1# SPDX-License-Identifier: GPL-2.0-only 2menu "Core Netfilter Configuration" 3 depends on INET && NETFILTER 4 5config NETFILTER_INGRESS 6 bool "Netfilter ingress support" 7 default y 8 select NET_INGRESS 9 help 10 This allows you to classify packets from ingress using the Netfilter 11 infrastructure. 12 13config NETFILTER_EGRESS 14 bool "Netfilter egress support" 15 default y 16 select NET_EGRESS 17 help 18 This allows you to classify packets before transmission using the 19 Netfilter infrastructure. 20 21config NETFILTER_SKIP_EGRESS 22 def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB) 23 24config NETFILTER_NETLINK 25 tristate 26 27config NETFILTER_FAMILY_BRIDGE 28 bool 29 30config NETFILTER_FAMILY_ARP 31 bool 32 33config NETFILTER_NETLINK_HOOK 34 tristate "Netfilter base hook dump support" 35 depends on NETFILTER_ADVANCED 36 depends on NF_TABLES 37 select NETFILTER_NETLINK 38 help 39 If this option is enabled, the kernel will include support 40 to list the base netfilter hooks via NFNETLINK. 41 This is helpful for debugging. 42 43config NETFILTER_NETLINK_ACCT 44 tristate "Netfilter NFACCT over NFNETLINK interface" 45 depends on NETFILTER_ADVANCED 46 select NETFILTER_NETLINK 47 help 48 If this option is enabled, the kernel will include support 49 for extended accounting via NFNETLINK. 50 51config NETFILTER_NETLINK_QUEUE 52 tristate "Netfilter NFQUEUE over NFNETLINK interface" 53 depends on NETFILTER_ADVANCED 54 select NETFILTER_NETLINK 55 help 56 If this option is enabled, the kernel will include support 57 for queueing packets via NFNETLINK. 58 59config NETFILTER_NETLINK_LOG 60 tristate "Netfilter LOG over NFNETLINK interface" 61 default m if NETFILTER_ADVANCED=n 62 select NETFILTER_NETLINK 63 help 64 If this option is enabled, the kernel will include support 65 for logging packets via NFNETLINK. 66 67 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms, 68 and is also scheduled to replace the old syslog-based ipt_LOG 69 and ip6t_LOG modules. 70 71config NETFILTER_NETLINK_OSF 72 tristate "Netfilter OSF over NFNETLINK interface" 73 depends on NETFILTER_ADVANCED 74 select NETFILTER_NETLINK 75 help 76 If this option is enabled, the kernel will include support 77 for passive OS fingerprint via NFNETLINK. 78 79config NF_CONNTRACK 80 tristate "Netfilter connection tracking support" 81 default m if NETFILTER_ADVANCED=n 82 select NF_DEFRAG_IPV4 83 select NF_DEFRAG_IPV6 if IPV6 != n 84 help 85 Connection tracking keeps a record of what packets have passed 86 through your machine, in order to figure out how they are related 87 into connections. 88 89 This is required to do Masquerading or other kinds of Network 90 Address Translation. It can also be used to enhance packet 91 filtering (see `Connection state match support' below). 92 93 To compile it as a module, choose M here. If unsure, say N. 94 95config NF_LOG_SYSLOG 96 tristate "Syslog packet logging" 97 default m if NETFILTER_ADVANCED=n 98 help 99 This option enable support for packet logging via syslog. 100 It supports IPv4, IPV6, ARP and common transport protocols such 101 as TCP and UDP. 102 This is a simpler but less flexible logging method compared to 103 CONFIG_NETFILTER_NETLINK_LOG. 104 If both are enabled the backend to use can be configured at run-time 105 by means of per-address-family sysctl tunables. 106 107if NF_CONNTRACK 108config NETFILTER_CONNCOUNT 109 tristate 110 111config NF_CONNTRACK_MARK 112 bool 'Connection mark tracking support' 113 depends on NETFILTER_ADVANCED 114 help 115 This option enables support for connection marks, used by the 116 `CONNMARK' target and `connmark' match. Similar to the mark value 117 of packets, but this mark value is kept in the conntrack session 118 instead of the individual packets. 119 120config NF_CONNTRACK_SECMARK 121 bool 'Connection tracking security mark support' 122 depends on NETWORK_SECMARK 123 default y if NETFILTER_ADVANCED=n 124 help 125 This option enables security markings to be applied to 126 connections. Typically they are copied to connections from 127 packets using the CONNSECMARK target and copied back from 128 connections to packets with the same target, with the packets 129 being originally labeled via SECMARK. 130 131 If unsure, say 'N'. 132 133config NF_CONNTRACK_ZONES 134 bool 'Connection tracking zones' 135 depends on NETFILTER_ADVANCED 136 help 137 This option enables support for connection tracking zones. 138 Normally, each connection needs to have a unique system wide 139 identity. Connection tracking zones allow to have multiple 140 connections using the same identity, as long as they are 141 contained in different zones. 142 143 If unsure, say `N'. 144 145config NF_CONNTRACK_PROCFS 146 bool "Supply CT list in procfs (OBSOLETE)" 147 depends on PROC_FS 148 help 149 This option enables for the list of known conntrack entries 150 to be shown in procfs under net/netfilter/nf_conntrack. This 151 is considered obsolete in favor of using the conntrack(8) 152 tool which uses Netlink. 153 154config NF_CONNTRACK_EVENTS 155 bool "Connection tracking events" 156 depends on NETFILTER_ADVANCED 157 help 158 If this option is enabled, the connection tracking code will 159 provide a notifier chain that can be used by other kernel code 160 to get notified about changes in the connection tracking state. 161 162 If unsure, say `N'. 163 164config NF_CONNTRACK_TIMEOUT 165 bool 'Connection tracking timeout' 166 depends on NETFILTER_ADVANCED 167 help 168 This option enables support for connection tracking timeout 169 extension. This allows you to attach timeout policies to flow 170 via the CT target. 171 172 If unsure, say `N'. 173 174config NF_CONNTRACK_TIMESTAMP 175 bool 'Connection tracking timestamping' 176 depends on NETFILTER_ADVANCED 177 help 178 This option enables support for connection tracking timestamping. 179 This allows you to store the flow start-time and to obtain 180 the flow-stop time (once it has been destroyed) via Connection 181 tracking events. 182 183 If unsure, say `N'. 184 185config NF_CONNTRACK_LABELS 186 bool "Connection tracking labels" 187 help 188 This option enables support for assigning user-defined flag bits 189 to connection tracking entries. It can be used with xtables connlabel 190 match and the nftables ct expression. 191 192config NF_CT_PROTO_DCCP 193 bool 'DCCP protocol connection tracking support' 194 depends on NETFILTER_ADVANCED 195 default y 196 help 197 With this option enabled, the layer 3 independent connection 198 tracking code will be able to do state tracking on DCCP connections. 199 200 If unsure, say Y. 201 202config NF_CT_PROTO_GRE 203 bool 204 205config NF_CT_PROTO_SCTP 206 bool 'SCTP protocol connection tracking support' 207 depends on NETFILTER_ADVANCED 208 default y 209 select LIBCRC32C 210 help 211 With this option enabled, the layer 3 independent connection 212 tracking code will be able to do state tracking on SCTP connections. 213 214 If unsure, say Y. 215 216config NF_CT_PROTO_UDPLITE 217 bool 'UDP-Lite protocol connection tracking support' 218 depends on NETFILTER_ADVANCED 219 default y 220 help 221 With this option enabled, the layer 3 independent connection 222 tracking code will be able to do state tracking on UDP-Lite 223 connections. 224 225 If unsure, say Y. 226 227config NF_CONNTRACK_AMANDA 228 tristate "Amanda backup protocol support" 229 depends on NETFILTER_ADVANCED 230 select TEXTSEARCH 231 select TEXTSEARCH_KMP 232 help 233 If you are running the Amanda backup package <http://www.amanda.org/> 234 on this machine or machines that will be MASQUERADED through this 235 machine, then you may want to enable this feature. This allows the 236 connection tracking and natting code to allow the sub-channels that 237 Amanda requires for communication of the backup data, messages and 238 index. 239 240 To compile it as a module, choose M here. If unsure, say N. 241 242config NF_CONNTRACK_FTP 243 tristate "FTP protocol support" 244 default m if NETFILTER_ADVANCED=n 245 help 246 Tracking FTP connections is problematic: special helpers are 247 required for tracking them, and doing masquerading and other forms 248 of Network Address Translation on them. 249 250 This is FTP support on Layer 3 independent connection tracking. 251 252 To compile it as a module, choose M here. If unsure, say N. 253 254config NF_CONNTRACK_H323 255 tristate "H.323 protocol support" 256 depends on IPV6 || IPV6=n 257 depends on NETFILTER_ADVANCED 258 help 259 H.323 is a VoIP signalling protocol from ITU-T. As one of the most 260 important VoIP protocols, it is widely used by voice hardware and 261 software including voice gateways, IP phones, Netmeeting, OpenPhone, 262 Gnomemeeting, etc. 263 264 With this module you can support H.323 on a connection tracking/NAT 265 firewall. 266 267 This module supports RAS, Fast Start, H.245 Tunnelling, Call 268 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, 269 whiteboard, file transfer, etc. For more information, please 270 visit http://nath323.sourceforge.net/. 271 272 To compile it as a module, choose M here. If unsure, say N. 273 274config NF_CONNTRACK_IRC 275 tristate "IRC protocol support" 276 default m if NETFILTER_ADVANCED=n 277 help 278 There is a commonly-used extension to IRC called 279 Direct Client-to-Client Protocol (DCC). This enables users to send 280 files to each other, and also chat to each other without the need 281 of a server. DCC Sending is used anywhere you send files over IRC, 282 and DCC Chat is most commonly used by Eggdrop bots. If you are 283 using NAT, this extension will enable you to send files and initiate 284 chats. Note that you do NOT need this extension to get files or 285 have others initiate chats, or everything else in IRC. 286 287 To compile it as a module, choose M here. If unsure, say N. 288 289config NF_CONNTRACK_BROADCAST 290 tristate 291 292config NF_CONNTRACK_NETBIOS_NS 293 tristate "NetBIOS name service protocol support" 294 select NF_CONNTRACK_BROADCAST 295 help 296 NetBIOS name service requests are sent as broadcast messages from an 297 unprivileged port and responded to with unicast messages to the 298 same port. This make them hard to firewall properly because connection 299 tracking doesn't deal with broadcasts. This helper tracks locally 300 originating NetBIOS name service requests and the corresponding 301 responses. It relies on correct IP address configuration, specifically 302 netmask and broadcast address. When properly configured, the output 303 of "ip address show" should look similar to this: 304 305 $ ip -4 address show eth0 306 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 307 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 308 309 To compile it as a module, choose M here. If unsure, say N. 310 311config NF_CONNTRACK_SNMP 312 tristate "SNMP service protocol support" 313 depends on NETFILTER_ADVANCED 314 select NF_CONNTRACK_BROADCAST 315 help 316 SNMP service requests are sent as broadcast messages from an 317 unprivileged port and responded to with unicast messages to the 318 same port. This make them hard to firewall properly because connection 319 tracking doesn't deal with broadcasts. This helper tracks locally 320 originating SNMP service requests and the corresponding 321 responses. It relies on correct IP address configuration, specifically 322 netmask and broadcast address. 323 324 To compile it as a module, choose M here. If unsure, say N. 325 326config NF_CONNTRACK_PPTP 327 tristate "PPtP protocol support" 328 depends on NETFILTER_ADVANCED 329 select NF_CT_PROTO_GRE 330 help 331 This module adds support for PPTP (Point to Point Tunnelling 332 Protocol, RFC2637) connection tracking and NAT. 333 334 If you are running PPTP sessions over a stateful firewall or NAT 335 box, you may want to enable this feature. 336 337 Please note that not all PPTP modes of operation are supported yet. 338 Specifically these limitations exist: 339 - Blindly assumes that control connections are always established 340 in PNS->PAC direction. This is a violation of RFC2637. 341 - Only supports a single call within each session 342 343 To compile it as a module, choose M here. If unsure, say N. 344 345config NF_CONNTRACK_SANE 346 tristate "SANE protocol support" 347 depends on NETFILTER_ADVANCED 348 help 349 SANE is a protocol for remote access to scanners as implemented 350 by the 'saned' daemon. Like FTP, it uses separate control and 351 data connections. 352 353 With this module you can support SANE on a connection tracking 354 firewall. 355 356 To compile it as a module, choose M here. If unsure, say N. 357 358config NF_CONNTRACK_SIP 359 tristate "SIP protocol support" 360 default m if NETFILTER_ADVANCED=n 361 help 362 SIP is an application-layer control protocol that can establish, 363 modify, and terminate multimedia sessions (conferences) such as 364 Internet telephony calls. With the nf_conntrack_sip and 365 the nf_nat_sip modules you can support the protocol on a connection 366 tracking/NATing firewall. 367 368 To compile it as a module, choose M here. If unsure, say N. 369 370config NF_CONNTRACK_TFTP 371 tristate "TFTP protocol support" 372 depends on NETFILTER_ADVANCED 373 help 374 TFTP connection tracking helper, this is required depending 375 on how restrictive your ruleset is. 376 If you are using a tftp client behind -j SNAT or -j MASQUERADING 377 you will need this. 378 379 To compile it as a module, choose M here. If unsure, say N. 380 381config NF_CT_NETLINK 382 tristate 'Connection tracking netlink interface' 383 select NETFILTER_NETLINK 384 default m if NETFILTER_ADVANCED=n 385 help 386 This option enables support for a netlink-based userspace interface 387 388config NF_CT_NETLINK_TIMEOUT 389 tristate 'Connection tracking timeout tuning via Netlink' 390 select NETFILTER_NETLINK 391 depends on NETFILTER_ADVANCED 392 depends on NF_CONNTRACK_TIMEOUT 393 help 394 This option enables support for connection tracking timeout 395 fine-grain tuning. This allows you to attach specific timeout 396 policies to flows, instead of using the global timeout policy. 397 398 If unsure, say `N'. 399 400config NF_CT_NETLINK_HELPER 401 tristate 'Connection tracking helpers in user-space via Netlink' 402 select NETFILTER_NETLINK 403 depends on NF_CT_NETLINK 404 depends on NETFILTER_NETLINK_QUEUE 405 depends on NETFILTER_NETLINK_GLUE_CT 406 depends on NETFILTER_ADVANCED 407 help 408 This option enables the user-space connection tracking helpers 409 infrastructure. 410 411 If unsure, say `N'. 412 413config NETFILTER_NETLINK_GLUE_CT 414 bool "NFQUEUE and NFLOG integration with Connection Tracking" 415 default n 416 depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK 417 help 418 If this option is enabled, NFQUEUE and NFLOG can include 419 Connection Tracking information together with the packet is 420 the enqueued via NFNETLINK. 421 422config NF_NAT 423 tristate "Network Address Translation support" 424 depends on NF_CONNTRACK 425 default m if NETFILTER_ADVANCED=n 426 help 427 The NAT option allows masquerading, port forwarding and other 428 forms of full Network Address Port Translation. This can be 429 controlled by iptables, ip6tables or nft. 430 431config NF_NAT_AMANDA 432 tristate 433 depends on NF_CONNTRACK && NF_NAT 434 default NF_NAT && NF_CONNTRACK_AMANDA 435 436config NF_NAT_FTP 437 tristate 438 depends on NF_CONNTRACK && NF_NAT 439 default NF_NAT && NF_CONNTRACK_FTP 440 441config NF_NAT_IRC 442 tristate 443 depends on NF_CONNTRACK && NF_NAT 444 default NF_NAT && NF_CONNTRACK_IRC 445 446config NF_NAT_SIP 447 tristate 448 depends on NF_CONNTRACK && NF_NAT 449 default NF_NAT && NF_CONNTRACK_SIP 450 451config NF_NAT_TFTP 452 tristate 453 depends on NF_CONNTRACK && NF_NAT 454 default NF_NAT && NF_CONNTRACK_TFTP 455 456config NF_NAT_REDIRECT 457 bool 458 459config NF_NAT_MASQUERADE 460 bool 461 462config NETFILTER_SYNPROXY 463 tristate 464 465endif # NF_CONNTRACK 466 467config NF_TABLES 468 select NETFILTER_NETLINK 469 select LIBCRC32C 470 tristate "Netfilter nf_tables support" 471 help 472 nftables is the new packet classification framework that intends to 473 replace the existing {ip,ip6,arp,eb}_tables infrastructure. It 474 provides a pseudo-state machine with an extensible instruction-set 475 (also known as expressions) that the userspace 'nft' utility 476 (https://www.netfilter.org/projects/nftables) uses to build the 477 rule-set. It also comes with the generic set infrastructure that 478 allows you to construct mappings between matchings and actions 479 for performance lookups. 480 481 To compile it as a module, choose M here. 482 483if NF_TABLES 484config NF_TABLES_INET 485 depends on IPV6 486 select NF_TABLES_IPV4 487 select NF_TABLES_IPV6 488 bool "Netfilter nf_tables mixed IPv4/IPv6 tables support" 489 help 490 This option enables support for a mixed IPv4/IPv6 "inet" table. 491 492config NF_TABLES_NETDEV 493 bool "Netfilter nf_tables netdev tables support" 494 help 495 This option enables support for the "netdev" table. 496 497config NFT_NUMGEN 498 tristate "Netfilter nf_tables number generator module" 499 help 500 This option adds the number generator expression used to perform 501 incremental counting and random numbers bound to a upper limit. 502 503config NFT_CT 504 depends on NF_CONNTRACK 505 tristate "Netfilter nf_tables conntrack module" 506 help 507 This option adds the "ct" expression that you can use to match 508 connection tracking information such as the flow state. 509 510config NFT_FLOW_OFFLOAD 511 depends on NF_CONNTRACK && NF_FLOW_TABLE 512 tristate "Netfilter nf_tables hardware flow offload module" 513 help 514 This option adds the "flow_offload" expression that you can use to 515 choose what flows are placed into the hardware. 516 517config NFT_CONNLIMIT 518 tristate "Netfilter nf_tables connlimit module" 519 depends on NF_CONNTRACK 520 depends on NETFILTER_ADVANCED 521 select NETFILTER_CONNCOUNT 522 help 523 This option adds the "connlimit" expression that you can use to 524 ratelimit rule matchings per connections. 525 526config NFT_LOG 527 tristate "Netfilter nf_tables log module" 528 help 529 This option adds the "log" expression that you can use to log 530 packets matching some criteria. 531 532config NFT_LIMIT 533 tristate "Netfilter nf_tables limit module" 534 help 535 This option adds the "limit" expression that you can use to 536 ratelimit rule matchings. 537 538config NFT_MASQ 539 depends on NF_CONNTRACK 540 depends on NF_NAT 541 select NF_NAT_MASQUERADE 542 tristate "Netfilter nf_tables masquerade support" 543 help 544 This option adds the "masquerade" expression that you can use 545 to perform NAT in the masquerade flavour. 546 547config NFT_REDIR 548 depends on NF_CONNTRACK 549 depends on NF_NAT 550 tristate "Netfilter nf_tables redirect support" 551 select NF_NAT_REDIRECT 552 help 553 This options adds the "redirect" expression that you can use 554 to perform NAT in the redirect flavour. 555 556config NFT_NAT 557 depends on NF_CONNTRACK 558 select NF_NAT 559 depends on NF_TABLES_IPV4 || NF_TABLES_IPV6 560 tristate "Netfilter nf_tables nat module" 561 help 562 This option adds the "nat" expression that you can use to perform 563 typical Network Address Translation (NAT) packet transformations. 564 565config NFT_TUNNEL 566 tristate "Netfilter nf_tables tunnel module" 567 help 568 This option adds the "tunnel" expression that you can use to set 569 tunneling policies. 570 571config NFT_QUEUE 572 depends on NETFILTER_NETLINK_QUEUE 573 tristate "Netfilter nf_tables queue module" 574 help 575 This is required if you intend to use the userspace queueing 576 infrastructure (also known as NFQUEUE) from nftables. 577 578config NFT_QUOTA 579 tristate "Netfilter nf_tables quota module" 580 help 581 This option adds the "quota" expression that you can use to match 582 enforce bytes quotas. 583 584config NFT_REJECT 585 default m if NETFILTER_ADVANCED=n 586 tristate "Netfilter nf_tables reject support" 587 depends on !NF_TABLES_INET || (IPV6!=m || m) 588 help 589 This option adds the "reject" expression that you can use to 590 explicitly deny and notify via TCP reset/ICMP informational errors 591 unallowed traffic. 592 593config NFT_REJECT_INET 594 depends on NF_TABLES_INET 595 default NFT_REJECT 596 tristate 597 598config NFT_COMPAT 599 depends on NETFILTER_XTABLES 600 tristate "Netfilter x_tables over nf_tables module" 601 help 602 This is required if you intend to use any of existing 603 x_tables match/target extensions over the nf_tables 604 framework. 605 606config NFT_HASH 607 tristate "Netfilter nf_tables hash module" 608 help 609 This option adds the "hash" expression that you can use to perform 610 a hash operation on registers. 611 612config NFT_FIB 613 tristate 614 615config NFT_FIB_INET 616 depends on NF_TABLES_INET 617 depends on NFT_FIB_IPV4 618 depends on NFT_FIB_IPV6 619 tristate "Netfilter nf_tables fib inet support" 620 help 621 This option allows using the FIB expression from the inet table. 622 The lookup will be delegated to the IPv4 or IPv6 FIB depending 623 on the protocol of the packet. 624 625config NFT_XFRM 626 tristate "Netfilter nf_tables xfrm/IPSec security association matching" 627 depends on XFRM 628 help 629 This option adds an expression that you can use to extract properties 630 of a packets security association. 631 632config NFT_SOCKET 633 tristate "Netfilter nf_tables socket match support" 634 depends on IPV6 || IPV6=n 635 select NF_SOCKET_IPV4 636 select NF_SOCKET_IPV6 if NF_TABLES_IPV6 637 help 638 This option allows matching for the presence or absence of a 639 corresponding socket and its attributes. 640 641config NFT_OSF 642 tristate "Netfilter nf_tables passive OS fingerprint support" 643 depends on NETFILTER_ADVANCED 644 select NETFILTER_NETLINK_OSF 645 help 646 This option allows matching packets from an specific OS. 647 648config NFT_TPROXY 649 tristate "Netfilter nf_tables tproxy support" 650 depends on IPV6 || IPV6=n 651 select NF_DEFRAG_IPV4 652 select NF_DEFRAG_IPV6 if NF_TABLES_IPV6 653 select NF_TPROXY_IPV4 654 select NF_TPROXY_IPV6 if NF_TABLES_IPV6 655 help 656 This makes transparent proxy support available in nftables. 657 658config NFT_SYNPROXY 659 tristate "Netfilter nf_tables SYNPROXY expression support" 660 depends on NF_CONNTRACK && NETFILTER_ADVANCED 661 select NETFILTER_SYNPROXY 662 select SYN_COOKIES 663 help 664 The SYNPROXY expression allows you to intercept TCP connections and 665 establish them using syncookies before they are passed on to the 666 server. This allows to avoid conntrack and server resource usage 667 during SYN-flood attacks. 668 669if NF_TABLES_NETDEV 670 671config NF_DUP_NETDEV 672 tristate "Netfilter packet duplication support" 673 help 674 This option enables the generic packet duplication infrastructure 675 for Netfilter. 676 677config NFT_DUP_NETDEV 678 tristate "Netfilter nf_tables netdev packet duplication support" 679 select NF_DUP_NETDEV 680 help 681 This option enables packet duplication for the "netdev" family. 682 683config NFT_FWD_NETDEV 684 tristate "Netfilter nf_tables netdev packet forwarding support" 685 select NF_DUP_NETDEV 686 help 687 This option enables packet forwarding for the "netdev" family. 688 689config NFT_FIB_NETDEV 690 depends on NFT_FIB_IPV4 691 depends on NFT_FIB_IPV6 692 tristate "Netfilter nf_tables netdev fib lookups support" 693 help 694 This option allows using the FIB expression from the netdev table. 695 The lookup will be delegated to the IPv4 or IPv6 FIB depending 696 on the protocol of the packet. 697 698config NFT_REJECT_NETDEV 699 depends on NFT_REJECT_IPV4 700 depends on NFT_REJECT_IPV6 701 tristate "Netfilter nf_tables netdev REJECT support" 702 help 703 This option enables the REJECT support from the netdev table. 704 The return packet generation will be delegated to the IPv4 705 or IPv6 ICMP or TCP RST implementation depending on the 706 protocol of the packet. 707 708endif # NF_TABLES_NETDEV 709 710endif # NF_TABLES 711 712config NF_FLOW_TABLE_INET 713 tristate "Netfilter flow table mixed IPv4/IPv6 module" 714 depends on NF_FLOW_TABLE 715 help 716 This option adds the flow table mixed IPv4/IPv6 support. 717 718 To compile it as a module, choose M here. 719 720config NF_FLOW_TABLE 721 tristate "Netfilter flow table module" 722 depends on NETFILTER_INGRESS 723 depends on NF_CONNTRACK 724 depends on NF_TABLES 725 help 726 This option adds the flow table core infrastructure. 727 728 To compile it as a module, choose M here. 729 730config NF_FLOW_TABLE_PROCFS 731 bool "Supply flow table statistics in procfs" 732 depends on NF_FLOW_TABLE 733 depends on PROC_FS 734 help 735 This option enables for the flow table offload statistics 736 to be shown in procfs under net/netfilter/nf_flowtable. 737 738config NETFILTER_XTABLES 739 tristate "Netfilter Xtables support (required for ip_tables)" 740 default m if NETFILTER_ADVANCED=n 741 help 742 This is required if you intend to use any of ip_tables, 743 ip6_tables or arp_tables. 744 745if NETFILTER_XTABLES 746 747config NETFILTER_XTABLES_COMPAT 748 bool "Netfilter Xtables 32bit support" 749 depends on COMPAT 750 default y 751 help 752 This option provides a translation layer to run 32bit arp,ip(6),ebtables 753 binaries on 64bit kernels. 754 755 If unsure, say N. 756 757comment "Xtables combined modules" 758 759config NETFILTER_XT_MARK 760 tristate 'nfmark target and match support' 761 default m if NETFILTER_ADVANCED=n 762 help 763 This option adds the "MARK" target and "mark" match. 764 765 Netfilter mark matching allows you to match packets based on the 766 "nfmark" value in the packet. 767 The target allows you to create rules in the "mangle" table which alter 768 the netfilter mark (nfmark) field associated with the packet. 769 770 Prior to routing, the nfmark can influence the routing method and can 771 also be used by other subsystems to change their behavior. 772 773config NETFILTER_XT_CONNMARK 774 tristate 'ctmark target and match support' 775 depends on NF_CONNTRACK 776 depends on NETFILTER_ADVANCED 777 select NF_CONNTRACK_MARK 778 help 779 This option adds the "CONNMARK" target and "connmark" match. 780 781 Netfilter allows you to store a mark value per connection (a.k.a. 782 ctmark), similarly to the packet mark (nfmark). Using this 783 target and match, you can set and match on this mark. 784 785config NETFILTER_XT_SET 786 tristate 'set target and match support' 787 depends on IP_SET 788 depends on NETFILTER_ADVANCED 789 help 790 This option adds the "SET" target and "set" match. 791 792 Using this target and match, you can add/delete and match 793 elements in the sets created by ipset(8). 794 795 To compile it as a module, choose M here. If unsure, say N. 796 797# alphabetically ordered list of targets 798 799comment "Xtables targets" 800 801config NETFILTER_XT_TARGET_AUDIT 802 tristate "AUDIT target support" 803 depends on AUDIT 804 depends on NETFILTER_ADVANCED 805 help 806 This option adds a 'AUDIT' target, which can be used to create 807 audit records for packets dropped/accepted. 808 809 To compileit as a module, choose M here. If unsure, say N. 810 811config NETFILTER_XT_TARGET_CHECKSUM 812 tristate "CHECKSUM target support" 813 depends on IP_NF_MANGLE || IP6_NF_MANGLE 814 depends on NETFILTER_ADVANCED 815 help 816 This option adds a `CHECKSUM' target, which can be used in the iptables mangle 817 table to work around buggy DHCP clients in virtualized environments. 818 819 Some old DHCP clients drop packets because they are not aware 820 that the checksum would normally be offloaded to hardware and 821 thus should be considered valid. 822 This target can be used to fill in the checksum using iptables 823 when such packets are sent via a virtual network device. 824 825 To compile it as a module, choose M here. If unsure, say N. 826 827config NETFILTER_XT_TARGET_CLASSIFY 828 tristate '"CLASSIFY" target support' 829 depends on NETFILTER_ADVANCED 830 help 831 This option adds a `CLASSIFY' target, which enables the user to set 832 the priority of a packet. Some qdiscs can use this value for 833 classification, among these are: 834 835 atm, cbq, dsmark, pfifo_fast, htb, prio 836 837 To compile it as a module, choose M here. If unsure, say N. 838 839config NETFILTER_XT_TARGET_CONNMARK 840 tristate '"CONNMARK" target support' 841 depends on NF_CONNTRACK 842 depends on NETFILTER_ADVANCED 843 select NETFILTER_XT_CONNMARK 844 help 845 This is a backwards-compat option for the user's convenience 846 (e.g. when running oldconfig). It selects 847 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 848 849config NETFILTER_XT_TARGET_CONNSECMARK 850 tristate '"CONNSECMARK" target support' 851 depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK 852 default m if NETFILTER_ADVANCED=n 853 help 854 The CONNSECMARK target copies security markings from packets 855 to connections, and restores security markings from connections 856 to packets (if the packets are not already marked). This would 857 normally be used in conjunction with the SECMARK target. 858 859 To compile it as a module, choose M here. If unsure, say N. 860 861config NETFILTER_XT_TARGET_CT 862 tristate '"CT" target support' 863 depends on NF_CONNTRACK 864 depends on IP_NF_RAW || IP6_NF_RAW 865 depends on NETFILTER_ADVANCED 866 help 867 This options adds a `CT' target, which allows to specify initial 868 connection tracking parameters like events to be delivered and 869 the helper to be used. 870 871 To compile it as a module, choose M here. If unsure, say N. 872 873config NETFILTER_XT_TARGET_DSCP 874 tristate '"DSCP" and "TOS" target support' 875 depends on IP_NF_MANGLE || IP6_NF_MANGLE 876 depends on NETFILTER_ADVANCED 877 help 878 This option adds a `DSCP' target, which allows you to manipulate 879 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 880 881 The DSCP field can have any value between 0x0 and 0x3f inclusive. 882 883 It also adds the "TOS" target, which allows you to create rules in 884 the "mangle" table which alter the Type Of Service field of an IPv4 885 or the Priority field of an IPv6 packet, prior to routing. 886 887 To compile it as a module, choose M here. If unsure, say N. 888 889config NETFILTER_XT_TARGET_HL 890 tristate '"HL" hoplimit target support' 891 depends on IP_NF_MANGLE || IP6_NF_MANGLE 892 depends on NETFILTER_ADVANCED 893 help 894 This option adds the "HL" (for IPv6) and "TTL" (for IPv4) 895 targets, which enable the user to change the 896 hoplimit/time-to-live value of the IP header. 897 898 While it is safe to decrement the hoplimit/TTL value, the 899 modules also allow to increment and set the hoplimit value of 900 the header to arbitrary values. This is EXTREMELY DANGEROUS 901 since you can easily create immortal packets that loop 902 forever on the network. 903 904config NETFILTER_XT_TARGET_HMARK 905 tristate '"HMARK" target support' 906 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 907 depends on NETFILTER_ADVANCED 908 help 909 This option adds the "HMARK" target. 910 911 The target allows you to create rules in the "raw" and "mangle" tables 912 which set the skbuff mark by means of hash calculation within a given 913 range. The nfmark can influence the routing method and can also be used 914 by other subsystems to change their behaviour. 915 916 To compile it as a module, choose M here. If unsure, say N. 917 918config NETFILTER_XT_TARGET_IDLETIMER 919 tristate "IDLETIMER target support" 920 depends on NETFILTER_ADVANCED 921 help 922 923 This option adds the `IDLETIMER' target. Each matching packet 924 resets the timer associated with label specified when the rule is 925 added. When the timer expires, it triggers a sysfs notification. 926 The remaining time for expiration can be read via sysfs. 927 928 To compile it as a module, choose M here. If unsure, say N. 929 930config NETFILTER_XT_TARGET_LED 931 tristate '"LED" target support' 932 depends on LEDS_CLASS && LEDS_TRIGGERS 933 depends on NETFILTER_ADVANCED 934 help 935 This option adds a `LED' target, which allows you to blink LEDs in 936 response to particular packets passing through your machine. 937 938 This can be used to turn a spare LED into a network activity LED, 939 which only flashes in response to FTP transfers, for example. Or 940 you could have an LED which lights up for a minute or two every time 941 somebody connects to your machine via SSH. 942 943 You will need support for the "led" class to make this work. 944 945 To create an LED trigger for incoming SSH traffic: 946 iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 947 948 Then attach the new trigger to an LED on your system: 949 echo netfilter-ssh > /sys/class/leds/<ledname>/trigger 950 951 For more information on the LEDs available on your system, see 952 Documentation/leds/leds-class.rst 953 954config NETFILTER_XT_TARGET_LOG 955 tristate "LOG target support" 956 select NF_LOG_SYSLOG 957 select NF_LOG_IPV6 if IP6_NF_IPTABLES 958 default m if NETFILTER_ADVANCED=n 959 help 960 This option adds a `LOG' target, which allows you to create rules in 961 any iptables table which records the packet header to the syslog. 962 963 To compile it as a module, choose M here. If unsure, say N. 964 965config NETFILTER_XT_TARGET_MARK 966 tristate '"MARK" target support' 967 depends on NETFILTER_ADVANCED 968 select NETFILTER_XT_MARK 969 help 970 This is a backwards-compat option for the user's convenience 971 (e.g. when running oldconfig). It selects 972 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 973 974config NETFILTER_XT_NAT 975 tristate '"SNAT and DNAT" targets support' 976 depends on NF_NAT 977 help 978 This option enables the SNAT and DNAT targets. 979 980 To compile it as a module, choose M here. If unsure, say N. 981 982config NETFILTER_XT_TARGET_NETMAP 983 tristate '"NETMAP" target support' 984 depends on NF_NAT 985 help 986 NETMAP is an implementation of static 1:1 NAT mapping of network 987 addresses. It maps the network address part, while keeping the host 988 address part intact. 989 990 To compile it as a module, choose M here. If unsure, say N. 991 992config NETFILTER_XT_TARGET_NFLOG 993 tristate '"NFLOG" target support' 994 default m if NETFILTER_ADVANCED=n 995 select NETFILTER_NETLINK_LOG 996 help 997 This option enables the NFLOG target, which allows to LOG 998 messages through nfnetlink_log. 999 1000 To compile it as a module, choose M here. If unsure, say N. 1001 1002config NETFILTER_XT_TARGET_NFQUEUE 1003 tristate '"NFQUEUE" target Support' 1004 depends on NETFILTER_ADVANCED 1005 select NETFILTER_NETLINK_QUEUE 1006 help 1007 This target replaced the old obsolete QUEUE target. 1008 1009 As opposed to QUEUE, it supports 65535 different queues, 1010 not just one. 1011 1012 To compile it as a module, choose M here. If unsure, say N. 1013 1014config NETFILTER_XT_TARGET_NOTRACK 1015 tristate '"NOTRACK" target support (DEPRECATED)' 1016 depends on NF_CONNTRACK 1017 depends on IP_NF_RAW || IP6_NF_RAW 1018 depends on NETFILTER_ADVANCED 1019 select NETFILTER_XT_TARGET_CT 1020 1021config NETFILTER_XT_TARGET_RATEEST 1022 tristate '"RATEEST" target support' 1023 depends on NETFILTER_ADVANCED 1024 help 1025 This option adds a `RATEEST' target, which allows to measure 1026 rates similar to TC estimators. The `rateest' match can be 1027 used to match on the measured rates. 1028 1029 To compile it as a module, choose M here. If unsure, say N. 1030 1031config NETFILTER_XT_TARGET_REDIRECT 1032 tristate "REDIRECT target support" 1033 depends on NF_NAT 1034 select NF_NAT_REDIRECT 1035 help 1036 REDIRECT is a special case of NAT: all incoming connections are 1037 mapped onto the incoming interface's address, causing the packets to 1038 come to the local machine instead of passing through. This is 1039 useful for transparent proxies. 1040 1041 To compile it as a module, choose M here. If unsure, say N. 1042 1043config NETFILTER_XT_TARGET_MASQUERADE 1044 tristate "MASQUERADE target support" 1045 depends on NF_NAT 1046 default m if NETFILTER_ADVANCED=n 1047 select NF_NAT_MASQUERADE 1048 help 1049 Masquerading is a special case of NAT: all outgoing connections are 1050 changed to seem to come from a particular interface's address, and 1051 if the interface goes down, those connections are lost. This is 1052 only useful for dialup accounts with dynamic IP address (ie. your IP 1053 address will be different on next dialup). 1054 1055 To compile it as a module, choose M here. If unsure, say N. 1056 1057config NETFILTER_XT_TARGET_TEE 1058 tristate '"TEE" - packet cloning to alternate destination' 1059 depends on NETFILTER_ADVANCED 1060 depends on IPV6 || IPV6=n 1061 depends on !NF_CONNTRACK || NF_CONNTRACK 1062 depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES 1063 select NF_DUP_IPV4 1064 select NF_DUP_IPV6 if IP6_NF_IPTABLES 1065 help 1066 This option adds a "TEE" target with which a packet can be cloned and 1067 this clone be rerouted to another nexthop. 1068 1069config NETFILTER_XT_TARGET_TPROXY 1070 tristate '"TPROXY" target transparent proxying support' 1071 depends on NETFILTER_XTABLES 1072 depends on NETFILTER_ADVANCED 1073 depends on IPV6 || IPV6=n 1074 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1075 depends on IP_NF_MANGLE 1076 select NF_DEFRAG_IPV4 1077 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 1078 select NF_TPROXY_IPV4 1079 select NF_TPROXY_IPV6 if IP6_NF_IPTABLES 1080 help 1081 This option adds a `TPROXY' target, which is somewhat similar to 1082 REDIRECT. It can only be used in the mangle table and is useful 1083 to redirect traffic to a transparent proxy. It does _not_ depend 1084 on Netfilter connection tracking and NAT, unlike REDIRECT. 1085 For it to work you will have to configure certain iptables rules 1086 and use policy routing. For more information on how to set it up 1087 see Documentation/networking/tproxy.rst. 1088 1089 To compile it as a module, choose M here. If unsure, say N. 1090 1091config NETFILTER_XT_TARGET_TRACE 1092 tristate '"TRACE" target support' 1093 depends on IP_NF_RAW || IP6_NF_RAW 1094 depends on NETFILTER_ADVANCED 1095 help 1096 The TRACE target allows you to mark packets so that the kernel 1097 will log every rule which match the packets as those traverse 1098 the tables, chains, rules. 1099 1100 If you want to compile it as a module, say M here and read 1101 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1102 1103config NETFILTER_XT_TARGET_SECMARK 1104 tristate '"SECMARK" target support' 1105 depends on NETWORK_SECMARK 1106 default m if NETFILTER_ADVANCED=n 1107 help 1108 The SECMARK target allows security marking of network 1109 packets, for use with security subsystems. 1110 1111 To compile it as a module, choose M here. If unsure, say N. 1112 1113config NETFILTER_XT_TARGET_TCPMSS 1114 tristate '"TCPMSS" target support' 1115 depends on IPV6 || IPV6=n 1116 default m if NETFILTER_ADVANCED=n 1117 help 1118 This option adds a `TCPMSS' target, which allows you to alter the 1119 MSS value of TCP SYN packets, to control the maximum size for that 1120 connection (usually limiting it to your outgoing interface's MTU 1121 minus 40). 1122 1123 This is used to overcome criminally braindead ISPs or servers which 1124 block ICMP Fragmentation Needed packets. The symptoms of this 1125 problem are that everything works fine from your Linux 1126 firewall/router, but machines behind it can never exchange large 1127 packets: 1128 1) Web browsers connect, then hang with no data received. 1129 2) Small mail works fine, but large emails hang. 1130 3) ssh works fine, but scp hangs after initial handshaking. 1131 1132 Workaround: activate this option and add a rule to your firewall 1133 configuration like: 1134 1135 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ 1136 -j TCPMSS --clamp-mss-to-pmtu 1137 1138 To compile it as a module, choose M here. If unsure, say N. 1139 1140config NETFILTER_XT_TARGET_TCPOPTSTRIP 1141 tristate '"TCPOPTSTRIP" target support' 1142 depends on IP_NF_MANGLE || IP6_NF_MANGLE 1143 depends on NETFILTER_ADVANCED 1144 help 1145 This option adds a "TCPOPTSTRIP" target, which allows you to strip 1146 TCP options from TCP packets. 1147 1148# alphabetically ordered list of matches 1149 1150comment "Xtables matches" 1151 1152config NETFILTER_XT_MATCH_ADDRTYPE 1153 tristate '"addrtype" address type match support' 1154 default m if NETFILTER_ADVANCED=n 1155 help 1156 This option allows you to match what routing thinks of an address, 1157 eg. UNICAST, LOCAL, BROADCAST, ... 1158 1159 If you want to compile it as a module, say M here and read 1160 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1161 1162config NETFILTER_XT_MATCH_BPF 1163 tristate '"bpf" match support' 1164 depends on NETFILTER_ADVANCED 1165 help 1166 BPF matching applies a linux socket filter to each packet and 1167 accepts those for which the filter returns non-zero. 1168 1169 To compile it as a module, choose M here. If unsure, say N. 1170 1171config NETFILTER_XT_MATCH_CGROUP 1172 tristate '"control group" match support' 1173 depends on NETFILTER_ADVANCED 1174 depends on CGROUPS 1175 select CGROUP_NET_CLASSID 1176 help 1177 Socket/process control group matching allows you to match locally 1178 generated packets based on which net_cls control group processes 1179 belong to. 1180 1181config NETFILTER_XT_MATCH_CLUSTER 1182 tristate '"cluster" match support' 1183 depends on NF_CONNTRACK 1184 depends on NETFILTER_ADVANCED 1185 help 1186 This option allows you to build work-load-sharing clusters of 1187 network servers/stateful firewalls without having a dedicated 1188 load-balancing router/server/switch. Basically, this match returns 1189 true when the packet must be handled by this cluster node. Thus, 1190 all nodes see all packets and this match decides which node handles 1191 what packets. The work-load sharing algorithm is based on source 1192 address hashing. 1193 1194 If you say Y or M here, try `iptables -m cluster --help` for 1195 more information. 1196 1197config NETFILTER_XT_MATCH_COMMENT 1198 tristate '"comment" match support' 1199 depends on NETFILTER_ADVANCED 1200 help 1201 This option adds a `comment' dummy-match, which allows you to put 1202 comments in your iptables ruleset. 1203 1204 If you want to compile it as a module, say M here and read 1205 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1206 1207config NETFILTER_XT_MATCH_CONNBYTES 1208 tristate '"connbytes" per-connection counter match support' 1209 depends on NF_CONNTRACK 1210 depends on NETFILTER_ADVANCED 1211 help 1212 This option adds a `connbytes' match, which allows you to match the 1213 number of bytes and/or packets for each direction within a connection. 1214 1215 If you want to compile it as a module, say M here and read 1216 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1217 1218config NETFILTER_XT_MATCH_CONNLABEL 1219 tristate '"connlabel" match support' 1220 select NF_CONNTRACK_LABELS 1221 depends on NF_CONNTRACK 1222 depends on NETFILTER_ADVANCED 1223 help 1224 This match allows you to test and assign userspace-defined labels names 1225 to a connection. The kernel only stores bit values - mapping 1226 names to bits is done by userspace. 1227 1228 Unlike connmark, more than 32 flag bits may be assigned to a 1229 connection simultaneously. 1230 1231config NETFILTER_XT_MATCH_CONNLIMIT 1232 tristate '"connlimit" match support' 1233 depends on NF_CONNTRACK 1234 depends on NETFILTER_ADVANCED 1235 select NETFILTER_CONNCOUNT 1236 help 1237 This match allows you to match against the number of parallel 1238 connections to a server per client IP address (or address block). 1239 1240config NETFILTER_XT_MATCH_CONNMARK 1241 tristate '"connmark" connection mark match support' 1242 depends on NF_CONNTRACK 1243 depends on NETFILTER_ADVANCED 1244 select NETFILTER_XT_CONNMARK 1245 help 1246 This is a backwards-compat option for the user's convenience 1247 (e.g. when running oldconfig). It selects 1248 CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 1249 1250config NETFILTER_XT_MATCH_CONNTRACK 1251 tristate '"conntrack" connection tracking match support' 1252 depends on NF_CONNTRACK 1253 default m if NETFILTER_ADVANCED=n 1254 help 1255 This is a general conntrack match module, a superset of the state match. 1256 1257 It allows matching on additional conntrack information, which is 1258 useful in complex configurations, such as NAT gateways with multiple 1259 internet links or tunnels. 1260 1261 To compile it as a module, choose M here. If unsure, say N. 1262 1263config NETFILTER_XT_MATCH_CPU 1264 tristate '"cpu" match support' 1265 depends on NETFILTER_ADVANCED 1266 help 1267 CPU matching allows you to match packets based on the CPU 1268 currently handling the packet. 1269 1270 To compile it as a module, choose M here. If unsure, say N. 1271 1272config NETFILTER_XT_MATCH_DCCP 1273 tristate '"dccp" protocol match support' 1274 depends on NETFILTER_ADVANCED 1275 default IP_DCCP 1276 help 1277 With this option enabled, you will be able to use the iptables 1278 `dccp' match in order to match on DCCP source/destination ports 1279 and DCCP flags. 1280 1281 If you want to compile it as a module, say M here and read 1282 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1283 1284config NETFILTER_XT_MATCH_DEVGROUP 1285 tristate '"devgroup" match support' 1286 depends on NETFILTER_ADVANCED 1287 help 1288 This options adds a `devgroup' match, which allows to match on the 1289 device group a network device is assigned to. 1290 1291 To compile it as a module, choose M here. If unsure, say N. 1292 1293config NETFILTER_XT_MATCH_DSCP 1294 tristate '"dscp" and "tos" match support' 1295 depends on NETFILTER_ADVANCED 1296 help 1297 This option adds a `DSCP' match, which allows you to match against 1298 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 1299 1300 The DSCP field can have any value between 0x0 and 0x3f inclusive. 1301 1302 It will also add a "tos" match, which allows you to match packets 1303 based on the Type Of Service fields of the IPv4 packet (which share 1304 the same bits as DSCP). 1305 1306 To compile it as a module, choose M here. If unsure, say N. 1307 1308config NETFILTER_XT_MATCH_ECN 1309 tristate '"ecn" match support' 1310 depends on NETFILTER_ADVANCED 1311 help 1312 This option adds an "ECN" match, which allows you to match against 1313 the IPv4 and TCP header ECN fields. 1314 1315 To compile it as a module, choose M here. If unsure, say N. 1316 1317config NETFILTER_XT_MATCH_ESP 1318 tristate '"esp" match support' 1319 depends on NETFILTER_ADVANCED 1320 help 1321 This match extension allows you to match a range of SPIs 1322 inside ESP header of IPSec packets. 1323 1324 To compile it as a module, choose M here. If unsure, say N. 1325 1326config NETFILTER_XT_MATCH_HASHLIMIT 1327 tristate '"hashlimit" match support' 1328 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1329 depends on NETFILTER_ADVANCED 1330 help 1331 This option adds a `hashlimit' match. 1332 1333 As opposed to `limit', this match dynamically creates a hash table 1334 of limit buckets, based on your selection of source/destination 1335 addresses and/or ports. 1336 1337 It enables you to express policies like `10kpps for any given 1338 destination address' or `500pps from any given source address' 1339 with a single rule. 1340 1341config NETFILTER_XT_MATCH_HELPER 1342 tristate '"helper" match support' 1343 depends on NF_CONNTRACK 1344 depends on NETFILTER_ADVANCED 1345 help 1346 Helper matching allows you to match packets in dynamic connections 1347 tracked by a conntrack-helper, ie. nf_conntrack_ftp 1348 1349 To compile it as a module, choose M here. If unsure, say Y. 1350 1351config NETFILTER_XT_MATCH_HL 1352 tristate '"hl" hoplimit/TTL match support' 1353 depends on NETFILTER_ADVANCED 1354 help 1355 HL matching allows you to match packets based on the hoplimit 1356 in the IPv6 header, or the time-to-live field in the IPv4 1357 header of the packet. 1358 1359config NETFILTER_XT_MATCH_IPCOMP 1360 tristate '"ipcomp" match support' 1361 depends on NETFILTER_ADVANCED 1362 help 1363 This match extension allows you to match a range of CPIs(16 bits) 1364 inside IPComp header of IPSec packets. 1365 1366 To compile it as a module, choose M here. If unsure, say N. 1367 1368config NETFILTER_XT_MATCH_IPRANGE 1369 tristate '"iprange" address range match support' 1370 depends on NETFILTER_ADVANCED 1371 help 1372 This option adds a "iprange" match, which allows you to match based on 1373 an IP address range. (Normal iptables only matches on single addresses 1374 with an optional mask.) 1375 1376 If unsure, say M. 1377 1378config NETFILTER_XT_MATCH_IPVS 1379 tristate '"ipvs" match support' 1380 depends on IP_VS 1381 depends on NETFILTER_ADVANCED 1382 depends on NF_CONNTRACK 1383 help 1384 This option allows you to match against IPVS properties of a packet. 1385 1386 If unsure, say N. 1387 1388config NETFILTER_XT_MATCH_L2TP 1389 tristate '"l2tp" match support' 1390 depends on NETFILTER_ADVANCED 1391 default L2TP 1392 help 1393 This option adds an "L2TP" match, which allows you to match against 1394 L2TP protocol header fields. 1395 1396 To compile it as a module, choose M here. If unsure, say N. 1397 1398config NETFILTER_XT_MATCH_LENGTH 1399 tristate '"length" match support' 1400 depends on NETFILTER_ADVANCED 1401 help 1402 This option allows you to match the length of a packet against a 1403 specific value or range of values. 1404 1405 To compile it as a module, choose M here. If unsure, say N. 1406 1407config NETFILTER_XT_MATCH_LIMIT 1408 tristate '"limit" match support' 1409 depends on NETFILTER_ADVANCED 1410 help 1411 limit matching allows you to control the rate at which a rule can be 1412 matched: mainly useful in combination with the LOG target ("LOG 1413 target support", below) and to avoid some Denial of Service attacks. 1414 1415 To compile it as a module, choose M here. If unsure, say N. 1416 1417config NETFILTER_XT_MATCH_MAC 1418 tristate '"mac" address match support' 1419 depends on NETFILTER_ADVANCED 1420 help 1421 MAC matching allows you to match packets based on the source 1422 Ethernet address of the packet. 1423 1424 To compile it as a module, choose M here. If unsure, say N. 1425 1426config NETFILTER_XT_MATCH_MARK 1427 tristate '"mark" match support' 1428 depends on NETFILTER_ADVANCED 1429 select NETFILTER_XT_MARK 1430 help 1431 This is a backwards-compat option for the user's convenience 1432 (e.g. when running oldconfig). It selects 1433 CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). 1434 1435config NETFILTER_XT_MATCH_MULTIPORT 1436 tristate '"multiport" Multiple port match support' 1437 depends on NETFILTER_ADVANCED 1438 help 1439 Multiport matching allows you to match TCP or UDP packets based on 1440 a series of source or destination ports: normally a rule can only 1441 match a single range of ports. 1442 1443 To compile it as a module, choose M here. If unsure, say N. 1444 1445config NETFILTER_XT_MATCH_NFACCT 1446 tristate '"nfacct" match support' 1447 depends on NETFILTER_ADVANCED 1448 select NETFILTER_NETLINK_ACCT 1449 help 1450 This option allows you to use the extended accounting through 1451 nfnetlink_acct. 1452 1453 To compile it as a module, choose M here. If unsure, say N. 1454 1455config NETFILTER_XT_MATCH_OSF 1456 tristate '"osf" Passive OS fingerprint match' 1457 depends on NETFILTER_ADVANCED 1458 select NETFILTER_NETLINK_OSF 1459 help 1460 This option selects the Passive OS Fingerprinting match module 1461 that allows to passively match the remote operating system by 1462 analyzing incoming TCP SYN packets. 1463 1464 Rules and loading software can be downloaded from 1465 http://www.ioremap.net/projects/osf 1466 1467 To compile it as a module, choose M here. If unsure, say N. 1468 1469config NETFILTER_XT_MATCH_OWNER 1470 tristate '"owner" match support' 1471 depends on NETFILTER_ADVANCED 1472 help 1473 Socket owner matching allows you to match locally-generated packets 1474 based on who created the socket: the user or group. It is also 1475 possible to check whether a socket actually exists. 1476 1477config NETFILTER_XT_MATCH_POLICY 1478 tristate 'IPsec "policy" match support' 1479 depends on XFRM 1480 default m if NETFILTER_ADVANCED=n 1481 help 1482 Policy matching allows you to match packets based on the 1483 IPsec policy that was used during decapsulation/will 1484 be used during encapsulation. 1485 1486 To compile it as a module, choose M here. If unsure, say N. 1487 1488config NETFILTER_XT_MATCH_PHYSDEV 1489 tristate '"physdev" match support' 1490 depends on BRIDGE && BRIDGE_NETFILTER 1491 depends on NETFILTER_ADVANCED 1492 help 1493 Physdev packet matching matches against the physical bridge ports 1494 the IP packet arrived on or will leave by. 1495 1496 To compile it as a module, choose M here. If unsure, say N. 1497 1498config NETFILTER_XT_MATCH_PKTTYPE 1499 tristate '"pkttype" packet type match support' 1500 depends on NETFILTER_ADVANCED 1501 help 1502 Packet type matching allows you to match a packet by 1503 its "class", eg. BROADCAST, MULTICAST, ... 1504 1505 Typical usage: 1506 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG 1507 1508 To compile it as a module, choose M here. If unsure, say N. 1509 1510config NETFILTER_XT_MATCH_QUOTA 1511 tristate '"quota" match support' 1512 depends on NETFILTER_ADVANCED 1513 help 1514 This option adds a `quota' match, which allows to match on a 1515 byte counter. 1516 1517 If you want to compile it as a module, say M here and read 1518 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1519 1520config NETFILTER_XT_MATCH_RATEEST 1521 tristate '"rateest" match support' 1522 depends on NETFILTER_ADVANCED 1523 select NETFILTER_XT_TARGET_RATEEST 1524 help 1525 This option adds a `rateest' match, which allows to match on the 1526 rate estimated by the RATEEST target. 1527 1528 To compile it as a module, choose M here. If unsure, say N. 1529 1530config NETFILTER_XT_MATCH_REALM 1531 tristate '"realm" match support' 1532 depends on NETFILTER_ADVANCED 1533 select IP_ROUTE_CLASSID 1534 help 1535 This option adds a `realm' match, which allows you to use the realm 1536 key from the routing subsystem inside iptables. 1537 1538 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 1539 in tc world. 1540 1541 If you want to compile it as a module, say M here and read 1542 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1543 1544config NETFILTER_XT_MATCH_RECENT 1545 tristate '"recent" match support' 1546 depends on NETFILTER_ADVANCED 1547 help 1548 This match is used for creating one or many lists of recently 1549 used addresses and then matching against that/those list(s). 1550 1551 Short options are available by using 'iptables -m recent -h' 1552 Official Website: <http://snowman.net/projects/ipt_recent/> 1553 1554config NETFILTER_XT_MATCH_SCTP 1555 tristate '"sctp" protocol match support' 1556 depends on NETFILTER_ADVANCED 1557 default IP_SCTP 1558 help 1559 With this option enabled, you will be able to use the 1560 `sctp' match in order to match on SCTP source/destination ports 1561 and SCTP chunk types. 1562 1563 If you want to compile it as a module, say M here and read 1564 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 1565 1566config NETFILTER_XT_MATCH_SOCKET 1567 tristate '"socket" match support' 1568 depends on NETFILTER_XTABLES 1569 depends on NETFILTER_ADVANCED 1570 depends on IPV6 || IPV6=n 1571 depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n 1572 select NF_SOCKET_IPV4 1573 select NF_SOCKET_IPV6 if IP6_NF_IPTABLES 1574 select NF_DEFRAG_IPV4 1575 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n 1576 help 1577 This option adds a `socket' match, which can be used to match 1578 packets for which a TCP or UDP socket lookup finds a valid socket. 1579 It can be used in combination with the MARK target and policy 1580 routing to implement full featured non-locally bound sockets. 1581 1582 To compile it as a module, choose M here. If unsure, say N. 1583 1584config NETFILTER_XT_MATCH_STATE 1585 tristate '"state" match support' 1586 depends on NF_CONNTRACK 1587 default m if NETFILTER_ADVANCED=n 1588 help 1589 Connection state matching allows you to match packets based on their 1590 relationship to a tracked connection (ie. previous packets). This 1591 is a powerful tool for packet classification. 1592 1593 To compile it as a module, choose M here. If unsure, say N. 1594 1595config NETFILTER_XT_MATCH_STATISTIC 1596 tristate '"statistic" match support' 1597 depends on NETFILTER_ADVANCED 1598 help 1599 This option adds a `statistic' match, which allows you to match 1600 on packets periodically or randomly with a given percentage. 1601 1602 To compile it as a module, choose M here. If unsure, say N. 1603 1604config NETFILTER_XT_MATCH_STRING 1605 tristate '"string" match support' 1606 depends on NETFILTER_ADVANCED 1607 select TEXTSEARCH 1608 select TEXTSEARCH_KMP 1609 select TEXTSEARCH_BM 1610 select TEXTSEARCH_FSM 1611 help 1612 This option adds a `string' match, which allows you to look for 1613 pattern matchings in packets. 1614 1615 To compile it as a module, choose M here. If unsure, say N. 1616 1617config NETFILTER_XT_MATCH_TCPMSS 1618 tristate '"tcpmss" match support' 1619 depends on NETFILTER_ADVANCED 1620 help 1621 This option adds a `tcpmss' match, which allows you to examine the 1622 MSS value of TCP SYN packets, which control the maximum packet size 1623 for that connection. 1624 1625 To compile it as a module, choose M here. If unsure, say N. 1626 1627config NETFILTER_XT_MATCH_TIME 1628 tristate '"time" match support' 1629 depends on NETFILTER_ADVANCED 1630 help 1631 This option adds a "time" match, which allows you to match based on 1632 the packet arrival time (at the machine which netfilter is running) 1633 on) or departure time/date (for locally generated packets). 1634 1635 If you say Y here, try `iptables -m time --help` for 1636 more information. 1637 1638 If you want to compile it as a module, say M here. 1639 If unsure, say N. 1640 1641config NETFILTER_XT_MATCH_U32 1642 tristate '"u32" match support' 1643 depends on NETFILTER_ADVANCED 1644 help 1645 u32 allows you to extract quantities of up to 4 bytes from a packet, 1646 AND them with specified masks, shift them by specified amounts and 1647 test whether the results are in any of a set of specified ranges. 1648 The specification of what to extract is general enough to skip over 1649 headers with lengths stored in the packet, as in IP or TCP header 1650 lengths. 1651 1652 Details and examples are in the kernel module source. 1653 1654endif # NETFILTER_XTABLES 1655 1656endmenu 1657 1658source "net/netfilter/ipset/Kconfig" 1659 1660source "net/netfilter/ipvs/Kconfig" 1661