	depends on NETFILTER_ADVANCED
1615 	select TEXTSEARCH
1616 	select TEXTSEARCH_KMP
1617 	select TEXTSEARCH_BM
1618 	select TEXTSEARCH_FSM
1619 	help
1620 	  This option adds a `string' match, which allows you to look for
1621 	  pattern matches in packets.
1622 
1623 	  To compile it as a module, choose M here.  If unsure, say N.
1624 
1625 config NETFILTER_XT_MATCH_TCPMSS
1626 	tristate '"tcpmss" match support'
1627 	depends on NETFILTER_ADVANCED
1628 	help
1629 	  This option adds a `tcpmss' match, which allows you to examine the
1630 	  MSS value of TCP SYN packets, which controls the maximum packet size
1631 	  for that connection.
1632 
1633 	  To compile it as a module, choose M here.  If unsure, say N.
1634 
1635 config NETFILTER_XT_MATCH_TIME
1636 	tristate '"time" match support'
1637 	depends on NETFILTER_ADVANCED
1638 	help
1639 	  This option adds a "time" match, which allows you to match based on
1640 	  the packet arrival time (at the machine on which netfilter is
1641 	  running) or departure time/date (for locally generated packets).
1642 
1643 	  If you say Y here, try `iptables -m time --help` for
1644 	  more information.
1645 
1646 	  If you want to compile it as a module, say M here.
1647 	  If unsure, say N.
1648 
1649 config NETFILTER_XT_MATCH_U32
1650 	tristate '"u32" match support'
1651 	depends on NETFILTER_ADVANCED
1652 	help
1653 	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1654 	  AND them with specified masks, shift them by specified amounts and
1655 	  test whether the results are in any of a set of specified ranges.
1656 	  The specification of what to extract is general enough to skip over
1657 	  headers with lengths stored in the packet, as in IP or TCP header
1658 	  lengths.
1659 
1660 	  Details and examples are in the kernel module source.
1661 
1662 endif # NETFILTER_XTABLES
1663 
1664 endmenu
1665 
1666 source "net/netfilter/ipset/Kconfig"
1667 
1668 source "net/netfilter/ipvs/Kconfig"
1669