1# SPDX-License-Identifier: GPL-2.0-only
2menu "Core Netfilter Configuration"
3	depends on INET && NETFILTER
4
5config NETFILTER_INGRESS
6	bool "Netfilter ingress support"
7	default y
8	select NET_INGRESS
9	help
10	  This allows you to classify packets from ingress using the Netfilter
11	  infrastructure.
12
13config NETFILTER_NETLINK
14	tristate
15
16config NETFILTER_FAMILY_BRIDGE
17	bool
18
19config NETFILTER_FAMILY_ARP
20	bool
21
22config NETFILTER_NETLINK_ACCT
23	tristate "Netfilter NFACCT over NFNETLINK interface"
24	depends on NETFILTER_ADVANCED
25	select NETFILTER_NETLINK
26	help
27	  If this option is enabled, the kernel will include support
28	  for extended accounting via NFNETLINK.
29
30config NETFILTER_NETLINK_QUEUE
31	tristate "Netfilter NFQUEUE over NFNETLINK interface"
32	depends on NETFILTER_ADVANCED
33	select NETFILTER_NETLINK
34	help
35	  If this option is enabled, the kernel will include support
36	  for queueing packets via NFNETLINK.
37
38config NETFILTER_NETLINK_LOG
39	tristate "Netfilter LOG over NFNETLINK interface"
40	default m if NETFILTER_ADVANCED=n
41	select NETFILTER_NETLINK
42	help
43	  If this option is enabled, the kernel will include support
44	  for logging packets via NFNETLINK.
45
46	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
47	  and is also scheduled to replace the old syslog-based ipt_LOG
48	  and ip6t_LOG modules.
49
50config NETFILTER_NETLINK_OSF
51	tristate "Netfilter OSF over NFNETLINK interface"
52	depends on NETFILTER_ADVANCED
53	select NETFILTER_NETLINK
54	help
55	  If this option is enabled, the kernel will include support
56	  for passive OS fingerprint via NFNETLINK.
57
58config NF_CONNTRACK
59	tristate "Netfilter connection tracking support"
60	default m if NETFILTER_ADVANCED=n
61	select NF_DEFRAG_IPV4
62	select NF_DEFRAG_IPV6 if IPV6 != n
63	help
64	  Connection tracking keeps a record of what packets have passed
65	  through your machine, in order to figure out how they are related
66	  into connections.
67
68	  This is required to do Masquerading or other kinds of Network
69	  Address Translation.  It can also be used to enhance packet
70	  filtering (see `Connection state match support' below).
71
72	  To compile it as a module, choose M here.  If unsure, say N.
73
74config NF_LOG_SYSLOG
75	tristate "Syslog packet logging"
76	default m if NETFILTER_ADVANCED=n
77	help
78	  This option enables support for packet logging via syslog.
79	  It supports IPv4, IPv6, ARP and common transport protocols such
80	  as TCP and UDP.
81	  This is a simpler but less flexible logging method compared to
82	  CONFIG_NETFILTER_NETLINK_LOG.
83	  If both are enabled the backend to use can be configured at run-time
84	  by means of per-address-family sysctl tunables.
85
86if NF_CONNTRACK
87config NETFILTER_CONNCOUNT
88	tristate
89
90config NF_CONNTRACK_MARK
91	bool  'Connection mark tracking support'
92	depends on NETFILTER_ADVANCED
93	help
94	  This option enables support for connection marks, used by the
95	  `CONNMARK' target and `connmark' match. Similar to the mark value
96	  of packets, but this mark value is kept in the conntrack session
97	  instead of the individual packets.
98
99config NF_CONNTRACK_SECMARK
100	bool  'Connection tracking security mark support'
101	depends on NETWORK_SECMARK
102	default m if NETFILTER_ADVANCED=n
103	help
104	  This option enables security markings to be applied to
105	  connections.  Typically they are copied to connections from
106	  packets using the CONNSECMARK target and copied back from
107	  connections to packets with the same target, with the packets
108	  being originally labeled via SECMARK.
109
110	  If unsure, say 'N'.
111
112config NF_CONNTRACK_ZONES
113	bool  'Connection tracking zones'
114	depends on NETFILTER_ADVANCED
115	help
116	  This option enables support for connection tracking zones.
117	  Normally, each connection needs to have a unique system wide
118	  identity. Connection tracking zones allow you to have multiple
119	  connections using the same identity, as long as they are
120	  contained in different zones.
121
122	  If unsure, say `N'.
123
124config NF_CONNTRACK_PROCFS
125	bool "Supply CT list in procfs (OBSOLETE)"
126	default y
127	depends on PROC_FS
128	help
129	This option enables for the list of known conntrack entries
130	to be shown in procfs under net/netfilter/nf_conntrack. This
131	is considered obsolete in favor of using the conntrack(8)
132	tool which uses Netlink.
133
134config NF_CONNTRACK_EVENTS
135	bool "Connection tracking events"
136	depends on NETFILTER_ADVANCED
137	help
138	  If this option is enabled, the connection tracking code will
139	  provide a notifier chain that can be used by other kernel code
140	  to get notified about changes in the connection tracking state.
141
142	  If unsure, say `N'.
143
144config NF_CONNTRACK_TIMEOUT
145	bool  'Connection tracking timeout'
146	depends on NETFILTER_ADVANCED
147	help
148	  This option enables support for connection tracking timeout
149	  extension. This allows you to attach timeout policies to flows
150	  via the CT target.
151
152	  If unsure, say `N'.
153
154config NF_CONNTRACK_TIMESTAMP
155	bool  'Connection tracking timestamping'
156	depends on NETFILTER_ADVANCED
157	help
158	  This option enables support for connection tracking timestamping.
159	  This allows you to store the flow start-time and to obtain
160	  the flow-stop time (once it has been destroyed) via Connection
161	  tracking events.
162
163	  If unsure, say `N'.
164
165config NF_CONNTRACK_LABELS
166	bool "Connection tracking labels"
167	help
168	  This option enables support for assigning user-defined flag bits
169	  to connection tracking entries.  It can be used with xtables connlabel
170	  match and the nftables ct expression.
171
172config NF_CT_PROTO_DCCP
173	bool 'DCCP protocol connection tracking support'
174	depends on NETFILTER_ADVANCED
175	default y
176	help
177	  With this option enabled, the layer 3 independent connection
178	  tracking code will be able to do state tracking on DCCP connections.
179
180	  If unsure, say Y.
181
182config NF_CT_PROTO_GRE
183	bool
184
185config NF_CT_PROTO_SCTP
186	bool 'SCTP protocol connection tracking support'
187	depends on NETFILTER_ADVANCED
188	default y
189	select LIBCRC32C
190	help
191	  With this option enabled, the layer 3 independent connection
192	  tracking code will be able to do state tracking on SCTP connections.
193
194	  If unsure, say Y.
195
196config NF_CT_PROTO_UDPLITE
197	bool 'UDP-Lite protocol connection tracking support'
198	depends on NETFILTER_ADVANCED
199	default y
200	help
201	  With this option enabled, the layer 3 independent connection
202	  tracking code will be able to do state tracking on UDP-Lite
203	  connections.
204
205	  If unsure, say Y.
206
207config NF_CONNTRACK_AMANDA
208	tristate "Amanda backup protocol support"
209	depends on NETFILTER_ADVANCED
210	select TEXTSEARCH
211	select TEXTSEARCH_KMP
212	help
213	  If you are running the Amanda backup package <http://www.amanda.org/>
214	  on this machine or machines that will be MASQUERADED through this
215	  machine, then you may want to enable this feature.  This allows the
216	  connection tracking and natting code to allow the sub-channels that
217	  Amanda requires for communication of the backup data, messages and
218	  index.
219
220	  To compile it as a module, choose M here.  If unsure, say N.
221
222config NF_CONNTRACK_FTP
223	tristate "FTP protocol support"
224	default m if NETFILTER_ADVANCED=n
225	help
226	  Tracking FTP connections is problematic: special helpers are
227	  required for tracking them, and doing masquerading and other forms
228	  of Network Address Translation on them.
229
230	  This is FTP support on Layer 3 independent connection tracking.
231
232	  To compile it as a module, choose M here.  If unsure, say N.
233
234config NF_CONNTRACK_H323
235	tristate "H.323 protocol support"
236	depends on IPV6 || IPV6=n
237	depends on NETFILTER_ADVANCED
238	help
239	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
240	  important VoIP protocols, it is widely used by voice hardware and
241	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
242	  Gnomemeeting, etc.
243
244	  With this module you can support H.323 on a connection tracking/NAT
245	  firewall.
246
247	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
248	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
249	  whiteboard, file transfer, etc. For more information, please
250	  visit http://nath323.sourceforge.net/.
251
252	  To compile it as a module, choose M here.  If unsure, say N.
253
254config NF_CONNTRACK_IRC
255	tristate "IRC protocol support"
256	default m if NETFILTER_ADVANCED=n
257	help
258	  There is a commonly-used extension to IRC called
259	  Direct Client-to-Client Protocol (DCC).  This enables users to send
260	  files to each other, and also chat to each other without the need
261	  of a server.  DCC Sending is used anywhere you send files over IRC,
262	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
263	  using NAT, this extension will enable you to send files and initiate
264	  chats.  Note that you do NOT need this extension to get files or
265	  have others initiate chats, or everything else in IRC.
266
267	  To compile it as a module, choose M here.  If unsure, say N.
268
269config NF_CONNTRACK_BROADCAST
270	tristate
271
272config NF_CONNTRACK_NETBIOS_NS
273	tristate "NetBIOS name service protocol support"
274	select NF_CONNTRACK_BROADCAST
275	help
276	  NetBIOS name service requests are sent as broadcast messages from an
277	  unprivileged port and responded to with unicast messages to the
278	  same port. This makes them hard to firewall properly because connection
279	  tracking doesn't deal with broadcasts. This helper tracks locally
280	  originating NetBIOS name service requests and the corresponding
281	  responses. It relies on correct IP address configuration, specifically
282	  netmask and broadcast address. When properly configured, the output
283	  of "ip address show" should look similar to this:
284
285	  $ ip -4 address show eth0
286	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
287	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
288
289	  To compile it as a module, choose M here.  If unsure, say N.
290
291config NF_CONNTRACK_SNMP
292	tristate "SNMP service protocol support"
293	depends on NETFILTER_ADVANCED
294	select NF_CONNTRACK_BROADCAST
295	help
296	  SNMP service requests are sent as broadcast messages from an
297	  unprivileged port and responded to with unicast messages to the
298	  same port. This makes them hard to firewall properly because connection
299	  tracking doesn't deal with broadcasts. This helper tracks locally
300	  originating SNMP service requests and the corresponding
301	  responses. It relies on correct IP address configuration, specifically
302	  netmask and broadcast address.
303
304	  To compile it as a module, choose M here.  If unsure, say N.
305
306config NF_CONNTRACK_PPTP
307	tristate "PPtP protocol support"
308	depends on NETFILTER_ADVANCED
309	select NF_CT_PROTO_GRE
310	help
311	  This module adds support for PPTP (Point to Point Tunnelling
312	  Protocol, RFC2637) connection tracking and NAT.
313
314	  If you are running PPTP sessions over a stateful firewall or NAT
315	  box, you may want to enable this feature.
316
317	  Please note that not all PPTP modes of operation are supported yet.
318	  Specifically these limitations exist:
319	    - Blindly assumes that control connections are always established
320	      in PNS->PAC direction. This is a violation of RFC2637.
321	    - Only supports a single call within each session
322
323	  To compile it as a module, choose M here.  If unsure, say N.
324
325config NF_CONNTRACK_SANE
326	tristate "SANE protocol support"
327	depends on NETFILTER_ADVANCED
328	help
329	  SANE is a protocol for remote access to scanners as implemented
330	  by the 'saned' daemon. Like FTP, it uses separate control and
331	  data connections.
332
333	  With this module you can support SANE on a connection tracking
334	  firewall.
335
336	  To compile it as a module, choose M here.  If unsure, say N.
337
338config NF_CONNTRACK_SIP
339	tristate "SIP protocol support"
340	default m if NETFILTER_ADVANCED=n
341	help
342	  SIP is an application-layer control protocol that can establish,
343	  modify, and terminate multimedia sessions (conferences) such as
344	  Internet telephony calls. With the nf_conntrack_sip and
345	  the nf_nat_sip modules you can support the protocol on a connection
346	  tracking/NATing firewall.
347
348	  To compile it as a module, choose M here.  If unsure, say N.
349
350config NF_CONNTRACK_TFTP
351	tristate "TFTP protocol support"
352	depends on NETFILTER_ADVANCED
353	help
354	  TFTP connection tracking helper, this is required depending
355	  on how restrictive your ruleset is.
356	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
357	  you will need this.
358
359	  To compile it as a module, choose M here.  If unsure, say N.
360
361config NF_CT_NETLINK
362	tristate 'Connection tracking netlink interface'
363	select NETFILTER_NETLINK
364	default m if NETFILTER_ADVANCED=n
365	help
366	  This option enables support for a netlink-based userspace interface.
367
368config NF_CT_NETLINK_TIMEOUT
369	tristate  'Connection tracking timeout tuning via Netlink'
370	select NETFILTER_NETLINK
371	depends on NETFILTER_ADVANCED
372	depends on NF_CONNTRACK_TIMEOUT
373	help
374	  This option enables support for connection tracking timeout
375	  fine-grain tuning. This allows you to attach specific timeout
376	  policies to flows, instead of using the global timeout policy.
377
378	  If unsure, say `N'.
379
380config NF_CT_NETLINK_HELPER
381	tristate 'Connection tracking helpers in user-space via Netlink'
382	select NETFILTER_NETLINK
383	depends on NF_CT_NETLINK
384	depends on NETFILTER_NETLINK_QUEUE
385	depends on NETFILTER_NETLINK_GLUE_CT
386	depends on NETFILTER_ADVANCED
387	help
388	  This option enables the user-space connection tracking helpers
389	  infrastructure.
390
391	  If unsure, say `N'.
392
393config NETFILTER_NETLINK_GLUE_CT
394	bool "NFQUEUE and NFLOG integration with Connection Tracking"
395	default n
396	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
397	help
398	  If this option is enabled, NFQUEUE and NFLOG can include
399	  Connection Tracking information together with the packet that is
400	  enqueued via NFNETLINK.
401
402config NF_NAT
403	tristate "Network Address Translation support"
404	depends on NF_CONNTRACK
405	default m if NETFILTER_ADVANCED=n
406	help
407	  The NAT option allows masquerading, port forwarding and other
408	  forms of full Network Address Port Translation. This can be
409	  controlled by iptables, ip6tables or nft.
410
411config NF_NAT_AMANDA
412	tristate
413	depends on NF_CONNTRACK && NF_NAT
414	default NF_NAT && NF_CONNTRACK_AMANDA
415
416config NF_NAT_FTP
417	tristate
418	depends on NF_CONNTRACK && NF_NAT
419	default NF_NAT && NF_CONNTRACK_FTP
420
421config NF_NAT_IRC
422	tristate
423	depends on NF_CONNTRACK && NF_NAT
424	default NF_NAT && NF_CONNTRACK_IRC
425
426config NF_NAT_SIP
427	tristate
428	depends on NF_CONNTRACK && NF_NAT
429	default NF_NAT && NF_CONNTRACK_SIP
430
431config NF_NAT_TFTP
432	tristate
433	depends on NF_CONNTRACK && NF_NAT
434	default NF_NAT && NF_CONNTRACK_TFTP
435
436config NF_NAT_REDIRECT
437	bool
438
439config NF_NAT_MASQUERADE
440	bool
441
442config NETFILTER_SYNPROXY
443	tristate
444
445endif # NF_CONNTRACK
446
447config NF_TABLES
448	select NETFILTER_NETLINK
449	select LIBCRC32C
450	tristate "Netfilter nf_tables support"
451	help
452	  nftables is the new packet classification framework that intends to
453	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
454	  provides a pseudo-state machine with an extensible instruction-set
455	  (also known as expressions) that the userspace 'nft' utility
456	  (https://www.netfilter.org/projects/nftables) uses to build the
457	  rule-set. It also comes with the generic set infrastructure that
458	  allows you to construct mappings between matchings and actions
459	  for performance lookups.
460
461	  To compile it as a module, choose M here.
462
463if NF_TABLES
464config NF_TABLES_INET
465	depends on IPV6
466	select NF_TABLES_IPV4
467	select NF_TABLES_IPV6
468	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
469	help
470	  This option enables support for a mixed IPv4/IPv6 "inet" table.
471
472config NF_TABLES_NETDEV
473	bool "Netfilter nf_tables netdev tables support"
474	help
475	  This option enables support for the "netdev" table.
476
477config NFT_NUMGEN
478	tristate "Netfilter nf_tables number generator module"
479	help
480	  This option adds the number generator expression used to perform
481	  incremental counting and random numbers bound to an upper limit.
482
483config NFT_CT
484	depends on NF_CONNTRACK
485	tristate "Netfilter nf_tables conntrack module"
486	help
487	  This option adds the "ct" expression that you can use to match
488	  connection tracking information such as the flow state.
489
490config NFT_FLOW_OFFLOAD
491	depends on NF_CONNTRACK && NF_FLOW_TABLE
492	tristate "Netfilter nf_tables hardware flow offload module"
493	help
494	  This option adds the "flow_offload" expression that you can use to
495	  choose what flows are placed into the hardware.
496
497config NFT_COUNTER
498	tristate "Netfilter nf_tables counter module"
499	help
500	  This option adds the "counter" expression that you can use to
501	  include packet and byte counters in a rule.
502
503config NFT_CONNLIMIT
504	tristate "Netfilter nf_tables connlimit module"
505	depends on NF_CONNTRACK
506	depends on NETFILTER_ADVANCED
507	select NETFILTER_CONNCOUNT
508	help
509	  This option adds the "connlimit" expression that you can use to
510	  ratelimit rule matchings per connections.
511
512config NFT_LOG
513	tristate "Netfilter nf_tables log module"
514	help
515	  This option adds the "log" expression that you can use to log
516	  packets matching some criteria.
517
518config NFT_LIMIT
519	tristate "Netfilter nf_tables limit module"
520	help
521	  This option adds the "limit" expression that you can use to
522	  ratelimit rule matchings.
523
524config NFT_MASQ
525	depends on NF_CONNTRACK
526	depends on NF_NAT
527	select NF_NAT_MASQUERADE
528	tristate "Netfilter nf_tables masquerade support"
529	help
530	  This option adds the "masquerade" expression that you can use
531	  to perform NAT in the masquerade flavour.
532
533config NFT_REDIR
534	depends on NF_CONNTRACK
535	depends on NF_NAT
536	tristate "Netfilter nf_tables redirect support"
537	select NF_NAT_REDIRECT
538	help
539	  This option adds the "redirect" expression that you can use
540	  to perform NAT in the redirect flavour.
541
542config NFT_NAT
543	depends on NF_CONNTRACK
544	select NF_NAT
545	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
546	tristate "Netfilter nf_tables nat module"
547	help
548	  This option adds the "nat" expression that you can use to perform
549	  typical Network Address Translation (NAT) packet transformations.
550
551config NFT_TUNNEL
552	tristate "Netfilter nf_tables tunnel module"
553	help
554	  This option adds the "tunnel" expression that you can use to set
555	  tunneling policies.
556
557config NFT_OBJREF
558	tristate "Netfilter nf_tables stateful object reference module"
559	help
560	  This option adds the "objref" expression that allows you to refer to
561	  stateful objects, such as counters and quotas.
562
563config NFT_QUEUE
564	depends on NETFILTER_NETLINK_QUEUE
565	tristate "Netfilter nf_tables queue module"
566	help
567	  This is required if you intend to use the userspace queueing
568	  infrastructure (also known as NFQUEUE) from nftables.
569
570config NFT_QUOTA
571	tristate "Netfilter nf_tables quota module"
572	help
573	  This option adds the "quota" expression that you can use to
574	  enforce byte quotas.
575
576config NFT_REJECT
577	default m if NETFILTER_ADVANCED=n
578	tristate "Netfilter nf_tables reject support"
579	depends on !NF_TABLES_INET || (IPV6!=m || m)
580	help
581	  This option adds the "reject" expression that you can use to
582	  explicitly deny and notify via TCP reset/ICMP informational errors
583	  unallowed traffic.
584
585config NFT_REJECT_INET
586	depends on NF_TABLES_INET
587	default NFT_REJECT
588	tristate
589
590config NFT_COMPAT
591	depends on NETFILTER_XTABLES
592	tristate "Netfilter x_tables over nf_tables module"
593	help
594	  This is required if you intend to use any of existing
595	  x_tables match/target extensions over the nf_tables
596	  framework.
597
598config NFT_HASH
599	tristate "Netfilter nf_tables hash module"
600	help
601	  This option adds the "hash" expression that you can use to perform
602	  a hash operation on registers.
603
604config NFT_FIB
605	tristate
606
607config NFT_FIB_INET
608	depends on NF_TABLES_INET
609	depends on NFT_FIB_IPV4
610	depends on NFT_FIB_IPV6
611	tristate "Netfilter nf_tables fib inet support"
612	help
613	  This option allows using the FIB expression from the inet table.
614	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
615	  on the protocol of the packet.
616
617config NFT_XFRM
618	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
619	depends on XFRM
620	help
621	  This option adds an expression that you can use to extract properties
622	  of a packets security association.
623
624config NFT_SOCKET
625	tristate "Netfilter nf_tables socket match support"
626	depends on IPV6 || IPV6=n
627	select NF_SOCKET_IPV4
628	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
629	help
630	  This option allows matching for the presence or absence of a
631	  corresponding socket and its attributes.
632
633config NFT_OSF
634	tristate "Netfilter nf_tables passive OS fingerprint support"
635	depends on NETFILTER_ADVANCED
636	select NETFILTER_NETLINK_OSF
637	help
638	  This option allows matching packets from a specific OS.
639
640config NFT_TPROXY
641	tristate "Netfilter nf_tables tproxy support"
642	depends on IPV6 || IPV6=n
643	select NF_DEFRAG_IPV4
644	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
645	select NF_TPROXY_IPV4
646	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
647	help
648	  This makes transparent proxy support available in nftables.
649
650config NFT_SYNPROXY
651	tristate "Netfilter nf_tables SYNPROXY expression support"
652	depends on NF_CONNTRACK && NETFILTER_ADVANCED
653	select NETFILTER_SYNPROXY
654	select SYN_COOKIES
655	help
656	  The SYNPROXY expression allows you to intercept TCP connections and
657	  establish them using syncookies before they are passed on to the
658	  server. This avoids conntrack and server resource usage
659	  during SYN-flood attacks.
660
661if NF_TABLES_NETDEV
662
663config NF_DUP_NETDEV
664	tristate "Netfilter packet duplication support"
665	help
666	  This option enables the generic packet duplication infrastructure
667	  for Netfilter.
668
669config NFT_DUP_NETDEV
670	tristate "Netfilter nf_tables netdev packet duplication support"
671	select NF_DUP_NETDEV
672	help
673	  This option enables packet duplication for the "netdev" family.
674
675config NFT_FWD_NETDEV
676	tristate "Netfilter nf_tables netdev packet forwarding support"
677	select NF_DUP_NETDEV
678	help
679	  This option enables packet forwarding for the "netdev" family.
680
681config NFT_FIB_NETDEV
682	depends on NFT_FIB_IPV4
683	depends on NFT_FIB_IPV6
684	tristate "Netfilter nf_tables netdev fib lookups support"
685	help
686	  This option allows using the FIB expression from the netdev table.
687	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
688	  on the protocol of the packet.
689
690config NFT_REJECT_NETDEV
691	depends on NFT_REJECT_IPV4
692	depends on NFT_REJECT_IPV6
693	tristate "Netfilter nf_tables netdev REJECT support"
694	help
695	  This option enables the REJECT support from the netdev table.
696	  The return packet generation will be delegated to the IPv4
697	  or IPv6 ICMP or TCP RST implementation depending on the
698	  protocol of the packet.
699
700endif # NF_TABLES_NETDEV
701
702endif # NF_TABLES
703
704config NF_FLOW_TABLE_INET
705	tristate "Netfilter flow table mixed IPv4/IPv6 module"
706	depends on NF_FLOW_TABLE
707	help
708	  This option adds the flow table mixed IPv4/IPv6 support.
709
710	  To compile it as a module, choose M here.
711
712config NF_FLOW_TABLE
713	tristate "Netfilter flow table module"
714	depends on NETFILTER_INGRESS
715	depends on NF_CONNTRACK
716	depends on NF_TABLES
717	help
718	  This option adds the flow table core infrastructure.
719
720	  To compile it as a module, choose M here.
721
722config NETFILTER_XTABLES
723	tristate "Netfilter Xtables support (required for ip_tables)"
724	default m if NETFILTER_ADVANCED=n
725	help
726	  This is required if you intend to use any of ip_tables,
727	  ip6_tables or arp_tables.
728
729if NETFILTER_XTABLES
730
731comment "Xtables combined modules"
732
733config NETFILTER_XT_MARK
734	tristate 'nfmark target and match support'
735	default m if NETFILTER_ADVANCED=n
736	help
737	This option adds the "MARK" target and "mark" match.
738
739	Netfilter mark matching allows you to match packets based on the
740	"nfmark" value in the packet.
741	The target allows you to create rules in the "mangle" table which alter
742	the netfilter mark (nfmark) field associated with the packet.
743
744	Prior to routing, the nfmark can influence the routing method and can
745	also be used by other subsystems to change their behavior.
746
747config NETFILTER_XT_CONNMARK
748	tristate 'ctmark target and match support'
749	depends on NF_CONNTRACK
750	depends on NETFILTER_ADVANCED
751	select NF_CONNTRACK_MARK
752	help
753	This option adds the "CONNMARK" target and "connmark" match.
754
755	Netfilter allows you to store a mark value per connection (a.k.a.
756	ctmark), similarly to the packet mark (nfmark). Using this
757	target and match, you can set and match on this mark.
758
759config NETFILTER_XT_SET
760	tristate 'set target and match support'
761	depends on IP_SET
762	depends on NETFILTER_ADVANCED
763	help
764	  This option adds the "SET" target and "set" match.
765
766	  Using this target and match, you can add/delete and match
767	  elements in the sets created by ipset(8).
768
769	  To compile it as a module, choose M here.  If unsure, say N.
770
771# alphabetically ordered list of targets
772
773comment "Xtables targets"
774
775config NETFILTER_XT_TARGET_AUDIT
776	tristate "AUDIT target support"
777	depends on AUDIT
778	depends on NETFILTER_ADVANCED
779	help
780	  This option adds a 'AUDIT' target, which can be used to create
781	  audit records for packets dropped/accepted.
782
783	  To compile it as a module, choose M here. If unsure, say N.
784
785config NETFILTER_XT_TARGET_CHECKSUM
786	tristate "CHECKSUM target support"
787	depends on IP_NF_MANGLE || IP6_NF_MANGLE
788	depends on NETFILTER_ADVANCED
789	help
790	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
791	  table to work around buggy DHCP clients in virtualized environments.
792
793	  Some old DHCP clients drop packets because they are not aware
794	  that the checksum would normally be offloaded to hardware and
795	  thus should be considered valid.
796	  This target can be used to fill in the checksum using iptables
797	  when such packets are sent via a virtual network device.
798
799	  To compile it as a module, choose M here.  If unsure, say N.
800
801config NETFILTER_XT_TARGET_CLASSIFY
802	tristate '"CLASSIFY" target support'
803	depends on NETFILTER_ADVANCED
804	help
805	  This option adds a `CLASSIFY' target, which enables the user to set
806	  the priority of a packet. Some qdiscs can use this value for
807	  classification, among these are:
808
809	  atm, cbq, dsmark, pfifo_fast, htb, prio
810
811	  To compile it as a module, choose M here.  If unsure, say N.
812
813config NETFILTER_XT_TARGET_CONNMARK
814	tristate  '"CONNMARK" target support'
815	depends on NF_CONNTRACK
816	depends on NETFILTER_ADVANCED
817	select NETFILTER_XT_CONNMARK
818	help
819	This is a backwards-compat option for the user's convenience
820	(e.g. when running oldconfig). It selects
821	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
822
823config NETFILTER_XT_TARGET_CONNSECMARK
824	tristate '"CONNSECMARK" target support'
825	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
826	default m if NETFILTER_ADVANCED=n
827	help
828	  The CONNSECMARK target copies security markings from packets
829	  to connections, and restores security markings from connections
830	  to packets (if the packets are not already marked).  This would
831	  normally be used in conjunction with the SECMARK target.
832
833	  To compile it as a module, choose M here.  If unsure, say N.
834
835config NETFILTER_XT_TARGET_CT
836	tristate '"CT" target support'
837	depends on NF_CONNTRACK
838	depends on IP_NF_RAW || IP6_NF_RAW
839	depends on NETFILTER_ADVANCED
840	help
841	  This option adds a `CT' target, which allows you to specify initial
842	  connection tracking parameters like events to be delivered and
843	  the helper to be used.
844
845	  To compile it as a module, choose M here.  If unsure, say N.
846
847config NETFILTER_XT_TARGET_DSCP
848	tristate '"DSCP" and "TOS" target support'
849	depends on IP_NF_MANGLE || IP6_NF_MANGLE
850	depends on NETFILTER_ADVANCED
851	help
852	  This option adds a `DSCP' target, which allows you to manipulate
853	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
854
855	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
856
857	  It also adds the "TOS" target, which allows you to create rules in
858	  the "mangle" table which alter the Type Of Service field of an IPv4
859	  or the Priority field of an IPv6 packet, prior to routing.
860
861	  To compile it as a module, choose M here.  If unsure, say N.
862
863config NETFILTER_XT_TARGET_HL
864	tristate '"HL" hoplimit target support'
865	depends on IP_NF_MANGLE || IP6_NF_MANGLE
866	depends on NETFILTER_ADVANCED
867	help
868	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
869	targets, which enable the user to change the
870	hoplimit/time-to-live value of the IP header.
871
872	While it is safe to decrement the hoplimit/TTL value, the
873	modules also allow you to increment and set the hoplimit value of
874	the header to arbitrary values. This is EXTREMELY DANGEROUS
875	since you can easily create immortal packets that loop
876	forever on the network.
877
878config NETFILTER_XT_TARGET_HMARK
879	tristate '"HMARK" target support'
880	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
881	depends on NETFILTER_ADVANCED
882	help
883	This option adds the "HMARK" target.
884
885	The target allows you to create rules in the "raw" and "mangle" tables
886	which set the skbuff mark by means of hash calculation within a given
887	range. The nfmark can influence the routing method and can also be used
888	by other subsystems to change their behaviour.
889
890	To compile it as a module, choose M here. If unsure, say N.
891
892config NETFILTER_XT_TARGET_IDLETIMER
893	tristate  "IDLETIMER target support"
894	depends on NETFILTER_ADVANCED
895	help
896
897	  This option adds the `IDLETIMER' target.  Each matching packet
898	  resets the timer associated with label specified when the rule is
899	  added.  When the timer expires, it triggers a sysfs notification.
900	  The remaining time for expiration can be read via sysfs.
901
902	  To compile it as a module, choose M here.  If unsure, say N.
903
904config NETFILTER_XT_TARGET_LED
905	tristate '"LED" target support'
906	depends on LEDS_CLASS && LEDS_TRIGGERS
907	depends on NETFILTER_ADVANCED
908	help
909	  This option adds a `LED' target, which allows you to blink LEDs in
910	  response to particular packets passing through your machine.
911
912	  This can be used to turn a spare LED into a network activity LED,
913	  which only flashes in response to FTP transfers, for example.  Or
914	  you could have an LED which lights up for a minute or two every time
915	  somebody connects to your machine via SSH.
916
917	  You will need support for the "led" class to make this work.
918
919	  To create an LED trigger for incoming SSH traffic:
920	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
921
922	  Then attach the new trigger to an LED on your system:
923	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
924
925	  For more information on the LEDs available on your system, see
926	  Documentation/leds/leds-class.rst
927
928config NETFILTER_XT_TARGET_LOG
929	tristate "LOG target support"
930	select NF_LOG_SYSLOG
931	select NF_LOG_IPV6 if IP6_NF_IPTABLES
932	default m if NETFILTER_ADVANCED=n
933	help
934	  This option adds a `LOG' target, which allows you to create rules in
935	  any iptables table which records the packet header to the syslog.
936
937	  To compile it as a module, choose M here.  If unsure, say N.
938
939config NETFILTER_XT_TARGET_MARK
940	tristate '"MARK" target support'
941	depends on NETFILTER_ADVANCED
942	select NETFILTER_XT_MARK
943	help
944	This is a backwards-compat option for the user's convenience
945	(e.g. when running oldconfig). It selects
946	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
947
948config NETFILTER_XT_NAT
949	tristate '"SNAT and DNAT" targets support'
950	depends on NF_NAT
951	help
952	This option enables the SNAT and DNAT targets.
953
954	To compile it as a module, choose M here. If unsure, say N.
955
956config NETFILTER_XT_TARGET_NETMAP
957	tristate '"NETMAP" target support'
958	depends on NF_NAT
959	help
960	NETMAP is an implementation of static 1:1 NAT mapping of network
961	addresses. It maps the network address part, while keeping the host
962	address part intact.
963
964	To compile it as a module, choose M here. If unsure, say N.
965
966config NETFILTER_XT_TARGET_NFLOG
967	tristate '"NFLOG" target support'
968	default m if NETFILTER_ADVANCED=n
969	select NETFILTER_NETLINK_LOG
970	help
971	  This option enables the NFLOG target, which allows logging
972	  messages through nfnetlink_log.
973
974	  To compile it as a module, choose M here.  If unsure, say N.
975
976config NETFILTER_XT_TARGET_NFQUEUE
977	tristate '"NFQUEUE" target Support'
978	depends on NETFILTER_ADVANCED
979	select NETFILTER_NETLINK_QUEUE
980	help
981	  This target replaced the old obsolete QUEUE target.
982
983	  As opposed to QUEUE, it supports 65535 different queues,
984	  not just one.
985
986	  To compile it as a module, choose M here.  If unsure, say N.
987
988config NETFILTER_XT_TARGET_NOTRACK
989	tristate  '"NOTRACK" target support (DEPRECATED)'
990	depends on NF_CONNTRACK
991	depends on IP_NF_RAW || IP6_NF_RAW
992	depends on NETFILTER_ADVANCED
993	select NETFILTER_XT_TARGET_CT
994
995config NETFILTER_XT_TARGET_RATEEST
996	tristate '"RATEEST" target support'
997	depends on NETFILTER_ADVANCED
998	help
999	  This option adds a `RATEEST' target, which allows measuring
1000	  rates similarly to TC estimators. The `rateest' match can be
1001	  used to match on the measured rates.
1002
1003	  To compile it as a module, choose M here.  If unsure, say N.
1004
1005config NETFILTER_XT_TARGET_REDIRECT
1006	tristate "REDIRECT target support"
1007	depends on NF_NAT
1008	select NF_NAT_REDIRECT
1009	help
1010	REDIRECT is a special case of NAT: all incoming connections are
1011	mapped onto the incoming interface's address, causing the packets to
1012	come to the local machine instead of passing through. This is
1013	useful for transparent proxies.
1014
1015	To compile it as a module, choose M here. If unsure, say N.
1016
1017config NETFILTER_XT_TARGET_MASQUERADE
1018	tristate "MASQUERADE target support"
1019	depends on NF_NAT
1020	default m if NETFILTER_ADVANCED=n
1021	select NF_NAT_MASQUERADE
1022	help
1023	  Masquerading is a special case of NAT: all outgoing connections are
1024	  changed to seem to come from a particular interface's address, and
1025	  if the interface goes down, those connections are lost.  This is
1026	  only useful for dialup accounts with dynamic IP address (ie. your IP
1027	  address will be different on next dialup).
1028
1029	  To compile it as a module, choose M here.  If unsure, say N.
1030
1031config NETFILTER_XT_TARGET_TEE
1032	tristate '"TEE" - packet cloning to alternate destination'
1033	depends on NETFILTER_ADVANCED
1034	depends on IPV6 || IPV6=n
1035	depends on !NF_CONNTRACK || NF_CONNTRACK
1036	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1037	select NF_DUP_IPV4
1038	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1039	help
1040	This option adds a "TEE" target with which a packet can be cloned and
1041	this clone be rerouted to another nexthop.
1042
1043config NETFILTER_XT_TARGET_TPROXY
1044	tristate '"TPROXY" target transparent proxying support'
1045	depends on NETFILTER_XTABLES
1046	depends on NETFILTER_ADVANCED
1047	depends on IPV6 || IPV6=n
1048	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1049	depends on IP_NF_MANGLE
1050	select NF_DEFRAG_IPV4
1051	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1052	select NF_TPROXY_IPV4
1053	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1054	help
1055	  This option adds a `TPROXY' target, which is somewhat similar to
1056	  REDIRECT.  It can only be used in the mangle table and is useful
1057	  to redirect traffic to a transparent proxy.  It does _not_ depend
1058	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1059	  For it to work you will have to configure certain iptables rules
1060	  and use policy routing. For more information on how to set it up
1061	  see Documentation/networking/tproxy.rst.
1062
1063	  To compile it as a module, choose M here.  If unsure, say N.
1064
1065config NETFILTER_XT_TARGET_TRACE
1066	tristate  '"TRACE" target support'
1067	depends on IP_NF_RAW || IP6_NF_RAW
1068	depends on NETFILTER_ADVANCED
1069	help
1070	  The TRACE target allows you to mark packets so that the kernel
1071	  will log every rule which matches the packets as they traverse
1072	  the tables, chains and rules.
1073
1074	  If you want to compile it as a module, say M here and read
1075	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1076
1077config NETFILTER_XT_TARGET_SECMARK
1078	tristate '"SECMARK" target support'
1079	depends on NETWORK_SECMARK
1080	default m if NETFILTER_ADVANCED=n
1081	help
1082	  The SECMARK target allows security marking of network
1083	  packets, for use with security subsystems.
1084
1085	  To compile it as a module, choose M here.  If unsure, say N.
1086
1087config NETFILTER_XT_TARGET_TCPMSS
1088	tristate '"TCPMSS" target support'
1089	depends on IPV6 || IPV6=n
1090	default m if NETFILTER_ADVANCED=n
1091	help
1092	  This option adds a `TCPMSS' target, which allows you to alter the
1093	  MSS value of TCP SYN packets, to control the maximum size for that
1094	  connection (usually limiting it to your outgoing interface's MTU
1095	  minus 40).
1096
1097	  This is used to overcome criminally braindead ISPs or servers which
1098	  block ICMP Fragmentation Needed packets.  The symptoms of this
1099	  problem are that everything works fine from your Linux
1100	  firewall/router, but machines behind it can never exchange large
1101	  packets:
1102	        1) Web browsers connect, then hang with no data received.
1103	        2) Small mail works fine, but large emails hang.
1104	        3) ssh works fine, but scp hangs after initial handshaking.
1105
1106	  Workaround: activate this option and add a rule to your firewall
1107	  configuration like:
1108
1109	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1110	                 -j TCPMSS --clamp-mss-to-pmtu
1111
1112	  To compile it as a module, choose M here.  If unsure, say N.
1113
1114config NETFILTER_XT_TARGET_TCPOPTSTRIP
1115	tristate '"TCPOPTSTRIP" target support'
1116	depends on IP_NF_MANGLE || IP6_NF_MANGLE
1117	depends on NETFILTER_ADVANCED
1118	help
1119	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1120	  TCP options from TCP packets.
1121
1122# alphabetically ordered list of matches
1123
1124comment "Xtables matches"
1125
1126config NETFILTER_XT_MATCH_ADDRTYPE
1127	tristate '"addrtype" address type match support'
1128	default m if NETFILTER_ADVANCED=n
1129	help
1130	  This option allows you to match what routing thinks of an address,
1131	  eg. UNICAST, LOCAL, BROADCAST, ...
1132
1133	  If you want to compile it as a module, say M here and read
1134	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1135
1136config NETFILTER_XT_MATCH_BPF
1137	tristate '"bpf" match support'
1138	depends on NETFILTER_ADVANCED
1139	help
1140	  BPF matching applies a Linux socket filter to each packet and
1141	  accepts those for which the filter returns non-zero.
1142
1143	  To compile it as a module, choose M here.  If unsure, say N.
1144
1145config NETFILTER_XT_MATCH_CGROUP
1146	tristate '"control group" match support'
1147	depends on NETFILTER_ADVANCED
1148	depends on CGROUPS
1149	select CGROUP_NET_CLASSID
1150	help
1151	Socket/process control group matching allows you to match locally
1152	generated packets based on which net_cls control group processes
1153	belong to.
1154
1155config NETFILTER_XT_MATCH_CLUSTER
1156	tristate '"cluster" match support'
1157	depends on NF_CONNTRACK
1158	depends on NETFILTER_ADVANCED
1159	help
1160	  This option allows you to build work-load-sharing clusters of
1161	  network servers/stateful firewalls without having a dedicated
1162	  load-balancing router/server/switch. Basically, this match returns
1163	  true when the packet must be handled by this cluster node. Thus,
1164	  all nodes see all packets and this match decides which node handles
1165	  what packets. The work-load sharing algorithm is based on source
1166	  address hashing.
1167
1168	  If you say Y or M here, try `iptables -m cluster --help` for
1169	  more information.
1170
1171config NETFILTER_XT_MATCH_COMMENT
1172	tristate  '"comment" match support'
1173	depends on NETFILTER_ADVANCED
1174	help
1175	  This option adds a `comment' dummy-match, which allows you to put
1176	  comments in your iptables ruleset.
1177
1178	  If you want to compile it as a module, say M here and read
1179	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1180
1181config NETFILTER_XT_MATCH_CONNBYTES
1182	tristate  '"connbytes" per-connection counter match support'
1183	depends on NF_CONNTRACK
1184	depends on NETFILTER_ADVANCED
1185	help
1186	  This option adds a `connbytes' match, which allows you to match the
1187	  number of bytes and/or packets for each direction within a connection.
1188
1189	  If you want to compile it as a module, say M here and read
1190	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1191
1192config NETFILTER_XT_MATCH_CONNLABEL
1193	tristate '"connlabel" match support'
1194	select NF_CONNTRACK_LABELS
1195	depends on NF_CONNTRACK
1196	depends on NETFILTER_ADVANCED
1197	help
1198	  This match allows you to test and assign userspace-defined label names
1199	  to a connection.  The kernel only stores bit values - mapping
1200	  names to bits is done by userspace.
1201
1202	  Unlike connmark, more than 32 flag bits may be assigned to a
1203	  connection simultaneously.
1204
1205config NETFILTER_XT_MATCH_CONNLIMIT
1206	tristate '"connlimit" match support'
1207	depends on NF_CONNTRACK
1208	depends on NETFILTER_ADVANCED
1209	select NETFILTER_CONNCOUNT
1210	help
1211	  This match allows you to match against the number of parallel
1212	  connections to a server per client IP address (or address block).
1213
1214config NETFILTER_XT_MATCH_CONNMARK
1215	tristate  '"connmark" connection mark match support'
1216	depends on NF_CONNTRACK
1217	depends on NETFILTER_ADVANCED
1218	select NETFILTER_XT_CONNMARK
1219	help
1220	This is a backwards-compat option for the user's convenience
1221	(e.g. when running oldconfig). It selects
1222	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1223
1224config NETFILTER_XT_MATCH_CONNTRACK
1225	tristate '"conntrack" connection tracking match support'
1226	depends on NF_CONNTRACK
1227	default m if NETFILTER_ADVANCED=n
1228	help
1229	  This is a general conntrack match module, a superset of the state match.
1230
1231	  It allows matching on additional conntrack information, which is
1232	  useful in complex configurations, such as NAT gateways with multiple
1233	  internet links or tunnels.
1234
1235	  To compile it as a module, choose M here.  If unsure, say N.
1236
1237config NETFILTER_XT_MATCH_CPU
1238	tristate '"cpu" match support'
1239	depends on NETFILTER_ADVANCED
1240	help
1241	  CPU matching allows you to match packets based on the CPU
1242	  currently handling the packet.
1243
1244	  To compile it as a module, choose M here.  If unsure, say N.
1245
1246config NETFILTER_XT_MATCH_DCCP
1247	tristate '"dccp" protocol match support'
1248	depends on NETFILTER_ADVANCED
1249	default IP_DCCP
1250	help
1251	  With this option enabled, you will be able to use the iptables
1252	  `dccp' match in order to match on DCCP source/destination ports
1253	  and DCCP flags.
1254
1255	  If you want to compile it as a module, say M here and read
1256	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1257
1258config NETFILTER_XT_MATCH_DEVGROUP
1259	tristate '"devgroup" match support'
1260	depends on NETFILTER_ADVANCED
1261	help
1262	  This option adds a `devgroup' match, which allows matching on the
1263	  device group a network device is assigned to.
1264
1265	  To compile it as a module, choose M here.  If unsure, say N.
1266
1267config NETFILTER_XT_MATCH_DSCP
1268	tristate '"dscp" and "tos" match support'
1269	depends on NETFILTER_ADVANCED
1270	help
1271	  This option adds a `DSCP' match, which allows you to match against
1272	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1273
1274	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1275
1276	  It will also add a "tos" match, which allows you to match packets
1277	  based on the Type Of Service fields of the IPv4 packet (which share
1278	  the same bits as DSCP).
1279
1280	  To compile it as a module, choose M here.  If unsure, say N.
1281
1282config NETFILTER_XT_MATCH_ECN
1283	tristate '"ecn" match support'
1284	depends on NETFILTER_ADVANCED
1285	help
1286	This option adds an "ECN" match, which allows you to match against
1287	the IPv4 and TCP header ECN fields.
1288
1289	To compile it as a module, choose M here. If unsure, say N.
1290
1291config NETFILTER_XT_MATCH_ESP
1292	tristate '"esp" match support'
1293	depends on NETFILTER_ADVANCED
1294	help
1295	  This match extension allows you to match a range of SPIs
1296	  inside ESP header of IPSec packets.
1297
1298	  To compile it as a module, choose M here.  If unsure, say N.
1299
1300config NETFILTER_XT_MATCH_HASHLIMIT
1301	tristate '"hashlimit" match support'
1302	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1303	depends on NETFILTER_ADVANCED
1304	help
1305	  This option adds a `hashlimit' match.
1306
1307	  As opposed to `limit', this match dynamically creates a hash table
1308	  of limit buckets, based on your selection of source/destination
1309	  addresses and/or ports.
1310
1311	  It enables you to express policies like `10kpps for any given
1312	  destination address' or `500pps from any given source address'
1313	  with a single rule.
1314
1315config NETFILTER_XT_MATCH_HELPER
1316	tristate '"helper" match support'
1317	depends on NF_CONNTRACK
1318	depends on NETFILTER_ADVANCED
1319	help
1320	  Helper matching allows you to match packets in dynamic connections
1321	  tracked by a conntrack-helper, e.g. nf_conntrack_ftp.
1322
1323	  To compile it as a module, choose M here.  If unsure, say Y.
1324
1325config NETFILTER_XT_MATCH_HL
1326	tristate '"hl" hoplimit/TTL match support'
1327	depends on NETFILTER_ADVANCED
1328	help
1329	HL matching allows you to match packets based on the hoplimit
1330	in the IPv6 header, or the time-to-live field in the IPv4
1331	header of the packet.
1332
1333config NETFILTER_XT_MATCH_IPCOMP
1334	tristate '"ipcomp" match support'
1335	depends on NETFILTER_ADVANCED
1336	help
1337	  This match extension allows you to match a range of CPIs (16 bits)
1338	  inside the IPComp header of IPsec packets.
1339
1340	  To compile it as a module, choose M here.  If unsure, say N.
1341
1342config NETFILTER_XT_MATCH_IPRANGE
1343	tristate '"iprange" address range match support'
1344	depends on NETFILTER_ADVANCED
1345	help
1346	This option adds an "iprange" match, which allows you to match based on
1347	an IP address range. (Normal iptables only matches on single addresses
1348	with an optional mask.)
1349
1350	If unsure, say M.
1351
1352config NETFILTER_XT_MATCH_IPVS
1353	tristate '"ipvs" match support'
1354	depends on IP_VS
1355	depends on NETFILTER_ADVANCED
1356	depends on NF_CONNTRACK
1357	help
1358	  This option allows you to match against IPVS properties of a packet.
1359
1360	  If unsure, say N.
1361
1362config NETFILTER_XT_MATCH_L2TP
1363	tristate '"l2tp" match support'
1364	depends on NETFILTER_ADVANCED
1365	default L2TP
1366	help
1367	This option adds an "L2TP" match, which allows you to match against
1368	L2TP protocol header fields.
1369
1370	To compile it as a module, choose M here. If unsure, say N.
1371
1372config NETFILTER_XT_MATCH_LENGTH
1373	tristate '"length" match support'
1374	depends on NETFILTER_ADVANCED
1375	help
1376	  This option allows you to match the length of a packet against a
1377	  specific value or range of values.
1378
1379	  To compile it as a module, choose M here.  If unsure, say N.
1380
1381config NETFILTER_XT_MATCH_LIMIT
1382	tristate '"limit" match support'
1383	depends on NETFILTER_ADVANCED
1384	help
1385	  limit matching allows you to control the rate at which a rule can be
1386	  matched: mainly useful in combination with the LOG target ("LOG
1387	  target support", below) and to avoid some Denial of Service attacks.
1388
1389	  To compile it as a module, choose M here.  If unsure, say N.
1390
1391config NETFILTER_XT_MATCH_MAC
1392	tristate '"mac" address match support'
1393	depends on NETFILTER_ADVANCED
1394	help
1395	  MAC matching allows you to match packets based on the source
1396	  Ethernet address of the packet.
1397
1398	  To compile it as a module, choose M here.  If unsure, say N.
1399
1400config NETFILTER_XT_MATCH_MARK
1401	tristate '"mark" match support'
1402	depends on NETFILTER_ADVANCED
1403	select NETFILTER_XT_MARK
1404	help
1405	This is a backwards-compat option for the user's convenience
1406	(e.g. when running oldconfig). It selects
1407	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1408
1409config NETFILTER_XT_MATCH_MULTIPORT
1410	tristate '"multiport" Multiple port match support'
1411	depends on NETFILTER_ADVANCED
1412	help
1413	  Multiport matching allows you to match TCP or UDP packets based on
1414	  a series of source or destination ports: normally a rule can only
1415	  match a single range of ports.
1416
1417	  To compile it as a module, choose M here.  If unsure, say N.
1418
1419config NETFILTER_XT_MATCH_NFACCT
1420	tristate '"nfacct" match support'
1421	depends on NETFILTER_ADVANCED
1422	select NETFILTER_NETLINK_ACCT
1423	help
1424	  This option allows you to use the extended accounting through
1425	  nfnetlink_acct.
1426
1427	  To compile it as a module, choose M here.  If unsure, say N.
1428
1429config NETFILTER_XT_MATCH_OSF
1430	tristate '"osf" Passive OS fingerprint match'
1431	depends on NETFILTER_ADVANCED
1432	select NETFILTER_NETLINK_OSF
1433	help
1434	  This option selects the Passive OS Fingerprinting match module,
1435	  which passively matches the remote operating system by
1436	  analyzing incoming TCP SYN packets.
1437
1438	  Rules and loading software can be downloaded from
1439	  http://www.ioremap.net/projects/osf
1440
1441	  To compile it as a module, choose M here.  If unsure, say N.
1442
1443config NETFILTER_XT_MATCH_OWNER
1444	tristate '"owner" match support'
1445	depends on NETFILTER_ADVANCED
1446	help
1447	Socket owner matching allows you to match locally-generated packets
1448	based on who created the socket: the user or group. It is also
1449	possible to check whether a socket actually exists.
1450
1451config NETFILTER_XT_MATCH_POLICY
1452	tristate 'IPsec "policy" match support'
1453	depends on XFRM
1454	default m if NETFILTER_ADVANCED=n
1455	help
1456	  Policy matching allows you to match packets based on the
1457	  IPsec policy that was used during decapsulation/will
1458	  be used during encapsulation.
1459
1460	  To compile it as a module, choose M here.  If unsure, say N.
1461
1462config NETFILTER_XT_MATCH_PHYSDEV
1463	tristate '"physdev" match support'
1464	depends on BRIDGE && BRIDGE_NETFILTER
1465	depends on NETFILTER_ADVANCED
1466	help
1467	  Physdev packet matching matches against the physical bridge ports
1468	  the IP packet arrived on or will leave by.
1469
1470	  To compile it as a module, choose M here.  If unsure, say N.
1471
1472config NETFILTER_XT_MATCH_PKTTYPE
1473	tristate '"pkttype" packet type match support'
1474	depends on NETFILTER_ADVANCED
1475	help
1476	  Packet type matching allows you to match a packet by
1477	  its "class", eg. BROADCAST, MULTICAST, ...
1478
1479	  Typical usage:
1480	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1481
1482	  To compile it as a module, choose M here.  If unsure, say N.
1483
1484config NETFILTER_XT_MATCH_QUOTA
1485	tristate '"quota" match support'
1486	depends on NETFILTER_ADVANCED
1487	help
1488	  This option adds a `quota' match, which allows matching on a
1489	  byte counter.
1490
1491	  If you want to compile it as a module, say M here and read
1492	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1493
1494config NETFILTER_XT_MATCH_RATEEST
1495	tristate '"rateest" match support'
1496	depends on NETFILTER_ADVANCED
1497	select NETFILTER_XT_TARGET_RATEEST
1498	help
1499	  This option adds a `rateest' match, which allows matching on the
1500	  rate estimated by the RATEEST target.
1501
1502	  To compile it as a module, choose M here.  If unsure, say N.
1503
1504config NETFILTER_XT_MATCH_REALM
1505	tristate  '"realm" match support'
1506	depends on NETFILTER_ADVANCED
1507	select IP_ROUTE_CLASSID
1508	help
1509	  This option adds a `realm' match, which allows you to use the realm
1510	  key from the routing subsystem inside iptables.
1511
1512	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1513	  in tc world.
1514
1515	  If you want to compile it as a module, say M here and read
1516	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1517
1518config NETFILTER_XT_MATCH_RECENT
1519	tristate '"recent" match support'
1520	depends on NETFILTER_ADVANCED
1521	help
1522	This match is used for creating one or many lists of recently
1523	used addresses and then matching against that/those list(s).
1524
1525	Short options are available by using 'iptables -m recent -h'
1526	Official Website: <http://snowman.net/projects/ipt_recent/>
1527
1528config NETFILTER_XT_MATCH_SCTP
1529	tristate  '"sctp" protocol match support'
1530	depends on NETFILTER_ADVANCED
1531	default IP_SCTP
1532	help
1533	  With this option enabled, you will be able to use the
1534	  `sctp' match in order to match on SCTP source/destination ports
1535	  and SCTP chunk types.
1536
1537	  If you want to compile it as a module, say M here and read
1538	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1539
1540config NETFILTER_XT_MATCH_SOCKET
1541	tristate '"socket" match support'
1542	depends on NETFILTER_XTABLES
1543	depends on NETFILTER_ADVANCED
1544	depends on IPV6 || IPV6=n
1545	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1546	select NF_SOCKET_IPV4
1547	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1548	select NF_DEFRAG_IPV4
1549	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1550	help
1551	  This option adds a `socket' match, which can be used to match
1552	  packets for which a TCP or UDP socket lookup finds a valid socket.
1553	  It can be used in combination with the MARK target and policy
1554	  routing to implement full featured non-locally bound sockets.
1555
1556	  To compile it as a module, choose M here.  If unsure, say N.
1557
1558config NETFILTER_XT_MATCH_STATE
1559	tristate '"state" match support'
1560	depends on NF_CONNTRACK
1561	default m if NETFILTER_ADVANCED=n
1562	help
1563	  Connection state matching allows you to match packets based on their
1564	  relationship to a tracked connection (ie. previous packets).  This
1565	  is a powerful tool for packet classification.
1566
1567	  To compile it as a module, choose M here.  If unsure, say N.
1568
1569config NETFILTER_XT_MATCH_STATISTIC
1570	tristate '"statistic" match support'
1571	depends on NETFILTER_ADVANCED
1572	help
1573	  This option adds a `statistic' match, which allows you to match
1574	  on packets periodically or randomly with a given percentage.
1575
1576	  To compile it as a module, choose M here.  If unsure, say N.
1577
1578config NETFILTER_XT_MATCH_STRING
1579	tristate  '"string" match support'
1580	depends on NETFILTER_ADVANCED
1581	select TEXTSEARCH
1582	select TEXTSEARCH_KMP
1583	select TEXTSEARCH_BM
1584	select TEXTSEARCH_FSM
1585	help
1586	  This option adds a `string' match, which allows you to look for
1587	  pattern matchings in packets.
1588
1589	  To compile it as a module, choose M here.  If unsure, say N.
1590
1591config NETFILTER_XT_MATCH_TCPMSS
1592	tristate '"tcpmss" match support'
1593	depends on NETFILTER_ADVANCED
1594	help
1595	  This option adds a `tcpmss' match, which allows you to examine the
1596	  MSS value of TCP SYN packets, which control the maximum packet size
1597	  for that connection.
1598
1599	  To compile it as a module, choose M here.  If unsure, say N.
1600
1601config NETFILTER_XT_MATCH_TIME
1602	tristate '"time" match support'
1603	depends on NETFILTER_ADVANCED
1604	help
1605	  This option adds a "time" match, which allows you to match based on
1606	  the packet arrival time (at the machine on which netfilter is
1607	  running) or departure time/date (for locally generated packets).
1608
1609	  If you say Y here, try `iptables -m time --help` for
1610	  more information.
1611
1612	  If you want to compile it as a module, say M here.
1613	  If unsure, say N.
1614
1615config NETFILTER_XT_MATCH_U32
1616	tristate '"u32" match support'
1617	depends on NETFILTER_ADVANCED
1618	help
1619	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1620	  AND them with specified masks, shift them by specified amounts and
1621	  test whether the results are in any of a set of specified ranges.
1622	  The specification of what to extract is general enough to skip over
1623	  headers with lengths stored in the packet, as in IP or TCP header
1624	  lengths.
1625
1626	  Details and examples are in the kernel module source.
1627
1628endif # NETFILTER_XTABLES
1629
1630endmenu
1631
1632source "net/netfilter/ipset/Kconfig"
1633
1634source "net/netfilter/ipvs/Kconfig"
1635