xref: /openbmc/linux/net/netfilter/Kconfig (revision 7f400a1d)
1# SPDX-License-Identifier: GPL-2.0-only
2menu "Core Netfilter Configuration"
3	depends on INET && NETFILTER
4
5config NETFILTER_INGRESS
6	bool "Netfilter ingress support"
7	default y
8	select NET_INGRESS
9	help
10	  This allows you to classify packets from ingress using the Netfilter
11	  infrastructure.
12
13config NETFILTER_EGRESS
14	bool "Netfilter egress support"
15	default y
16	select NET_EGRESS
17	help
18	  This allows you to classify packets before transmission using the
19	  Netfilter infrastructure.
20
21config NETFILTER_SKIP_EGRESS
22	def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)
23
24config NETFILTER_NETLINK
25	tristate
26
27config NETFILTER_FAMILY_BRIDGE
28	bool
29
30config NETFILTER_FAMILY_ARP
31	bool
32
33config NETFILTER_NETLINK_HOOK
34	tristate "Netfilter base hook dump support"
35	depends on NETFILTER_ADVANCED
36	depends on NF_TABLES
37	select NETFILTER_NETLINK
38	help
39	  If this option is enabled, the kernel will include support
40	  to list the base netfilter hooks via NFNETLINK.
41	  This is helpful for debugging.
42
43config NETFILTER_NETLINK_ACCT
44	tristate "Netfilter NFACCT over NFNETLINK interface"
45	depends on NETFILTER_ADVANCED
46	select NETFILTER_NETLINK
47	help
48	  If this option is enabled, the kernel will include support
49	  for extended accounting via NFNETLINK.
50
51config NETFILTER_NETLINK_QUEUE
52	tristate "Netfilter NFQUEUE over NFNETLINK interface"
53	depends on NETFILTER_ADVANCED
54	select NETFILTER_NETLINK
55	help
56	  If this option is enabled, the kernel will include support
57	  for queueing packets via NFNETLINK.
58
59config NETFILTER_NETLINK_LOG
60	tristate "Netfilter LOG over NFNETLINK interface"
61	default m if NETFILTER_ADVANCED=n
62	select NETFILTER_NETLINK
63	help
64	  If this option is enabled, the kernel will include support
65	  for logging packets via NFNETLINK.
66
67	  This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
68	  and is also scheduled to replace the old syslog-based ipt_LOG
69	  and ip6t_LOG modules.
70
71config NETFILTER_NETLINK_OSF
72	tristate "Netfilter OSF over NFNETLINK interface"
73	depends on NETFILTER_ADVANCED
74	select NETFILTER_NETLINK
75	help
76	  If this option is enabled, the kernel will include support
77	  for passive OS fingerprint via NFNETLINK.
78
79config NF_CONNTRACK
80	tristate "Netfilter connection tracking support"
81	default m if NETFILTER_ADVANCED=n
82	select NF_DEFRAG_IPV4
83	select NF_DEFRAG_IPV6 if IPV6 != n
84	help
85	  Connection tracking keeps a record of what packets have passed
86	  through your machine, in order to figure out how they are related
87	  into connections.
88
89	  This is required to do Masquerading or other kinds of Network
90	  Address Translation.  It can also be used to enhance packet
91	  filtering (see `Connection state match support' below).
92
93	  To compile it as a module, choose M here.  If unsure, say N.
94
95config NF_LOG_SYSLOG
96	tristate "Syslog packet logging"
97	default m if NETFILTER_ADVANCED=n
98	help
99	  This option enable support for packet logging via syslog.
100	  It supports IPv4, IPV6, ARP and common transport protocols such
101	  as TCP and UDP.
102	  This is a simpler but less flexible logging method compared to
103	  CONFIG_NETFILTER_NETLINK_LOG.
104	  If both are enabled the backend to use can be configured at run-time
105	  by means of per-address-family sysctl tunables.
106
107if NF_CONNTRACK
108config NETFILTER_CONNCOUNT
109	tristate
110
111config NF_CONNTRACK_MARK
112	bool  'Connection mark tracking support'
113	depends on NETFILTER_ADVANCED
114	help
115	  This option enables support for connection marks, used by the
116	  `CONNMARK' target and `connmark' match. Similar to the mark value
117	  of packets, but this mark value is kept in the conntrack session
118	  instead of the individual packets.
119
120config NF_CONNTRACK_SECMARK
121	bool  'Connection tracking security mark support'
122	depends on NETWORK_SECMARK
123	default y if NETFILTER_ADVANCED=n
124	help
125	  This option enables security markings to be applied to
126	  connections.  Typically they are copied to connections from
127	  packets using the CONNSECMARK target and copied back from
128	  connections to packets with the same target, with the packets
129	  being originally labeled via SECMARK.
130
131	  If unsure, say 'N'.
132
133config NF_CONNTRACK_ZONES
134	bool  'Connection tracking zones'
135	depends on NETFILTER_ADVANCED
136	help
137	  This option enables support for connection tracking zones.
138	  Normally, each connection needs to have a unique system wide
139	  identity. Connection tracking zones allow to have multiple
140	  connections using the same identity, as long as they are
141	  contained in different zones.
142
143	  If unsure, say `N'.
144
145config NF_CONNTRACK_PROCFS
146	bool "Supply CT list in procfs (OBSOLETE)"
147	depends on PROC_FS
148	help
149	This option enables for the list of known conntrack entries
150	to be shown in procfs under net/netfilter/nf_conntrack. This
151	is considered obsolete in favor of using the conntrack(8)
152	tool which uses Netlink.
153
154config NF_CONNTRACK_EVENTS
155	bool "Connection tracking events"
156	depends on NETFILTER_ADVANCED
157	help
158	  If this option is enabled, the connection tracking code will
159	  provide a notifier chain that can be used by other kernel code
160	  to get notified about changes in the connection tracking state.
161
162	  If unsure, say `N'.
163
164config NF_CONNTRACK_TIMEOUT
165	bool  'Connection tracking timeout'
166	depends on NETFILTER_ADVANCED
167	help
168	  This option enables support for connection tracking timeout
169	  extension. This allows you to attach timeout policies to flow
170	  via the CT target.
171
172	  If unsure, say `N'.
173
174config NF_CONNTRACK_TIMESTAMP
175	bool  'Connection tracking timestamping'
176	depends on NETFILTER_ADVANCED
177	help
178	  This option enables support for connection tracking timestamping.
179	  This allows you to store the flow start-time and to obtain
180	  the flow-stop time (once it has been destroyed) via Connection
181	  tracking events.
182
183	  If unsure, say `N'.
184
185config NF_CONNTRACK_LABELS
186	bool "Connection tracking labels"
187	help
188	  This option enables support for assigning user-defined flag bits
189	  to connection tracking entries.  It can be used with xtables connlabel
190	  match and the nftables ct expression.
191
192config NF_CONNTRACK_OVS
193	bool
194
195config NF_CT_PROTO_DCCP
196	bool 'DCCP protocol connection tracking support'
197	depends on NETFILTER_ADVANCED
198	default y
199	help
200	  With this option enabled, the layer 3 independent connection
201	  tracking code will be able to do state tracking on DCCP connections.
202
203	  If unsure, say Y.
204
205config NF_CT_PROTO_GRE
206	bool
207
208config NF_CT_PROTO_SCTP
209	bool 'SCTP protocol connection tracking support'
210	depends on NETFILTER_ADVANCED
211	default y
212	select LIBCRC32C
213	help
214	  With this option enabled, the layer 3 independent connection
215	  tracking code will be able to do state tracking on SCTP connections.
216
217	  If unsure, say Y.
218
219config NF_CT_PROTO_UDPLITE
220	bool 'UDP-Lite protocol connection tracking support'
221	depends on NETFILTER_ADVANCED
222	default y
223	help
224	  With this option enabled, the layer 3 independent connection
225	  tracking code will be able to do state tracking on UDP-Lite
226	  connections.
227
228	  If unsure, say Y.
229
230config NF_CONNTRACK_AMANDA
231	tristate "Amanda backup protocol support"
232	depends on NETFILTER_ADVANCED
233	select TEXTSEARCH
234	select TEXTSEARCH_KMP
235	help
236	  If you are running the Amanda backup package <http://www.amanda.org/>
237	  on this machine or machines that will be MASQUERADED through this
238	  machine, then you may want to enable this feature.  This allows the
239	  connection tracking and natting code to allow the sub-channels that
240	  Amanda requires for communication of the backup data, messages and
241	  index.
242
243	  To compile it as a module, choose M here.  If unsure, say N.
244
245config NF_CONNTRACK_FTP
246	tristate "FTP protocol support"
247	default m if NETFILTER_ADVANCED=n
248	help
249	  Tracking FTP connections is problematic: special helpers are
250	  required for tracking them, and doing masquerading and other forms
251	  of Network Address Translation on them.
252
253	  This is FTP support on Layer 3 independent connection tracking.
254
255	  To compile it as a module, choose M here.  If unsure, say N.
256
257config NF_CONNTRACK_H323
258	tristate "H.323 protocol support"
259	depends on IPV6 || IPV6=n
260	depends on NETFILTER_ADVANCED
261	help
262	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
263	  important VoIP protocols, it is widely used by voice hardware and
264	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
265	  Gnomemeeting, etc.
266
267	  With this module you can support H.323 on a connection tracking/NAT
268	  firewall.
269
270	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
271	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
272	  whiteboard, file transfer, etc. For more information, please
273	  visit http://nath323.sourceforge.net/.
274
275	  To compile it as a module, choose M here.  If unsure, say N.
276
277config NF_CONNTRACK_IRC
278	tristate "IRC protocol support"
279	default m if NETFILTER_ADVANCED=n
280	help
281	  There is a commonly-used extension to IRC called
282	  Direct Client-to-Client Protocol (DCC).  This enables users to send
283	  files to each other, and also chat to each other without the need
284	  of a server.  DCC Sending is used anywhere you send files over IRC,
285	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
286	  using NAT, this extension will enable you to send files and initiate
287	  chats.  Note that you do NOT need this extension to get files or
288	  have others initiate chats, or everything else in IRC.
289
290	  To compile it as a module, choose M here.  If unsure, say N.
291
292config NF_CONNTRACK_BROADCAST
293	tristate
294
295config NF_CONNTRACK_NETBIOS_NS
296	tristate "NetBIOS name service protocol support"
297	select NF_CONNTRACK_BROADCAST
298	help
299	  NetBIOS name service requests are sent as broadcast messages from an
300	  unprivileged port and responded to with unicast messages to the
301	  same port. This make them hard to firewall properly because connection
302	  tracking doesn't deal with broadcasts. This helper tracks locally
303	  originating NetBIOS name service requests and the corresponding
304	  responses. It relies on correct IP address configuration, specifically
305	  netmask and broadcast address. When properly configured, the output
306	  of "ip address show" should look similar to this:
307
308	  $ ip -4 address show eth0
309	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
310	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
311
312	  To compile it as a module, choose M here.  If unsure, say N.
313
314config NF_CONNTRACK_SNMP
315	tristate "SNMP service protocol support"
316	depends on NETFILTER_ADVANCED
317	select NF_CONNTRACK_BROADCAST
318	help
319	  SNMP service requests are sent as broadcast messages from an
320	  unprivileged port and responded to with unicast messages to the
321	  same port. This make them hard to firewall properly because connection
322	  tracking doesn't deal with broadcasts. This helper tracks locally
323	  originating SNMP service requests and the corresponding
324	  responses. It relies on correct IP address configuration, specifically
325	  netmask and broadcast address.
326
327	  To compile it as a module, choose M here.  If unsure, say N.
328
329config NF_CONNTRACK_PPTP
330	tristate "PPtP protocol support"
331	depends on NETFILTER_ADVANCED
332	select NF_CT_PROTO_GRE
333	help
334	  This module adds support for PPTP (Point to Point Tunnelling
335	  Protocol, RFC2637) connection tracking and NAT.
336
337	  If you are running PPTP sessions over a stateful firewall or NAT
338	  box, you may want to enable this feature.
339
340	  Please note that not all PPTP modes of operation are supported yet.
341	  Specifically these limitations exist:
342	    - Blindly assumes that control connections are always established
343	      in PNS->PAC direction. This is a violation of RFC2637.
344	    - Only supports a single call within each session
345
346	  To compile it as a module, choose M here.  If unsure, say N.
347
348config NF_CONNTRACK_SANE
349	tristate "SANE protocol support"
350	depends on NETFILTER_ADVANCED
351	help
352	  SANE is a protocol for remote access to scanners as implemented
353	  by the 'saned' daemon. Like FTP, it uses separate control and
354	  data connections.
355
356	  With this module you can support SANE on a connection tracking
357	  firewall.
358
359	  To compile it as a module, choose M here.  If unsure, say N.
360
361config NF_CONNTRACK_SIP
362	tristate "SIP protocol support"
363	default m if NETFILTER_ADVANCED=n
364	help
365	  SIP is an application-layer control protocol that can establish,
366	  modify, and terminate multimedia sessions (conferences) such as
367	  Internet telephony calls. With the nf_conntrack_sip and
368	  the nf_nat_sip modules you can support the protocol on a connection
369	  tracking/NATing firewall.
370
371	  To compile it as a module, choose M here.  If unsure, say N.
372
373config NF_CONNTRACK_TFTP
374	tristate "TFTP protocol support"
375	depends on NETFILTER_ADVANCED
376	help
377	  TFTP connection tracking helper, this is required depending
378	  on how restrictive your ruleset is.
379	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
380	  you will need this.
381
382	  To compile it as a module, choose M here.  If unsure, say N.
383
384config NF_CT_NETLINK
385	tristate 'Connection tracking netlink interface'
386	select NETFILTER_NETLINK
387	default m if NETFILTER_ADVANCED=n
388	help
389	  This option enables support for a netlink-based userspace interface
390
391config NF_CT_NETLINK_TIMEOUT
392	tristate  'Connection tracking timeout tuning via Netlink'
393	select NETFILTER_NETLINK
394	depends on NETFILTER_ADVANCED
395	depends on NF_CONNTRACK_TIMEOUT
396	help
397	  This option enables support for connection tracking timeout
398	  fine-grain tuning. This allows you to attach specific timeout
399	  policies to flows, instead of using the global timeout policy.
400
401	  If unsure, say `N'.
402
403config NF_CT_NETLINK_HELPER
404	tristate 'Connection tracking helpers in user-space via Netlink'
405	select NETFILTER_NETLINK
406	depends on NF_CT_NETLINK
407	depends on NETFILTER_NETLINK_QUEUE
408	depends on NETFILTER_NETLINK_GLUE_CT
409	depends on NETFILTER_ADVANCED
410	help
411	  This option enables the user-space connection tracking helpers
412	  infrastructure.
413
414	  If unsure, say `N'.
415
416config NETFILTER_NETLINK_GLUE_CT
417	bool "NFQUEUE and NFLOG integration with Connection Tracking"
418	default n
419	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
420	help
421	  If this option is enabled, NFQUEUE and NFLOG can include
422	  Connection Tracking information together with the packet is
423	  the enqueued via NFNETLINK.
424
425config NF_NAT
426	tristate "Network Address Translation support"
427	depends on NF_CONNTRACK
428	default m if NETFILTER_ADVANCED=n
429	help
430	  The NAT option allows masquerading, port forwarding and other
431	  forms of full Network Address Port Translation. This can be
432	  controlled by iptables, ip6tables or nft.
433
434config NF_NAT_AMANDA
435	tristate
436	depends on NF_CONNTRACK && NF_NAT
437	default NF_NAT && NF_CONNTRACK_AMANDA
438
439config NF_NAT_FTP
440	tristate
441	depends on NF_CONNTRACK && NF_NAT
442	default NF_NAT && NF_CONNTRACK_FTP
443
444config NF_NAT_IRC
445	tristate
446	depends on NF_CONNTRACK && NF_NAT
447	default NF_NAT && NF_CONNTRACK_IRC
448
449config NF_NAT_SIP
450	tristate
451	depends on NF_CONNTRACK && NF_NAT
452	default NF_NAT && NF_CONNTRACK_SIP
453
454config NF_NAT_TFTP
455	tristate
456	depends on NF_CONNTRACK && NF_NAT
457	default NF_NAT && NF_CONNTRACK_TFTP
458
459config NF_NAT_REDIRECT
460	bool
461
462config NF_NAT_MASQUERADE
463	bool
464
465config NF_NAT_OVS
466	bool
467
468config NETFILTER_SYNPROXY
469	tristate
470
471endif # NF_CONNTRACK
472
473config NF_TABLES
474	select NETFILTER_NETLINK
475	select LIBCRC32C
476	tristate "Netfilter nf_tables support"
477	help
478	  nftables is the new packet classification framework that intends to
479	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
480	  provides a pseudo-state machine with an extensible instruction-set
481	  (also known as expressions) that the userspace 'nft' utility
482	  (https://www.netfilter.org/projects/nftables) uses to build the
483	  rule-set. It also comes with the generic set infrastructure that
484	  allows you to construct mappings between matchings and actions
485	  for performance lookups.
486
487	  To compile it as a module, choose M here.
488
489if NF_TABLES
490config NF_TABLES_INET
491	depends on IPV6
492	select NF_TABLES_IPV4
493	select NF_TABLES_IPV6
494	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
495	help
496	  This option enables support for a mixed IPv4/IPv6 "inet" table.
497
498config NF_TABLES_NETDEV
499	bool "Netfilter nf_tables netdev tables support"
500	help
501	  This option enables support for the "netdev" table.
502
503config NFT_NUMGEN
504	tristate "Netfilter nf_tables number generator module"
505	help
506	  This option adds the number generator expression used to perform
507	  incremental counting and random numbers bound to a upper limit.
508
509config NFT_CT
510	depends on NF_CONNTRACK
511	tristate "Netfilter nf_tables conntrack module"
512	help
513	  This option adds the "ct" expression that you can use to match
514	  connection tracking information such as the flow state.
515
516config NFT_FLOW_OFFLOAD
517	depends on NF_CONNTRACK && NF_FLOW_TABLE
518	tristate "Netfilter nf_tables hardware flow offload module"
519	help
520	  This option adds the "flow_offload" expression that you can use to
521	  choose what flows are placed into the hardware.
522
523config NFT_CONNLIMIT
524	tristate "Netfilter nf_tables connlimit module"
525	depends on NF_CONNTRACK
526	depends on NETFILTER_ADVANCED
527	select NETFILTER_CONNCOUNT
528	help
529	  This option adds the "connlimit" expression that you can use to
530	  ratelimit rule matchings per connections.
531
532config NFT_LOG
533	tristate "Netfilter nf_tables log module"
534	help
535	  This option adds the "log" expression that you can use to log
536	  packets matching some criteria.
537
538config NFT_LIMIT
539	tristate "Netfilter nf_tables limit module"
540	help
541	  This option adds the "limit" expression that you can use to
542	  ratelimit rule matchings.
543
544config NFT_MASQ
545	depends on NF_CONNTRACK
546	depends on NF_NAT
547	select NF_NAT_MASQUERADE
548	tristate "Netfilter nf_tables masquerade support"
549	help
550	  This option adds the "masquerade" expression that you can use
551	  to perform NAT in the masquerade flavour.
552
553config NFT_REDIR
554	depends on NF_CONNTRACK
555	depends on NF_NAT
556	tristate "Netfilter nf_tables redirect support"
557	select NF_NAT_REDIRECT
558	help
559	  This options adds the "redirect" expression that you can use
560	  to perform NAT in the redirect flavour.
561
562config NFT_NAT
563	depends on NF_CONNTRACK
564	select NF_NAT
565	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
566	tristate "Netfilter nf_tables nat module"
567	help
568	  This option adds the "nat" expression that you can use to perform
569	  typical Network Address Translation (NAT) packet transformations.
570
571config NFT_TUNNEL
572	tristate "Netfilter nf_tables tunnel module"
573	help
574	  This option adds the "tunnel" expression that you can use to set
575	  tunneling policies.
576
577config NFT_QUEUE
578	depends on NETFILTER_NETLINK_QUEUE
579	tristate "Netfilter nf_tables queue module"
580	help
581	  This is required if you intend to use the userspace queueing
582	  infrastructure (also known as NFQUEUE) from nftables.
583
584config NFT_QUOTA
585	tristate "Netfilter nf_tables quota module"
586	help
587	  This option adds the "quota" expression that you can use to match
588	  enforce bytes quotas.
589
590config NFT_REJECT
591	default m if NETFILTER_ADVANCED=n
592	tristate "Netfilter nf_tables reject support"
593	depends on !NF_TABLES_INET || (IPV6!=m || m)
594	help
595	  This option adds the "reject" expression that you can use to
596	  explicitly deny and notify via TCP reset/ICMP informational errors
597	  unallowed traffic.
598
599config NFT_REJECT_INET
600	depends on NF_TABLES_INET
601	default NFT_REJECT
602	tristate
603
604config NFT_COMPAT
605	depends on NETFILTER_XTABLES
606	tristate "Netfilter x_tables over nf_tables module"
607	help
608	  This is required if you intend to use any of existing
609	  x_tables match/target extensions over the nf_tables
610	  framework.
611
612config NFT_HASH
613	tristate "Netfilter nf_tables hash module"
614	help
615	  This option adds the "hash" expression that you can use to perform
616	  a hash operation on registers.
617
618config NFT_FIB
619	tristate
620
621config NFT_FIB_INET
622	depends on NF_TABLES_INET
623	depends on NFT_FIB_IPV4
624	depends on NFT_FIB_IPV6
625	tristate "Netfilter nf_tables fib inet support"
626	help
627	  This option allows using the FIB expression from the inet table.
628	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
629	  on the protocol of the packet.
630
631config NFT_XFRM
632	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
633	depends on XFRM
634	help
635	  This option adds an expression that you can use to extract properties
636	  of a packets security association.
637
638config NFT_SOCKET
639	tristate "Netfilter nf_tables socket match support"
640	depends on IPV6 || IPV6=n
641	select NF_SOCKET_IPV4
642	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
643	help
644	  This option allows matching for the presence or absence of a
645	  corresponding socket and its attributes.
646
647config NFT_OSF
648	tristate "Netfilter nf_tables passive OS fingerprint support"
649	depends on NETFILTER_ADVANCED
650	select NETFILTER_NETLINK_OSF
651	help
652	  This option allows matching packets from an specific OS.
653
654config NFT_TPROXY
655	tristate "Netfilter nf_tables tproxy support"
656	depends on IPV6 || IPV6=n
657	select NF_DEFRAG_IPV4
658	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
659	select NF_TPROXY_IPV4
660	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
661	help
662	  This makes transparent proxy support available in nftables.
663
664config NFT_SYNPROXY
665	tristate "Netfilter nf_tables SYNPROXY expression support"
666	depends on NF_CONNTRACK && NETFILTER_ADVANCED
667	select NETFILTER_SYNPROXY
668	select SYN_COOKIES
669	help
670	  The SYNPROXY expression allows you to intercept TCP connections and
671	  establish them using syncookies before they are passed on to the
672	  server. This allows to avoid conntrack and server resource usage
673	  during SYN-flood attacks.
674
675if NF_TABLES_NETDEV
676
677config NF_DUP_NETDEV
678	tristate "Netfilter packet duplication support"
679	help
680	  This option enables the generic packet duplication infrastructure
681	  for Netfilter.
682
683config NFT_DUP_NETDEV
684	tristate "Netfilter nf_tables netdev packet duplication support"
685	select NF_DUP_NETDEV
686	help
687	  This option enables packet duplication for the "netdev" family.
688
689config NFT_FWD_NETDEV
690	tristate "Netfilter nf_tables netdev packet forwarding support"
691	select NF_DUP_NETDEV
692	help
693	  This option enables packet forwarding for the "netdev" family.
694
695config NFT_FIB_NETDEV
696	depends on NFT_FIB_IPV4
697	depends on NFT_FIB_IPV6
698	tristate "Netfilter nf_tables netdev fib lookups support"
699	help
700	  This option allows using the FIB expression from the netdev table.
701	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
702	  on the protocol of the packet.
703
704config NFT_REJECT_NETDEV
705	depends on NFT_REJECT_IPV4
706	depends on NFT_REJECT_IPV6
707	tristate "Netfilter nf_tables netdev REJECT support"
708	help
709	  This option enables the REJECT support from the netdev table.
710	  The return packet generation will be delegated to the IPv4
711	  or IPv6 ICMP or TCP RST implementation depending on the
712	  protocol of the packet.
713
714endif # NF_TABLES_NETDEV
715
716endif # NF_TABLES
717
718config NF_FLOW_TABLE_INET
719	tristate "Netfilter flow table mixed IPv4/IPv6 module"
720	depends on NF_FLOW_TABLE
721	help
722	  This option adds the flow table mixed IPv4/IPv6 support.
723
724	  To compile it as a module, choose M here.
725
726config NF_FLOW_TABLE
727	tristate "Netfilter flow table module"
728	depends on NETFILTER_INGRESS
729	depends on NF_CONNTRACK
730	depends on NF_TABLES
731	help
732	  This option adds the flow table core infrastructure.
733
734	  To compile it as a module, choose M here.
735
736config NF_FLOW_TABLE_PROCFS
737	bool "Supply flow table statistics in procfs"
738	depends on NF_FLOW_TABLE
739	depends on PROC_FS
740	help
741	  This option enables for the flow table offload statistics
742	  to be shown in procfs under net/netfilter/nf_flowtable.
743
744config NETFILTER_XTABLES
745	tristate "Netfilter Xtables support (required for ip_tables)"
746	default m if NETFILTER_ADVANCED=n
747	help
748	  This is required if you intend to use any of ip_tables,
749	  ip6_tables or arp_tables.
750
751if NETFILTER_XTABLES
752
753config NETFILTER_XTABLES_COMPAT
754	bool "Netfilter Xtables 32bit support"
755	depends on COMPAT
756	default y
757	help
758	   This option provides a translation layer to run 32bit arp,ip(6),ebtables
759	   binaries on 64bit kernels.
760
761	   If unsure, say N.
762
763comment "Xtables combined modules"
764
765config NETFILTER_XT_MARK
766	tristate 'nfmark target and match support'
767	default m if NETFILTER_ADVANCED=n
768	help
769	This option adds the "MARK" target and "mark" match.
770
771	Netfilter mark matching allows you to match packets based on the
772	"nfmark" value in the packet.
773	The target allows you to create rules in the "mangle" table which alter
774	the netfilter mark (nfmark) field associated with the packet.
775
776	Prior to routing, the nfmark can influence the routing method and can
777	also be used by other subsystems to change their behavior.
778
779config NETFILTER_XT_CONNMARK
780	tristate 'ctmark target and match support'
781	depends on NF_CONNTRACK
782	depends on NETFILTER_ADVANCED
783	select NF_CONNTRACK_MARK
784	help
785	This option adds the "CONNMARK" target and "connmark" match.
786
787	Netfilter allows you to store a mark value per connection (a.k.a.
788	ctmark), similarly to the packet mark (nfmark). Using this
789	target and match, you can set and match on this mark.
790
791config NETFILTER_XT_SET
792	tristate 'set target and match support'
793	depends on IP_SET
794	depends on NETFILTER_ADVANCED
795	help
796	  This option adds the "SET" target and "set" match.
797
798	  Using this target and match, you can add/delete and match
799	  elements in the sets created by ipset(8).
800
801	  To compile it as a module, choose M here.  If unsure, say N.
802
803# alphabetically ordered list of targets
804
805comment "Xtables targets"
806
807config NETFILTER_XT_TARGET_AUDIT
808	tristate "AUDIT target support"
809	depends on AUDIT
810	depends on NETFILTER_ADVANCED
811	help
812	  This option adds a 'AUDIT' target, which can be used to create
813	  audit records for packets dropped/accepted.
814
815	  To compileit as a module, choose M here. If unsure, say N.
816
817config NETFILTER_XT_TARGET_CHECKSUM
818	tristate "CHECKSUM target support"
819	depends on IP_NF_MANGLE || IP6_NF_MANGLE
820	depends on NETFILTER_ADVANCED
821	help
822	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
823	  table to work around buggy DHCP clients in virtualized environments.
824
825	  Some old DHCP clients drop packets because they are not aware
826	  that the checksum would normally be offloaded to hardware and
827	  thus should be considered valid.
828	  This target can be used to fill in the checksum using iptables
829	  when such packets are sent via a virtual network device.
830
831	  To compile it as a module, choose M here.  If unsure, say N.
832
833config NETFILTER_XT_TARGET_CLASSIFY
834	tristate '"CLASSIFY" target support'
835	depends on NETFILTER_ADVANCED
836	help
837	  This option adds a `CLASSIFY' target, which enables the user to set
838	  the priority of a packet. Some qdiscs can use this value for
839	  classification, among these are:
840
841	  atm, cbq, dsmark, pfifo_fast, htb, prio
842
843	  To compile it as a module, choose M here.  If unsure, say N.
844
845config NETFILTER_XT_TARGET_CONNMARK
846	tristate  '"CONNMARK" target support'
847	depends on NF_CONNTRACK
848	depends on NETFILTER_ADVANCED
849	select NETFILTER_XT_CONNMARK
850	help
851	This is a backwards-compat option for the user's convenience
852	(e.g. when running oldconfig). It selects
853	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
854
855config NETFILTER_XT_TARGET_CONNSECMARK
856	tristate '"CONNSECMARK" target support'
857	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
858	default m if NETFILTER_ADVANCED=n
859	help
860	  The CONNSECMARK target copies security markings from packets
861	  to connections, and restores security markings from connections
862	  to packets (if the packets are not already marked).  This would
863	  normally be used in conjunction with the SECMARK target.
864
865	  To compile it as a module, choose M here.  If unsure, say N.
866
867config NETFILTER_XT_TARGET_CT
868	tristate '"CT" target support'
869	depends on NF_CONNTRACK
870	depends on IP_NF_RAW || IP6_NF_RAW
871	depends on NETFILTER_ADVANCED
872	help
873	  This options adds a `CT' target, which allows to specify initial
874	  connection tracking parameters like events to be delivered and
875	  the helper to be used.
876
877	  To compile it as a module, choose M here.  If unsure, say N.
878
879config NETFILTER_XT_TARGET_DSCP
880	tristate '"DSCP" and "TOS" target support'
881	depends on IP_NF_MANGLE || IP6_NF_MANGLE
882	depends on NETFILTER_ADVANCED
883	help
884	  This option adds a `DSCP' target, which allows you to manipulate
885	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
886
887	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
888
889	  It also adds the "TOS" target, which allows you to create rules in
890	  the "mangle" table which alter the Type Of Service field of an IPv4
891	  or the Priority field of an IPv6 packet, prior to routing.
892
893	  To compile it as a module, choose M here.  If unsure, say N.
894
895config NETFILTER_XT_TARGET_HL
896	tristate '"HL" hoplimit target support'
897	depends on IP_NF_MANGLE || IP6_NF_MANGLE
898	depends on NETFILTER_ADVANCED
899	help
900	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
901	targets, which enable the user to change the
902	hoplimit/time-to-live value of the IP header.
903
904	While it is safe to decrement the hoplimit/TTL value, the
905	modules also allow to increment and set the hoplimit value of
906	the header to arbitrary values. This is EXTREMELY DANGEROUS
907	since you can easily create immortal packets that loop
908	forever on the network.
909
910config NETFILTER_XT_TARGET_HMARK
911	tristate '"HMARK" target support'
912	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
913	depends on NETFILTER_ADVANCED
914	help
915	This option adds the "HMARK" target.
916
917	The target allows you to create rules in the "raw" and "mangle" tables
918	which set the skbuff mark by means of hash calculation within a given
919	range. The nfmark can influence the routing method and can also be used
920	by other subsystems to change their behaviour.
921
922	To compile it as a module, choose M here. If unsure, say N.
923
924config NETFILTER_XT_TARGET_IDLETIMER
925	tristate  "IDLETIMER target support"
926	depends on NETFILTER_ADVANCED
927	help
928
929	  This option adds the `IDLETIMER' target.  Each matching packet
930	  resets the timer associated with label specified when the rule is
931	  added.  When the timer expires, it triggers a sysfs notification.
932	  The remaining time for expiration can be read via sysfs.
933
934	  To compile it as a module, choose M here.  If unsure, say N.
935
936config NETFILTER_XT_TARGET_LED
937	tristate '"LED" target support'
938	depends on LEDS_CLASS && LEDS_TRIGGERS
939	depends on NETFILTER_ADVANCED
940	help
941	  This option adds a `LED' target, which allows you to blink LEDs in
942	  response to particular packets passing through your machine.
943
944	  This can be used to turn a spare LED into a network activity LED,
945	  which only flashes in response to FTP transfers, for example.  Or
946	  you could have an LED which lights up for a minute or two every time
947	  somebody connects to your machine via SSH.
948
949	  You will need support for the "led" class to make this work.
950
951	  To create an LED trigger for incoming SSH traffic:
952	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
953
954	  Then attach the new trigger to an LED on your system:
955	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
956
957	  For more information on the LEDs available on your system, see
958	  Documentation/leds/leds-class.rst
959
960config NETFILTER_XT_TARGET_LOG
961	tristate "LOG target support"
962	select NF_LOG_SYSLOG
963	select NF_LOG_IPV6 if IP6_NF_IPTABLES
964	default m if NETFILTER_ADVANCED=n
965	help
966	  This option adds a `LOG' target, which allows you to create rules in
967	  any iptables table which records the packet header to the syslog.
968
969	  To compile it as a module, choose M here.  If unsure, say N.
970
971config NETFILTER_XT_TARGET_MARK
972	tristate '"MARK" target support'
973	depends on NETFILTER_ADVANCED
974	select NETFILTER_XT_MARK
975	help
976	This is a backwards-compat option for the user's convenience
977	(e.g. when running oldconfig). It selects
978	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
979
980config NETFILTER_XT_NAT
981	tristate '"SNAT and DNAT" targets support'
982	depends on NF_NAT
983	help
984	This option enables the SNAT and DNAT targets.
985
986	To compile it as a module, choose M here. If unsure, say N.
987
988config NETFILTER_XT_TARGET_NETMAP
989	tristate '"NETMAP" target support'
990	depends on NF_NAT
991	help
992	NETMAP is an implementation of static 1:1 NAT mapping of network
993	addresses. It maps the network address part, while keeping the host
994	address part intact.
995
996	To compile it as a module, choose M here. If unsure, say N.
997
998config NETFILTER_XT_TARGET_NFLOG
999	tristate '"NFLOG" target support'
1000	default m if NETFILTER_ADVANCED=n
1001	select NETFILTER_NETLINK_LOG
1002	help
1003	  This option enables the NFLOG target, which allows to LOG
1004	  messages through nfnetlink_log.
1005
1006	  To compile it as a module, choose M here.  If unsure, say N.
1007
1008config NETFILTER_XT_TARGET_NFQUEUE
1009	tristate '"NFQUEUE" target Support'
1010	depends on NETFILTER_ADVANCED
1011	select NETFILTER_NETLINK_QUEUE
1012	help
1013	  This target replaced the old obsolete QUEUE target.
1014
1015	  As opposed to QUEUE, it supports 65535 different queues,
1016	  not just one.
1017
1018	  To compile it as a module, choose M here.  If unsure, say N.
1019
1020config NETFILTER_XT_TARGET_NOTRACK
1021	tristate  '"NOTRACK" target support (DEPRECATED)'
1022	depends on NF_CONNTRACK
1023	depends on IP_NF_RAW || IP6_NF_RAW
1024	depends on NETFILTER_ADVANCED
1025	select NETFILTER_XT_TARGET_CT
1026
1027config NETFILTER_XT_TARGET_RATEEST
1028	tristate '"RATEEST" target support'
1029	depends on NETFILTER_ADVANCED
1030	help
1031	  This option adds a `RATEEST' target, which allows to measure
1032	  rates similar to TC estimators. The `rateest' match can be
1033	  used to match on the measured rates.
1034
1035	  To compile it as a module, choose M here.  If unsure, say N.
1036
1037config NETFILTER_XT_TARGET_REDIRECT
1038	tristate "REDIRECT target support"
1039	depends on NF_NAT
1040	select NF_NAT_REDIRECT
1041	help
1042	REDIRECT is a special case of NAT: all incoming connections are
1043	mapped onto the incoming interface's address, causing the packets to
1044	come to the local machine instead of passing through. This is
1045	useful for transparent proxies.
1046
1047	To compile it as a module, choose M here. If unsure, say N.
1048
1049config NETFILTER_XT_TARGET_MASQUERADE
1050	tristate "MASQUERADE target support"
1051	depends on NF_NAT
1052	default m if NETFILTER_ADVANCED=n
1053	select NF_NAT_MASQUERADE
1054	help
1055	  Masquerading is a special case of NAT: all outgoing connections are
1056	  changed to seem to come from a particular interface's address, and
1057	  if the interface goes down, those connections are lost.  This is
1058	  only useful for dialup accounts with dynamic IP address (ie. your IP
1059	  address will be different on next dialup).
1060
1061	  To compile it as a module, choose M here.  If unsure, say N.
1062
1063config NETFILTER_XT_TARGET_TEE
1064	tristate '"TEE" - packet cloning to alternate destination'
1065	depends on NETFILTER_ADVANCED
1066	depends on IPV6 || IPV6=n
1067	depends on !NF_CONNTRACK || NF_CONNTRACK
1068	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1069	select NF_DUP_IPV4
1070	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1071	help
1072	This option adds a "TEE" target with which a packet can be cloned and
1073	this clone be rerouted to another nexthop.
1074
1075config NETFILTER_XT_TARGET_TPROXY
1076	tristate '"TPROXY" target transparent proxying support'
1077	depends on NETFILTER_XTABLES
1078	depends on NETFILTER_ADVANCED
1079	depends on IPV6 || IPV6=n
1080	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1081	depends on IP_NF_MANGLE
1082	select NF_DEFRAG_IPV4
1083	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1084	select NF_TPROXY_IPV4
1085	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1086	help
1087	  This option adds a `TPROXY' target, which is somewhat similar to
1088	  REDIRECT.  It can only be used in the mangle table and is useful
1089	  to redirect traffic to a transparent proxy.  It does _not_ depend
1090	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1091	  For it to work you will have to configure certain iptables rules
1092	  and use policy routing. For more information on how to set it up
1093	  see Documentation/networking/tproxy.rst.
1094
1095	  To compile it as a module, choose M here.  If unsure, say N.
1096
1097config NETFILTER_XT_TARGET_TRACE
1098	tristate  '"TRACE" target support'
1099	depends on IP_NF_RAW || IP6_NF_RAW
1100	depends on NETFILTER_ADVANCED
1101	help
1102	  The TRACE target allows you to mark packets so that the kernel
1103	  will log every rule which match the packets as those traverse
1104	  the tables, chains, rules.
1105
1106	  If you want to compile it as a module, say M here and read
1107	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1108
1109config NETFILTER_XT_TARGET_SECMARK
1110	tristate '"SECMARK" target support'
1111	depends on NETWORK_SECMARK
1112	default m if NETFILTER_ADVANCED=n
1113	help
1114	  The SECMARK target allows security marking of network
1115	  packets, for use with security subsystems.
1116
1117	  To compile it as a module, choose M here.  If unsure, say N.
1118
1119config NETFILTER_XT_TARGET_TCPMSS
1120	tristate '"TCPMSS" target support'
1121	depends on IPV6 || IPV6=n
1122	default m if NETFILTER_ADVANCED=n
1123	help
1124	  This option adds a `TCPMSS' target, which allows you to alter the
1125	  MSS value of TCP SYN packets, to control the maximum size for that
1126	  connection (usually limiting it to your outgoing interface's MTU
1127	  minus 40).
1128
1129	  This is used to overcome criminally braindead ISPs or servers which
1130	  block ICMP Fragmentation Needed packets.  The symptoms of this
1131	  problem are that everything works fine from your Linux
1132	  firewall/router, but machines behind it can never exchange large
1133	  packets:
1134	        1) Web browsers connect, then hang with no data received.
1135	        2) Small mail works fine, but large emails hang.
1136	        3) ssh works fine, but scp hangs after initial handshaking.
1137
1138	  Workaround: activate this option and add a rule to your firewall
1139	  configuration like:
1140
1141	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1142	                 -j TCPMSS --clamp-mss-to-pmtu
1143
1144	  To compile it as a module, choose M here.  If unsure, say N.
1145
1146config NETFILTER_XT_TARGET_TCPOPTSTRIP
1147	tristate '"TCPOPTSTRIP" target support'
1148	depends on IP_NF_MANGLE || IP6_NF_MANGLE
1149	depends on NETFILTER_ADVANCED
1150	help
1151	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1152	  TCP options from TCP packets.
1153
1154# alphabetically ordered list of matches
1155
1156comment "Xtables matches"
1157
1158config NETFILTER_XT_MATCH_ADDRTYPE
1159	tristate '"addrtype" address type match support'
1160	default m if NETFILTER_ADVANCED=n
1161	help
1162	  This option allows you to match what routing thinks of an address,
1163	  eg. UNICAST, LOCAL, BROADCAST, ...
1164
1165	  If you want to compile it as a module, say M here and read
1166	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1167
1168config NETFILTER_XT_MATCH_BPF
1169	tristate '"bpf" match support'
1170	depends on NETFILTER_ADVANCED
1171	help
1172	  BPF matching applies a linux socket filter to each packet and
1173	  accepts those for which the filter returns non-zero.
1174
1175	  To compile it as a module, choose M here.  If unsure, say N.
1176
1177config NETFILTER_XT_MATCH_CGROUP
1178	tristate '"control group" match support'
1179	depends on NETFILTER_ADVANCED
1180	depends on CGROUPS
1181	select CGROUP_NET_CLASSID
1182	help
1183	Socket/process control group matching allows you to match locally
1184	generated packets based on which net_cls control group processes
1185	belong to.
1186
1187config NETFILTER_XT_MATCH_CLUSTER
1188	tristate '"cluster" match support'
1189	depends on NF_CONNTRACK
1190	depends on NETFILTER_ADVANCED
1191	help
1192	  This option allows you to build work-load-sharing clusters of
1193	  network servers/stateful firewalls without having a dedicated
1194	  load-balancing router/server/switch. Basically, this match returns
1195	  true when the packet must be handled by this cluster node. Thus,
1196	  all nodes see all packets and this match decides which node handles
1197	  what packets. The work-load sharing algorithm is based on source
1198	  address hashing.
1199
1200	  If you say Y or M here, try `iptables -m cluster --help` for
1201	  more information.
1202
1203config NETFILTER_XT_MATCH_COMMENT
1204	tristate  '"comment" match support'
1205	depends on NETFILTER_ADVANCED
1206	help
1207	  This option adds a `comment' dummy-match, which allows you to put
1208	  comments in your iptables ruleset.
1209
1210	  If you want to compile it as a module, say M here and read
1211	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1212
1213config NETFILTER_XT_MATCH_CONNBYTES
1214	tristate  '"connbytes" per-connection counter match support'
1215	depends on NF_CONNTRACK
1216	depends on NETFILTER_ADVANCED
1217	help
1218	  This option adds a `connbytes' match, which allows you to match the
1219	  number of bytes and/or packets for each direction within a connection.
1220
1221	  If you want to compile it as a module, say M here and read
1222	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1223
1224config NETFILTER_XT_MATCH_CONNLABEL
1225	tristate '"connlabel" match support'
1226	select NF_CONNTRACK_LABELS
1227	depends on NF_CONNTRACK
1228	depends on NETFILTER_ADVANCED
1229	help
1230	  This match allows you to test and assign userspace-defined labels names
1231	  to a connection.  The kernel only stores bit values - mapping
1232	  names to bits is done by userspace.
1233
1234	  Unlike connmark, more than 32 flag bits may be assigned to a
1235	  connection simultaneously.
1236
1237config NETFILTER_XT_MATCH_CONNLIMIT
1238	tristate '"connlimit" match support'
1239	depends on NF_CONNTRACK
1240	depends on NETFILTER_ADVANCED
1241	select NETFILTER_CONNCOUNT
1242	help
1243	  This match allows you to match against the number of parallel
1244	  connections to a server per client IP address (or address block).
1245
1246config NETFILTER_XT_MATCH_CONNMARK
1247	tristate  '"connmark" connection mark match support'
1248	depends on NF_CONNTRACK
1249	depends on NETFILTER_ADVANCED
1250	select NETFILTER_XT_CONNMARK
1251	help
1252	This is a backwards-compat option for the user's convenience
1253	(e.g. when running oldconfig). It selects
1254	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1255
1256config NETFILTER_XT_MATCH_CONNTRACK
1257	tristate '"conntrack" connection tracking match support'
1258	depends on NF_CONNTRACK
1259	default m if NETFILTER_ADVANCED=n
1260	help
1261	  This is a general conntrack match module, a superset of the state match.
1262
1263	  It allows matching on additional conntrack information, which is
1264	  useful in complex configurations, such as NAT gateways with multiple
1265	  internet links or tunnels.
1266
1267	  To compile it as a module, choose M here.  If unsure, say N.
1268
1269config NETFILTER_XT_MATCH_CPU
1270	tristate '"cpu" match support'
1271	depends on NETFILTER_ADVANCED
1272	help
1273	  CPU matching allows you to match packets based on the CPU
1274	  currently handling the packet.
1275
1276	  To compile it as a module, choose M here.  If unsure, say N.
1277
1278config NETFILTER_XT_MATCH_DCCP
1279	tristate '"dccp" protocol match support'
1280	depends on NETFILTER_ADVANCED
1281	default IP_DCCP
1282	help
1283	  With this option enabled, you will be able to use the iptables
1284	  `dccp' match in order to match on DCCP source/destination ports
1285	  and DCCP flags.
1286
1287	  If you want to compile it as a module, say M here and read
1288	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1289
1290config NETFILTER_XT_MATCH_DEVGROUP
1291	tristate '"devgroup" match support'
1292	depends on NETFILTER_ADVANCED
1293	help
1294	  This options adds a `devgroup' match, which allows to match on the
1295	  device group a network device is assigned to.
1296
1297	  To compile it as a module, choose M here.  If unsure, say N.
1298
1299config NETFILTER_XT_MATCH_DSCP
1300	tristate '"dscp" and "tos" match support'
1301	depends on NETFILTER_ADVANCED
1302	help
1303	  This option adds a `DSCP' match, which allows you to match against
1304	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1305
1306	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1307
1308	  It will also add a "tos" match, which allows you to match packets
1309	  based on the Type Of Service fields of the IPv4 packet (which share
1310	  the same bits as DSCP).
1311
1312	  To compile it as a module, choose M here.  If unsure, say N.
1313
1314config NETFILTER_XT_MATCH_ECN
1315	tristate '"ecn" match support'
1316	depends on NETFILTER_ADVANCED
1317	help
1318	This option adds an "ECN" match, which allows you to match against
1319	the IPv4 and TCP header ECN fields.
1320
1321	To compile it as a module, choose M here. If unsure, say N.
1322
1323config NETFILTER_XT_MATCH_ESP
1324	tristate '"esp" match support'
1325	depends on NETFILTER_ADVANCED
1326	help
1327	  This match extension allows you to match a range of SPIs
1328	  inside ESP header of IPSec packets.
1329
1330	  To compile it as a module, choose M here.  If unsure, say N.
1331
1332config NETFILTER_XT_MATCH_HASHLIMIT
1333	tristate '"hashlimit" match support'
1334	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1335	depends on NETFILTER_ADVANCED
1336	help
1337	  This option adds a `hashlimit' match.
1338
1339	  As opposed to `limit', this match dynamically creates a hash table
1340	  of limit buckets, based on your selection of source/destination
1341	  addresses and/or ports.
1342
1343	  It enables you to express policies like `10kpps for any given
1344	  destination address' or `500pps from any given source address'
1345	  with a single rule.
1346
1347config NETFILTER_XT_MATCH_HELPER
1348	tristate '"helper" match support'
1349	depends on NF_CONNTRACK
1350	depends on NETFILTER_ADVANCED
1351	help
1352	  Helper matching allows you to match packets in dynamic connections
1353	  tracked by a conntrack-helper, ie. nf_conntrack_ftp
1354
1355	  To compile it as a module, choose M here.  If unsure, say Y.
1356
1357config NETFILTER_XT_MATCH_HL
1358	tristate '"hl" hoplimit/TTL match support'
1359	depends on NETFILTER_ADVANCED
1360	help
1361	HL matching allows you to match packets based on the hoplimit
1362	in the IPv6 header, or the time-to-live field in the IPv4
1363	header of the packet.
1364
1365config NETFILTER_XT_MATCH_IPCOMP
1366	tristate '"ipcomp" match support'
1367	depends on NETFILTER_ADVANCED
1368	help
1369	  This match extension allows you to match a range of CPIs(16 bits)
1370	  inside IPComp header of IPSec packets.
1371
1372	  To compile it as a module, choose M here.  If unsure, say N.
1373
1374config NETFILTER_XT_MATCH_IPRANGE
1375	tristate '"iprange" address range match support'
1376	depends on NETFILTER_ADVANCED
1377	help
1378	This option adds a "iprange" match, which allows you to match based on
1379	an IP address range. (Normal iptables only matches on single addresses
1380	with an optional mask.)
1381
1382	If unsure, say M.
1383
1384config NETFILTER_XT_MATCH_IPVS
1385	tristate '"ipvs" match support'
1386	depends on IP_VS
1387	depends on NETFILTER_ADVANCED
1388	depends on NF_CONNTRACK
1389	help
1390	  This option allows you to match against IPVS properties of a packet.
1391
1392	  If unsure, say N.
1393
1394config NETFILTER_XT_MATCH_L2TP
1395	tristate '"l2tp" match support'
1396	depends on NETFILTER_ADVANCED
1397	default L2TP
1398	help
1399	This option adds an "L2TP" match, which allows you to match against
1400	L2TP protocol header fields.
1401
1402	To compile it as a module, choose M here. If unsure, say N.
1403
1404config NETFILTER_XT_MATCH_LENGTH
1405	tristate '"length" match support'
1406	depends on NETFILTER_ADVANCED
1407	help
1408	  This option allows you to match the length of a packet against a
1409	  specific value or range of values.
1410
1411	  To compile it as a module, choose M here.  If unsure, say N.
1412
1413config NETFILTER_XT_MATCH_LIMIT
1414	tristate '"limit" match support'
1415	depends on NETFILTER_ADVANCED
1416	help
1417	  limit matching allows you to control the rate at which a rule can be
1418	  matched: mainly useful in combination with the LOG target ("LOG
1419	  target support", below) and to avoid some Denial of Service attacks.
1420
1421	  To compile it as a module, choose M here.  If unsure, say N.
1422
1423config NETFILTER_XT_MATCH_MAC
1424	tristate '"mac" address match support'
1425	depends on NETFILTER_ADVANCED
1426	help
1427	  MAC matching allows you to match packets based on the source
1428	  Ethernet address of the packet.
1429
1430	  To compile it as a module, choose M here.  If unsure, say N.
1431
1432config NETFILTER_XT_MATCH_MARK
1433	tristate '"mark" match support'
1434	depends on NETFILTER_ADVANCED
1435	select NETFILTER_XT_MARK
1436	help
1437	This is a backwards-compat option for the user's convenience
1438	(e.g. when running oldconfig). It selects
1439	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1440
1441config NETFILTER_XT_MATCH_MULTIPORT
1442	tristate '"multiport" Multiple port match support'
1443	depends on NETFILTER_ADVANCED
1444	help
1445	  Multiport matching allows you to match TCP or UDP packets based on
1446	  a series of source or destination ports: normally a rule can only
1447	  match a single range of ports.
1448
1449	  To compile it as a module, choose M here.  If unsure, say N.
1450
1451config NETFILTER_XT_MATCH_NFACCT
1452	tristate '"nfacct" match support'
1453	depends on NETFILTER_ADVANCED
1454	select NETFILTER_NETLINK_ACCT
1455	help
1456	  This option allows you to use the extended accounting through
1457	  nfnetlink_acct.
1458
1459	  To compile it as a module, choose M here.  If unsure, say N.
1460
1461config NETFILTER_XT_MATCH_OSF
1462	tristate '"osf" Passive OS fingerprint match'
1463	depends on NETFILTER_ADVANCED
1464	select NETFILTER_NETLINK_OSF
1465	help
1466	  This option selects the Passive OS Fingerprinting match module
1467	  that allows to passively match the remote operating system by
1468	  analyzing incoming TCP SYN packets.
1469
1470	  Rules and loading software can be downloaded from
1471	  http://www.ioremap.net/projects/osf
1472
1473	  To compile it as a module, choose M here.  If unsure, say N.
1474
1475config NETFILTER_XT_MATCH_OWNER
1476	tristate '"owner" match support'
1477	depends on NETFILTER_ADVANCED
1478	help
1479	Socket owner matching allows you to match locally-generated packets
1480	based on who created the socket: the user or group. It is also
1481	possible to check whether a socket actually exists.
1482
1483config NETFILTER_XT_MATCH_POLICY
1484	tristate 'IPsec "policy" match support'
1485	depends on XFRM
1486	default m if NETFILTER_ADVANCED=n
1487	help
1488	  Policy matching allows you to match packets based on the
1489	  IPsec policy that was used during decapsulation/will
1490	  be used during encapsulation.
1491
1492	  To compile it as a module, choose M here.  If unsure, say N.
1493
1494config NETFILTER_XT_MATCH_PHYSDEV
1495	tristate '"physdev" match support'
1496	depends on BRIDGE && BRIDGE_NETFILTER
1497	depends on NETFILTER_ADVANCED
1498	help
1499	  Physdev packet matching matches against the physical bridge ports
1500	  the IP packet arrived on or will leave by.
1501
1502	  To compile it as a module, choose M here.  If unsure, say N.
1503
1504config NETFILTER_XT_MATCH_PKTTYPE
1505	tristate '"pkttype" packet type match support'
1506	depends on NETFILTER_ADVANCED
1507	help
1508	  Packet type matching allows you to match a packet by
1509	  its "class", eg. BROADCAST, MULTICAST, ...
1510
1511	  Typical usage:
1512	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1513
1514	  To compile it as a module, choose M here.  If unsure, say N.
1515
1516config NETFILTER_XT_MATCH_QUOTA
1517	tristate '"quota" match support'
1518	depends on NETFILTER_ADVANCED
1519	help
1520	  This option adds a `quota' match, which allows to match on a
1521	  byte counter.
1522
1523	  If you want to compile it as a module, say M here and read
1524	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1525
1526config NETFILTER_XT_MATCH_RATEEST
1527	tristate '"rateest" match support'
1528	depends on NETFILTER_ADVANCED
1529	select NETFILTER_XT_TARGET_RATEEST
1530	help
1531	  This option adds a `rateest' match, which allows to match on the
1532	  rate estimated by the RATEEST target.
1533
1534	  To compile it as a module, choose M here.  If unsure, say N.
1535
1536config NETFILTER_XT_MATCH_REALM
1537	tristate  '"realm" match support'
1538	depends on NETFILTER_ADVANCED
1539	select IP_ROUTE_CLASSID
1540	help
1541	  This option adds a `realm' match, which allows you to use the realm
1542	  key from the routing subsystem inside iptables.
1543
1544	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1545	  in tc world.
1546
1547	  If you want to compile it as a module, say M here and read
1548	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1549
1550config NETFILTER_XT_MATCH_RECENT
1551	tristate '"recent" match support'
1552	depends on NETFILTER_ADVANCED
1553	help
1554	This match is used for creating one or many lists of recently
1555	used addresses and then matching against that/those list(s).
1556
1557	Short options are available by using 'iptables -m recent -h'
1558	Official Website: <http://snowman.net/projects/ipt_recent/>
1559
1560config NETFILTER_XT_MATCH_SCTP
1561	tristate  '"sctp" protocol match support'
1562	depends on NETFILTER_ADVANCED
1563	default IP_SCTP
1564	help
1565	  With this option enabled, you will be able to use the
1566	  `sctp' match in order to match on SCTP source/destination ports
1567	  and SCTP chunk types.
1568
1569	  If you want to compile it as a module, say M here and read
1570	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1571
1572config NETFILTER_XT_MATCH_SOCKET
1573	tristate '"socket" match support'
1574	depends on NETFILTER_XTABLES
1575	depends on NETFILTER_ADVANCED
1576	depends on IPV6 || IPV6=n
1577	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1578	select NF_SOCKET_IPV4
1579	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1580	select NF_DEFRAG_IPV4
1581	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1582	help
1583	  This option adds a `socket' match, which can be used to match
1584	  packets for which a TCP or UDP socket lookup finds a valid socket.
1585	  It can be used in combination with the MARK target and policy
1586	  routing to implement full featured non-locally bound sockets.
1587
1588	  To compile it as a module, choose M here.  If unsure, say N.
1589
1590config NETFILTER_XT_MATCH_STATE
1591	tristate '"state" match support'
1592	depends on NF_CONNTRACK
1593	default m if NETFILTER_ADVANCED=n
1594	help
1595	  Connection state matching allows you to match packets based on their
1596	  relationship to a tracked connection (ie. previous packets).  This
1597	  is a powerful tool for packet classification.
1598
1599	  To compile it as a module, choose M here.  If unsure, say N.
1600
1601config NETFILTER_XT_MATCH_STATISTIC
1602	tristate '"statistic" match support'
1603	depends on NETFILTER_ADVANCED
1604	help
1605	  This option adds a `statistic' match, which allows you to match
1606	  on packets periodically or randomly with a given percentage.
1607
1608	  To compile it as a module, choose M here.  If unsure, say N.
1609
1610config NETFILTER_XT_MATCH_STRING
1611	tristate  '"string" match support'
1612	depends on NETFILTER_ADVANCED
1613	select TEXTSEARCH
1614	select TEXTSEARCH_KMP
1615	select TEXTSEARCH_BM
1616	select TEXTSEARCH_FSM
1617	help
1618	  This option adds a `string' match, which allows you to look for
1619	  pattern matchings in packets.
1620
1621	  To compile it as a module, choose M here.  If unsure, say N.
1622
1623config NETFILTER_XT_MATCH_TCPMSS
1624	tristate '"tcpmss" match support'
1625	depends on NETFILTER_ADVANCED
1626	help
1627	  This option adds a `tcpmss' match, which allows you to examine the
1628	  MSS value of TCP SYN packets, which control the maximum packet size
1629	  for that connection.
1630
1631	  To compile it as a module, choose M here.  If unsure, say N.
1632
1633config NETFILTER_XT_MATCH_TIME
1634	tristate '"time" match support'
1635	depends on NETFILTER_ADVANCED
1636	help
1637	  This option adds a "time" match, which allows you to match based on
1638	  the packet arrival time (at the machine which netfilter is running)
1639	  on) or departure time/date (for locally generated packets).
1640
1641	  If you say Y here, try `iptables -m time --help` for
1642	  more information.
1643
1644	  If you want to compile it as a module, say M here.
1645	  If unsure, say N.
1646
1647config NETFILTER_XT_MATCH_U32
1648	tristate '"u32" match support'
1649	depends on NETFILTER_ADVANCED
1650	help
1651	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1652	  AND them with specified masks, shift them by specified amounts and
1653	  test whether the results are in any of a set of specified ranges.
1654	  The specification of what to extract is general enough to skip over
1655	  headers with lengths stored in the packet, as in IP or TCP header
1656	  lengths.
1657
1658	  Details and examples are in the kernel module source.
1659
1660endif # NETFILTER_XTABLES
1661
1662endmenu
1663
1664source "net/netfilter/ipset/Kconfig"
1665
1666source "net/netfilter/ipvs/Kconfig"
1667