1# SPDX-License-Identifier: GPL-2.0-only 2menu "Core Netfilter Configuration" 3 depends on INET && NETFILTER 4 5config NETFILTER_INGRESS 6 bool "Netfilter ingress support" 7 default y 8 select NET_INGRESS 9 help 10 This allows you to classify packets from ingress using the Netfilter 11 infrastructure. 12 13config NETFILTER_EGRESS 14 bool "Netfilter egress support" 15 default y 16 select NET_EGRESS 17 help 18 This allows you to classify packets before transmission using the 19 Netfilter infrastructure. 20 21config NETFILTER_SKIP_EGRESS 22 def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB) 23 24config NETFILTER_NETLINK 25 tristate 26 27config NETFILTER_FAMILY_BRIDGE 28 bool 29 30config NETFILTER_FAMILY_ARP 31 bool 32 33config NETFILTER_NETLINK_HOOK 34 tristate "Netfilter base hook dump support" 35 depends on NETFILTER_ADVANCED 36 depends on NF_TABLES 37 select NETFILTER_NETLINK 38 help 39 If this option is enabled, the kernel will include support 40 to list the base netfilter hooks via NFNETLINK. 41 This is helpful for debugging. 42 43config NETFILTER_NETLINK_ACCT 44 tristate "Netfilter NFACCT over NFNETLINK interface" 45 depends on NETFILTER_ADVANCED 46 select NETFILTER_NETLINK 47 help 48 If this option is enabled, the kernel will include support 49 for extended accounting via NFNETLINK. 50 51config NETFILTER_NETLINK_QUEUE 52 tristate "Netfilter NFQUEUE over NFNETLINK interface" 53 depends on NETFILTER_ADVANCED 54 select NETFILTER_NETLINK 55 help 56 If this option is enabled, the kernel will include support 57 for queueing packets via NFNETLINK. 58 59config NETFILTER_NETLINK_LOG 60 tristate "Netfilter LOG over NFNETLINK interface" 61 default m if NETFILTER_ADVANCED=n 62 select NETFILTER_NETLINK 63 help 64 If this option is enabled, the kernel will include support 65 for logging packets via NFNETLINK. 66 67 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, 68 and is also scheduled to replace the old syslog-based ipt_LOG 69 and ip6t_LOG modules. 70 71config NETFILTER_NETLINK_OSF 72 tristate "Netfilter OSF over NFNETLINK interface" 73 depends on NETFILTER_ADVANCED 74 select NETFILTER_NETLINK 75 help 76 If this option is enabled, the kernel will include support 77 for passive OS fingerprint via NFNETLINK. 78 79config NF_CONNTRACK 80 tristate "Netfilter connection tracking support" 81 default m if NETFILTER_ADVANCED=n 82 select NF_DEFRAG_IPV4 83 select NF_DEFRAG_IPV6 if IPV6 != n 84 help 85 Connection tracking keeps a record of what packets have passed 86 through your machine, in order to figure out how they are related 87 into connections. 88 89 This is required to do Masquerading or other kinds of Network 90 Address Translation. It can also be used to enhance packet 91 filtering (see `Connection state match support' below). 92 93 To compile it as a module, choose M here. If unsure, say N. 94 95config NF_LOG_SYSLOG 96 tristate "Syslog packet logging" 97 default m if NETFILTER_ADVANCED=n 98 help 99 This option enable support for packet logging via syslog. 100 It supports IPv4, IPV6, ARP and common transport protocols such 101 as TCP and UDP. 102 This is a simpler but less flexible logging method compared to 103 CONFIG_NETFILTER_NETLINK_LOG. 104 If both are enabled the backend to use can be configured at run-time 105 by means of per-address-family sysctl tunables. 106 107if NF_CONNTRACK 108config NETFILTER_CONNCOUNT 109 tristate 110 111config NF_CONNTRACK_MARK 112 bool 'Connection mark tracking support' 113 depends on NETFILTER_ADVANCED 114 help 115 This option enables support for connection marks, used by the 116 `CONNMARK' target and `connmark' match. Similar to the mark value 117 of packets, but this mark value is kept in the conntrack session 118 instead of the individual packets. 119 120config NF_CONNTRACK_SECMARK 121 bool 'Connection tracking security mark support' 122 depends on NETWORK_SECMARK 123 default y if NETFILTER_ADVANCED=n 124 help 125 This option enables security markings to be applied to 126 connections. Typically they are copied to connections from 127 packets using the CONNSECMARK target and copied back from 128 connections to packets with the same target, with the packets 129 being originally labeled via SECMARK. 130 131 If unsure, say 'N'. 132 133config NF_CONNTRACK_ZONES 134 bool 'Connection tracking zones' 135 depends on NETFILTER_ADVANCED 136 help 137 This option enables support for connection tracking zones. 138 Normally, each connection needs to have a unique system wide 139 identity. Connection tracking zones allow to have multiple 140 connections using the same identity, as long as they are 141 contained in different zones. 142 143 If unsure, say `N'. 144 145config NF_CONNTRACK_PROCFS 146 bool "Supply CT list in procfs (OBSOLETE)" 147 depends on PROC_FS 148 help 149 This option enables for the list of known conntrack entries 150 to be shown in procfs under net/netfilter/nf_conntrack. This 151 is considered obsolete in favor of using the conntrack(8) 152 tool which uses Netlink. 153 154config NF_CONNTRACK_EVENTS 155 bool "Connection tracking events" 156 depends on NETFILTER_ADVANCED 157 help 158 If this option is enabled, the connection tracking code will 159 provide a notifier chain that can be used by other kernel code 160 to get notified about changes in the connection tracking state. 161 162 If unsure, say `N'. 163 164config NF_CONNTRACK_TIMEOUT 165 bool 'Connection tracking timeout' 166 depends on NETFILTER_ADVANCED 167 help 168 This option enables support for connection tracking timeout 169 extension. This allows you to attach timeout policies to flow 170 via the CT target. 171 172 If unsure, say `N'. 173 174config NF_CONNTRACK_TIMESTAMP 175 bool 'Connection tracking timestamping' 176 depends on NETFILTER_ADVANCED 177 help 178 This option enables support for connection tracking timestamping. 179 This allows you to store the flow start-time and to obtain 180 the flow-stop time (once it has been destroyed) via Connection 181 tracking events. 182 183 If unsure, say `N'. 184 185config NF_CONNTRACK_LABELS 186 bool "Connection tracking labels" 187 help 188 This option enables support for assigning user-defined flag bits 189 to connection tracking entries. It can be used with xtables connlabel 190 match and the nftables ct expression. 191 192config NF_CT_PROTO_DCCP 193 bool 'DCCP protocol connection tracking support' 194 depends on NETFILTER_ADVANCED 195 default y 196 help 197 With this option enabled, the layer 3 independent connection 198 tracking code will be able to do state tracking on DCCP connections. 199 200 If unsure, say Y. 201 202config NF_CT_PROTO_GRE 203 bool 204 205config NF_CT_PROTO_SCTP 206 bool 'SCTP protocol connection tracking support' 207 depends on NETFILTER_ADVANCED 208 default y 209 select LIBCRC32C 210 help 211 With this option enabled, the layer 3 independent connection 212 tracking code will be able to do state tracking on SCTP connections. 213 214 If unsure, say Y. 215 216config NF_CT_PROTO_UDPLITE 217 bool 'UDP-Lite protocol connection tracking support' 218 depends on NETFILTER_ADVANCED 219 default y 220 help 221 With this option enabled, the layer 3 independent connection 222 tracking code will be able to do state tracking on UDP-Lite 223 connections. 224 225 If unsure, say Y. 226 227config NF_CONNTRACK_AMANDA 228 tristate "Amanda backup protocol support" 229 depends on NETFILTER_ADVANCED 230 select TEXTSEARCH 231 select TEXTSEARCH_KMP 232 help 233 If you are running the Amanda backup package <http://www.amanda.org/> 234 on this machine or machines that will be MASQUERADED through this 235 machine, then you may want to enable this feature. This allows the 236 connection tracking and natting code to allow the sub-channels that 237 Amanda requires for communication of the backup data, messages and 238 index. 239 240 To compile it as a module, choose M here. If unsure, say N. 241 242config NF_CONNTRACK_FTP 243 tristate "FTP protocol support" 244 default m if NETFILTER_ADVANCED=n 245 help 246 Tracking FTP connections is problematic: special helpers are 247 required for tracking them, and doing masquerading and other forms 248 of Network Address Translation on them. 249 250 This is FTP support on Layer 3 independent connection tracking. 251 252 To compile it as a module, choose M here. If unsure, say N. 253 254config NF_CONNTRACK_H323 255 tristate "H.323 protocol support" 256 depends on IPV6 || IPV6=n 257 depends on NETFILTER_ADVANCED 258 help 259 H.323 is a VoIP signalling protocol from ITU-T. As one of the most 260 important VoIP protocols, it is widely used by voice hardware and 261 software including voice gateways, IP phones, Netmeeting, OpenPhone, 262 Gnomemeeting, etc. 263 264 With this module you can support H.323 on a connection tracking/NAT 265 firewall. 266 267 This module supports RAS, Fast Start, H.245 Tunnelling, Call 268 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, 269 whiteboard, file transfer, etc. For more information, please 270 visit http://nath323.sourceforge.net/. 271 272 To compile it as a module, choose M here. If unsure, say N. 273 274config NF_CONNTRACK_IRC 275 tristate "IRC protocol support" 276 default m if NETFILTER_ADVANCED=n 277 help 278 There is a commonly-used extension to IRC called 279 Direct Client-to-Client Protocol (DCC). This enables users to send 280 files to each other, and also chat to each other without the need 281 of a server. DCC Sending is used anywhere you send files over IRC, 282 and DCC Chat is most commonly used by Eggdrop bots. If you are 283 using NAT, this extension will enable you to send files and initiate 284 chats. Note that you do NOT need this extension to get files or 285 have others initiate chats, or everything else in IRC. 286 287 To compile it as a module, choose M here. If unsure, say N. 288 289config NF_CONNTRACK_BROADCAST 290 tristate 291 292config NF_CONNTRACK_NETBIOS_NS 293 tristate "NetBIOS name service protocol support" 294 select NF_CONNTRACK_BROADCAST 295 help 296 NetBIOS name service requests are sent as broadcast messages from an 297 unprivileged port and responded to with unicast messages to the 298 same port. This make them hard to firewall properly because connection 299 tracking doesn't deal with broadcasts. This helper tracks locally 300 originating NetBIOS name service requests and the corresponding 301 responses. It relies on correct IP address configuration, specifically 302 netmask and broadcast address. When properly configured, the output 303 of "ip address show" should look similar to this: 304 305 $ ip -4 address show eth0 306 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 307 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 308 309 To compile it as a module, choose M here. If unsure, say N. 310 311config NF_CONNTRACK_SNMP 312 tristate "SNMP service protocol support" 313 depends on NETFILTER_ADVANCED 314 select NF_CONNTRACK_BROADCAST 315 help 316 SNMP service requests are sent as broadcast messages from an 317 unprivileged port and responded to with unicast messages to the 318 same port. This make them hard to firewall properly because connection 319 tracking doesn't deal with broadcasts. This helper tracks locally 320 originating SNMP service requests and the corresponding 321 responses. It relies on correct IP address configuration, specifically 322 netmask and broadcast address. 323 324 To compile it as a module, choose M here. If unsure, say N. 325 326config NF_CONNTRACK_PPTP 327 tristate "PPtP protocol support" 328 depends on NETFILTER_ADVANCED 329 select NF_CT_PROTO_GRE 330 help 331 This module adds support for PPTP (Point to Point Tunnelling 332 Protocol, RFC2637) connection tracking and NAT. 333 334 If you are running PPTP sessions over a stateful firewall or NAT 335 box, you may want to enable this feature. 336 337 Please note that not all PPTP modes of operation are supported yet. 338 Specifically these limitations exist: 339 - Blindly assumes that control connections are always established 340 in PNS->PAC direction. This is a violation of RFC2637. 341 - Only supports a single call within each session 342 343 To compile it as a module, choose M here. If unsure, say N. 344 345config NF_CONNTRACK_SANE 346 tristate "SANE protocol support" 347 depends on NETFILTER_ADVANCED 348 help 349 SANE is a protocol for remote access to scanners as implemented 350 by the 'saned' daemon. Like FTP, it uses separate control and 351 data connections. 352 353 With this module you can support SANE on a connection tracking 354 firewall. 355 356 To compile it as a module, choose M here. If unsure, say N. 357 358config NF_CONNTRACK_SIP 359 tristate "SIP protocol support" 360 default m if NETFILTER_ADVANCED=n 361 help 362 SIP is an application-layer control protocol that can establish, 363 modify, and terminate multimedia sessions (conferences) such as 364 Internet telephony calls. With the nf_conntrack_sip and 365 the nf_nat_sip modules you can support the protocol on a connection 366 tracking/NATing firewall. 367 368 To compile it as a module, choose M here. If unsure, say N. 369 370config NF_CONNTRACK_TFTP 371 tristate "TFTP protocol support" 372 depends on NETFILTER_ADVANCED 373 help 374 TFTP connection tracking helper, this is required depending 375 on how restrictive your ruleset is. 376 If you are using a tftp client behind -j SNAT or -j MASQUERADING 377 you will need this. 378 379 To compile it as a module, choose M here. If unsure, say N. 380 381config NF_CT_NETLINK 382 tristate 'Connection tracking netlink interface' 383 select NETFILTER_NETLINK 384 default m if NETFILTER_ADVANCED=n 385 help 386 This option enables support for a netlink-based userspace interface 387 388config NF_CT_NETLINK_TIMEOUT 389 tristate 'Connection tracking timeout tuning via Netlink' 390 select NETFILTER_NETLINK 391 depends on NETFILTER_ADVANCED 392 depends on NF_CONNTRACK_TIMEOUT 393 help 394 This option enables support for connection tracking timeout 395 fine-grain tuning. This allows you to attach specific timeout 396 policies to flows, instead of using the global timeout policy. 397 398 If unsure, say `N'. 399 400config NF_CT_NETLINK_HELPER 401 tristate 'Connection tracking helpers in user-space via Netlink' 402 select NETFILTER_NETLINK 403 depends on NF_CT_NETLINK 404 depends on NETFILTER_NETLINK_QUEUE 405 depends on NETFILTER_NETLINK_GLUE_CT 406 depends on NETFILTER_ADVANCED 407 help 408 This option enables the user-space connection tracking helpers 409 infrastructure. 410 411 If unsure, say `N'. 412 413config NETFILTER_NETLINK_GLUE_CT 414 bool "NFQUEUE and NFLOG integration with Connection Tracking" 415 default n 416 depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK 417 help 418 If this option is enabled, NFQUEUE and NFLOG can include 419 Connection Tracking information together with the packet is 420 the enqueued via NFNETLINK. 421 422config NF_NAT 423 tristate "Network Address Translation support" 424 depends on NF_CONNTRACK 425 default m if NETFILTER_ADVANCED=n 426 help 427 The NAT option allows masquerading, port forwarding and other 428 forms of full Network Address Port Translation. This can be 429 controlled by iptables, ip6tables or nft. 430 431config NF_NAT_AMANDA 432 tristate 433 depends on NF_CONNTRACK && NF_NAT 434 default NF_NAT && NF_CONNTRACK_AMANDA 435 436config NF_NAT_FTP 437 tristate 438 depends on NF_CONNTRACK && NF_NAT 439 default NF_NAT && NF_CONNTRACK_FTP 440 441config NF_NAT_IRC 442 tristate 443 depends on NF_CONNTRACK && NF_NAT 444 default NF_NAT && NF_CONNTRACK_IRC 445 446config NF_NAT_SIP 447 tristate 448 depends on NF_CONNTRACK && NF_NAT 449 default NF_NAT && NF_CONNTRACK_SIP 450 451config NF_NAT_TFTP 452 tristate 453 depends on NF_CONNTRACK && NF_NAT 454 default NF_NAT && NF_CONNTRACK_TFTP 455 456config NF_NAT_REDIRECT 457 bool 458 459config NF_NAT_MASQUERADE 460 bool 461 462config NF_NAT_OVS 463 bool 464 465config NETFILTER_SYNPROXY 466 tristate 467 468endif # NF_CONNTRACK 469 470config NF_TABLES 471 select NETFILTER_NETLINK 472 select LIBCRC32C 473 tristate "Netfilter nf_tables support" 474 help 475 nftables is the new packet classification framework that intends to 476 replace the existing {ip,ip6,arp,eb}_tables infrastructure. It 477 provides a pseudo-state machine with an extensible instruction-set 478 (also known as expressions) that the userspace 'nft' utility 479 (https://www.netfilter.org/projects/nftables) uses to build the 480 rule-set. It also comes with the generic set infrastructure that 481 allows you to construct mappings between matchings and actions 482 for performance lookups. 483 484 To compile it as a module, choose M here. 485 486if NF_TABLES 487config NF_TABLES_INET 488 depends on IPV6 489 select NF_TABLES_IPV4 490 select NF_TABLES_IPV6 491 bool "Netfilter nf_tables mixed IPv4/IPv6 tables support" 492 help 493 This option enables support for a mixed IPv4/IPv6 "inet" table. 494 495config NF_TABLES_NETDEV 496 bool "Netfilter nf_tables netdev tables support" 497 help 498 This option enables support for the "netdev" table. 499 500config NFT_NUMGEN 501 tristate "Netfilter nf_tables number generator module" 502 help 503 This option adds the number generator expression used to perform 504 incremental counting and random numbers bound to a upper limit. 505 506config NFT_CT 507 depends on NF_CONNTRACK 508 tristate "Netfilter nf_tables conntrack module" 509 help 510 This option adds the "ct" expression that you can use to match 511 connection tracking information such as the flow state. 512 513config NFT_FLOW_OFFLOAD 514 depends on NF_CONNTRACK && NF_FLOW_TABLE 515 tristate "Netfilter nf_tables hardware flow offload module" 516 help 517 This option adds the "flow_offload" expression that you can use to 518 choose what flows are placed into the hardware. 519 520config NFT_CONNLIMIT 521 tristate "Netfilter nf_tables connlimit module" 522 depends on NF_CONNTRACK 523 depends on NETFILTER_ADVANCED 524 select NETFILTER_CONNCOUNT 525 help 526 This option adds the "connlimit" expression that you can use to 527 ratelimit rule matchings per connections. 528 529config NFT_LOG 530 tristate "Netfilter nf_tables log module" 531 help 532 This option adds the "log" expression that you can use to log 533 packets matching some criteria. 534 535config NFT_LIMIT 536 tristate "Netfilter nf_tables limit module" 537 help 538 This option adds the "limit" expression that you can use to 539 ratelimit rule matchings. 540 541config NFT_MASQ 542 depends on NF_CONNTRACK 543 depends on NF_NAT 544 select NF_NAT_MASQUERADE 545 tristate "Netfilter nf_tables masquerade support" 546 help 547 This option adds the "masquerade" expression that you can use 548 to perform NAT in the masquerade flavour. 549 550config NFT_REDIR 551 depends on NF_CONNTRACK 552 depends on NF_NAT 553 tristate "Netfilter nf_tables redirect support" 554 select NF_NAT_REDIRECT 555 help 556 This options adds the "redirect" expression that you can use 557 to perform NAT in the redirect flavour. 558 559config NFT_NAT 560 depends on NF_CONNTRACK 561 select NF_NAT 562 depends on NF_TABLES_IPV4 || NF_TABLES_IPV6 563 tristate "Netfilter nf_tables nat module" 564 help 565 This option adds the "nat" expression that you can use to perform 566 typical Network Address Translation (NAT) packet transformations. 567 568config NFT_TUNNEL 569 tristate "Netfilter nf_tables tunnel module" 570 help 571 This option adds the "tunnel" expression that you can use to set 572 tunneling policies. 573 574config NFT_QUEUE 575 depends on NETFILTER_NETLINK_QUEUE 576 tristate "Netfilter nf_tables queue module" 577 help 578 This is required if you intend to use the userspace queueing 579 infrastructure (also known as NFQUEUE) from nftables. 580 581config NFT_QUOTA 582 tristate "Netfilter nf_tables quota module" 583 help 584 This option adds the "quota" expression that you can use to match 585 enforce bytes quotas. 586 587config NFT_REJECT 588 default m if NETFILTER_ADVANCED=n 589 tristate "Netfilter nf_tables reject support" 590 depends on !NF_TABLES_INET || (IPV6!=m || m) 591 help 592 This option adds the "reject" expression that you can use to 593 explicitly deny and notify via TCP reset/ICMP informational errors 594 unallowed traffic. 595 596config NFT_REJECT_INET 597 depends on NF_TABLES_INET 598 default NFT_REJECT 599 tristate 600 601config NFT_COMPAT 602 depends on NETFILTER_XTABLES 603 tristate "Netfilter x_tables over nf_tables module" 604 help 605 This is required if you intend to use any of existing 606 x_tables match/target extensions over the nf_tables 607 framework. 608 609config NFT_HASH 610 tristate "Netfilter nf_tables hash module" 611 help 612 This option adds the "hash" expression that you can use to perform 613 a hash operation on registers. 614 615config NFT_FIB 616 tristate 617 618config NFT_FIB_INET 619 depends on NF_TABLES_INET 620 depends on NFT_FIB_IPV4 621 depends on NFT_FIB_IPV6 622 tristate "Netfilter nf_tables fib inet support" 623 help 624 This option allows using the FIB expression from the inet table. 625 The lookup will be delegated to the IPv4 or IPv6 FIB depending 626 on the protocol of the packet. 627 628config NFT_XFRM 629 tristate "Netfilter nf_tables xfrm/IPSec security association matching" 630 depends on XFRM 631 help 632 This option adds an expression that you can use to extract properties 633 of a packets security association. 634 635config NFT_SOCKET 636 tristate "Netfilter nf_tables socket match support" 637 depends on IPV6 || IPV6=n 638 select NF_SOCKET_IPV4 639 select NF_SOCKET_IPV6 if NF_TABLES_IPV6 640 help 641 This option allows matching for the presence or absence of a 642 corresponding socket and its attributes. 643 644config NFT_OSF 645 tristate "Netfilter nf_tables passive OS fingerprint support" 646 depends on NETFILTER_ADVANCED 647 select NETFILTER_NETLINK_OSF 648 help 649 This option allows matching packets from an specific OS. 650 651config NFT_TPROXY 652 tristate "Netfilter nf_tables tproxy support" 653 depends on IPV6 || IPV6=n 654 select NF_DEFRAG_IPV4 655 select NF_DEFRAG_IPV6 if NF_TABLES_IPV6 656 select NF_TPROXY_IPV4 657 select NF_TPROXY_IPV6 if NF_TABLES_IPV6 658 help 659 This makes transparent proxy support available in nftables. 660 661config NFT_SYNPROXY 662 tristate "Netfilter nf_tables SYNPROXY expression support" 663 depends on NF_CONNTRACK && NETFILTER_ADVANCED 664 select NETFILTER_SYNPROXY 665 select SYN_COOKIES 666 help 667 The SYNPROXY expression allows you to intercept TCP connections and 668 establish them using syncookies before they are passed on to the 669 server. This allows to avoid conntrack and server resource usage 670 during SYN-flood attacks. 671 672if NF_TABLES_NETDEV 673 674config NF_DUP_NETDEV 675 tristate "Netfilter packet duplication support" 676 help 677 This option enables the generic packet duplication infrastructure 678 for Netfilter. 679 680config NFT_DUP_NETDEV 681 tristate "Netfilter nf_tables netdev packet duplication support" 682 select NF_DUP_NETDEV 683 help 684 This option enables packet duplication for the "netdev" family. 685 686config NFT_FWD_NETDEV 687 tristate "Netfilter nf_tables netdev packet forwarding support" 688 select NF_DUP_NETDEV 689 help 690 This option enables packet forwarding for the "netdev" family. 691 692config NFT_FIB_NETDEV 693 depends on NFT_FIB_IPV4 694 depends on NFT_FIB_IPV6 695 tristate "Netfilter nf_tables netdev fib lookups support" 696 help 697 This option allows using the FIB expression from the netdev table. 698 The lookup will be delegated to the IPv4 or IPv6 FIB depending 699 on the protocol of the packet. 700 701config NFT_REJECT_NETDEV 702 depends on NFT_REJECT_IPV4 703 depends on NFT_REJECT_IPV6 704 tristate "Netfilter nf_tables netdev REJECT support" 705 help 706 This option enables the REJECT support from the netdev table. 707 The return packet generation will be delegated to the IPv4 708 or IPv6 ICMP or TCP RST implementation depending on the 709 protocol of the packet. 710 711endif # NF_TABLES_NETDEV 712 713endif # NF_TABLES 714 715config NF_FLOW_TABLE_INET 716 tristate "Netfilter flow table mixed IPv4/IPv6 module" 717 depends on NF_FLOW_TABLE 718 help 719 This option adds the flow table mixed IPv4/IPv6 support. 720 721 To compile it as a module, choose M here. 722 723config NF_FLOW_TABLE 724 tristate "Netfilter flow table module" 725 depends on NETFILTER_INGRESS 726 depends on NF_CONNTRACK 727 depends on NF_TABLES 728 help 729 This option adds the flow table core infrastructure. 730 731 To compile it as a module, choose M here. 732 733config NF_FLOW_TABLE_PROCFS 734 bool "Supply flow table statistics in procfs" 735 depends on NF_FLOW_TABLE 736 depends on PROC_FS 737 help 738 This option enables for the flow table offload statistics 739 to be shown in procfs under net/netfilter/nf_flowtable. 740 741config NETFILTER_XTABLES 742 tristate "Netfilter Xtables support (required for ip_tables)" 743 default m if NETFILTER_ADVANCED=n 744 help 745 This is required if you intend to use any of ip_tables, 746 ip6_tables or arp_tables. 747 748if NETFILTER_XTABLES 749 750config NETFILTER_XTABLES_COMPAT 751 bool "Netfilter Xtables 32bit support" 752 depends on COMPAT 753 default y 754 help 755 This option provides a translation layer to run 32bit arp,ip(6),ebtables 756 binaries on 64bit kernels. 757 758 If unsure, say N. 759 760comment "Xtables combined modules" 761 762config NETFILTER_XT_MARK 763 tristate 'nfmark target and match support' 764 default m if NETFILTER_ADVANCED=n 765 help 766 This option adds the "MARK" target and "mark" match. 767 768 Netfilter mark matching allows you to match packets based on the 769 "nfmark" value in the packet. 770 The target allows you to create rules in the "mangle" table which alter 771 the netfilter mark (nfmark) field associated with the packet. 772 773 Prior to routing, the nfmark can influence the routing method and can 774 also be used by other subsystems to change their behavior. 775 776config NETFILTER_XT_CONNMARK 777 tristate 'ctmark target and match support' 778 depends on NF_CONNTRACK 779 depends on NETFILTER_ADVANCED 780 select NF_CONNTRACK_MARK 781 help 782 This option adds the "CONNMARK" target and "connmark" match. 783 784 Netfilter allows you to store a mark value per connection (a.k.a. 785 ctmark), similarly to the packet mark (nfmark). Using this 786 target and match, you can set and match on this mark. 787 788config NETFILTER_XT_SET 789 tristate 'set target and match support' 790 depends on IP_SET 791 depends on NETFILTER_ADVANCED 792 help 793 This option adds the "SET" target and "set" match. 794 795 Using this target and match, you can add/delete and match 796 elements in the sets created by ipset(8). 797 798 To compile it as a module, choose M here. If unsure, say N. 799 800# alphabetically ordered list of targets 801 802comment "Xtables targets" 803 804config NETFILTER_XT_TARGET_AUDIT 805 tristate "AUDIT target support" 806 depends on AUDIT 807 depends on NETFILTER_ADVANCED 808 help 809 This option adds a 'AUDIT' target, which can be used to create 810 audit records for packets dropped/accepted. 811 812 To compileit as a module, choose M here. If unsure, say N. 813 814config NETFILTER_XT_TARGET_CHECKSUM 815 tristate "CHECKSUM target support" 816 depends on IP_NF_MANGLE || IP6_NF_MANGLE 817 depends on NETFILTER_ADVANCED 818 help 819 This option adds a `CHECKSUM' target, which can be used in the iptables mangle 820 table to work around buggy DHCP clients in virtualized environments. 821 822 Some old DHCP clients drop packets because they are not aware 823 that the checksum would normally be offloaded to hardware and 824 thus should be considered valid. 825 This target can be used to fill in the checksum using iptables 826 when such packets are sent via a virtual network device. 827 828 To compile it as a module, choose M here. If unsure, say N. 829 830config NETFILTER_XT_TARGET_CLASSIFY 831 tristate '"CLASSIFY" target support' 832 depends on NETFILTER_ADVANCED 833 help 834 This option adds a `CLASSIFY' target, which enables the user to set 835 the priority of a packet. Some qdiscs can use this value for 836 classification, among these are: 837 838 atm, cbq, dsmark, pfifo_fast, htb, prio 839 840 To compile it as a module, choose M here. If unsure, say N. 841 842config NETFILTER_XT_TARGET_CONNMARK 843 tristate '"CONNMARK" target support' 844 depends on NF_CONNTRACK 845 depends on NETFILTER_ADVANCED 846 select NETFILTER_XT_CONNMARK 847 help 848 This is a backwards-compat option for the user's convenience 849 (e.g. when running oldconfig). It selects 850 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 851 852config NETFILTER_XT_TARGET_CONNSECMARK 853 tristate '"CONNSECMARK" target support' 854 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK 855 default m if NETFILTER_ADVANCED=n 856 help 857 The CONNSECMARK target copies security markings from packets 858 to connections, and restores security markings from connections 859 to packets (if the packets are not already marked). This would 860 normally be used in conjunction with the SECMARK target. 861 862 To compile it as a module, choose M here. If unsure, say N. 863 864config NETFILTER_XT_TARGET_CT 865 tristate '"CT" target support' 866 depends on NF_CONNTRACK 867 depends on IP_NF_RAW || IP6_NF_RAW 868 depends on NETFILTER_ADVANCED 869 help 870 This options adds a `CT' target, which allows to specify initial 871 connection tracking parameters like events to be delivered and 872 the helper to be used. 873 874 To compile it as a module, choose M here. If unsure, say N. 875 876config NETFILTER_XT_TARGET_DSCP 877 tristate '"DSCP" and "TOS" target support' 878 depends on IP_NF_MANGLE || IP6_NF_MANGLE 879 depends on NETFILTER_ADVANCED 880 help 881 This option adds a `DSCP' target, which allows you to manipulate 882 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 883 884 The DSCP field can have any value between 0x0 and 0x3f inclusive. 885 886 It also adds the "TOS" target, which allows you to create rules in 887 the "mangle" table which alter the Type Of Service field of an IPv4 888 or the Priority field of an IPv6 packet, prior to routing. 889 890 To compile it as a module, choose M here. If unsure, say N. 891 892config NETFILTER_XT_TARGET_HL 893 tristate '"HL" hoplimit target support' 894 depends on IP_NF_MANGLE || IP6_NF_MANGLE 895 depends on NETFILTER_ADVANCED 896 help 897 This option adds the "HL" (for IPv6) and "TTL" (for IPv4) 898 targets, which enable the user to change the 899 hoplimit/time-to-live value of the IP header. 900 901 While it is safe to decrement the hoplimit/TTL value, the 902 modules also allow to increment and set the hoplimit value of 903 the header to arbitrary values. This is EXTREMELY DANGEROUS 904 since you can easily create immortal packets that loop 905 forever on the network. 906 907config NETFILTER_XT_TARGET_HMARK 908 tristate '"HMARK" target support' 909 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 910 depends on NETFILTER_ADVANCED 911 help 912 This option adds the "HMARK" target. 913 914 The target allows you to create rules in the "raw" and "mangle" tables 915 which set the skbuff mark by means of hash calculation within a given 916 range. The nfmark can influence the routing method and can also be used 917 by other subsystems to change their behaviour. 918 919 To compile it as a module, choose M here. If unsure, say N. 920 921config NETFILTER_XT_TARGET_IDLETIMER 922 tristate "IDLETIMER target support" 923 depends on NETFILTER_ADVANCED 924 help 925 926 This option adds the `IDLETIMER' target. Each matching packet 927 resets the timer associated with label specified when the rule is 928 added. When the timer expires, it triggers a sysfs notification. 929 The remaining time for expiration can be read via sysfs. 930 931 To compile it as a module, choose M here. If unsure, say N. 932 933config NETFILTER_XT_TARGET_LED 934 tristate '"LED" target support' 935 depends on LEDS_CLASS && LEDS_TRIGGERS 936 depends on NETFILTER_ADVANCED 937 help 938 This option adds a `LED' target, which allows you to blink LEDs in 939 response to particular packets passing through your machine. 940 941 This can be used to turn a spare LED into a network activity LED, 942 which only flashes in response to FTP transfers, for example. Or 943 you could have an LED which lights up for a minute or two every time 944 somebody connects to your machine via SSH. 945 946 You will need support for the "led" class to make this work. 947 948 To create an LED trigger for incoming SSH traffic: 949 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 950 951 Then attach the new trigger to an LED on your system: 952 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger 953 954 For more information on the LEDs available on your system, see 955 Documentation/leds/leds-class.rst 956 957config NETFILTER_XT_TARGET_LOG 958 tristate "LOG target support" 959 select NF_LOG_SYSLOG 960 select NF_LOG_IPV6 if IP6_NF_IPTABLES 961 default m if NETFILTER_ADVANCED=n 962 help 963 This option adds a `LOG' target, which allows you to create rules in 964 any iptables table which records the packet header to the syslog. 965 966 To compile it as a module, choose M here. If unsure, say N. 967 968config NETFILTER_XT_TARGET_MARK 969 tristate '"MARK" target support' 970 depends on NETFILTER_ADVANCED 971 select NETFILTER_XT_MARK 972 help 973 This is a backwards-compat option for the user's convenience 974 (e.g. when running oldconfig). It selects 975 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 976 977config NETFILTER_XT_NAT 978 tristate '"SNAT and DNAT" targets support' 979 depends on NF_NAT 980 help 981 This option enables the SNAT and DNAT targets. 982 983 To compile it as a module, choose M here. If unsure, say N. 984 985config NETFILTER_XT_TARGET_NETMAP 986 tristate '"NETMAP" target support' 987 depends on NF_NAT 988 help 989 NETMAP is an implementation of static 1:1 NAT mapping of network 990 addresses. It maps the network address part, while keeping the host 991 address part intact. 992 993 To compile it as a module, choose M here. If unsure, say N. 994 995config NETFILTER_XT_TARGET_NFLOG 996 tristate '"NFLOG" target support' 997 default m if NETFILTER_ADVANCED=n 998 select NETFILTER_NETLINK_LOG 999 help 1000 This option enables the NFLOG target, which allows to LOG 1001 messages through nfnetlink_log. 1002 1003 To compile it as a module, choose M here. If unsure, say N. 1004 1005config NETFILTER_XT_TARGET_NFQUEUE 1006 tristate '"NFQUEUE" target Support' 1007 depends on NETFILTER_ADVANCED 1008 select NETFILTER_NETLINK_QUEUE 1009 help 1010 This target replaced the old obsolete QUEUE target. 1011 1012 As opposed to QUEUE, it supports 65535 different queues, 1013 not just one. 1014 1015 To compile it as a module, choose M here. If unsure, say N. 1016 1017config NETFILTER_XT_TARGET_NOTRACK 1018 tristate '"NOTRACK" target support (DEPRECATED)' 1019 depends on NF_CONNTRACK 1020 depends on IP_NF_RAW || IP6_NF_RAW 1021 depends on NETFILTER_ADVANCED 1022 select NETFILTER_XT_TARGET_CT 1023 1024config NETFILTER_XT_TARGET_RATEEST 1025 tristate '"RATEEST" target support' 1026 depends on NETFILTER_ADVANCED 1027 help 1028 This option adds a `RATEEST' target, which allows to measure 1029 rates similar to TC estimators. The `rateest' match can be 1030 used to match on the measured rates. 1031 1032 To compile it as a module, choose M here. If unsure, say N. 1033 1034config NETFILTER_XT_TARGET_REDIRECT 1035 tristate "REDIRECT target support" 1036 depends on NF_NAT 1037 select NF_NAT_REDIRECT 1038 help 1039 REDIRECT is a special case of NAT: all incoming connections are 1040 mapped onto the incoming interface's address, causing the packets to 1041 come to the local machine instead of passing through. This is 1042 useful for transparent proxies. 1043 1044 To compile it as a module, choose M here. If unsure, say N. 1045 1046config NETFILTER_XT_TARGET_MASQUERADE 1047 tristate "MASQUERADE target support" 1048 depends on NF_NAT 1049 default m if NETFILTER_ADVANCED=n 1050 select NF_NAT_MASQUERADE 1051 help 1052 Masquerading is a special case of NAT: all outgoing connections are 1053 changed to seem to come from a particular interface's address, and 1054 if the interface goes down, those connections are lost. This is 1055 only useful for dialup accounts with dynamic IP address (ie. your IP 1056 address will be different on next dialup). 1057 1058 To compile it as a module, choose M here. If unsure, say N. 1059 1060config NETFILTER_XT_TARGET_TEE 1061 tristate '"TEE" - packet cloning to alternate destination' 1062 depends on NETFILTER_ADVANCED 1063 depends on IPV6 || IPV6=n 1064 depends on !NF_CONNTRACK || NF_CONNTRACK 1065 depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES 1066 select NF_DUP_IPV4 1067 select NF_DUP_IPV6 if IP6_NF_IPTABLES 1068 help 1069 This option adds a "TEE" target with which a packet can be cloned and 1070 this clone be rerouted to another nexthop. 1071 1072config NETFILTER_XT_TARGET_TPROXY 1073 tristate '"TPROXY" target transparent proxying support' 1074 depends on NETFILTER_XTABLES 1075 depends on NETFILTER_ADVANCED 1076 depends on IPV6 || IPV6=n 1077 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1078 depends on IP_NF_MANGLE 1079 select NF_DEFRAG_IPV4 1080 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 1081 select NF_TPROXY_IPV4 1082 select NF_TPROXY_IPV6 if IP6_NF_IPTABLES 1083 help 1084 This option adds a `TPROXY' target, which is somewhat similar to 1085 REDIRECT. It can only be used in the mangle table and is useful 1086 to redirect traffic to a transparent proxy. It does _not_ depend 1087 on Netfilter connection tracking and NAT, unlike REDIRECT. 1088 For it to work you will have to configure certain iptables rules 1089 and use policy routing. For more information on how to set it up 1090 see Documentation/networking/tproxy.rst. 1091 1092 To compile it as a module, choose M here. If unsure, say N. 1093 1094config NETFILTER_XT_TARGET_TRACE 1095 tristate '"TRACE" target support' 1096 depends on IP_NF_RAW || IP6_NF_RAW 1097 depends on NETFILTER_ADVANCED 1098 help 1099 The TRACE target allows you to mark packets so that the kernel 1100 will log every rule which match the packets as those traverse 1101 the tables, chains, rules. 1102 1103 If you want to compile it as a module, say M here and read 1104 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1105 1106config NETFILTER_XT_TARGET_SECMARK 1107 tristate '"SECMARK" target support' 1108 depends on NETWORK_SECMARK 1109 default m if NETFILTER_ADVANCED=n 1110 help 1111 The SECMARK target allows security marking of network 1112 packets, for use with security subsystems. 1113 1114 To compile it as a module, choose M here. If unsure, say N. 1115 1116config NETFILTER_XT_TARGET_TCPMSS 1117 tristate '"TCPMSS" target support' 1118 depends on IPV6 || IPV6=n 1119 default m if NETFILTER_ADVANCED=n 1120 help 1121 This option adds a `TCPMSS' target, which allows you to alter the 1122 MSS value of TCP SYN packets, to control the maximum size for that 1123 connection (usually limiting it to your outgoing interface's MTU 1124 minus 40). 1125 1126 This is used to overcome criminally braindead ISPs or servers which 1127 block ICMP Fragmentation Needed packets. The symptoms of this 1128 problem are that everything works fine from your Linux 1129 firewall/router, but machines behind it can never exchange large 1130 packets: 1131 1) Web browsers connect, then hang with no data received. 1132 2) Small mail works fine, but large emails hang. 1133 3) ssh works fine, but scp hangs after initial handshaking. 1134 1135 Workaround: activate this option and add a rule to your firewall 1136 configuration like: 1137 1138 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ 1139 -j TCPMSS --clamp-mss-to-pmtu 1140 1141 To compile it as a module, choose M here. If unsure, say N. 1142 1143config NETFILTER_XT_TARGET_TCPOPTSTRIP 1144 tristate '"TCPOPTSTRIP" target support' 1145 depends on IP_NF_MANGLE || IP6_NF_MANGLE 1146 depends on NETFILTER_ADVANCED 1147 help 1148 This option adds a "TCPOPTSTRIP" target, which allows you to strip 1149 TCP options from TCP packets. 1150 1151# alphabetically ordered list of matches 1152 1153comment "Xtables matches" 1154 1155config NETFILTER_XT_MATCH_ADDRTYPE 1156 tristate '"addrtype" address type match support' 1157 default m if NETFILTER_ADVANCED=n 1158 help 1159 This option allows you to match what routing thinks of an address, 1160 eg. UNICAST, LOCAL, BROADCAST, ... 1161 1162 If you want to compile it as a module, say M here and read 1163 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1164 1165config NETFILTER_XT_MATCH_BPF 1166 tristate '"bpf" match support' 1167 depends on NETFILTER_ADVANCED 1168 help 1169 BPF matching applies a linux socket filter to each packet and 1170 accepts those for which the filter returns non-zero. 1171 1172 To compile it as a module, choose M here. If unsure, say N. 1173 1174config NETFILTER_XT_MATCH_CGROUP 1175 tristate '"control group" match support' 1176 depends on NETFILTER_ADVANCED 1177 depends on CGROUPS 1178 select CGROUP_NET_CLASSID 1179 help 1180 Socket/process control group matching allows you to match locally 1181 generated packets based on which net_cls control group processes 1182 belong to. 1183 1184config NETFILTER_XT_MATCH_CLUSTER 1185 tristate '"cluster" match support' 1186 depends on NF_CONNTRACK 1187 depends on NETFILTER_ADVANCED 1188 help 1189 This option allows you to build work-load-sharing clusters of 1190 network servers/stateful firewalls without having a dedicated 1191 load-balancing router/server/switch. Basically, this match returns 1192 true when the packet must be handled by this cluster node. Thus, 1193 all nodes see all packets and this match decides which node handles 1194 what packets. The work-load sharing algorithm is based on source 1195 address hashing. 1196 1197 If you say Y or M here, try `iptables -m cluster --help` for 1198 more information. 1199 1200config NETFILTER_XT_MATCH_COMMENT 1201 tristate '"comment" match support' 1202 depends on NETFILTER_ADVANCED 1203 help 1204 This option adds a `comment' dummy-match, which allows you to put 1205 comments in your iptables ruleset. 1206 1207 If you want to compile it as a module, say M here and read 1208 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1209 1210config NETFILTER_XT_MATCH_CONNBYTES 1211 tristate '"connbytes" per-connection counter match support' 1212 depends on NF_CONNTRACK 1213 depends on NETFILTER_ADVANCED 1214 help 1215 This option adds a `connbytes' match, which allows you to match the 1216 number of bytes and/or packets for each direction within a connection. 1217 1218 If you want to compile it as a module, say M here and read 1219 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1220 1221config NETFILTER_XT_MATCH_CONNLABEL 1222 tristate '"connlabel" match support' 1223 select NF_CONNTRACK_LABELS 1224 depends on NF_CONNTRACK 1225 depends on NETFILTER_ADVANCED 1226 help 1227 This match allows you to test and assign userspace-defined labels names 1228 to a connection. The kernel only stores bit values - mapping 1229 names to bits is done by userspace. 1230 1231 Unlike connmark, more than 32 flag bits may be assigned to a 1232 connection simultaneously. 1233 1234config NETFILTER_XT_MATCH_CONNLIMIT 1235 tristate '"connlimit" match support' 1236 depends on NF_CONNTRACK 1237 depends on NETFILTER_ADVANCED 1238 select NETFILTER_CONNCOUNT 1239 help 1240 This match allows you to match against the number of parallel 1241 connections to a server per client IP address (or address block). 1242 1243config NETFILTER_XT_MATCH_CONNMARK 1244 tristate '"connmark" connection mark match support' 1245 depends on NF_CONNTRACK 1246 depends on NETFILTER_ADVANCED 1247 select NETFILTER_XT_CONNMARK 1248 help 1249 This is a backwards-compat option for the user's convenience 1250 (e.g. when running oldconfig). It selects 1251 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 1252 1253config NETFILTER_XT_MATCH_CONNTRACK 1254 tristate '"conntrack" connection tracking match support' 1255 depends on NF_CONNTRACK 1256 default m if NETFILTER_ADVANCED=n 1257 help 1258 This is a general conntrack match module, a superset of the state match. 1259 1260 It allows matching on additional conntrack information, which is 1261 useful in complex configurations, such as NAT gateways with multiple 1262 internet links or tunnels. 1263 1264 To compile it as a module, choose M here. If unsure, say N. 1265 1266config NETFILTER_XT_MATCH_CPU 1267 tristate '"cpu" match support' 1268 depends on NETFILTER_ADVANCED 1269 help 1270 CPU matching allows you to match packets based on the CPU 1271 currently handling the packet. 1272 1273 To compile it as a module, choose M here. If unsure, say N. 1274 1275config NETFILTER_XT_MATCH_DCCP 1276 tristate '"dccp" protocol match support' 1277 depends on NETFILTER_ADVANCED 1278 default IP_DCCP 1279 help 1280 With this option enabled, you will be able to use the iptables 1281 `dccp' match in order to match on DCCP source/destination ports 1282 and DCCP flags. 1283 1284 If you want to compile it as a module, say M here and read 1285 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1286 1287config NETFILTER_XT_MATCH_DEVGROUP 1288 tristate '"devgroup" match support' 1289 depends on NETFILTER_ADVANCED 1290 help 1291 This options adds a `devgroup' match, which allows to match on the 1292 device group a network device is assigned to. 1293 1294 To compile it as a module, choose M here. If unsure, say N. 1295 1296config NETFILTER_XT_MATCH_DSCP 1297 tristate '"dscp" and "tos" match support' 1298 depends on NETFILTER_ADVANCED 1299 help 1300 This option adds a `DSCP' match, which allows you to match against 1301 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 1302 1303 The DSCP field can have any value between 0x0 and 0x3f inclusive. 1304 1305 It will also add a "tos" match, which allows you to match packets 1306 based on the Type Of Service fields of the IPv4 packet (which share 1307 the same bits as DSCP). 1308 1309 To compile it as a module, choose M here. If unsure, say N. 1310 1311config NETFILTER_XT_MATCH_ECN 1312 tristate '"ecn" match support' 1313 depends on NETFILTER_ADVANCED 1314 help 1315 This option adds an "ECN" match, which allows you to match against 1316 the IPv4 and TCP header ECN fields. 1317 1318 To compile it as a module, choose M here. If unsure, say N. 1319 1320config NETFILTER_XT_MATCH_ESP 1321 tristate '"esp" match support' 1322 depends on NETFILTER_ADVANCED 1323 help 1324 This match extension allows you to match a range of SPIs 1325 inside ESP header of IPSec packets. 1326 1327 To compile it as a module, choose M here. If unsure, say N. 1328 1329config NETFILTER_XT_MATCH_HASHLIMIT 1330 tristate '"hashlimit" match support' 1331 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1332 depends on NETFILTER_ADVANCED 1333 help 1334 This option adds a `hashlimit' match. 1335 1336 As opposed to `limit', this match dynamically creates a hash table 1337 of limit buckets, based on your selection of source/destination 1338 addresses and/or ports. 1339 1340 It enables you to express policies like `10kpps for any given 1341 destination address' or `500pps from any given source address' 1342 with a single rule. 1343 1344config NETFILTER_XT_MATCH_HELPER 1345 tristate '"helper" match support' 1346 depends on NF_CONNTRACK 1347 depends on NETFILTER_ADVANCED 1348 help 1349 Helper matching allows you to match packets in dynamic connections 1350 tracked by a conntrack-helper, ie. nf_conntrack_ftp 1351 1352 To compile it as a module, choose M here. If unsure, say Y. 1353 1354config NETFILTER_XT_MATCH_HL 1355 tristate '"hl" hoplimit/TTL match support' 1356 depends on NETFILTER_ADVANCED 1357 help 1358 HL matching allows you to match packets based on the hoplimit 1359 in the IPv6 header, or the time-to-live field in the IPv4 1360 header of the packet. 1361 1362config NETFILTER_XT_MATCH_IPCOMP 1363 tristate '"ipcomp" match support' 1364 depends on NETFILTER_ADVANCED 1365 help 1366 This match extension allows you to match a range of CPIs(16 bits) 1367 inside IPComp header of IPSec packets. 1368 1369 To compile it as a module, choose M here. If unsure, say N. 1370 1371config NETFILTER_XT_MATCH_IPRANGE 1372 tristate '"iprange" address range match support' 1373 depends on NETFILTER_ADVANCED 1374 help 1375 This option adds a "iprange" match, which allows you to match based on 1376 an IP address range. (Normal iptables only matches on single addresses 1377 with an optional mask.) 1378 1379 If unsure, say M. 1380 1381config NETFILTER_XT_MATCH_IPVS 1382 tristate '"ipvs" match support' 1383 depends on IP_VS 1384 depends on NETFILTER_ADVANCED 1385 depends on NF_CONNTRACK 1386 help 1387 This option allows you to match against IPVS properties of a packet. 1388 1389 If unsure, say N. 1390 1391config NETFILTER_XT_MATCH_L2TP 1392 tristate '"l2tp" match support' 1393 depends on NETFILTER_ADVANCED 1394 default L2TP 1395 help 1396 This option adds an "L2TP" match, which allows you to match against 1397 L2TP protocol header fields. 1398 1399 To compile it as a module, choose M here. If unsure, say N. 1400 1401config NETFILTER_XT_MATCH_LENGTH 1402 tristate '"length" match support' 1403 depends on NETFILTER_ADVANCED 1404 help 1405 This option allows you to match the length of a packet against a 1406 specific value or range of values. 1407 1408 To compile it as a module, choose M here. If unsure, say N. 1409 1410config NETFILTER_XT_MATCH_LIMIT 1411 tristate '"limit" match support' 1412 depends on NETFILTER_ADVANCED 1413 help 1414 limit matching allows you to control the rate at which a rule can be 1415 matched: mainly useful in combination with the LOG target ("LOG 1416 target support", below) and to avoid some Denial of Service attacks. 1417 1418 To compile it as a module, choose M here. If unsure, say N. 1419 1420config NETFILTER_XT_MATCH_MAC 1421 tristate '"mac" address match support' 1422 depends on NETFILTER_ADVANCED 1423 help 1424 MAC matching allows you to match packets based on the source 1425 Ethernet address of the packet. 1426 1427 To compile it as a module, choose M here. If unsure, say N. 1428 1429config NETFILTER_XT_MATCH_MARK 1430 tristate '"mark" match support' 1431 depends on NETFILTER_ADVANCED 1432 select NETFILTER_XT_MARK 1433 help 1434 This is a backwards-compat option for the user's convenience 1435 (e.g. when running oldconfig). It selects 1436 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 1437 1438config NETFILTER_XT_MATCH_MULTIPORT 1439 tristate '"multiport" Multiple port match support' 1440 depends on NETFILTER_ADVANCED 1441 help 1442 Multiport matching allows you to match TCP or UDP packets based on 1443 a series of source or destination ports: normally a rule can only 1444 match a single range of ports. 1445 1446 To compile it as a module, choose M here. If unsure, say N. 1447 1448config NETFILTER_XT_MATCH_NFACCT 1449 tristate '"nfacct" match support' 1450 depends on NETFILTER_ADVANCED 1451 select NETFILTER_NETLINK_ACCT 1452 help 1453 This option allows you to use the extended accounting through 1454 nfnetlink_acct. 1455 1456 To compile it as a module, choose M here. If unsure, say N. 1457 1458config NETFILTER_XT_MATCH_OSF 1459 tristate '"osf" Passive OS fingerprint match' 1460 depends on NETFILTER_ADVANCED 1461 select NETFILTER_NETLINK_OSF 1462 help 1463 This option selects the Passive OS Fingerprinting match module 1464 that allows to passively match the remote operating system by 1465 analyzing incoming TCP SYN packets. 1466 1467 Rules and loading software can be downloaded from 1468 http://www.ioremap.net/projects/osf 1469 1470 To compile it as a module, choose M here. If unsure, say N. 1471 1472config NETFILTER_XT_MATCH_OWNER 1473 tristate '"owner" match support' 1474 depends on NETFILTER_ADVANCED 1475 help 1476 Socket owner matching allows you to match locally-generated packets 1477 based on who created the socket: the user or group. It is also 1478 possible to check whether a socket actually exists. 1479 1480config NETFILTER_XT_MATCH_POLICY 1481 tristate 'IPsec "policy" match support' 1482 depends on XFRM 1483 default m if NETFILTER_ADVANCED=n 1484 help 1485 Policy matching allows you to match packets based on the 1486 IPsec policy that was used during decapsulation/will 1487 be used during encapsulation. 1488 1489 To compile it as a module, choose M here. If unsure, say N. 1490 1491config NETFILTER_XT_MATCH_PHYSDEV 1492 tristate '"physdev" match support' 1493 depends on BRIDGE && BRIDGE_NETFILTER 1494 depends on NETFILTER_ADVANCED 1495 help 1496 Physdev packet matching matches against the physical bridge ports 1497 the IP packet arrived on or will leave by. 1498 1499 To compile it as a module, choose M here. If unsure, say N. 1500 1501config NETFILTER_XT_MATCH_PKTTYPE 1502 tristate '"pkttype" packet type match support' 1503 depends on NETFILTER_ADVANCED 1504 help 1505 Packet type matching allows you to match a packet by 1506 its "class", eg. BROADCAST, MULTICAST, ... 1507 1508 Typical usage: 1509 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG 1510 1511 To compile it as a module, choose M here. If unsure, say N. 1512 1513config NETFILTER_XT_MATCH_QUOTA 1514 tristate '"quota" match support' 1515 depends on NETFILTER_ADVANCED 1516 help 1517 This option adds a `quota' match, which allows to match on a 1518 byte counter. 1519 1520 If you want to compile it as a module, say M here and read 1521 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1522 1523config NETFILTER_XT_MATCH_RATEEST 1524 tristate '"rateest" match support' 1525 depends on NETFILTER_ADVANCED 1526 select NETFILTER_XT_TARGET_RATEEST 1527 help 1528 This option adds a `rateest' match, which allows to match on the 1529 rate estimated by the RATEEST target. 1530 1531 To compile it as a module, choose M here. If unsure, say N. 1532 1533config NETFILTER_XT_MATCH_REALM 1534 tristate '"realm" match support' 1535 depends on NETFILTER_ADVANCED 1536 select IP_ROUTE_CLASSID 1537 help 1538 This option adds a `realm' match, which allows you to use the realm 1539 key from the routing subsystem inside iptables. 1540 1541 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 1542 in tc world. 1543 1544 If you want to compile it as a module, say M here and read 1545 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1546 1547config NETFILTER_XT_MATCH_RECENT 1548 tristate '"recent" match support' 1549 depends on NETFILTER_ADVANCED 1550 help 1551 This match is used for creating one or many lists of recently 1552 used addresses and then matching against that/those list(s). 1553 1554 Short options are available by using 'iptables -m recent -h' 1555 Official Website: <http://snowman.net/projects/ipt_recent/> 1556 1557config NETFILTER_XT_MATCH_SCTP 1558 tristate '"sctp" protocol match support' 1559 depends on NETFILTER_ADVANCED 1560 default IP_SCTP 1561 help 1562 With this option enabled, you will be able to use the 1563 `sctp' match in order to match on SCTP source/destination ports 1564 and SCTP chunk types. 1565 1566 If you want to compile it as a module, say M here and read 1567 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1568 1569config NETFILTER_XT_MATCH_SOCKET 1570 tristate '"socket" match support' 1571 depends on NETFILTER_XTABLES 1572 depends on NETFILTER_ADVANCED 1573 depends on IPV6 || IPV6=n 1574 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1575 select NF_SOCKET_IPV4 1576 select NF_SOCKET_IPV6 if IP6_NF_IPTABLES 1577 select NF_DEFRAG_IPV4 1578 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 1579 help 1580 This option adds a `socket' match, which can be used to match 1581 packets for which a TCP or UDP socket lookup finds a valid socket. 1582 It can be used in combination with the MARK target and policy 1583 routing to implement full featured non-locally bound sockets. 1584 1585 To compile it as a module, choose M here. If unsure, say N. 1586 1587config NETFILTER_XT_MATCH_STATE 1588 tristate '"state" match support' 1589 depends on NF_CONNTRACK 1590 default m if NETFILTER_ADVANCED=n 1591 help 1592 Connection state matching allows you to match packets based on their 1593 relationship to a tracked connection (ie. previous packets). This 1594 is a powerful tool for packet classification. 1595 1596 To compile it as a module, choose M here. If unsure, say N. 1597 1598config NETFILTER_XT_MATCH_STATISTIC 1599 tristate '"statistic" match support' 1600 depends on NETFILTER_ADVANCED 1601 help 1602 This option adds a `statistic' match, which allows you to match 1603 on packets periodically or randomly with a given percentage. 1604 1605 To compile it as a module, choose M here. If unsure, say N. 1606 1607config NETFILTER_XT_MATCH_STRING 1608 tristate '"string" match support' 1609 depends on NETFILTER_ADVANCED 1610 select TEXTSEARCH 1611 select TEXTSEARCH_KMP 1612 select TEXTSEARCH_BM 1613 select TEXTSEARCH_FSM 1614 help 1615 This option adds a `string' match, which allows you to look for 1616 pattern matchings in packets. 1617 1618 To compile it as a module, choose M here. If unsure, say N. 1619 1620config NETFILTER_XT_MATCH_TCPMSS 1621 tristate '"tcpmss" match support' 1622 depends on NETFILTER_ADVANCED 1623 help 1624 This option adds a `tcpmss' match, which allows you to examine the 1625 MSS value of TCP SYN packets, which control the maximum packet size 1626 for that connection. 1627 1628 To compile it as a module, choose M here. If unsure, say N. 1629 1630config NETFILTER_XT_MATCH_TIME 1631 tristate '"time" match support' 1632 depends on NETFILTER_ADVANCED 1633 help 1634 This option adds a "time" match, which allows you to match based on 1635 the packet arrival time (at the machine which netfilter is running) 1636 on) or departure time/date (for locally generated packets). 1637 1638 If you say Y here, try `iptables -m time --help` for 1639 more information. 1640 1641 If you want to compile it as a module, say M here. 1642 If unsure, say N. 1643 1644config NETFILTER_XT_MATCH_U32 1645 tristate '"u32" match support' 1646 depends on NETFILTER_ADVANCED 1647 help 1648 u32 allows you to extract quantities of up to 4 bytes from a packet, 1649 AND them with specified masks, shift them by specified amounts and 1650 test whether the results are in any of a set of specified ranges. 1651 The specification of what to extract is general enough to skip over 1652 headers with lengths stored in the packet, as in IP or TCP header 1653 lengths. 1654 1655 Details and examples are in the kernel module source. 1656 1657endif # NETFILTER_XTABLES 1658 1659endmenu 1660 1661source "net/netfilter/ipset/Kconfig" 1662 1663source "net/netfilter/ipvs/Kconfig" 1664