xref: /openbmc/linux/net/netfilter/Kconfig (revision 276e552e)
1# SPDX-License-Identifier: GPL-2.0-only
2menu "Core Netfilter Configuration"
3	depends on INET && NETFILTER
4
5config NETFILTER_INGRESS
6	bool "Netfilter ingress support"
7	default y
8	select NET_INGRESS
9	help
10	  This allows you to classify packets from ingress using the Netfilter
11	  infrastructure.
12
13config NETFILTER_NETLINK
14	tristate
15
16config NETFILTER_FAMILY_BRIDGE
17	bool
18
19config NETFILTER_FAMILY_ARP
20	bool
21
22config NETFILTER_NETLINK_ACCT
23	tristate "Netfilter NFACCT over NFNETLINK interface"
24	depends on NETFILTER_ADVANCED
25	select NETFILTER_NETLINK
26	help
27	  If this option is enabled, the kernel will include support
28	  for extended accounting via NFNETLINK.
29
30config NETFILTER_NETLINK_QUEUE
31	tristate "Netfilter NFQUEUE over NFNETLINK interface"
32	depends on NETFILTER_ADVANCED
33	select NETFILTER_NETLINK
34	help
35	  If this option is enabled, the kernel will include support
36	  for queueing packets via NFNETLINK.
37
38config NETFILTER_NETLINK_LOG
39	tristate "Netfilter LOG over NFNETLINK interface"
40	default m if NETFILTER_ADVANCED=n
41	select NETFILTER_NETLINK
42	help
43	  If this option is enabled, the kernel will include support
44	  for logging packets via NFNETLINK.
45
46	  This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
47	  and is also scheduled to replace the old syslog-based ipt_LOG
48	  and ip6t_LOG modules.
49
50config NETFILTER_NETLINK_OSF
51	tristate "Netfilter OSF over NFNETLINK interface"
52	depends on NETFILTER_ADVANCED
53	select NETFILTER_NETLINK
54	help
55	  If this option is enabled, the kernel will include support
56	  for passive OS fingerprint via NFNETLINK.
57
58config NF_CONNTRACK
59	tristate "Netfilter connection tracking support"
60	default m if NETFILTER_ADVANCED=n
61	select NF_DEFRAG_IPV4
62	select NF_DEFRAG_IPV6 if IPV6 != n
63	help
64	  Connection tracking keeps a record of what packets have passed
65	  through your machine, in order to figure out how they are related
66	  into connections.
67
68	  This is required to do Masquerading or other kinds of Network
69	  Address Translation.  It can also be used to enhance packet
70	  filtering (see `Connection state match support' below).
71
72	  To compile it as a module, choose M here.  If unsure, say N.
73
74config NF_LOG_SYSLOG
75	tristate "Syslog packet logging"
76	default m if NETFILTER_ADVANCED=n
77	help
78	  This option enable support for packet logging via syslog.
79	  It supports IPv4, IPV6, ARP and common transport protocols such
80	  as TCP and UDP.
81	  This is a simpler but less flexible logging method compared to
82	  CONFIG_NETFILTER_NETLINK_LOG.
83	  If both are enabled the backend to use can be configured at run-time
84	  by means of per-address-family sysctl tunables.
85
86if NF_CONNTRACK
87config NETFILTER_CONNCOUNT
88	tristate
89
90config NF_CONNTRACK_MARK
91	bool  'Connection mark tracking support'
92	depends on NETFILTER_ADVANCED
93	help
94	  This option enables support for connection marks, used by the
95	  `CONNMARK' target and `connmark' match. Similar to the mark value
96	  of packets, but this mark value is kept in the conntrack session
97	  instead of the individual packets.
98
99config NF_CONNTRACK_SECMARK
100	bool  'Connection tracking security mark support'
101	depends on NETWORK_SECMARK
102	default m if NETFILTER_ADVANCED=n
103	help
104	  This option enables security markings to be applied to
105	  connections.  Typically they are copied to connections from
106	  packets using the CONNSECMARK target and copied back from
107	  connections to packets with the same target, with the packets
108	  being originally labeled via SECMARK.
109
110	  If unsure, say 'N'.
111
112config NF_CONNTRACK_ZONES
113	bool  'Connection tracking zones'
114	depends on NETFILTER_ADVANCED
115	help
116	  This option enables support for connection tracking zones.
117	  Normally, each connection needs to have a unique system wide
118	  identity. Connection tracking zones allow to have multiple
119	  connections using the same identity, as long as they are
120	  contained in different zones.
121
122	  If unsure, say `N'.
123
124config NF_CONNTRACK_PROCFS
125	bool "Supply CT list in procfs (OBSOLETE)"
126	default y
127	depends on PROC_FS
128	help
129	This option enables for the list of known conntrack entries
130	to be shown in procfs under net/netfilter/nf_conntrack. This
131	is considered obsolete in favor of using the conntrack(8)
132	tool which uses Netlink.
133
134config NF_CONNTRACK_EVENTS
135	bool "Connection tracking events"
136	depends on NETFILTER_ADVANCED
137	help
138	  If this option is enabled, the connection tracking code will
139	  provide a notifier chain that can be used by other kernel code
140	  to get notified about changes in the connection tracking state.
141
142	  If unsure, say `N'.
143
144config NF_CONNTRACK_TIMEOUT
145	bool  'Connection tracking timeout'
146	depends on NETFILTER_ADVANCED
147	help
148	  This option enables support for connection tracking timeout
149	  extension. This allows you to attach timeout policies to flow
150	  via the CT target.
151
152	  If unsure, say `N'.
153
154config NF_CONNTRACK_TIMESTAMP
155	bool  'Connection tracking timestamping'
156	depends on NETFILTER_ADVANCED
157	help
158	  This option enables support for connection tracking timestamping.
159	  This allows you to store the flow start-time and to obtain
160	  the flow-stop time (once it has been destroyed) via Connection
161	  tracking events.
162
163	  If unsure, say `N'.
164
165config NF_CONNTRACK_LABELS
166	bool "Connection tracking labels"
167	help
168	  This option enables support for assigning user-defined flag bits
169	  to connection tracking entries.  It can be used with xtables connlabel
170	  match and the nftables ct expression.
171
172config NF_CT_PROTO_DCCP
173	bool 'DCCP protocol connection tracking support'
174	depends on NETFILTER_ADVANCED
175	default y
176	help
177	  With this option enabled, the layer 3 independent connection
178	  tracking code will be able to do state tracking on DCCP connections.
179
180	  If unsure, say Y.
181
182config NF_CT_PROTO_GRE
183	bool
184
185config NF_CT_PROTO_SCTP
186	bool 'SCTP protocol connection tracking support'
187	depends on NETFILTER_ADVANCED
188	default y
189	select LIBCRC32C
190	help
191	  With this option enabled, the layer 3 independent connection
192	  tracking code will be able to do state tracking on SCTP connections.
193
194	  If unsure, say Y.
195
196config NF_CT_PROTO_UDPLITE
197	bool 'UDP-Lite protocol connection tracking support'
198	depends on NETFILTER_ADVANCED
199	default y
200	help
201	  With this option enabled, the layer 3 independent connection
202	  tracking code will be able to do state tracking on UDP-Lite
203	  connections.
204
205	  If unsure, say Y.
206
207config NF_CONNTRACK_AMANDA
208	tristate "Amanda backup protocol support"
209	depends on NETFILTER_ADVANCED
210	select TEXTSEARCH
211	select TEXTSEARCH_KMP
212	help
213	  If you are running the Amanda backup package <http://www.amanda.org/>
214	  on this machine or machines that will be MASQUERADED through this
215	  machine, then you may want to enable this feature.  This allows the
216	  connection tracking and natting code to allow the sub-channels that
217	  Amanda requires for communication of the backup data, messages and
218	  index.
219
220	  To compile it as a module, choose M here.  If unsure, say N.
221
222config NF_CONNTRACK_FTP
223	tristate "FTP protocol support"
224	default m if NETFILTER_ADVANCED=n
225	help
226	  Tracking FTP connections is problematic: special helpers are
227	  required for tracking them, and doing masquerading and other forms
228	  of Network Address Translation on them.
229
230	  This is FTP support on Layer 3 independent connection tracking.
231
232	  To compile it as a module, choose M here.  If unsure, say N.
233
234config NF_CONNTRACK_H323
235	tristate "H.323 protocol support"
236	depends on IPV6 || IPV6=n
237	depends on NETFILTER_ADVANCED
238	help
239	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
240	  important VoIP protocols, it is widely used by voice hardware and
241	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
242	  Gnomemeeting, etc.
243
244	  With this module you can support H.323 on a connection tracking/NAT
245	  firewall.
246
247	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
248	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
249	  whiteboard, file transfer, etc. For more information, please
250	  visit http://nath323.sourceforge.net/.
251
252	  To compile it as a module, choose M here.  If unsure, say N.
253
254config NF_CONNTRACK_IRC
255	tristate "IRC protocol support"
256	default m if NETFILTER_ADVANCED=n
257	help
258	  There is a commonly-used extension to IRC called
259	  Direct Client-to-Client Protocol (DCC).  This enables users to send
260	  files to each other, and also chat to each other without the need
261	  of a server.  DCC Sending is used anywhere you send files over IRC,
262	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
263	  using NAT, this extension will enable you to send files and initiate
264	  chats.  Note that you do NOT need this extension to get files or
265	  have others initiate chats, or everything else in IRC.
266
267	  To compile it as a module, choose M here.  If unsure, say N.
268
269config NF_CONNTRACK_BROADCAST
270	tristate
271
272config NF_CONNTRACK_NETBIOS_NS
273	tristate "NetBIOS name service protocol support"
274	select NF_CONNTRACK_BROADCAST
275	help
276	  NetBIOS name service requests are sent as broadcast messages from an
277	  unprivileged port and responded to with unicast messages to the
278	  same port. This make them hard to firewall properly because connection
279	  tracking doesn't deal with broadcasts. This helper tracks locally
280	  originating NetBIOS name service requests and the corresponding
281	  responses. It relies on correct IP address configuration, specifically
282	  netmask and broadcast address. When properly configured, the output
283	  of "ip address show" should look similar to this:
284
285	  $ ip -4 address show eth0
286	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
287	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
288
289	  To compile it as a module, choose M here.  If unsure, say N.
290
291config NF_CONNTRACK_SNMP
292	tristate "SNMP service protocol support"
293	depends on NETFILTER_ADVANCED
294	select NF_CONNTRACK_BROADCAST
295	help
296	  SNMP service requests are sent as broadcast messages from an
297	  unprivileged port and responded to with unicast messages to the
298	  same port. This make them hard to firewall properly because connection
299	  tracking doesn't deal with broadcasts. This helper tracks locally
300	  originating SNMP service requests and the corresponding
301	  responses. It relies on correct IP address configuration, specifically
302	  netmask and broadcast address.
303
304	  To compile it as a module, choose M here.  If unsure, say N.
305
306config NF_CONNTRACK_PPTP
307	tristate "PPtP protocol support"
308	depends on NETFILTER_ADVANCED
309	select NF_CT_PROTO_GRE
310	help
311	  This module adds support for PPTP (Point to Point Tunnelling
312	  Protocol, RFC2637) connection tracking and NAT.
313
314	  If you are running PPTP sessions over a stateful firewall or NAT
315	  box, you may want to enable this feature.
316
317	  Please note that not all PPTP modes of operation are supported yet.
318	  Specifically these limitations exist:
319	    - Blindly assumes that control connections are always established
320	      in PNS->PAC direction. This is a violation of RFC2637.
321	    - Only supports a single call within each session
322
323	  To compile it as a module, choose M here.  If unsure, say N.
324
325config NF_CONNTRACK_SANE
326	tristate "SANE protocol support"
327	depends on NETFILTER_ADVANCED
328	help
329	  SANE is a protocol for remote access to scanners as implemented
330	  by the 'saned' daemon. Like FTP, it uses separate control and
331	  data connections.
332
333	  With this module you can support SANE on a connection tracking
334	  firewall.
335
336	  To compile it as a module, choose M here.  If unsure, say N.
337
338config NF_CONNTRACK_SIP
339	tristate "SIP protocol support"
340	default m if NETFILTER_ADVANCED=n
341	help
342	  SIP is an application-layer control protocol that can establish,
343	  modify, and terminate multimedia sessions (conferences) such as
344	  Internet telephony calls. With the nf_conntrack_sip and
345	  the nf_nat_sip modules you can support the protocol on a connection
346	  tracking/NATing firewall.
347
348	  To compile it as a module, choose M here.  If unsure, say N.
349
350config NF_CONNTRACK_TFTP
351	tristate "TFTP protocol support"
352	depends on NETFILTER_ADVANCED
353	help
354	  TFTP connection tracking helper, this is required depending
355	  on how restrictive your ruleset is.
356	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
357	  you will need this.
358
359	  To compile it as a module, choose M here.  If unsure, say N.
360
361config NF_CT_NETLINK
362	tristate 'Connection tracking netlink interface'
363	select NETFILTER_NETLINK
364	default m if NETFILTER_ADVANCED=n
365	help
366	  This option enables support for a netlink-based userspace interface
367
368config NF_CT_NETLINK_TIMEOUT
369	tristate  'Connection tracking timeout tuning via Netlink'
370	select NETFILTER_NETLINK
371	depends on NETFILTER_ADVANCED
372	depends on NF_CONNTRACK_TIMEOUT
373	help
374	  This option enables support for connection tracking timeout
375	  fine-grain tuning. This allows you to attach specific timeout
376	  policies to flows, instead of using the global timeout policy.
377
378	  If unsure, say `N'.
379
380config NF_CT_NETLINK_HELPER
381	tristate 'Connection tracking helpers in user-space via Netlink'
382	select NETFILTER_NETLINK
383	depends on NF_CT_NETLINK
384	depends on NETFILTER_NETLINK_QUEUE
385	depends on NETFILTER_NETLINK_GLUE_CT
386	depends on NETFILTER_ADVANCED
387	help
388	  This option enables the user-space connection tracking helpers
389	  infrastructure.
390
391	  If unsure, say `N'.
392
393config NETFILTER_NETLINK_GLUE_CT
394	bool "NFQUEUE and NFLOG integration with Connection Tracking"
395	default n
396	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
397	help
398	  If this option is enabled, NFQUEUE and NFLOG can include
399	  Connection Tracking information together with the packet is
400	  the enqueued via NFNETLINK.
401
402config NF_NAT
403	tristate "Network Address Translation support"
404	depends on NF_CONNTRACK
405	default m if NETFILTER_ADVANCED=n
406	help
407	  The NAT option allows masquerading, port forwarding and other
408	  forms of full Network Address Port Translation. This can be
409	  controlled by iptables, ip6tables or nft.
410
411config NF_NAT_AMANDA
412	tristate
413	depends on NF_CONNTRACK && NF_NAT
414	default NF_NAT && NF_CONNTRACK_AMANDA
415
416config NF_NAT_FTP
417	tristate
418	depends on NF_CONNTRACK && NF_NAT
419	default NF_NAT && NF_CONNTRACK_FTP
420
421config NF_NAT_IRC
422	tristate
423	depends on NF_CONNTRACK && NF_NAT
424	default NF_NAT && NF_CONNTRACK_IRC
425
426config NF_NAT_SIP
427	tristate
428	depends on NF_CONNTRACK && NF_NAT
429	default NF_NAT && NF_CONNTRACK_SIP
430
431config NF_NAT_TFTP
432	tristate
433	depends on NF_CONNTRACK && NF_NAT
434	default NF_NAT && NF_CONNTRACK_TFTP
435
436config NF_NAT_REDIRECT
437	bool
438
439config NF_NAT_MASQUERADE
440	bool
441
442config NETFILTER_SYNPROXY
443	tristate
444
445endif # NF_CONNTRACK
446
447config NF_TABLES
448	select NETFILTER_NETLINK
449	select LIBCRC32C
450	tristate "Netfilter nf_tables support"
451	help
452	  nftables is the new packet classification framework that intends to
453	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
454	  provides a pseudo-state machine with an extensible instruction-set
455	  (also known as expressions) that the userspace 'nft' utility
456	  (https://www.netfilter.org/projects/nftables) uses to build the
457	  rule-set. It also comes with the generic set infrastructure that
458	  allows you to construct mappings between matchings and actions
459	  for performance lookups.
460
461	  To compile it as a module, choose M here.
462
463if NF_TABLES
464config NF_TABLES_INET
465	depends on IPV6
466	select NF_TABLES_IPV4
467	select NF_TABLES_IPV6
468	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
469	help
470	  This option enables support for a mixed IPv4/IPv6 "inet" table.
471
472config NF_TABLES_NETDEV
473	bool "Netfilter nf_tables netdev tables support"
474	help
475	  This option enables support for the "netdev" table.
476
477config NFT_NUMGEN
478	tristate "Netfilter nf_tables number generator module"
479	help
480	  This option adds the number generator expression used to perform
481	  incremental counting and random numbers bound to a upper limit.
482
483config NFT_CT
484	depends on NF_CONNTRACK
485	tristate "Netfilter nf_tables conntrack module"
486	help
487	  This option adds the "ct" expression that you can use to match
488	  connection tracking information such as the flow state.
489
490config NFT_FLOW_OFFLOAD
491	depends on NF_CONNTRACK && NF_FLOW_TABLE
492	tristate "Netfilter nf_tables hardware flow offload module"
493	help
494	  This option adds the "flow_offload" expression that you can use to
495	  choose what flows are placed into the hardware.
496
497config NFT_COUNTER
498	tristate "Netfilter nf_tables counter module"
499	help
500	  This option adds the "counter" expression that you can use to
501	  include packet and byte counters in a rule.
502
503config NFT_CONNLIMIT
504	tristate "Netfilter nf_tables connlimit module"
505	depends on NF_CONNTRACK
506	depends on NETFILTER_ADVANCED
507	select NETFILTER_CONNCOUNT
508	help
509	  This option adds the "connlimit" expression that you can use to
510	  ratelimit rule matchings per connections.
511
512config NFT_LOG
513	tristate "Netfilter nf_tables log module"
514	help
515	  This option adds the "log" expression that you can use to log
516	  packets matching some criteria.
517
518config NFT_LIMIT
519	tristate "Netfilter nf_tables limit module"
520	help
521	  This option adds the "limit" expression that you can use to
522	  ratelimit rule matchings.
523
524config NFT_MASQ
525	depends on NF_CONNTRACK
526	depends on NF_NAT
527	select NF_NAT_MASQUERADE
528	tristate "Netfilter nf_tables masquerade support"
529	help
530	  This option adds the "masquerade" expression that you can use
531	  to perform NAT in the masquerade flavour.
532
533config NFT_REDIR
534	depends on NF_CONNTRACK
535	depends on NF_NAT
536	tristate "Netfilter nf_tables redirect support"
537	select NF_NAT_REDIRECT
538	help
539	  This options adds the "redirect" expression that you can use
540	  to perform NAT in the redirect flavour.
541
542config NFT_NAT
543	depends on NF_CONNTRACK
544	select NF_NAT
545	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
546	tristate "Netfilter nf_tables nat module"
547	help
548	  This option adds the "nat" expression that you can use to perform
549	  typical Network Address Translation (NAT) packet transformations.
550
551config NFT_TUNNEL
552	tristate "Netfilter nf_tables tunnel module"
553	help
554	  This option adds the "tunnel" expression that you can use to set
555	  tunneling policies.
556
557config NFT_OBJREF
558	tristate "Netfilter nf_tables stateful object reference module"
559	help
560	  This option adds the "objref" expression that allows you to refer to
561	  stateful objects, such as counters and quotas.
562
563config NFT_QUEUE
564	depends on NETFILTER_NETLINK_QUEUE
565	tristate "Netfilter nf_tables queue module"
566	help
567	  This is required if you intend to use the userspace queueing
568	  infrastructure (also known as NFQUEUE) from nftables.
569
570config NFT_QUOTA
571	tristate "Netfilter nf_tables quota module"
572	help
573	  This option adds the "quota" expression that you can use to match
574	  enforce bytes quotas.
575
576config NFT_REJECT
577	default m if NETFILTER_ADVANCED=n
578	tristate "Netfilter nf_tables reject support"
579	depends on !NF_TABLES_INET || (IPV6!=m || m)
580	help
581	  This option adds the "reject" expression that you can use to
582	  explicitly deny and notify via TCP reset/ICMP informational errors
583	  unallowed traffic.
584
585config NFT_REJECT_INET
586	depends on NF_TABLES_INET
587	default NFT_REJECT
588	tristate
589
590config NFT_COMPAT
591	depends on NETFILTER_XTABLES
592	tristate "Netfilter x_tables over nf_tables module"
593	help
594	  This is required if you intend to use any of existing
595	  x_tables match/target extensions over the nf_tables
596	  framework.
597
598config NFT_HASH
599	tristate "Netfilter nf_tables hash module"
600	help
601	  This option adds the "hash" expression that you can use to perform
602	  a hash operation on registers.
603
604config NFT_FIB
605	tristate
606
607config NFT_FIB_INET
608	depends on NF_TABLES_INET
609	depends on NFT_FIB_IPV4
610	depends on NFT_FIB_IPV6
611	tristate "Netfilter nf_tables fib inet support"
612	help
613	  This option allows using the FIB expression from the inet table.
614	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
615	  on the protocol of the packet.
616
617config NFT_XFRM
618	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
619	depends on XFRM
620	help
621	  This option adds an expression that you can use to extract properties
622	  of a packets security association.
623
624config NFT_SOCKET
625	tristate "Netfilter nf_tables socket match support"
626	depends on IPV6 || IPV6=n
627	select NF_SOCKET_IPV4
628	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
629	help
630	  This option allows matching for the presence or absence of a
631	  corresponding socket and its attributes.
632
633config NFT_OSF
634	tristate "Netfilter nf_tables passive OS fingerprint support"
635	depends on NETFILTER_ADVANCED
636	select NETFILTER_NETLINK_OSF
637	help
638	  This option allows matching packets from an specific OS.
639
640config NFT_TPROXY
641	tristate "Netfilter nf_tables tproxy support"
642	depends on IPV6 || IPV6=n
643	select NF_DEFRAG_IPV4
644	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
645	select NF_TPROXY_IPV4
646	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
647	help
648	  This makes transparent proxy support available in nftables.
649
650config NFT_SYNPROXY
651	tristate "Netfilter nf_tables SYNPROXY expression support"
652	depends on NF_CONNTRACK && NETFILTER_ADVANCED
653	select NETFILTER_SYNPROXY
654	select SYN_COOKIES
655	help
656	  The SYNPROXY expression allows you to intercept TCP connections and
657	  establish them using syncookies before they are passed on to the
658	  server. This allows to avoid conntrack and server resource usage
659	  during SYN-flood attacks.
660
661if NF_TABLES_NETDEV
662
663config NF_DUP_NETDEV
664	tristate "Netfilter packet duplication support"
665	help
666	  This option enables the generic packet duplication infrastructure
667	  for Netfilter.
668
669config NFT_DUP_NETDEV
670	tristate "Netfilter nf_tables netdev packet duplication support"
671	select NF_DUP_NETDEV
672	help
673	  This option enables packet duplication for the "netdev" family.
674
675config NFT_FWD_NETDEV
676	tristate "Netfilter nf_tables netdev packet forwarding support"
677	select NF_DUP_NETDEV
678	help
679	  This option enables packet forwarding for the "netdev" family.
680
681config NFT_FIB_NETDEV
682	depends on NFT_FIB_IPV4
683	depends on NFT_FIB_IPV6
684	tristate "Netfilter nf_tables netdev fib lookups support"
685	help
686	  This option allows using the FIB expression from the netdev table.
687	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
688	  on the protocol of the packet.
689
690config NFT_REJECT_NETDEV
691	depends on NFT_REJECT_IPV4
692	depends on NFT_REJECT_IPV6
693	tristate "Netfilter nf_tables netdev REJECT support"
694	help
695	  This option enables the REJECT support from the netdev table.
696	  The return packet generation will be delegated to the IPv4
697	  or IPv6 ICMP or TCP RST implementation depending on the
698	  protocol of the packet.
699
700endif # NF_TABLES_NETDEV
701
702endif # NF_TABLES
703
704config NF_FLOW_TABLE_INET
705	tristate "Netfilter flow table mixed IPv4/IPv6 module"
706	depends on NF_FLOW_TABLE
707	help
708	  This option adds the flow table mixed IPv4/IPv6 support.
709
710	  To compile it as a module, choose M here.
711
712config NF_FLOW_TABLE
713	tristate "Netfilter flow table module"
714	depends on NETFILTER_INGRESS
715	depends on NF_CONNTRACK
716	depends on NF_TABLES
717	help
718	  This option adds the flow table core infrastructure.
719
720	  To compile it as a module, choose M here.
721
722config NETFILTER_XTABLES
723	tristate "Netfilter Xtables support (required for ip_tables)"
724	default m if NETFILTER_ADVANCED=n
725	help
726	  This is required if you intend to use any of ip_tables,
727	  ip6_tables or arp_tables.
728
729if NETFILTER_XTABLES
730
731config NETFILTER_XTABLES_COMPAT
732	bool "Netfilter Xtables 32bit support"
733	depends on COMPAT
734	default y
735	help
736	   This option provides a translation layer to run 32bit arp,ip(6),ebtables
737	   binaries on 64bit kernels.
738
739	   If unsure, say N.
740
741comment "Xtables combined modules"
742
743config NETFILTER_XT_MARK
744	tristate 'nfmark target and match support'
745	default m if NETFILTER_ADVANCED=n
746	help
747	This option adds the "MARK" target and "mark" match.
748
749	Netfilter mark matching allows you to match packets based on the
750	"nfmark" value in the packet.
751	The target allows you to create rules in the "mangle" table which alter
752	the netfilter mark (nfmark) field associated with the packet.
753
754	Prior to routing, the nfmark can influence the routing method and can
755	also be used by other subsystems to change their behavior.
756
757config NETFILTER_XT_CONNMARK
758	tristate 'ctmark target and match support'
759	depends on NF_CONNTRACK
760	depends on NETFILTER_ADVANCED
761	select NF_CONNTRACK_MARK
762	help
763	This option adds the "CONNMARK" target and "connmark" match.
764
765	Netfilter allows you to store a mark value per connection (a.k.a.
766	ctmark), similarly to the packet mark (nfmark). Using this
767	target and match, you can set and match on this mark.
768
769config NETFILTER_XT_SET
770	tristate 'set target and match support'
771	depends on IP_SET
772	depends on NETFILTER_ADVANCED
773	help
774	  This option adds the "SET" target and "set" match.
775
776	  Using this target and match, you can add/delete and match
777	  elements in the sets created by ipset(8).
778
779	  To compile it as a module, choose M here.  If unsure, say N.
780
781# alphabetically ordered list of targets
782
783comment "Xtables targets"
784
785config NETFILTER_XT_TARGET_AUDIT
786	tristate "AUDIT target support"
787	depends on AUDIT
788	depends on NETFILTER_ADVANCED
789	help
790	  This option adds a 'AUDIT' target, which can be used to create
791	  audit records for packets dropped/accepted.
792
793	  To compileit as a module, choose M here. If unsure, say N.
794
795config NETFILTER_XT_TARGET_CHECKSUM
796	tristate "CHECKSUM target support"
797	depends on IP_NF_MANGLE || IP6_NF_MANGLE
798	depends on NETFILTER_ADVANCED
799	help
800	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
801	  table to work around buggy DHCP clients in virtualized environments.
802
803	  Some old DHCP clients drop packets because they are not aware
804	  that the checksum would normally be offloaded to hardware and
805	  thus should be considered valid.
806	  This target can be used to fill in the checksum using iptables
807	  when such packets are sent via a virtual network device.
808
809	  To compile it as a module, choose M here.  If unsure, say N.
810
811config NETFILTER_XT_TARGET_CLASSIFY
812	tristate '"CLASSIFY" target support'
813	depends on NETFILTER_ADVANCED
814	help
815	  This option adds a `CLASSIFY' target, which enables the user to set
816	  the priority of a packet. Some qdiscs can use this value for
817	  classification, among these are:
818
819  	  atm, cbq, dsmark, pfifo_fast, htb, prio
820
821	  To compile it as a module, choose M here.  If unsure, say N.
822
823config NETFILTER_XT_TARGET_CONNMARK
824	tristate  '"CONNMARK" target support'
825	depends on NF_CONNTRACK
826	depends on NETFILTER_ADVANCED
827	select NETFILTER_XT_CONNMARK
828	help
829	This is a backwards-compat option for the user's convenience
830	(e.g. when running oldconfig). It selects
831	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
832
833config NETFILTER_XT_TARGET_CONNSECMARK
834	tristate '"CONNSECMARK" target support'
835	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
836	default m if NETFILTER_ADVANCED=n
837	help
838	  The CONNSECMARK target copies security markings from packets
839	  to connections, and restores security markings from connections
840	  to packets (if the packets are not already marked).  This would
841	  normally be used in conjunction with the SECMARK target.
842
843	  To compile it as a module, choose M here.  If unsure, say N.
844
845config NETFILTER_XT_TARGET_CT
846	tristate '"CT" target support'
847	depends on NF_CONNTRACK
848	depends on IP_NF_RAW || IP6_NF_RAW
849	depends on NETFILTER_ADVANCED
850	help
851	  This options adds a `CT' target, which allows to specify initial
852	  connection tracking parameters like events to be delivered and
853	  the helper to be used.
854
855	  To compile it as a module, choose M here.  If unsure, say N.
856
857config NETFILTER_XT_TARGET_DSCP
858	tristate '"DSCP" and "TOS" target support'
859	depends on IP_NF_MANGLE || IP6_NF_MANGLE
860	depends on NETFILTER_ADVANCED
861	help
862	  This option adds a `DSCP' target, which allows you to manipulate
863	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
864
865	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
866
867	  It also adds the "TOS" target, which allows you to create rules in
868	  the "mangle" table which alter the Type Of Service field of an IPv4
869	  or the Priority field of an IPv6 packet, prior to routing.
870
871	  To compile it as a module, choose M here.  If unsure, say N.
872
873config NETFILTER_XT_TARGET_HL
874	tristate '"HL" hoplimit target support'
875	depends on IP_NF_MANGLE || IP6_NF_MANGLE
876	depends on NETFILTER_ADVANCED
877	help
878	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
879	targets, which enable the user to change the
880	hoplimit/time-to-live value of the IP header.
881
882	While it is safe to decrement the hoplimit/TTL value, the
883	modules also allow to increment and set the hoplimit value of
884	the header to arbitrary values. This is EXTREMELY DANGEROUS
885	since you can easily create immortal packets that loop
886	forever on the network.
887
888config NETFILTER_XT_TARGET_HMARK
889	tristate '"HMARK" target support'
890	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
891	depends on NETFILTER_ADVANCED
892	help
893	This option adds the "HMARK" target.
894
895	The target allows you to create rules in the "raw" and "mangle" tables
896	which set the skbuff mark by means of hash calculation within a given
897	range. The nfmark can influence the routing method and can also be used
898	by other subsystems to change their behaviour.
899
900	To compile it as a module, choose M here. If unsure, say N.
901
902config NETFILTER_XT_TARGET_IDLETIMER
903	tristate  "IDLETIMER target support"
904	depends on NETFILTER_ADVANCED
905	help
906
907	  This option adds the `IDLETIMER' target.  Each matching packet
908	  resets the timer associated with label specified when the rule is
909	  added.  When the timer expires, it triggers a sysfs notification.
910	  The remaining time for expiration can be read via sysfs.
911
912	  To compile it as a module, choose M here.  If unsure, say N.
913
914config NETFILTER_XT_TARGET_LED
915	tristate '"LED" target support'
916	depends on LEDS_CLASS && LEDS_TRIGGERS
917	depends on NETFILTER_ADVANCED
918	help
919	  This option adds a `LED' target, which allows you to blink LEDs in
920	  response to particular packets passing through your machine.
921
922	  This can be used to turn a spare LED into a network activity LED,
923	  which only flashes in response to FTP transfers, for example.  Or
924	  you could have an LED which lights up for a minute or two every time
925	  somebody connects to your machine via SSH.
926
927	  You will need support for the "led" class to make this work.
928
929	  To create an LED trigger for incoming SSH traffic:
930	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
931
932	  Then attach the new trigger to an LED on your system:
933	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
934
935	  For more information on the LEDs available on your system, see
936	  Documentation/leds/leds-class.rst
937
938config NETFILTER_XT_TARGET_LOG
939	tristate "LOG target support"
940	select NF_LOG_SYSLOG
941	select NF_LOG_IPV6 if IP6_NF_IPTABLES
942	default m if NETFILTER_ADVANCED=n
943	help
944	  This option adds a `LOG' target, which allows you to create rules in
945	  any iptables table which records the packet header to the syslog.
946
947	  To compile it as a module, choose M here.  If unsure, say N.
948
949config NETFILTER_XT_TARGET_MARK
950	tristate '"MARK" target support'
951	depends on NETFILTER_ADVANCED
952	select NETFILTER_XT_MARK
953	help
954	This is a backwards-compat option for the user's convenience
955	(e.g. when running oldconfig). It selects
956	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
957
958config NETFILTER_XT_NAT
959	tristate '"SNAT and DNAT" targets support'
960	depends on NF_NAT
961	help
962	This option enables the SNAT and DNAT targets.
963
964	To compile it as a module, choose M here. If unsure, say N.
965
966config NETFILTER_XT_TARGET_NETMAP
967	tristate '"NETMAP" target support'
968	depends on NF_NAT
969	help
970	NETMAP is an implementation of static 1:1 NAT mapping of network
971	addresses. It maps the network address part, while keeping the host
972	address part intact.
973
974	To compile it as a module, choose M here. If unsure, say N.
975
976config NETFILTER_XT_TARGET_NFLOG
977	tristate '"NFLOG" target support'
978	default m if NETFILTER_ADVANCED=n
979	select NETFILTER_NETLINK_LOG
980	help
981	  This option enables the NFLOG target, which allows to LOG
982	  messages through nfnetlink_log.
983
984	  To compile it as a module, choose M here.  If unsure, say N.
985
986config NETFILTER_XT_TARGET_NFQUEUE
987	tristate '"NFQUEUE" target Support'
988	depends on NETFILTER_ADVANCED
989	select NETFILTER_NETLINK_QUEUE
990	help
991	  This target replaced the old obsolete QUEUE target.
992
993	  As opposed to QUEUE, it supports 65535 different queues,
994	  not just one.
995
996	  To compile it as a module, choose M here.  If unsure, say N.
997
998config NETFILTER_XT_TARGET_NOTRACK
999	tristate  '"NOTRACK" target support (DEPRECATED)'
1000	depends on NF_CONNTRACK
1001	depends on IP_NF_RAW || IP6_NF_RAW
1002	depends on NETFILTER_ADVANCED
1003	select NETFILTER_XT_TARGET_CT
1004
1005config NETFILTER_XT_TARGET_RATEEST
1006	tristate '"RATEEST" target support'
1007	depends on NETFILTER_ADVANCED
1008	help
1009	  This option adds a `RATEEST' target, which allows to measure
1010	  rates similar to TC estimators. The `rateest' match can be
1011	  used to match on the measured rates.
1012
1013	  To compile it as a module, choose M here.  If unsure, say N.
1014
1015config NETFILTER_XT_TARGET_REDIRECT
1016	tristate "REDIRECT target support"
1017	depends on NF_NAT
1018	select NF_NAT_REDIRECT
1019	help
1020	REDIRECT is a special case of NAT: all incoming connections are
1021	mapped onto the incoming interface's address, causing the packets to
1022	come to the local machine instead of passing through. This is
1023	useful for transparent proxies.
1024
1025	To compile it as a module, choose M here. If unsure, say N.
1026
1027config NETFILTER_XT_TARGET_MASQUERADE
1028	tristate "MASQUERADE target support"
1029	depends on NF_NAT
1030	default m if NETFILTER_ADVANCED=n
1031	select NF_NAT_MASQUERADE
1032	help
1033	  Masquerading is a special case of NAT: all outgoing connections are
1034	  changed to seem to come from a particular interface's address, and
1035	  if the interface goes down, those connections are lost.  This is
1036	  only useful for dialup accounts with dynamic IP address (ie. your IP
1037	  address will be different on next dialup).
1038
1039	  To compile it as a module, choose M here.  If unsure, say N.
1040
1041config NETFILTER_XT_TARGET_TEE
1042	tristate '"TEE" - packet cloning to alternate destination'
1043	depends on NETFILTER_ADVANCED
1044	depends on IPV6 || IPV6=n
1045	depends on !NF_CONNTRACK || NF_CONNTRACK
1046	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1047	select NF_DUP_IPV4
1048	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1049	help
1050	This option adds a "TEE" target with which a packet can be cloned and
1051	this clone be rerouted to another nexthop.
1052
1053config NETFILTER_XT_TARGET_TPROXY
1054	tristate '"TPROXY" target transparent proxying support'
1055	depends on NETFILTER_XTABLES
1056	depends on NETFILTER_ADVANCED
1057	depends on IPV6 || IPV6=n
1058	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1059	depends on IP_NF_MANGLE
1060	select NF_DEFRAG_IPV4
1061	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1062	select NF_TPROXY_IPV4
1063	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1064	help
1065	  This option adds a `TPROXY' target, which is somewhat similar to
1066	  REDIRECT.  It can only be used in the mangle table and is useful
1067	  to redirect traffic to a transparent proxy.  It does _not_ depend
1068	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1069	  For it to work you will have to configure certain iptables rules
1070	  and use policy routing. For more information on how to set it up
1071	  see Documentation/networking/tproxy.rst.
1072
1073	  To compile it as a module, choose M here.  If unsure, say N.
1074
1075config NETFILTER_XT_TARGET_TRACE
1076	tristate  '"TRACE" target support'
1077	depends on IP_NF_RAW || IP6_NF_RAW
1078	depends on NETFILTER_ADVANCED
1079	help
1080	  The TRACE target allows you to mark packets so that the kernel
1081	  will log every rule which match the packets as those traverse
1082	  the tables, chains, rules.
1083
1084	  If you want to compile it as a module, say M here and read
1085	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1086
1087config NETFILTER_XT_TARGET_SECMARK
1088	tristate '"SECMARK" target support'
1089	depends on NETWORK_SECMARK
1090	default m if NETFILTER_ADVANCED=n
1091	help
1092	  The SECMARK target allows security marking of network
1093	  packets, for use with security subsystems.
1094
1095	  To compile it as a module, choose M here.  If unsure, say N.
1096
1097config NETFILTER_XT_TARGET_TCPMSS
1098	tristate '"TCPMSS" target support'
1099	depends on IPV6 || IPV6=n
1100	default m if NETFILTER_ADVANCED=n
1101	help
1102	  This option adds a `TCPMSS' target, which allows you to alter the
1103	  MSS value of TCP SYN packets, to control the maximum size for that
1104	  connection (usually limiting it to your outgoing interface's MTU
1105	  minus 40).
1106
1107	  This is used to overcome criminally braindead ISPs or servers which
1108	  block ICMP Fragmentation Needed packets.  The symptoms of this
1109	  problem are that everything works fine from your Linux
1110	  firewall/router, but machines behind it can never exchange large
1111	  packets:
1112	        1) Web browsers connect, then hang with no data received.
1113	        2) Small mail works fine, but large emails hang.
1114	        3) ssh works fine, but scp hangs after initial handshaking.
1115
1116	  Workaround: activate this option and add a rule to your firewall
1117	  configuration like:
1118
1119	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1120	                 -j TCPMSS --clamp-mss-to-pmtu
1121
1122	  To compile it as a module, choose M here.  If unsure, say N.
1123
1124config NETFILTER_XT_TARGET_TCPOPTSTRIP
1125	tristate '"TCPOPTSTRIP" target support'
1126	depends on IP_NF_MANGLE || IP6_NF_MANGLE
1127	depends on NETFILTER_ADVANCED
1128	help
1129	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1130	  TCP options from TCP packets.
1131
1132# alphabetically ordered list of matches
1133
1134comment "Xtables matches"
1135
1136config NETFILTER_XT_MATCH_ADDRTYPE
1137	tristate '"addrtype" address type match support'
1138	default m if NETFILTER_ADVANCED=n
1139	help
1140	  This option allows you to match what routing thinks of an address,
1141	  eg. UNICAST, LOCAL, BROADCAST, ...
1142
1143	  If you want to compile it as a module, say M here and read
1144	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1145
1146config NETFILTER_XT_MATCH_BPF
1147	tristate '"bpf" match support'
1148	depends on NETFILTER_ADVANCED
1149	help
1150	  BPF matching applies a linux socket filter to each packet and
1151	  accepts those for which the filter returns non-zero.
1152
1153	  To compile it as a module, choose M here.  If unsure, say N.
1154
1155config NETFILTER_XT_MATCH_CGROUP
1156	tristate '"control group" match support'
1157	depends on NETFILTER_ADVANCED
1158	depends on CGROUPS
1159	select CGROUP_NET_CLASSID
1160	help
1161	Socket/process control group matching allows you to match locally
1162	generated packets based on which net_cls control group processes
1163	belong to.
1164
1165config NETFILTER_XT_MATCH_CLUSTER
1166	tristate '"cluster" match support'
1167	depends on NF_CONNTRACK
1168	depends on NETFILTER_ADVANCED
1169	help
1170	  This option allows you to build work-load-sharing clusters of
1171	  network servers/stateful firewalls without having a dedicated
1172	  load-balancing router/server/switch. Basically, this match returns
1173	  true when the packet must be handled by this cluster node. Thus,
1174	  all nodes see all packets and this match decides which node handles
1175	  what packets. The work-load sharing algorithm is based on source
1176	  address hashing.
1177
1178	  If you say Y or M here, try `iptables -m cluster --help` for
1179	  more information.
1180
1181config NETFILTER_XT_MATCH_COMMENT
1182	tristate  '"comment" match support'
1183	depends on NETFILTER_ADVANCED
1184	help
1185	  This option adds a `comment' dummy-match, which allows you to put
1186	  comments in your iptables ruleset.
1187
1188	  If you want to compile it as a module, say M here and read
1189	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1190
1191config NETFILTER_XT_MATCH_CONNBYTES
1192	tristate  '"connbytes" per-connection counter match support'
1193	depends on NF_CONNTRACK
1194	depends on NETFILTER_ADVANCED
1195	help
1196	  This option adds a `connbytes' match, which allows you to match the
1197	  number of bytes and/or packets for each direction within a connection.
1198
1199	  If you want to compile it as a module, say M here and read
1200	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1201
1202config NETFILTER_XT_MATCH_CONNLABEL
1203	tristate '"connlabel" match support'
1204	select NF_CONNTRACK_LABELS
1205	depends on NF_CONNTRACK
1206	depends on NETFILTER_ADVANCED
1207	help
1208	  This match allows you to test and assign userspace-defined labels names
1209	  to a connection.  The kernel only stores bit values - mapping
1210	  names to bits is done by userspace.
1211
1212	  Unlike connmark, more than 32 flag bits may be assigned to a
1213	  connection simultaneously.
1214
1215config NETFILTER_XT_MATCH_CONNLIMIT
1216	tristate '"connlimit" match support'
1217	depends on NF_CONNTRACK
1218	depends on NETFILTER_ADVANCED
1219	select NETFILTER_CONNCOUNT
1220	help
1221	  This match allows you to match against the number of parallel
1222	  connections to a server per client IP address (or address block).
1223
1224config NETFILTER_XT_MATCH_CONNMARK
1225	tristate  '"connmark" connection mark match support'
1226	depends on NF_CONNTRACK
1227	depends on NETFILTER_ADVANCED
1228	select NETFILTER_XT_CONNMARK
1229	help
1230	This is a backwards-compat option for the user's convenience
1231	(e.g. when running oldconfig). It selects
1232	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1233
1234config NETFILTER_XT_MATCH_CONNTRACK
1235	tristate '"conntrack" connection tracking match support'
1236	depends on NF_CONNTRACK
1237	default m if NETFILTER_ADVANCED=n
1238	help
1239	  This is a general conntrack match module, a superset of the state match.
1240
1241	  It allows matching on additional conntrack information, which is
1242	  useful in complex configurations, such as NAT gateways with multiple
1243	  internet links or tunnels.
1244
1245	  To compile it as a module, choose M here.  If unsure, say N.
1246
1247config NETFILTER_XT_MATCH_CPU
1248	tristate '"cpu" match support'
1249	depends on NETFILTER_ADVANCED
1250	help
1251	  CPU matching allows you to match packets based on the CPU
1252	  currently handling the packet.
1253
1254	  To compile it as a module, choose M here.  If unsure, say N.
1255
1256config NETFILTER_XT_MATCH_DCCP
1257	tristate '"dccp" protocol match support'
1258	depends on NETFILTER_ADVANCED
1259	default IP_DCCP
1260	help
1261	  With this option enabled, you will be able to use the iptables
1262	  `dccp' match in order to match on DCCP source/destination ports
1263	  and DCCP flags.
1264
1265	  If you want to compile it as a module, say M here and read
1266	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1267
1268config NETFILTER_XT_MATCH_DEVGROUP
1269	tristate '"devgroup" match support'
1270	depends on NETFILTER_ADVANCED
1271	help
1272	  This options adds a `devgroup' match, which allows to match on the
1273	  device group a network device is assigned to.
1274
1275	  To compile it as a module, choose M here.  If unsure, say N.
1276
1277config NETFILTER_XT_MATCH_DSCP
1278	tristate '"dscp" and "tos" match support'
1279	depends on NETFILTER_ADVANCED
1280	help
1281	  This option adds a `DSCP' match, which allows you to match against
1282	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1283
1284	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1285
1286	  It will also add a "tos" match, which allows you to match packets
1287	  based on the Type Of Service fields of the IPv4 packet (which share
1288	  the same bits as DSCP).
1289
1290	  To compile it as a module, choose M here.  If unsure, say N.
1291
1292config NETFILTER_XT_MATCH_ECN
1293	tristate '"ecn" match support'
1294	depends on NETFILTER_ADVANCED
1295	help
1296	This option adds an "ECN" match, which allows you to match against
1297	the IPv4 and TCP header ECN fields.
1298
1299	To compile it as a module, choose M here. If unsure, say N.
1300
1301config NETFILTER_XT_MATCH_ESP
1302	tristate '"esp" match support'
1303	depends on NETFILTER_ADVANCED
1304	help
1305	  This match extension allows you to match a range of SPIs
1306	  inside ESP header of IPSec packets.
1307
1308	  To compile it as a module, choose M here.  If unsure, say N.
1309
1310config NETFILTER_XT_MATCH_HASHLIMIT
1311	tristate '"hashlimit" match support'
1312	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1313	depends on NETFILTER_ADVANCED
1314	help
1315	  This option adds a `hashlimit' match.
1316
1317	  As opposed to `limit', this match dynamically creates a hash table
1318	  of limit buckets, based on your selection of source/destination
1319	  addresses and/or ports.
1320
1321	  It enables you to express policies like `10kpps for any given
1322	  destination address' or `500pps from any given source address'
1323	  with a single rule.
1324
1325config NETFILTER_XT_MATCH_HELPER
1326	tristate '"helper" match support'
1327	depends on NF_CONNTRACK
1328	depends on NETFILTER_ADVANCED
1329	help
1330	  Helper matching allows you to match packets in dynamic connections
1331	  tracked by a conntrack-helper, ie. nf_conntrack_ftp
1332
1333	  To compile it as a module, choose M here.  If unsure, say Y.
1334
1335config NETFILTER_XT_MATCH_HL
1336	tristate '"hl" hoplimit/TTL match support'
1337	depends on NETFILTER_ADVANCED
1338	help
1339	HL matching allows you to match packets based on the hoplimit
1340	in the IPv6 header, or the time-to-live field in the IPv4
1341	header of the packet.
1342
1343config NETFILTER_XT_MATCH_IPCOMP
1344	tristate '"ipcomp" match support'
1345	depends on NETFILTER_ADVANCED
1346	help
1347	  This match extension allows you to match a range of CPIs(16 bits)
1348	  inside IPComp header of IPSec packets.
1349
1350	  To compile it as a module, choose M here.  If unsure, say N.
1351
1352config NETFILTER_XT_MATCH_IPRANGE
1353	tristate '"iprange" address range match support'
1354	depends on NETFILTER_ADVANCED
1355	help
1356	This option adds a "iprange" match, which allows you to match based on
1357	an IP address range. (Normal iptables only matches on single addresses
1358	with an optional mask.)
1359
1360	If unsure, say M.
1361
1362config NETFILTER_XT_MATCH_IPVS
1363	tristate '"ipvs" match support'
1364	depends on IP_VS
1365	depends on NETFILTER_ADVANCED
1366	depends on NF_CONNTRACK
1367	help
1368	  This option allows you to match against IPVS properties of a packet.
1369
1370	  If unsure, say N.
1371
1372config NETFILTER_XT_MATCH_L2TP
1373	tristate '"l2tp" match support'
1374	depends on NETFILTER_ADVANCED
1375	default L2TP
1376	help
1377	This option adds an "L2TP" match, which allows you to match against
1378	L2TP protocol header fields.
1379
1380	To compile it as a module, choose M here. If unsure, say N.
1381
1382config NETFILTER_XT_MATCH_LENGTH
1383	tristate '"length" match support'
1384	depends on NETFILTER_ADVANCED
1385	help
1386	  This option allows you to match the length of a packet against a
1387	  specific value or range of values.
1388
1389	  To compile it as a module, choose M here.  If unsure, say N.
1390
1391config NETFILTER_XT_MATCH_LIMIT
1392	tristate '"limit" match support'
1393	depends on NETFILTER_ADVANCED
1394	help
1395	  limit matching allows you to control the rate at which a rule can be
1396	  matched: mainly useful in combination with the LOG target ("LOG
1397	  target support", below) and to avoid some Denial of Service attacks.
1398
1399	  To compile it as a module, choose M here.  If unsure, say N.
1400
1401config NETFILTER_XT_MATCH_MAC
1402	tristate '"mac" address match support'
1403	depends on NETFILTER_ADVANCED
1404	help
1405	  MAC matching allows you to match packets based on the source
1406	  Ethernet address of the packet.
1407
1408	  To compile it as a module, choose M here.  If unsure, say N.
1409
1410config NETFILTER_XT_MATCH_MARK
1411	tristate '"mark" match support'
1412	depends on NETFILTER_ADVANCED
1413	select NETFILTER_XT_MARK
1414	help
1415	This is a backwards-compat option for the user's convenience
1416	(e.g. when running oldconfig). It selects
1417	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1418
1419config NETFILTER_XT_MATCH_MULTIPORT
1420	tristate '"multiport" Multiple port match support'
1421	depends on NETFILTER_ADVANCED
1422	help
1423	  Multiport matching allows you to match TCP or UDP packets based on
1424	  a series of source or destination ports: normally a rule can only
1425	  match a single range of ports.
1426
1427	  To compile it as a module, choose M here.  If unsure, say N.
1428
1429config NETFILTER_XT_MATCH_NFACCT
1430	tristate '"nfacct" match support'
1431	depends on NETFILTER_ADVANCED
1432	select NETFILTER_NETLINK_ACCT
1433	help
1434	  This option allows you to use the extended accounting through
1435	  nfnetlink_acct.
1436
1437	  To compile it as a module, choose M here.  If unsure, say N.
1438
1439config NETFILTER_XT_MATCH_OSF
1440	tristate '"osf" Passive OS fingerprint match'
1441	depends on NETFILTER_ADVANCED
1442	select NETFILTER_NETLINK_OSF
1443	help
1444	  This option selects the Passive OS Fingerprinting match module
1445	  that allows to passively match the remote operating system by
1446	  analyzing incoming TCP SYN packets.
1447
1448	  Rules and loading software can be downloaded from
1449	  http://www.ioremap.net/projects/osf
1450
1451	  To compile it as a module, choose M here.  If unsure, say N.
1452
1453config NETFILTER_XT_MATCH_OWNER
1454	tristate '"owner" match support'
1455	depends on NETFILTER_ADVANCED
1456	help
1457	Socket owner matching allows you to match locally-generated packets
1458	based on who created the socket: the user or group. It is also
1459	possible to check whether a socket actually exists.
1460
1461config NETFILTER_XT_MATCH_POLICY
1462	tristate 'IPsec "policy" match support'
1463	depends on XFRM
1464	default m if NETFILTER_ADVANCED=n
1465	help
1466	  Policy matching allows you to match packets based on the
1467	  IPsec policy that was used during decapsulation/will
1468	  be used during encapsulation.
1469
1470	  To compile it as a module, choose M here.  If unsure, say N.
1471
1472config NETFILTER_XT_MATCH_PHYSDEV
1473	tristate '"physdev" match support'
1474	depends on BRIDGE && BRIDGE_NETFILTER
1475	depends on NETFILTER_ADVANCED
1476	help
1477	  Physdev packet matching matches against the physical bridge ports
1478	  the IP packet arrived on or will leave by.
1479
1480	  To compile it as a module, choose M here.  If unsure, say N.
1481
1482config NETFILTER_XT_MATCH_PKTTYPE
1483	tristate '"pkttype" packet type match support'
1484	depends on NETFILTER_ADVANCED
1485	help
1486	  Packet type matching allows you to match a packet by
1487	  its "class", eg. BROADCAST, MULTICAST, ...
1488
1489	  Typical usage:
1490	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1491
1492	  To compile it as a module, choose M here.  If unsure, say N.
1493
1494config NETFILTER_XT_MATCH_QUOTA
1495	tristate '"quota" match support'
1496	depends on NETFILTER_ADVANCED
1497	help
1498	  This option adds a `quota' match, which allows to match on a
1499	  byte counter.
1500
1501	  If you want to compile it as a module, say M here and read
1502	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1503
1504config NETFILTER_XT_MATCH_RATEEST
1505	tristate '"rateest" match support'
1506	depends on NETFILTER_ADVANCED
1507	select NETFILTER_XT_TARGET_RATEEST
1508	help
1509	  This option adds a `rateest' match, which allows to match on the
1510	  rate estimated by the RATEEST target.
1511
1512	  To compile it as a module, choose M here.  If unsure, say N.
1513
1514config NETFILTER_XT_MATCH_REALM
1515	tristate  '"realm" match support'
1516	depends on NETFILTER_ADVANCED
1517	select IP_ROUTE_CLASSID
1518	help
1519	  This option adds a `realm' match, which allows you to use the realm
1520	  key from the routing subsystem inside iptables.
1521
1522	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1523	  in tc world.
1524
1525	  If you want to compile it as a module, say M here and read
1526	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1527
1528config NETFILTER_XT_MATCH_RECENT
1529	tristate '"recent" match support'
1530	depends on NETFILTER_ADVANCED
1531	help
1532	This match is used for creating one or many lists of recently
1533	used addresses and then matching against that/those list(s).
1534
1535	Short options are available by using 'iptables -m recent -h'
1536	Official Website: <http://snowman.net/projects/ipt_recent/>
1537
1538config NETFILTER_XT_MATCH_SCTP
1539	tristate  '"sctp" protocol match support'
1540	depends on NETFILTER_ADVANCED
1541	default IP_SCTP
1542	help
1543	  With this option enabled, you will be able to use the
1544	  `sctp' match in order to match on SCTP source/destination ports
1545	  and SCTP chunk types.
1546
1547	  If you want to compile it as a module, say M here and read
1548	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1549
1550config NETFILTER_XT_MATCH_SOCKET
1551	tristate '"socket" match support'
1552	depends on NETFILTER_XTABLES
1553	depends on NETFILTER_ADVANCED
1554	depends on IPV6 || IPV6=n
1555	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1556	select NF_SOCKET_IPV4
1557	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1558	select NF_DEFRAG_IPV4
1559	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1560	help
1561	  This option adds a `socket' match, which can be used to match
1562	  packets for which a TCP or UDP socket lookup finds a valid socket.
1563	  It can be used in combination with the MARK target and policy
1564	  routing to implement full featured non-locally bound sockets.
1565
1566	  To compile it as a module, choose M here.  If unsure, say N.
1567
1568config NETFILTER_XT_MATCH_STATE
1569	tristate '"state" match support'
1570	depends on NF_CONNTRACK
1571	default m if NETFILTER_ADVANCED=n
1572	help
1573	  Connection state matching allows you to match packets based on their
1574	  relationship to a tracked connection (ie. previous packets).  This
1575	  is a powerful tool for packet classification.
1576
1577	  To compile it as a module, choose M here.  If unsure, say N.
1578
1579config NETFILTER_XT_MATCH_STATISTIC
1580	tristate '"statistic" match support'
1581	depends on NETFILTER_ADVANCED
1582	help
1583	  This option adds a `statistic' match, which allows you to match
1584	  on packets periodically or randomly with a given percentage.
1585
1586	  To compile it as a module, choose M here.  If unsure, say N.
1587
1588config NETFILTER_XT_MATCH_STRING
1589	tristate  '"string" match support'
1590	depends on NETFILTER_ADVANCED
1591	select TEXTSEARCH
1592	select TEXTSEARCH_KMP
1593	select TEXTSEARCH_BM
1594	select TEXTSEARCH_FSM
1595	help
1596	  This option adds a `string' match, which allows you to look for
1597	  pattern matchings in packets.
1598
1599	  To compile it as a module, choose M here.  If unsure, say N.
1600
1601config NETFILTER_XT_MATCH_TCPMSS
1602	tristate '"tcpmss" match support'
1603	depends on NETFILTER_ADVANCED
1604	help
1605	  This option adds a `tcpmss' match, which allows you to examine the
1606	  MSS value of TCP SYN packets, which control the maximum packet size
1607	  for that connection.
1608
1609	  To compile it as a module, choose M here.  If unsure, say N.
1610
1611config NETFILTER_XT_MATCH_TIME
1612	tristate '"time" match support'
1613	depends on NETFILTER_ADVANCED
1614	help
1615	  This option adds a "time" match, which allows you to match based on
1616	  the packet arrival time (at the machine which netfilter is running)
1617	  on) or departure time/date (for locally generated packets).
1618
1619	  If you say Y here, try `iptables -m time --help` for
1620	  more information.
1621
1622	  If you want to compile it as a module, say M here.
1623	  If unsure, say N.
1624
1625config NETFILTER_XT_MATCH_U32
1626	tristate '"u32" match support'
1627	depends on NETFILTER_ADVANCED
1628	help
1629	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1630	  AND them with specified masks, shift them by specified amounts and
1631	  test whether the results are in any of a set of specified ranges.
1632	  The specification of what to extract is general enough to skip over
1633	  headers with lengths stored in the packet, as in IP or TCP header
1634	  lengths.
1635
1636	  Details and examples are in the kernel module source.
1637
1638endif # NETFILTER_XTABLES
1639
1640endmenu
1641
1642source "net/netfilter/ipset/Kconfig"
1643
1644source "net/netfilter/ipvs/Kconfig"
1645