xref: /openbmc/linux/net/netfilter/Kconfig (revision a89aa749ece9c6fee7932163472d2ee0efd6ddd3)
1# SPDX-License-Identifier: GPL-2.0-only
2menu "Core Netfilter Configuration"
3	depends on NET && INET && NETFILTER
4
5config NETFILTER_INGRESS
6	bool "Netfilter ingress support"
7	default y
8	select NET_INGRESS
9	help
10	  This allows you to classify packets from ingress using the Netfilter
11	  infrastructure.
12
13config NETFILTER_NETLINK
14	tristate
15
16config NETFILTER_FAMILY_BRIDGE
17	bool
18
19config NETFILTER_FAMILY_ARP
20	bool
21
22config NETFILTER_NETLINK_ACCT
23	tristate "Netfilter NFACCT over NFNETLINK interface"
24	depends on NETFILTER_ADVANCED
25	select NETFILTER_NETLINK
26	help
27	  If this option is enabled, the kernel will include support
28	  for extended accounting via NFNETLINK.
29
30config NETFILTER_NETLINK_QUEUE
31	tristate "Netfilter NFQUEUE over NFNETLINK interface"
32	depends on NETFILTER_ADVANCED
33	select NETFILTER_NETLINK
34	help
35	  If this option is enabled, the kernel will include support
36	  for queueing packets via NFNETLINK.
37
38config NETFILTER_NETLINK_LOG
39	tristate "Netfilter LOG over NFNETLINK interface"
40	default m if NETFILTER_ADVANCED=n
41	select NETFILTER_NETLINK
42	help
43	  If this option is enabled, the kernel will include support
44	  for logging packets via NFNETLINK.
45
46	  This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
47	  and is also scheduled to replace the old syslog-based ipt_LOG
48	  and ip6t_LOG modules.
49
50config NETFILTER_NETLINK_OSF
51	tristate "Netfilter OSF over NFNETLINK interface"
52	depends on NETFILTER_ADVANCED
53	select NETFILTER_NETLINK
54	help
55	  If this option is enabled, the kernel will include support
56	  for passive OS fingerprint via NFNETLINK.
57
58config NF_CONNTRACK
59	tristate "Netfilter connection tracking support"
60	default m if NETFILTER_ADVANCED=n
61	select NF_DEFRAG_IPV4
62	select NF_DEFRAG_IPV6 if IPV6 != n
63	help
64	  Connection tracking keeps a record of what packets have passed
65	  through your machine, in order to figure out how they are related
66	  into connections.
67
68	  This is required to do Masquerading or other kinds of Network
69	  Address Translation.  It can also be used to enhance packet
70	  filtering (see `Connection state match support' below).
71
72	  To compile it as a module, choose M here.  If unsure, say N.
73
74config NF_LOG_COMMON
75	tristate
76
77config NF_LOG_NETDEV
78	tristate "Netdev packet logging"
79	select NF_LOG_COMMON
80
81if NF_CONNTRACK
82config NETFILTER_CONNCOUNT
83	tristate
84
85config NF_CONNTRACK_MARK
86	bool  'Connection mark tracking support'
87	depends on NETFILTER_ADVANCED
88	help
89	  This option enables support for connection marks, used by the
90	  `CONNMARK' target and `connmark' match. Similar to the mark value
91	  of packets, but this mark value is kept in the conntrack session
92	  instead of the individual packets.
93
94config NF_CONNTRACK_SECMARK
95	bool  'Connection tracking security mark support'
96	depends on NETWORK_SECMARK
97	default m if NETFILTER_ADVANCED=n
98	help
99	  This option enables security markings to be applied to
100	  connections.  Typically they are copied to connections from
101	  packets using the CONNSECMARK target and copied back from
102	  connections to packets with the same target, with the packets
103	  being originally labeled via SECMARK.
104
105	  If unsure, say 'N'.
106
107config NF_CONNTRACK_ZONES
108	bool  'Connection tracking zones'
109	depends on NETFILTER_ADVANCED
110	help
111	  This option enables support for connection tracking zones.
112	  Normally, each connection needs to have a unique system wide
113	  identity. Connection tracking zones allow to have multiple
114	  connections using the same identity, as long as they are
115	  contained in different zones.
116
117	  If unsure, say `N'.
118
119config NF_CONNTRACK_PROCFS
120	bool "Supply CT list in procfs (OBSOLETE)"
121	default y
122	depends on PROC_FS
123	---help---
124	This option enables for the list of known conntrack entries
125	to be shown in procfs under net/netfilter/nf_conntrack. This
126	is considered obsolete in favor of using the conntrack(8)
127	tool which uses Netlink.
128
129config NF_CONNTRACK_EVENTS
130	bool "Connection tracking events"
131	depends on NETFILTER_ADVANCED
132	help
133	  If this option is enabled, the connection tracking code will
134	  provide a notifier chain that can be used by other kernel code
135	  to get notified about changes in the connection tracking state.
136
137	  If unsure, say `N'.
138
139config NF_CONNTRACK_TIMEOUT
140	bool  'Connection tracking timeout'
141	depends on NETFILTER_ADVANCED
142	help
143	  This option enables support for connection tracking timeout
144	  extension. This allows you to attach timeout policies to flow
145	  via the CT target.
146
147	  If unsure, say `N'.
148
149config NF_CONNTRACK_TIMESTAMP
150	bool  'Connection tracking timestamping'
151	depends on NETFILTER_ADVANCED
152	help
153	  This option enables support for connection tracking timestamping.
154	  This allows you to store the flow start-time and to obtain
155	  the flow-stop time (once it has been destroyed) via Connection
156	  tracking events.
157
158	  If unsure, say `N'.
159
160config NF_CONNTRACK_LABELS
161	bool "Connection tracking labels"
162	help
163	  This option enables support for assigning user-defined flag bits
164	  to connection tracking entries.  It can be used with xtables connlabel
165	  match and the nftables ct expression.
166
167config NF_CT_PROTO_DCCP
168	bool 'DCCP protocol connection tracking support'
169	depends on NETFILTER_ADVANCED
170	default y
171	help
172	  With this option enabled, the layer 3 independent connection
173	  tracking code will be able to do state tracking on DCCP connections.
174
175	  If unsure, say Y.
176
177config NF_CT_PROTO_GRE
178	bool
179
180config NF_CT_PROTO_SCTP
181	bool 'SCTP protocol connection tracking support'
182	depends on NETFILTER_ADVANCED
183	default y
184	select LIBCRC32C
185	help
186	  With this option enabled, the layer 3 independent connection
187	  tracking code will be able to do state tracking on SCTP connections.
188
189	  If unsure, say Y.
190
191config NF_CT_PROTO_UDPLITE
192	bool 'UDP-Lite protocol connection tracking support'
193	depends on NETFILTER_ADVANCED
194	default y
195	help
196	  With this option enabled, the layer 3 independent connection
197	  tracking code will be able to do state tracking on UDP-Lite
198	  connections.
199
200	  If unsure, say Y.
201
202config NF_CONNTRACK_AMANDA
203	tristate "Amanda backup protocol support"
204	depends on NETFILTER_ADVANCED
205	select TEXTSEARCH
206	select TEXTSEARCH_KMP
207	help
208	  If you are running the Amanda backup package <http://www.amanda.org/>
209	  on this machine or machines that will be MASQUERADED through this
210	  machine, then you may want to enable this feature.  This allows the
211	  connection tracking and natting code to allow the sub-channels that
212	  Amanda requires for communication of the backup data, messages and
213	  index.
214
215	  To compile it as a module, choose M here.  If unsure, say N.
216
217config NF_CONNTRACK_FTP
218	tristate "FTP protocol support"
219	default m if NETFILTER_ADVANCED=n
220	help
221	  Tracking FTP connections is problematic: special helpers are
222	  required for tracking them, and doing masquerading and other forms
223	  of Network Address Translation on them.
224
225	  This is FTP support on Layer 3 independent connection tracking.
226
227	  To compile it as a module, choose M here.  If unsure, say N.
228
229config NF_CONNTRACK_H323
230	tristate "H.323 protocol support"
231	depends on IPV6 || IPV6=n
232	depends on NETFILTER_ADVANCED
233	help
234	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
235	  important VoIP protocols, it is widely used by voice hardware and
236	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
237	  Gnomemeeting, etc.
238
239	  With this module you can support H.323 on a connection tracking/NAT
240	  firewall.
241
242	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
243	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
244	  whiteboard, file transfer, etc. For more information, please
245	  visit http://nath323.sourceforge.net/.
246
247	  To compile it as a module, choose M here.  If unsure, say N.
248
249config NF_CONNTRACK_IRC
250	tristate "IRC protocol support"
251	default m if NETFILTER_ADVANCED=n
252	help
253	  There is a commonly-used extension to IRC called
254	  Direct Client-to-Client Protocol (DCC).  This enables users to send
255	  files to each other, and also chat to each other without the need
256	  of a server.  DCC Sending is used anywhere you send files over IRC,
257	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
258	  using NAT, this extension will enable you to send files and initiate
259	  chats.  Note that you do NOT need this extension to get files or
260	  have others initiate chats, or everything else in IRC.
261
262	  To compile it as a module, choose M here.  If unsure, say N.
263
264config NF_CONNTRACK_BROADCAST
265	tristate
266
267config NF_CONNTRACK_NETBIOS_NS
268	tristate "NetBIOS name service protocol support"
269	select NF_CONNTRACK_BROADCAST
270	help
271	  NetBIOS name service requests are sent as broadcast messages from an
272	  unprivileged port and responded to with unicast messages to the
273	  same port. This make them hard to firewall properly because connection
274	  tracking doesn't deal with broadcasts. This helper tracks locally
275	  originating NetBIOS name service requests and the corresponding
276	  responses. It relies on correct IP address configuration, specifically
277	  netmask and broadcast address. When properly configured, the output
278	  of "ip address show" should look similar to this:
279
280	  $ ip -4 address show eth0
281	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
282	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
283
284	  To compile it as a module, choose M here.  If unsure, say N.
285
286config NF_CONNTRACK_SNMP
287	tristate "SNMP service protocol support"
288	depends on NETFILTER_ADVANCED
289	select NF_CONNTRACK_BROADCAST
290	help
291	  SNMP service requests are sent as broadcast messages from an
292	  unprivileged port and responded to with unicast messages to the
293	  same port. This make them hard to firewall properly because connection
294	  tracking doesn't deal with broadcasts. This helper tracks locally
295	  originating SNMP service requests and the corresponding
296	  responses. It relies on correct IP address configuration, specifically
297	  netmask and broadcast address.
298
299	  To compile it as a module, choose M here.  If unsure, say N.
300
301config NF_CONNTRACK_PPTP
302	tristate "PPtP protocol support"
303	depends on NETFILTER_ADVANCED
304	select NF_CT_PROTO_GRE
305	help
306	  This module adds support for PPTP (Point to Point Tunnelling
307	  Protocol, RFC2637) connection tracking and NAT.
308
309	  If you are running PPTP sessions over a stateful firewall or NAT
310	  box, you may want to enable this feature.
311
312	  Please note that not all PPTP modes of operation are supported yet.
313	  Specifically these limitations exist:
314	    - Blindly assumes that control connections are always established
315	      in PNS->PAC direction. This is a violation of RFC2637.
316	    - Only supports a single call within each session
317
318	  To compile it as a module, choose M here.  If unsure, say N.
319
320config NF_CONNTRACK_SANE
321	tristate "SANE protocol support"
322	depends on NETFILTER_ADVANCED
323	help
324	  SANE is a protocol for remote access to scanners as implemented
325	  by the 'saned' daemon. Like FTP, it uses separate control and
326	  data connections.
327
328	  With this module you can support SANE on a connection tracking
329	  firewall.
330
331	  To compile it as a module, choose M here.  If unsure, say N.
332
333config NF_CONNTRACK_SIP
334	tristate "SIP protocol support"
335	default m if NETFILTER_ADVANCED=n
336	help
337	  SIP is an application-layer control protocol that can establish,
338	  modify, and terminate multimedia sessions (conferences) such as
339	  Internet telephony calls. With the nf_conntrack_sip and
340	  the nf_nat_sip modules you can support the protocol on a connection
341	  tracking/NATing firewall.
342
343	  To compile it as a module, choose M here.  If unsure, say N.
344
345config NF_CONNTRACK_TFTP
346	tristate "TFTP protocol support"
347	depends on NETFILTER_ADVANCED
348	help
349	  TFTP connection tracking helper, this is required depending
350	  on how restrictive your ruleset is.
351	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
352	  you will need this.
353
354	  To compile it as a module, choose M here.  If unsure, say N.
355
356config NF_CT_NETLINK
357	tristate 'Connection tracking netlink interface'
358	select NETFILTER_NETLINK
359	default m if NETFILTER_ADVANCED=n
360	help
361	  This option enables support for a netlink-based userspace interface
362
363config NF_CT_NETLINK_TIMEOUT
364	tristate  'Connection tracking timeout tuning via Netlink'
365	select NETFILTER_NETLINK
366	depends on NETFILTER_ADVANCED
367	depends on NF_CONNTRACK_TIMEOUT
368	help
369	  This option enables support for connection tracking timeout
370	  fine-grain tuning. This allows you to attach specific timeout
371	  policies to flows, instead of using the global timeout policy.
372
373	  If unsure, say `N'.
374
375config NF_CT_NETLINK_HELPER
376	tristate 'Connection tracking helpers in user-space via Netlink'
377	select NETFILTER_NETLINK
378	depends on NF_CT_NETLINK
379	depends on NETFILTER_NETLINK_QUEUE
380	depends on NETFILTER_NETLINK_GLUE_CT
381	depends on NETFILTER_ADVANCED
382	help
383	  This option enables the user-space connection tracking helpers
384	  infrastructure.
385
386	  If unsure, say `N'.
387
388config NETFILTER_NETLINK_GLUE_CT
389	bool "NFQUEUE and NFLOG integration with Connection Tracking"
390	default n
391	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
392	help
393	  If this option is enabled, NFQUEUE and NFLOG can include
394	  Connection Tracking information together with the packet is
395	  the enqueued via NFNETLINK.
396
397config NF_NAT
398	tristate "Network Address Translation support"
399	depends on NF_CONNTRACK
400	default m if NETFILTER_ADVANCED=n
401	help
402	  The NAT option allows masquerading, port forwarding and other
403	  forms of full Network Address Port Translation. This can be
404	  controlled by iptables, ip6tables or nft.
405
406config NF_NAT_AMANDA
407	tristate
408	depends on NF_CONNTRACK && NF_NAT
409	default NF_NAT && NF_CONNTRACK_AMANDA
410
411config NF_NAT_FTP
412	tristate
413	depends on NF_CONNTRACK && NF_NAT
414	default NF_NAT && NF_CONNTRACK_FTP
415
416config NF_NAT_IRC
417	tristate
418	depends on NF_CONNTRACK && NF_NAT
419	default NF_NAT && NF_CONNTRACK_IRC
420
421config NF_NAT_SIP
422	tristate
423	depends on NF_CONNTRACK && NF_NAT
424	default NF_NAT && NF_CONNTRACK_SIP
425
426config NF_NAT_TFTP
427	tristate
428	depends on NF_CONNTRACK && NF_NAT
429	default NF_NAT && NF_CONNTRACK_TFTP
430
431config NF_NAT_REDIRECT
432	bool
433
434config NF_NAT_MASQUERADE
435	bool
436
437config NETFILTER_SYNPROXY
438	tristate
439
440endif # NF_CONNTRACK
441
442config NF_TABLES
443	select NETFILTER_NETLINK
444	tristate "Netfilter nf_tables support"
445	help
446	  nftables is the new packet classification framework that intends to
447	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
448	  provides a pseudo-state machine with an extensible instruction-set
449	  (also known as expressions) that the userspace 'nft' utility
450	  (http://www.netfilter.org/projects/nftables) uses to build the
451	  rule-set. It also comes with the generic set infrastructure that
452	  allows you to construct mappings between matchings and actions
453	  for performance lookups.
454
455	  To compile it as a module, choose M here.
456
457if NF_TABLES
458config NF_TABLES_INET
459	depends on IPV6
460	select NF_TABLES_IPV4
461	select NF_TABLES_IPV6
462	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
463	help
464	  This option enables support for a mixed IPv4/IPv6 "inet" table.
465
466config NF_TABLES_NETDEV
467	bool "Netfilter nf_tables netdev tables support"
468	help
469	  This option enables support for the "netdev" table.
470
471config NFT_NUMGEN
472	tristate "Netfilter nf_tables number generator module"
473	help
474	  This option adds the number generator expression used to perform
475	  incremental counting and random numbers bound to a upper limit.
476
477config NFT_CT
478	depends on NF_CONNTRACK
479	tristate "Netfilter nf_tables conntrack module"
480	help
481	  This option adds the "ct" expression that you can use to match
482	  connection tracking information such as the flow state.
483
484config NFT_FLOW_OFFLOAD
485	depends on NF_CONNTRACK && NF_FLOW_TABLE
486	tristate "Netfilter nf_tables hardware flow offload module"
487	help
488	  This option adds the "flow_offload" expression that you can use to
489	  choose what flows are placed into the hardware.
490
491config NFT_COUNTER
492	tristate "Netfilter nf_tables counter module"
493	help
494	  This option adds the "counter" expression that you can use to
495	  include packet and byte counters in a rule.
496
497config NFT_CONNLIMIT
498	tristate "Netfilter nf_tables connlimit module"
499	depends on NF_CONNTRACK
500	depends on NETFILTER_ADVANCED
501	select NETFILTER_CONNCOUNT
502	help
503	  This option adds the "connlimit" expression that you can use to
504	  ratelimit rule matchings per connections.
505
506config NFT_LOG
507	tristate "Netfilter nf_tables log module"
508	help
509	  This option adds the "log" expression that you can use to log
510	  packets matching some criteria.
511
512config NFT_LIMIT
513	tristate "Netfilter nf_tables limit module"
514	help
515	  This option adds the "limit" expression that you can use to
516	  ratelimit rule matchings.
517
518config NFT_MASQ
519	depends on NF_CONNTRACK
520	depends on NF_NAT
521	select NF_NAT_MASQUERADE
522	tristate "Netfilter nf_tables masquerade support"
523	help
524	  This option adds the "masquerade" expression that you can use
525	  to perform NAT in the masquerade flavour.
526
527config NFT_REDIR
528	depends on NF_CONNTRACK
529	depends on NF_NAT
530	tristate "Netfilter nf_tables redirect support"
531	select NF_NAT_REDIRECT
532	help
533	  This options adds the "redirect" expression that you can use
534	  to perform NAT in the redirect flavour.
535
536config NFT_NAT
537	depends on NF_CONNTRACK
538	select NF_NAT
539	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
540	tristate "Netfilter nf_tables nat module"
541	help
542	  This option adds the "nat" expression that you can use to perform
543	  typical Network Address Translation (NAT) packet transformations.
544
545config NFT_TUNNEL
546	tristate "Netfilter nf_tables tunnel module"
547	help
548	  This option adds the "tunnel" expression that you can use to set
549	  tunneling policies.
550
551config NFT_OBJREF
552	tristate "Netfilter nf_tables stateful object reference module"
553	help
554	  This option adds the "objref" expression that allows you to refer to
555	  stateful objects, such as counters and quotas.
556
557config NFT_QUEUE
558	depends on NETFILTER_NETLINK_QUEUE
559	tristate "Netfilter nf_tables queue module"
560	help
561	  This is required if you intend to use the userspace queueing
562	  infrastructure (also known as NFQUEUE) from nftables.
563
564config NFT_QUOTA
565	tristate "Netfilter nf_tables quota module"
566	help
567	  This option adds the "quota" expression that you can use to match
568	  enforce bytes quotas.
569
570config NFT_REJECT
571	default m if NETFILTER_ADVANCED=n
572	tristate "Netfilter nf_tables reject support"
573	depends on !NF_TABLES_INET || (IPV6!=m || m)
574	help
575	  This option adds the "reject" expression that you can use to
576	  explicitly deny and notify via TCP reset/ICMP informational errors
577	  unallowed traffic.
578
579config NFT_REJECT_INET
580	depends on NF_TABLES_INET
581	default NFT_REJECT
582	tristate
583
584config NFT_COMPAT
585	depends on NETFILTER_XTABLES
586	tristate "Netfilter x_tables over nf_tables module"
587	help
588	  This is required if you intend to use any of existing
589	  x_tables match/target extensions over the nf_tables
590	  framework.
591
592config NFT_HASH
593	tristate "Netfilter nf_tables hash module"
594	help
595	  This option adds the "hash" expression that you can use to perform
596	  a hash operation on registers.
597
598config NFT_FIB
599	tristate
600
601config NFT_FIB_INET
602	depends on NF_TABLES_INET
603	depends on NFT_FIB_IPV4
604	depends on NFT_FIB_IPV6
605	tristate "Netfilter nf_tables fib inet support"
606	help
607	  This option allows using the FIB expression from the inet table.
608	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
609	  on the protocol of the packet.
610
611config NFT_XFRM
612	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
613	depends on XFRM
614	help
615	  This option adds an expression that you can use to extract properties
616	  of a packets security association.
617
618config NFT_SOCKET
619	tristate "Netfilter nf_tables socket match support"
620	depends on IPV6 || IPV6=n
621	select NF_SOCKET_IPV4
622	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
623	help
624	  This option allows matching for the presence or absence of a
625	  corresponding socket and its attributes.
626
627config NFT_OSF
628	tristate "Netfilter nf_tables passive OS fingerprint support"
629	depends on NETFILTER_ADVANCED
630	select NETFILTER_NETLINK_OSF
631	help
632	  This option allows matching packets from an specific OS.
633
634config NFT_TPROXY
635	tristate "Netfilter nf_tables tproxy support"
636	depends on IPV6 || IPV6=n
637	select NF_DEFRAG_IPV4
638	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
639	select NF_TPROXY_IPV4
640	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
641	help
642	  This makes transparent proxy support available in nftables.
643
644config NFT_SYNPROXY
645	tristate "Netfilter nf_tables SYNPROXY expression support"
646	depends on NF_CONNTRACK && NETFILTER_ADVANCED
647	select NETFILTER_SYNPROXY
648	select SYN_COOKIES
649	help
650	  The SYNPROXY expression allows you to intercept TCP connections and
651	  establish them using syncookies before they are passed on to the
652	  server. This allows to avoid conntrack and server resource usage
653	  during SYN-flood attacks.
654
655if NF_TABLES_NETDEV
656
657config NF_DUP_NETDEV
658	tristate "Netfilter packet duplication support"
659	help
660	  This option enables the generic packet duplication infrastructure
661	  for Netfilter.
662
663config NFT_DUP_NETDEV
664	tristate "Netfilter nf_tables netdev packet duplication support"
665	select NF_DUP_NETDEV
666	help
667	  This option enables packet duplication for the "netdev" family.
668
669config NFT_FWD_NETDEV
670	tristate "Netfilter nf_tables netdev packet forwarding support"
671	select NF_DUP_NETDEV
672	help
673	  This option enables packet forwarding for the "netdev" family.
674
675config NFT_FIB_NETDEV
676	depends on NFT_FIB_IPV4
677	depends on NFT_FIB_IPV6
678	tristate "Netfilter nf_tables netdev fib lookups support"
679	help
680	  This option allows using the FIB expression from the netdev table.
681	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
682	  on the protocol of the packet.
683
684endif # NF_TABLES_NETDEV
685
686endif # NF_TABLES
687
688config NF_FLOW_TABLE_INET
689	tristate "Netfilter flow table mixed IPv4/IPv6 module"
690	depends on NF_FLOW_TABLE
691	help
692	  This option adds the flow table mixed IPv4/IPv6 support.
693
694	  To compile it as a module, choose M here.
695
696config NF_FLOW_TABLE
697	tristate "Netfilter flow table module"
698	depends on NETFILTER_INGRESS
699	depends on NF_CONNTRACK
700	depends on NF_TABLES
701	help
702	  This option adds the flow table core infrastructure.
703
704	  To compile it as a module, choose M here.
705
706config NETFILTER_XTABLES
707	tristate "Netfilter Xtables support (required for ip_tables)"
708	default m if NETFILTER_ADVANCED=n
709	help
710	  This is required if you intend to use any of ip_tables,
711	  ip6_tables or arp_tables.
712
713if NETFILTER_XTABLES
714
715comment "Xtables combined modules"
716
717config NETFILTER_XT_MARK
718	tristate 'nfmark target and match support'
719	default m if NETFILTER_ADVANCED=n
720	---help---
721	This option adds the "MARK" target and "mark" match.
722
723	Netfilter mark matching allows you to match packets based on the
724	"nfmark" value in the packet.
725	The target allows you to create rules in the "mangle" table which alter
726	the netfilter mark (nfmark) field associated with the packet.
727
728	Prior to routing, the nfmark can influence the routing method and can
729	also be used by other subsystems to change their behavior.
730
731config NETFILTER_XT_CONNMARK
732	tristate 'ctmark target and match support'
733	depends on NF_CONNTRACK
734	depends on NETFILTER_ADVANCED
735	select NF_CONNTRACK_MARK
736	---help---
737	This option adds the "CONNMARK" target and "connmark" match.
738
739	Netfilter allows you to store a mark value per connection (a.k.a.
740	ctmark), similarly to the packet mark (nfmark). Using this
741	target and match, you can set and match on this mark.
742
743config NETFILTER_XT_SET
744	tristate 'set target and match support'
745	depends on IP_SET
746	depends on NETFILTER_ADVANCED
747	help
748	  This option adds the "SET" target and "set" match.
749
750	  Using this target and match, you can add/delete and match
751	  elements in the sets created by ipset(8).
752
753	  To compile it as a module, choose M here.  If unsure, say N.
754
755# alphabetically ordered list of targets
756
757comment "Xtables targets"
758
759config NETFILTER_XT_TARGET_AUDIT
760	tristate "AUDIT target support"
761	depends on AUDIT
762	depends on NETFILTER_ADVANCED
763	---help---
764	  This option adds a 'AUDIT' target, which can be used to create
765	  audit records for packets dropped/accepted.
766
767	  To compileit as a module, choose M here. If unsure, say N.
768
769config NETFILTER_XT_TARGET_CHECKSUM
770	tristate "CHECKSUM target support"
771	depends on IP_NF_MANGLE || IP6_NF_MANGLE
772	depends on NETFILTER_ADVANCED
773	---help---
774	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
775	  table to work around buggy DHCP clients in virtualized environments.
776
777	  Some old DHCP clients drop packets because they are not aware
778	  that the checksum would normally be offloaded to hardware and
779	  thus should be considered valid.
780	  This target can be used to fill in the checksum using iptables
781	  when such packets are sent via a virtual network device.
782
783	  To compile it as a module, choose M here.  If unsure, say N.
784
785config NETFILTER_XT_TARGET_CLASSIFY
786	tristate '"CLASSIFY" target support'
787	depends on NETFILTER_ADVANCED
788	help
789	  This option adds a `CLASSIFY' target, which enables the user to set
790	  the priority of a packet. Some qdiscs can use this value for
791	  classification, among these are:
792
793  	  atm, cbq, dsmark, pfifo_fast, htb, prio
794
795	  To compile it as a module, choose M here.  If unsure, say N.
796
797config NETFILTER_XT_TARGET_CONNMARK
798	tristate  '"CONNMARK" target support'
799	depends on NF_CONNTRACK
800	depends on NETFILTER_ADVANCED
801	select NETFILTER_XT_CONNMARK
802	---help---
803	This is a backwards-compat option for the user's convenience
804	(e.g. when running oldconfig). It selects
805	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
806
807config NETFILTER_XT_TARGET_CONNSECMARK
808	tristate '"CONNSECMARK" target support'
809	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
810	default m if NETFILTER_ADVANCED=n
811	help
812	  The CONNSECMARK target copies security markings from packets
813	  to connections, and restores security markings from connections
814	  to packets (if the packets are not already marked).  This would
815	  normally be used in conjunction with the SECMARK target.
816
817	  To compile it as a module, choose M here.  If unsure, say N.
818
819config NETFILTER_XT_TARGET_CT
820	tristate '"CT" target support'
821	depends on NF_CONNTRACK
822	depends on IP_NF_RAW || IP6_NF_RAW
823	depends on NETFILTER_ADVANCED
824	help
825	  This options adds a `CT' target, which allows to specify initial
826	  connection tracking parameters like events to be delivered and
827	  the helper to be used.
828
829	  To compile it as a module, choose M here.  If unsure, say N.
830
831config NETFILTER_XT_TARGET_DSCP
832	tristate '"DSCP" and "TOS" target support'
833	depends on IP_NF_MANGLE || IP6_NF_MANGLE
834	depends on NETFILTER_ADVANCED
835	help
836	  This option adds a `DSCP' target, which allows you to manipulate
837	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
838
839	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
840
841	  It also adds the "TOS" target, which allows you to create rules in
842	  the "mangle" table which alter the Type Of Service field of an IPv4
843	  or the Priority field of an IPv6 packet, prior to routing.
844
845	  To compile it as a module, choose M here.  If unsure, say N.
846
847config NETFILTER_XT_TARGET_HL
848	tristate '"HL" hoplimit target support'
849	depends on IP_NF_MANGLE || IP6_NF_MANGLE
850	depends on NETFILTER_ADVANCED
851	---help---
852	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
853	targets, which enable the user to change the
854	hoplimit/time-to-live value of the IP header.
855
856	While it is safe to decrement the hoplimit/TTL value, the
857	modules also allow to increment and set the hoplimit value of
858	the header to arbitrary values. This is EXTREMELY DANGEROUS
859	since you can easily create immortal packets that loop
860	forever on the network.
861
862config NETFILTER_XT_TARGET_HMARK
863	tristate '"HMARK" target support'
864	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
865	depends on NETFILTER_ADVANCED
866	---help---
867	This option adds the "HMARK" target.
868
869	The target allows you to create rules in the "raw" and "mangle" tables
870	which set the skbuff mark by means of hash calculation within a given
871	range. The nfmark can influence the routing method and can also be used
872	by other subsystems to change their behaviour.
873
874	To compile it as a module, choose M here. If unsure, say N.
875
876config NETFILTER_XT_TARGET_IDLETIMER
877	tristate  "IDLETIMER target support"
878	depends on NETFILTER_ADVANCED
879	help
880
881	  This option adds the `IDLETIMER' target.  Each matching packet
882	  resets the timer associated with label specified when the rule is
883	  added.  When the timer expires, it triggers a sysfs notification.
884	  The remaining time for expiration can be read via sysfs.
885
886	  To compile it as a module, choose M here.  If unsure, say N.
887
888config NETFILTER_XT_TARGET_LED
889	tristate '"LED" target support'
890	depends on LEDS_CLASS && LEDS_TRIGGERS
891	depends on NETFILTER_ADVANCED
892	help
893	  This option adds a `LED' target, which allows you to blink LEDs in
894	  response to particular packets passing through your machine.
895
896	  This can be used to turn a spare LED into a network activity LED,
897	  which only flashes in response to FTP transfers, for example.  Or
898	  you could have an LED which lights up for a minute or two every time
899	  somebody connects to your machine via SSH.
900
901	  You will need support for the "led" class to make this work.
902
903	  To create an LED trigger for incoming SSH traffic:
904	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
905
906	  Then attach the new trigger to an LED on your system:
907	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
908
909	  For more information on the LEDs available on your system, see
910	  Documentation/leds/leds-class.rst
911
912config NETFILTER_XT_TARGET_LOG
913	tristate "LOG target support"
914	select NF_LOG_COMMON
915	select NF_LOG_IPV4
916	select NF_LOG_IPV6 if IP6_NF_IPTABLES
917	default m if NETFILTER_ADVANCED=n
918	help
919	  This option adds a `LOG' target, which allows you to create rules in
920	  any iptables table which records the packet header to the syslog.
921
922	  To compile it as a module, choose M here.  If unsure, say N.
923
924config NETFILTER_XT_TARGET_MARK
925	tristate '"MARK" target support'
926	depends on NETFILTER_ADVANCED
927	select NETFILTER_XT_MARK
928	---help---
929	This is a backwards-compat option for the user's convenience
930	(e.g. when running oldconfig). It selects
931	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
932
933config NETFILTER_XT_NAT
934	tristate '"SNAT and DNAT" targets support'
935	depends on NF_NAT
936	---help---
937	This option enables the SNAT and DNAT targets.
938
939	To compile it as a module, choose M here. If unsure, say N.
940
941config NETFILTER_XT_TARGET_NETMAP
942	tristate '"NETMAP" target support'
943	depends on NF_NAT
944	---help---
945	NETMAP is an implementation of static 1:1 NAT mapping of network
946	addresses. It maps the network address part, while keeping the host
947	address part intact.
948
949	To compile it as a module, choose M here. If unsure, say N.
950
951config NETFILTER_XT_TARGET_NFLOG
952	tristate '"NFLOG" target support'
953	default m if NETFILTER_ADVANCED=n
954	select NETFILTER_NETLINK_LOG
955	help
956	  This option enables the NFLOG target, which allows to LOG
957	  messages through nfnetlink_log.
958
959	  To compile it as a module, choose M here.  If unsure, say N.
960
961config NETFILTER_XT_TARGET_NFQUEUE
962	tristate '"NFQUEUE" target Support'
963	depends on NETFILTER_ADVANCED
964	select NETFILTER_NETLINK_QUEUE
965	help
966	  This target replaced the old obsolete QUEUE target.
967
968	  As opposed to QUEUE, it supports 65535 different queues,
969	  not just one.
970
971	  To compile it as a module, choose M here.  If unsure, say N.
972
973config NETFILTER_XT_TARGET_NOTRACK
974	tristate  '"NOTRACK" target support (DEPRECATED)'
975	depends on NF_CONNTRACK
976	depends on IP_NF_RAW || IP6_NF_RAW
977	depends on NETFILTER_ADVANCED
978	select NETFILTER_XT_TARGET_CT
979
980config NETFILTER_XT_TARGET_RATEEST
981	tristate '"RATEEST" target support'
982	depends on NETFILTER_ADVANCED
983	help
984	  This option adds a `RATEEST' target, which allows to measure
985	  rates similar to TC estimators. The `rateest' match can be
986	  used to match on the measured rates.
987
988	  To compile it as a module, choose M here.  If unsure, say N.
989
990config NETFILTER_XT_TARGET_REDIRECT
991	tristate "REDIRECT target support"
992	depends on NF_NAT
993	select NF_NAT_REDIRECT
994	---help---
995	REDIRECT is a special case of NAT: all incoming connections are
996	mapped onto the incoming interface's address, causing the packets to
997	come to the local machine instead of passing through. This is
998	useful for transparent proxies.
999
1000	To compile it as a module, choose M here. If unsure, say N.
1001
1002config NETFILTER_XT_TARGET_MASQUERADE
1003	tristate "MASQUERADE target support"
1004	depends on NF_NAT
1005	default m if NETFILTER_ADVANCED=n
1006	select NF_NAT_MASQUERADE
1007	help
1008	  Masquerading is a special case of NAT: all outgoing connections are
1009	  changed to seem to come from a particular interface's address, and
1010	  if the interface goes down, those connections are lost.  This is
1011	  only useful for dialup accounts with dynamic IP address (ie. your IP
1012	  address will be different on next dialup).
1013
1014	  To compile it as a module, choose M here.  If unsure, say N.
1015
1016config NETFILTER_XT_TARGET_TEE
1017	tristate '"TEE" - packet cloning to alternate destination'
1018	depends on NETFILTER_ADVANCED
1019	depends on IPV6 || IPV6=n
1020	depends on !NF_CONNTRACK || NF_CONNTRACK
1021	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1022	select NF_DUP_IPV4
1023	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1024	---help---
1025	This option adds a "TEE" target with which a packet can be cloned and
1026	this clone be rerouted to another nexthop.
1027
1028config NETFILTER_XT_TARGET_TPROXY
1029	tristate '"TPROXY" target transparent proxying support'
1030	depends on NETFILTER_XTABLES
1031	depends on NETFILTER_ADVANCED
1032	depends on IPV6 || IPV6=n
1033	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1034	depends on IP_NF_MANGLE
1035	select NF_DEFRAG_IPV4
1036	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1037	select NF_TPROXY_IPV4
1038	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1039	help
1040	  This option adds a `TPROXY' target, which is somewhat similar to
1041	  REDIRECT.  It can only be used in the mangle table and is useful
1042	  to redirect traffic to a transparent proxy.  It does _not_ depend
1043	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1044	  For it to work you will have to configure certain iptables rules
1045	  and use policy routing. For more information on how to set it up
1046	  see Documentation/networking/tproxy.txt.
1047
1048	  To compile it as a module, choose M here.  If unsure, say N.
1049
1050config NETFILTER_XT_TARGET_TRACE
1051	tristate  '"TRACE" target support'
1052	depends on IP_NF_RAW || IP6_NF_RAW
1053	depends on NETFILTER_ADVANCED
1054	help
1055	  The TRACE target allows you to mark packets so that the kernel
1056	  will log every rule which match the packets as those traverse
1057	  the tables, chains, rules.
1058
1059	  If you want to compile it as a module, say M here and read
1060	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1061
1062config NETFILTER_XT_TARGET_SECMARK
1063	tristate '"SECMARK" target support'
1064	depends on NETWORK_SECMARK
1065	default m if NETFILTER_ADVANCED=n
1066	help
1067	  The SECMARK target allows security marking of network
1068	  packets, for use with security subsystems.
1069
1070	  To compile it as a module, choose M here.  If unsure, say N.
1071
1072config NETFILTER_XT_TARGET_TCPMSS
1073	tristate '"TCPMSS" target support'
1074	depends on IPV6 || IPV6=n
1075	default m if NETFILTER_ADVANCED=n
1076	---help---
1077	  This option adds a `TCPMSS' target, which allows you to alter the
1078	  MSS value of TCP SYN packets, to control the maximum size for that
1079	  connection (usually limiting it to your outgoing interface's MTU
1080	  minus 40).
1081
1082	  This is used to overcome criminally braindead ISPs or servers which
1083	  block ICMP Fragmentation Needed packets.  The symptoms of this
1084	  problem are that everything works fine from your Linux
1085	  firewall/router, but machines behind it can never exchange large
1086	  packets:
1087	        1) Web browsers connect, then hang with no data received.
1088	        2) Small mail works fine, but large emails hang.
1089	        3) ssh works fine, but scp hangs after initial handshaking.
1090
1091	  Workaround: activate this option and add a rule to your firewall
1092	  configuration like:
1093
1094	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1095	                 -j TCPMSS --clamp-mss-to-pmtu
1096
1097	  To compile it as a module, choose M here.  If unsure, say N.
1098
1099config NETFILTER_XT_TARGET_TCPOPTSTRIP
1100	tristate '"TCPOPTSTRIP" target support'
1101	depends on IP_NF_MANGLE || IP6_NF_MANGLE
1102	depends on NETFILTER_ADVANCED
1103	help
1104	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1105	  TCP options from TCP packets.
1106
1107# alphabetically ordered list of matches
1108
1109comment "Xtables matches"
1110
1111config NETFILTER_XT_MATCH_ADDRTYPE
1112	tristate '"addrtype" address type match support'
1113	default m if NETFILTER_ADVANCED=n
1114	---help---
1115	  This option allows you to match what routing thinks of an address,
1116	  eg. UNICAST, LOCAL, BROADCAST, ...
1117
1118	  If you want to compile it as a module, say M here and read
1119	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1120
1121config NETFILTER_XT_MATCH_BPF
1122	tristate '"bpf" match support'
1123	depends on NETFILTER_ADVANCED
1124	help
1125	  BPF matching applies a linux socket filter to each packet and
1126	  accepts those for which the filter returns non-zero.
1127
1128	  To compile it as a module, choose M here.  If unsure, say N.
1129
1130config NETFILTER_XT_MATCH_CGROUP
1131	tristate '"control group" match support'
1132	depends on NETFILTER_ADVANCED
1133	depends on CGROUPS
1134	select CGROUP_NET_CLASSID
1135	---help---
1136	Socket/process control group matching allows you to match locally
1137	generated packets based on which net_cls control group processes
1138	belong to.
1139
1140config NETFILTER_XT_MATCH_CLUSTER
1141	tristate '"cluster" match support'
1142	depends on NF_CONNTRACK
1143	depends on NETFILTER_ADVANCED
1144	---help---
1145	  This option allows you to build work-load-sharing clusters of
1146	  network servers/stateful firewalls without having a dedicated
1147	  load-balancing router/server/switch. Basically, this match returns
1148	  true when the packet must be handled by this cluster node. Thus,
1149	  all nodes see all packets and this match decides which node handles
1150	  what packets. The work-load sharing algorithm is based on source
1151	  address hashing.
1152
1153	  If you say Y or M here, try `iptables -m cluster --help` for
1154	  more information.
1155
1156config NETFILTER_XT_MATCH_COMMENT
1157	tristate  '"comment" match support'
1158	depends on NETFILTER_ADVANCED
1159	help
1160	  This option adds a `comment' dummy-match, which allows you to put
1161	  comments in your iptables ruleset.
1162
1163	  If you want to compile it as a module, say M here and read
1164	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1165
1166config NETFILTER_XT_MATCH_CONNBYTES
1167	tristate  '"connbytes" per-connection counter match support'
1168	depends on NF_CONNTRACK
1169	depends on NETFILTER_ADVANCED
1170	help
1171	  This option adds a `connbytes' match, which allows you to match the
1172	  number of bytes and/or packets for each direction within a connection.
1173
1174	  If you want to compile it as a module, say M here and read
1175	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1176
1177config NETFILTER_XT_MATCH_CONNLABEL
1178	tristate '"connlabel" match support'
1179	select NF_CONNTRACK_LABELS
1180	depends on NF_CONNTRACK
1181	depends on NETFILTER_ADVANCED
1182	---help---
1183	  This match allows you to test and assign userspace-defined labels names
1184	  to a connection.  The kernel only stores bit values - mapping
1185	  names to bits is done by userspace.
1186
1187	  Unlike connmark, more than 32 flag bits may be assigned to a
1188	  connection simultaneously.
1189
1190config NETFILTER_XT_MATCH_CONNLIMIT
1191	tristate '"connlimit" match support'
1192	depends on NF_CONNTRACK
1193	depends on NETFILTER_ADVANCED
1194	select NETFILTER_CONNCOUNT
1195	---help---
1196	  This match allows you to match against the number of parallel
1197	  connections to a server per client IP address (or address block).
1198
1199config NETFILTER_XT_MATCH_CONNMARK
1200	tristate  '"connmark" connection mark match support'
1201	depends on NF_CONNTRACK
1202	depends on NETFILTER_ADVANCED
1203	select NETFILTER_XT_CONNMARK
1204	---help---
1205	This is a backwards-compat option for the user's convenience
1206	(e.g. when running oldconfig). It selects
1207	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1208
1209config NETFILTER_XT_MATCH_CONNTRACK
1210	tristate '"conntrack" connection tracking match support'
1211	depends on NF_CONNTRACK
1212	default m if NETFILTER_ADVANCED=n
1213	help
1214	  This is a general conntrack match module, a superset of the state match.
1215
1216	  It allows matching on additional conntrack information, which is
1217	  useful in complex configurations, such as NAT gateways with multiple
1218	  internet links or tunnels.
1219
1220	  To compile it as a module, choose M here.  If unsure, say N.
1221
1222config NETFILTER_XT_MATCH_CPU
1223	tristate '"cpu" match support'
1224	depends on NETFILTER_ADVANCED
1225	help
1226	  CPU matching allows you to match packets based on the CPU
1227	  currently handling the packet.
1228
1229	  To compile it as a module, choose M here.  If unsure, say N.
1230
1231config NETFILTER_XT_MATCH_DCCP
1232	tristate '"dccp" protocol match support'
1233	depends on NETFILTER_ADVANCED
1234	default IP_DCCP
1235	help
1236	  With this option enabled, you will be able to use the iptables
1237	  `dccp' match in order to match on DCCP source/destination ports
1238	  and DCCP flags.
1239
1240	  If you want to compile it as a module, say M here and read
1241	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1242
1243config NETFILTER_XT_MATCH_DEVGROUP
1244	tristate '"devgroup" match support'
1245	depends on NETFILTER_ADVANCED
1246	help
1247	  This options adds a `devgroup' match, which allows to match on the
1248	  device group a network device is assigned to.
1249
1250	  To compile it as a module, choose M here.  If unsure, say N.
1251
1252config NETFILTER_XT_MATCH_DSCP
1253	tristate '"dscp" and "tos" match support'
1254	depends on NETFILTER_ADVANCED
1255	help
1256	  This option adds a `DSCP' match, which allows you to match against
1257	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1258
1259	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1260
1261	  It will also add a "tos" match, which allows you to match packets
1262	  based on the Type Of Service fields of the IPv4 packet (which share
1263	  the same bits as DSCP).
1264
1265	  To compile it as a module, choose M here.  If unsure, say N.
1266
1267config NETFILTER_XT_MATCH_ECN
1268	tristate '"ecn" match support'
1269	depends on NETFILTER_ADVANCED
1270	---help---
1271	This option adds an "ECN" match, which allows you to match against
1272	the IPv4 and TCP header ECN fields.
1273
1274	To compile it as a module, choose M here. If unsure, say N.
1275
1276config NETFILTER_XT_MATCH_ESP
1277	tristate '"esp" match support'
1278	depends on NETFILTER_ADVANCED
1279	help
1280	  This match extension allows you to match a range of SPIs
1281	  inside ESP header of IPSec packets.
1282
1283	  To compile it as a module, choose M here.  If unsure, say N.
1284
1285config NETFILTER_XT_MATCH_HASHLIMIT
1286	tristate '"hashlimit" match support'
1287	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1288	depends on NETFILTER_ADVANCED
1289	help
1290	  This option adds a `hashlimit' match.
1291
1292	  As opposed to `limit', this match dynamically creates a hash table
1293	  of limit buckets, based on your selection of source/destination
1294	  addresses and/or ports.
1295
1296	  It enables you to express policies like `10kpps for any given
1297	  destination address' or `500pps from any given source address'
1298	  with a single rule.
1299
1300config NETFILTER_XT_MATCH_HELPER
1301	tristate '"helper" match support'
1302	depends on NF_CONNTRACK
1303	depends on NETFILTER_ADVANCED
1304	help
1305	  Helper matching allows you to match packets in dynamic connections
1306	  tracked by a conntrack-helper, ie. nf_conntrack_ftp
1307
1308	  To compile it as a module, choose M here.  If unsure, say Y.
1309
1310config NETFILTER_XT_MATCH_HL
1311	tristate '"hl" hoplimit/TTL match support'
1312	depends on NETFILTER_ADVANCED
1313	---help---
1314	HL matching allows you to match packets based on the hoplimit
1315	in the IPv6 header, or the time-to-live field in the IPv4
1316	header of the packet.
1317
1318config NETFILTER_XT_MATCH_IPCOMP
1319	tristate '"ipcomp" match support'
1320	depends on NETFILTER_ADVANCED
1321	help
1322	  This match extension allows you to match a range of CPIs(16 bits)
1323	  inside IPComp header of IPSec packets.
1324
1325	  To compile it as a module, choose M here.  If unsure, say N.
1326
1327config NETFILTER_XT_MATCH_IPRANGE
1328	tristate '"iprange" address range match support'
1329	depends on NETFILTER_ADVANCED
1330	---help---
1331	This option adds a "iprange" match, which allows you to match based on
1332	an IP address range. (Normal iptables only matches on single addresses
1333	with an optional mask.)
1334
1335	If unsure, say M.
1336
1337config NETFILTER_XT_MATCH_IPVS
1338	tristate '"ipvs" match support'
1339	depends on IP_VS
1340	depends on NETFILTER_ADVANCED
1341	depends on NF_CONNTRACK
1342	help
1343	  This option allows you to match against IPVS properties of a packet.
1344
1345	  If unsure, say N.
1346
1347config NETFILTER_XT_MATCH_L2TP
1348	tristate '"l2tp" match support'
1349	depends on NETFILTER_ADVANCED
1350	default L2TP
1351	---help---
1352	This option adds an "L2TP" match, which allows you to match against
1353	L2TP protocol header fields.
1354
1355	To compile it as a module, choose M here. If unsure, say N.
1356
1357config NETFILTER_XT_MATCH_LENGTH
1358	tristate '"length" match support'
1359	depends on NETFILTER_ADVANCED
1360	help
1361	  This option allows you to match the length of a packet against a
1362	  specific value or range of values.
1363
1364	  To compile it as a module, choose M here.  If unsure, say N.
1365
1366config NETFILTER_XT_MATCH_LIMIT
1367	tristate '"limit" match support'
1368	depends on NETFILTER_ADVANCED
1369	help
1370	  limit matching allows you to control the rate at which a rule can be
1371	  matched: mainly useful in combination with the LOG target ("LOG
1372	  target support", below) and to avoid some Denial of Service attacks.
1373
1374	  To compile it as a module, choose M here.  If unsure, say N.
1375
1376config NETFILTER_XT_MATCH_MAC
1377	tristate '"mac" address match support'
1378	depends on NETFILTER_ADVANCED
1379	help
1380	  MAC matching allows you to match packets based on the source
1381	  Ethernet address of the packet.
1382
1383	  To compile it as a module, choose M here.  If unsure, say N.
1384
1385config NETFILTER_XT_MATCH_MARK
1386	tristate '"mark" match support'
1387	depends on NETFILTER_ADVANCED
1388	select NETFILTER_XT_MARK
1389	---help---
1390	This is a backwards-compat option for the user's convenience
1391	(e.g. when running oldconfig). It selects
1392	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1393
1394config NETFILTER_XT_MATCH_MULTIPORT
1395	tristate '"multiport" Multiple port match support'
1396	depends on NETFILTER_ADVANCED
1397	help
1398	  Multiport matching allows you to match TCP or UDP packets based on
1399	  a series of source or destination ports: normally a rule can only
1400	  match a single range of ports.
1401
1402	  To compile it as a module, choose M here.  If unsure, say N.
1403
1404config NETFILTER_XT_MATCH_NFACCT
1405	tristate '"nfacct" match support'
1406	depends on NETFILTER_ADVANCED
1407	select NETFILTER_NETLINK_ACCT
1408	help
1409	  This option allows you to use the extended accounting through
1410	  nfnetlink_acct.
1411
1412	  To compile it as a module, choose M here.  If unsure, say N.
1413
1414config NETFILTER_XT_MATCH_OSF
1415	tristate '"osf" Passive OS fingerprint match'
1416	depends on NETFILTER_ADVANCED
1417	select NETFILTER_NETLINK_OSF
1418	help
1419	  This option selects the Passive OS Fingerprinting match module
1420	  that allows to passively match the remote operating system by
1421	  analyzing incoming TCP SYN packets.
1422
1423	  Rules and loading software can be downloaded from
1424	  http://www.ioremap.net/projects/osf
1425
1426	  To compile it as a module, choose M here.  If unsure, say N.
1427
1428config NETFILTER_XT_MATCH_OWNER
1429	tristate '"owner" match support'
1430	depends on NETFILTER_ADVANCED
1431	---help---
1432	Socket owner matching allows you to match locally-generated packets
1433	based on who created the socket: the user or group. It is also
1434	possible to check whether a socket actually exists.
1435
1436config NETFILTER_XT_MATCH_POLICY
1437	tristate 'IPsec "policy" match support'
1438	depends on XFRM
1439	default m if NETFILTER_ADVANCED=n
1440	help
1441	  Policy matching allows you to match packets based on the
1442	  IPsec policy that was used during decapsulation/will
1443	  be used during encapsulation.
1444
1445	  To compile it as a module, choose M here.  If unsure, say N.
1446
1447config NETFILTER_XT_MATCH_PHYSDEV
1448	tristate '"physdev" match support'
1449	depends on BRIDGE && BRIDGE_NETFILTER
1450	depends on NETFILTER_ADVANCED
1451	help
1452	  Physdev packet matching matches against the physical bridge ports
1453	  the IP packet arrived on or will leave by.
1454
1455	  To compile it as a module, choose M here.  If unsure, say N.
1456
1457config NETFILTER_XT_MATCH_PKTTYPE
1458	tristate '"pkttype" packet type match support'
1459	depends on NETFILTER_ADVANCED
1460	help
1461	  Packet type matching allows you to match a packet by
1462	  its "class", eg. BROADCAST, MULTICAST, ...
1463
1464	  Typical usage:
1465	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1466
1467	  To compile it as a module, choose M here.  If unsure, say N.
1468
1469config NETFILTER_XT_MATCH_QUOTA
1470	tristate '"quota" match support'
1471	depends on NETFILTER_ADVANCED
1472	help
1473	  This option adds a `quota' match, which allows to match on a
1474	  byte counter.
1475
1476	  If you want to compile it as a module, say M here and read
1477	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1478
1479config NETFILTER_XT_MATCH_RATEEST
1480	tristate '"rateest" match support'
1481	depends on NETFILTER_ADVANCED
1482	select NETFILTER_XT_TARGET_RATEEST
1483	help
1484	  This option adds a `rateest' match, which allows to match on the
1485	  rate estimated by the RATEEST target.
1486
1487	  To compile it as a module, choose M here.  If unsure, say N.
1488
1489config NETFILTER_XT_MATCH_REALM
1490	tristate  '"realm" match support'
1491	depends on NETFILTER_ADVANCED
1492	select IP_ROUTE_CLASSID
1493	help
1494	  This option adds a `realm' match, which allows you to use the realm
1495	  key from the routing subsystem inside iptables.
1496
1497	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1498	  in tc world.
1499
1500	  If you want to compile it as a module, say M here and read
1501	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1502
1503config NETFILTER_XT_MATCH_RECENT
1504	tristate '"recent" match support'
1505	depends on NETFILTER_ADVANCED
1506	---help---
1507	This match is used for creating one or many lists of recently
1508	used addresses and then matching against that/those list(s).
1509
1510	Short options are available by using 'iptables -m recent -h'
1511	Official Website: <http://snowman.net/projects/ipt_recent/>
1512
1513config NETFILTER_XT_MATCH_SCTP
1514	tristate  '"sctp" protocol match support'
1515	depends on NETFILTER_ADVANCED
1516	default IP_SCTP
1517	help
1518	  With this option enabled, you will be able to use the
1519	  `sctp' match in order to match on SCTP source/destination ports
1520	  and SCTP chunk types.
1521
1522	  If you want to compile it as a module, say M here and read
1523	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1524
1525config NETFILTER_XT_MATCH_SOCKET
1526	tristate '"socket" match support'
1527	depends on NETFILTER_XTABLES
1528	depends on NETFILTER_ADVANCED
1529	depends on IPV6 || IPV6=n
1530	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1531	select NF_SOCKET_IPV4
1532	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1533	select NF_DEFRAG_IPV4
1534	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1535	help
1536	  This option adds a `socket' match, which can be used to match
1537	  packets for which a TCP or UDP socket lookup finds a valid socket.
1538	  It can be used in combination with the MARK target and policy
1539	  routing to implement full featured non-locally bound sockets.
1540
1541	  To compile it as a module, choose M here.  If unsure, say N.
1542
1543config NETFILTER_XT_MATCH_STATE
1544	tristate '"state" match support'
1545	depends on NF_CONNTRACK
1546	default m if NETFILTER_ADVANCED=n
1547	help
1548	  Connection state matching allows you to match packets based on their
1549	  relationship to a tracked connection (ie. previous packets).  This
1550	  is a powerful tool for packet classification.
1551
1552	  To compile it as a module, choose M here.  If unsure, say N.
1553
1554config NETFILTER_XT_MATCH_STATISTIC
1555	tristate '"statistic" match support'
1556	depends on NETFILTER_ADVANCED
1557	help
1558	  This option adds a `statistic' match, which allows you to match
1559	  on packets periodically or randomly with a given percentage.
1560
1561	  To compile it as a module, choose M here.  If unsure, say N.
1562
1563config NETFILTER_XT_MATCH_STRING
1564	tristate  '"string" match support'
1565	depends on NETFILTER_ADVANCED
1566	select TEXTSEARCH
1567	select TEXTSEARCH_KMP
1568	select TEXTSEARCH_BM
1569	select TEXTSEARCH_FSM
1570	help
1571	  This option adds a `string' match, which allows you to look for
1572	  pattern matchings in packets.
1573
1574	  To compile it as a module, choose M here.  If unsure, say N.
1575
1576config NETFILTER_XT_MATCH_TCPMSS
1577	tristate '"tcpmss" match support'
1578	depends on NETFILTER_ADVANCED
1579	help
1580	  This option adds a `tcpmss' match, which allows you to examine the
1581	  MSS value of TCP SYN packets, which control the maximum packet size
1582	  for that connection.
1583
1584	  To compile it as a module, choose M here.  If unsure, say N.
1585
1586config NETFILTER_XT_MATCH_TIME
1587	tristate '"time" match support'
1588	depends on NETFILTER_ADVANCED
1589	---help---
1590	  This option adds a "time" match, which allows you to match based on
1591	  the packet arrival time (at the machine which netfilter is running)
1592	  on) or departure time/date (for locally generated packets).
1593
1594	  If you say Y here, try `iptables -m time --help` for
1595	  more information.
1596
1597	  If you want to compile it as a module, say M here.
1598	  If unsure, say N.
1599
1600config NETFILTER_XT_MATCH_U32
1601	tristate '"u32" match support'
1602	depends on NETFILTER_ADVANCED
1603	---help---
1604	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1605	  AND them with specified masks, shift them by specified amounts and
1606	  test whether the results are in any of a set of specified ranges.
1607	  The specification of what to extract is general enough to skip over
1608	  headers with lengths stored in the packet, as in IP or TCP header
1609	  lengths.
1610
1611	  Details and examples are in the kernel module source.
1612
1613endif # NETFILTER_XTABLES
1614
1615endmenu
1616
1617source "net/netfilter/ipset/Kconfig"
1618
1619source "net/netfilter/ipvs/Kconfig"
1620