1# SPDX-License-Identifier: GPL-2.0-only
2menu "Core Netfilter Configuration"
3	depends on INET && NETFILTER
4
5config NETFILTER_INGRESS
6	bool "Netfilter ingress support"
7	default y
8	select NET_INGRESS
9	help
10	  This allows you to classify packets from ingress using the Netfilter
11	  infrastructure.
12
13config NETFILTER_EGRESS
14	bool "Netfilter egress support"
15	default y
16	select NET_EGRESS
17	help
18	  This allows you to classify packets before transmission using the
19	  Netfilter infrastructure.
20
21config NETFILTER_SKIP_EGRESS
22	def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)
23
24config NETFILTER_NETLINK
25	tristate
26
27config NETFILTER_FAMILY_BRIDGE
28	bool
29
30config NETFILTER_FAMILY_ARP
31	bool
32
33config NETFILTER_NETLINK_HOOK
34	tristate "Netfilter base hook dump support"
35	depends on NETFILTER_ADVANCED
36	depends on NF_TABLES
37	select NETFILTER_NETLINK
38	help
39	  If this option is enabled, the kernel will include support
40	  to list the base netfilter hooks via NFNETLINK.
41	  This is helpful for debugging.
42
43config NETFILTER_NETLINK_ACCT
44	tristate "Netfilter NFACCT over NFNETLINK interface"
45	depends on NETFILTER_ADVANCED
46	select NETFILTER_NETLINK
47	help
48	  If this option is enabled, the kernel will include support
49	  for extended accounting via NFNETLINK.
50
51config NETFILTER_NETLINK_QUEUE
52	tristate "Netfilter NFQUEUE over NFNETLINK interface"
53	depends on NETFILTER_ADVANCED
54	select NETFILTER_NETLINK
55	help
56	  If this option is enabled, the kernel will include support
57	  for queueing packets via NFNETLINK.
58
59config NETFILTER_NETLINK_LOG
60	tristate "Netfilter LOG over NFNETLINK interface"
61	default m if NETFILTER_ADVANCED=n
62	select NETFILTER_NETLINK
63	help
64	  If this option is enabled, the kernel will include support
65	  for logging packets via NFNETLINK.
66
	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.
70
71config NETFILTER_NETLINK_OSF
72	tristate "Netfilter OSF over NFNETLINK interface"
73	depends on NETFILTER_ADVANCED
74	select NETFILTER_NETLINK
75	help
76	  If this option is enabled, the kernel will include support
77	  for passive OS fingerprint via NFNETLINK.
78
79config NF_CONNTRACK
80	tristate "Netfilter connection tracking support"
81	default m if NETFILTER_ADVANCED=n
82	select NF_DEFRAG_IPV4
83	select NF_DEFRAG_IPV6 if IPV6 != n
84	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they relate
	  to connections.
88
89	  This is required to do Masquerading or other kinds of Network
90	  Address Translation.  It can also be used to enhance packet
91	  filtering (see `Connection state match support' below).
92
93	  To compile it as a module, choose M here.  If unsure, say N.
94
95config NF_LOG_SYSLOG
96	tristate "Syslog packet logging"
97	default m if NETFILTER_ADVANCED=n
98	help
	  This option enables support for packet logging via syslog.
100	  It supports IPv4, IPV6, ARP and common transport protocols such
101	  as TCP and UDP.
102	  This is a simpler but less flexible logging method compared to
103	  CONFIG_NETFILTER_NETLINK_LOG.
104	  If both are enabled the backend to use can be configured at run-time
105	  by means of per-address-family sysctl tunables.
106
107if NF_CONNTRACK
108config NETFILTER_CONNCOUNT
109	tristate
110
111config NF_CONNTRACK_MARK
112	bool  'Connection mark tracking support'
113	depends on NETFILTER_ADVANCED
114	help
115	  This option enables support for connection marks, used by the
116	  `CONNMARK' target and `connmark' match. Similar to the mark value
117	  of packets, but this mark value is kept in the conntrack session
118	  instead of the individual packets.
119
120config NF_CONNTRACK_SECMARK
121	bool  'Connection tracking security mark support'
122	depends on NETWORK_SECMARK
123	default y if NETFILTER_ADVANCED=n
124	help
125	  This option enables security markings to be applied to
126	  connections.  Typically they are copied to connections from
127	  packets using the CONNSECMARK target and copied back from
128	  connections to packets with the same target, with the packets
129	  being originally labeled via SECMARK.
130
131	  If unsure, say 'N'.
132
133config NF_CONNTRACK_ZONES
134	bool  'Connection tracking zones'
135	depends on NETFILTER_ADVANCED
136	help
137	  This option enables support for connection tracking zones.
138	  Normally, each connection needs to have a unique system wide
139	  identity. Connection tracking zones allow to have multiple
140	  connections using the same identity, as long as they are
141	  contained in different zones.
142
143	  If unsure, say `N'.
144
145config NF_CONNTRACK_PROCFS
146	bool "Supply CT list in procfs (OBSOLETE)"
147	depends on PROC_FS
148	help
	This option enables the list of known conntrack entries
	to be shown in procfs under net/netfilter/nf_conntrack. This
151	is considered obsolete in favor of using the conntrack(8)
152	tool which uses Netlink.
153
154config NF_CONNTRACK_EVENTS
155	bool "Connection tracking events"
156	depends on NETFILTER_ADVANCED
157	help
158	  If this option is enabled, the connection tracking code will
159	  provide a notifier chain that can be used by other kernel code
160	  to get notified about changes in the connection tracking state.
161
162	  If unsure, say `N'.
163
164config NF_CONNTRACK_TIMEOUT
165	bool  'Connection tracking timeout'
166	depends on NETFILTER_ADVANCED
167	help
168	  This option enables support for connection tracking timeout
169	  extension. This allows you to attach timeout policies to flow
170	  via the CT target.
171
172	  If unsure, say `N'.
173
174config NF_CONNTRACK_TIMESTAMP
175	bool  'Connection tracking timestamping'
176	depends on NETFILTER_ADVANCED
177	help
178	  This option enables support for connection tracking timestamping.
179	  This allows you to store the flow start-time and to obtain
180	  the flow-stop time (once it has been destroyed) via Connection
181	  tracking events.
182
183	  If unsure, say `N'.
184
185config NF_CONNTRACK_LABELS
186	bool "Connection tracking labels"
187	help
188	  This option enables support for assigning user-defined flag bits
189	  to connection tracking entries.  It can be used with xtables connlabel
190	  match and the nftables ct expression.
191
192config NF_CT_PROTO_DCCP
193	bool 'DCCP protocol connection tracking support'
194	depends on NETFILTER_ADVANCED
195	default y
196	help
197	  With this option enabled, the layer 3 independent connection
198	  tracking code will be able to do state tracking on DCCP connections.
199
200	  If unsure, say Y.
201
202config NF_CT_PROTO_GRE
203	bool
204
205config NF_CT_PROTO_SCTP
206	bool 'SCTP protocol connection tracking support'
207	depends on NETFILTER_ADVANCED
208	default y
209	select LIBCRC32C
210	help
211	  With this option enabled, the layer 3 independent connection
212	  tracking code will be able to do state tracking on SCTP connections.
213
214	  If unsure, say Y.
215
216config NF_CT_PROTO_UDPLITE
217	bool 'UDP-Lite protocol connection tracking support'
218	depends on NETFILTER_ADVANCED
219	default y
220	help
221	  With this option enabled, the layer 3 independent connection
222	  tracking code will be able to do state tracking on UDP-Lite
223	  connections.
224
225	  If unsure, say Y.
226
227config NF_CONNTRACK_AMANDA
228	tristate "Amanda backup protocol support"
229	depends on NETFILTER_ADVANCED
230	select TEXTSEARCH
231	select TEXTSEARCH_KMP
232	help
233	  If you are running the Amanda backup package <http://www.amanda.org/>
234	  on this machine or machines that will be MASQUERADED through this
235	  machine, then you may want to enable this feature.  This allows the
236	  connection tracking and natting code to allow the sub-channels that
237	  Amanda requires for communication of the backup data, messages and
238	  index.
239
240	  To compile it as a module, choose M here.  If unsure, say N.
241
242config NF_CONNTRACK_FTP
243	tristate "FTP protocol support"
244	default m if NETFILTER_ADVANCED=n
245	help
246	  Tracking FTP connections is problematic: special helpers are
247	  required for tracking them, and doing masquerading and other forms
248	  of Network Address Translation on them.
249
250	  This is FTP support on Layer 3 independent connection tracking.
251
252	  To compile it as a module, choose M here.  If unsure, say N.
253
254config NF_CONNTRACK_H323
255	tristate "H.323 protocol support"
256	depends on IPV6 || IPV6=n
257	depends on NETFILTER_ADVANCED
258	help
259	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
260	  important VoIP protocols, it is widely used by voice hardware and
261	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
262	  Gnomemeeting, etc.
263
264	  With this module you can support H.323 on a connection tracking/NAT
265	  firewall.
266
267	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
268	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
269	  whiteboard, file transfer, etc. For more information, please
270	  visit http://nath323.sourceforge.net/.
271
272	  To compile it as a module, choose M here.  If unsure, say N.
273
274config NF_CONNTRACK_IRC
275	tristate "IRC protocol support"
276	default m if NETFILTER_ADVANCED=n
277	help
278	  There is a commonly-used extension to IRC called
279	  Direct Client-to-Client Protocol (DCC).  This enables users to send
280	  files to each other, and also chat to each other without the need
281	  of a server.  DCC Sending is used anywhere you send files over IRC,
282	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
283	  using NAT, this extension will enable you to send files and initiate
284	  chats.  Note that you do NOT need this extension to get files or
285	  have others initiate chats, or everything else in IRC.
286
287	  To compile it as a module, choose M here.  If unsure, say N.
288
289config NF_CONNTRACK_BROADCAST
290	tristate
291
292config NF_CONNTRACK_NETBIOS_NS
293	tristate "NetBIOS name service protocol support"
294	select NF_CONNTRACK_BROADCAST
295	help
296	  NetBIOS name service requests are sent as broadcast messages from an
297	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
299	  tracking doesn't deal with broadcasts. This helper tracks locally
300	  originating NetBIOS name service requests and the corresponding
301	  responses. It relies on correct IP address configuration, specifically
302	  netmask and broadcast address. When properly configured, the output
303	  of "ip address show" should look similar to this:
304
305	  $ ip -4 address show eth0
306	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
307	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
308
309	  To compile it as a module, choose M here.  If unsure, say N.
310
311config NF_CONNTRACK_SNMP
312	tristate "SNMP service protocol support"
313	depends on NETFILTER_ADVANCED
314	select NF_CONNTRACK_BROADCAST
315	help
316	  SNMP service requests are sent as broadcast messages from an
317	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
319	  tracking doesn't deal with broadcasts. This helper tracks locally
320	  originating SNMP service requests and the corresponding
321	  responses. It relies on correct IP address configuration, specifically
322	  netmask and broadcast address.
323
324	  To compile it as a module, choose M here.  If unsure, say N.
325
326config NF_CONNTRACK_PPTP
327	tristate "PPtP protocol support"
328	depends on NETFILTER_ADVANCED
329	select NF_CT_PROTO_GRE
330	help
331	  This module adds support for PPTP (Point to Point Tunnelling
332	  Protocol, RFC2637) connection tracking and NAT.
333
334	  If you are running PPTP sessions over a stateful firewall or NAT
335	  box, you may want to enable this feature.
336
337	  Please note that not all PPTP modes of operation are supported yet.
338	  Specifically these limitations exist:
339	    - Blindly assumes that control connections are always established
340	      in PNS->PAC direction. This is a violation of RFC2637.
341	    - Only supports a single call within each session
342
343	  To compile it as a module, choose M here.  If unsure, say N.
344
345config NF_CONNTRACK_SANE
346	tristate "SANE protocol support"
347	depends on NETFILTER_ADVANCED
348	help
349	  SANE is a protocol for remote access to scanners as implemented
350	  by the 'saned' daemon. Like FTP, it uses separate control and
351	  data connections.
352
353	  With this module you can support SANE on a connection tracking
354	  firewall.
355
356	  To compile it as a module, choose M here.  If unsure, say N.
357
358config NF_CONNTRACK_SIP
359	tristate "SIP protocol support"
360	default m if NETFILTER_ADVANCED=n
361	help
362	  SIP is an application-layer control protocol that can establish,
363	  modify, and terminate multimedia sessions (conferences) such as
364	  Internet telephony calls. With the nf_conntrack_sip and
365	  the nf_nat_sip modules you can support the protocol on a connection
366	  tracking/NATing firewall.
367
368	  To compile it as a module, choose M here.  If unsure, say N.
369
370config NF_CONNTRACK_TFTP
371	tristate "TFTP protocol support"
372	depends on NETFILTER_ADVANCED
373	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.
378
379	  To compile it as a module, choose M here.  If unsure, say N.
380
381config NF_CT_NETLINK
382	tristate 'Connection tracking netlink interface'
383	select NETFILTER_NETLINK
384	default m if NETFILTER_ADVANCED=n
385	help
	  This option enables support for a netlink-based userspace interface
	  to connection tracking, as used by the conntrack(8) tool.
387
388config NF_CT_NETLINK_TIMEOUT
389	tristate  'Connection tracking timeout tuning via Netlink'
390	select NETFILTER_NETLINK
391	depends on NETFILTER_ADVANCED
392	depends on NF_CONNTRACK_TIMEOUT
393	help
394	  This option enables support for connection tracking timeout
395	  fine-grain tuning. This allows you to attach specific timeout
396	  policies to flows, instead of using the global timeout policy.
397
398	  If unsure, say `N'.
399
400config NF_CT_NETLINK_HELPER
401	tristate 'Connection tracking helpers in user-space via Netlink'
402	select NETFILTER_NETLINK
403	depends on NF_CT_NETLINK
404	depends on NETFILTER_NETLINK_QUEUE
405	depends on NETFILTER_NETLINK_GLUE_CT
406	depends on NETFILTER_ADVANCED
407	help
408	  This option enables the user-space connection tracking helpers
409	  infrastructure.
410
411	  If unsure, say `N'.
412
413config NETFILTER_NETLINK_GLUE_CT
414	bool "NFQUEUE and NFLOG integration with Connection Tracking"
415	default n
416	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
417	help
	  If this option is enabled, NFQUEUE and NFLOG can include
	  Connection Tracking information together with the packet that is
	  enqueued via NFNETLINK.
421
422config NF_NAT
423	tristate "Network Address Translation support"
424	depends on NF_CONNTRACK
425	default m if NETFILTER_ADVANCED=n
426	help
427	  The NAT option allows masquerading, port forwarding and other
428	  forms of full Network Address Port Translation. This can be
429	  controlled by iptables, ip6tables or nft.
430
431config NF_NAT_AMANDA
432	tristate
433	depends on NF_CONNTRACK && NF_NAT
434	default NF_NAT && NF_CONNTRACK_AMANDA
435
436config NF_NAT_FTP
437	tristate
438	depends on NF_CONNTRACK && NF_NAT
439	default NF_NAT && NF_CONNTRACK_FTP
440
441config NF_NAT_IRC
442	tristate
443	depends on NF_CONNTRACK && NF_NAT
444	default NF_NAT && NF_CONNTRACK_IRC
445
446config NF_NAT_SIP
447	tristate
448	depends on NF_CONNTRACK && NF_NAT
449	default NF_NAT && NF_CONNTRACK_SIP
450
451config NF_NAT_TFTP
452	tristate
453	depends on NF_CONNTRACK && NF_NAT
454	default NF_NAT && NF_CONNTRACK_TFTP
455
456config NF_NAT_REDIRECT
457	bool
458
459config NF_NAT_MASQUERADE
460	bool
461
462config NETFILTER_SYNPROXY
463	tristate
464
465endif # NF_CONNTRACK
466
467config NF_TABLES
468	select NETFILTER_NETLINK
469	select LIBCRC32C
470	tristate "Netfilter nf_tables support"
471	help
472	  nftables is the new packet classification framework that intends to
473	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
474	  provides a pseudo-state machine with an extensible instruction-set
475	  (also known as expressions) that the userspace 'nft' utility
476	  (https://www.netfilter.org/projects/nftables) uses to build the
477	  rule-set. It also comes with the generic set infrastructure that
478	  allows you to construct mappings between matchings and actions
479	  for performance lookups.
480
481	  To compile it as a module, choose M here.
482
483if NF_TABLES
484config NF_TABLES_INET
485	depends on IPV6
486	select NF_TABLES_IPV4
487	select NF_TABLES_IPV6
488	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
489	help
490	  This option enables support for a mixed IPv4/IPv6 "inet" table.
491
492config NF_TABLES_NETDEV
493	bool "Netfilter nf_tables netdev tables support"
494	help
495	  This option enables support for the "netdev" table.
496
497config NFT_NUMGEN
498	tristate "Netfilter nf_tables number generator module"
499	help
500	  This option adds the number generator expression used to perform
	  incremental counting and random numbers bound to an upper limit.
502
503config NFT_CT
504	depends on NF_CONNTRACK
505	tristate "Netfilter nf_tables conntrack module"
506	help
507	  This option adds the "ct" expression that you can use to match
508	  connection tracking information such as the flow state.
509
510config NFT_FLOW_OFFLOAD
511	depends on NF_CONNTRACK && NF_FLOW_TABLE
512	tristate "Netfilter nf_tables hardware flow offload module"
513	help
514	  This option adds the "flow_offload" expression that you can use to
515	  choose what flows are placed into the hardware.
516
517config NFT_CONNLIMIT
518	tristate "Netfilter nf_tables connlimit module"
519	depends on NF_CONNTRACK
520	depends on NETFILTER_ADVANCED
521	select NETFILTER_CONNCOUNT
522	help
	  This option adds the "connlimit" expression that you can use to
	  limit rule matches by the number of connections.
525
526config NFT_LOG
527	tristate "Netfilter nf_tables log module"
528	help
529	  This option adds the "log" expression that you can use to log
530	  packets matching some criteria.
531
532config NFT_LIMIT
533	tristate "Netfilter nf_tables limit module"
534	help
535	  This option adds the "limit" expression that you can use to
536	  ratelimit rule matchings.
537
538config NFT_MASQ
539	depends on NF_CONNTRACK
540	depends on NF_NAT
541	select NF_NAT_MASQUERADE
542	tristate "Netfilter nf_tables masquerade support"
543	help
544	  This option adds the "masquerade" expression that you can use
545	  to perform NAT in the masquerade flavour.
546
547config NFT_REDIR
548	depends on NF_CONNTRACK
549	depends on NF_NAT
550	tristate "Netfilter nf_tables redirect support"
551	select NF_NAT_REDIRECT
552	help
	  This option adds the "redirect" expression that you can use
554	  to perform NAT in the redirect flavour.
555
556config NFT_NAT
557	depends on NF_CONNTRACK
558	select NF_NAT
559	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
560	tristate "Netfilter nf_tables nat module"
561	help
562	  This option adds the "nat" expression that you can use to perform
563	  typical Network Address Translation (NAT) packet transformations.
564
565config NFT_TUNNEL
566	tristate "Netfilter nf_tables tunnel module"
567	help
568	  This option adds the "tunnel" expression that you can use to set
569	  tunneling policies.
570
571config NFT_QUEUE
572	depends on NETFILTER_NETLINK_QUEUE
573	tristate "Netfilter nf_tables queue module"
574	help
575	  This is required if you intend to use the userspace queueing
576	  infrastructure (also known as NFQUEUE) from nftables.
577
578config NFT_QUOTA
579	tristate "Netfilter nf_tables quota module"
580	help
	  This option adds the "quota" expression that you can use to
	  enforce byte quotas.
583
584config NFT_REJECT
585	default m if NETFILTER_ADVANCED=n
586	tristate "Netfilter nf_tables reject support"
587	depends on !NF_TABLES_INET || (IPV6!=m || m)
588	help
	  This option adds the "reject" expression that you can use to
	  explicitly deny disallowed traffic and notify the sender via a
	  TCP reset or an ICMP error.
592
593config NFT_REJECT_INET
594	depends on NF_TABLES_INET
595	default NFT_REJECT
596	tristate
597
598config NFT_COMPAT
599	depends on NETFILTER_XTABLES
600	tristate "Netfilter x_tables over nf_tables module"
601	help
602	  This is required if you intend to use any of existing
603	  x_tables match/target extensions over the nf_tables
604	  framework.
605
606config NFT_HASH
607	tristate "Netfilter nf_tables hash module"
608	help
609	  This option adds the "hash" expression that you can use to perform
610	  a hash operation on registers.
611
612config NFT_FIB
613	tristate
614
615config NFT_FIB_INET
616	depends on NF_TABLES_INET
617	depends on NFT_FIB_IPV4
618	depends on NFT_FIB_IPV6
619	tristate "Netfilter nf_tables fib inet support"
620	help
621	  This option allows using the FIB expression from the inet table.
622	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
623	  on the protocol of the packet.
624
625config NFT_XFRM
626	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
627	depends on XFRM
628	help
629	  This option adds an expression that you can use to extract properties
630	  of a packets security association.
631
632config NFT_SOCKET
633	tristate "Netfilter nf_tables socket match support"
634	depends on IPV6 || IPV6=n
635	select NF_SOCKET_IPV4
636	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
637	help
638	  This option allows matching for the presence or absence of a
639	  corresponding socket and its attributes.
640
641config NFT_OSF
642	tristate "Netfilter nf_tables passive OS fingerprint support"
643	depends on NETFILTER_ADVANCED
644	select NETFILTER_NETLINK_OSF
645	help
	  This option allows matching packets from a specific OS.
647
648config NFT_TPROXY
649	tristate "Netfilter nf_tables tproxy support"
650	depends on IPV6 || IPV6=n
651	select NF_DEFRAG_IPV4
652	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
653	select NF_TPROXY_IPV4
654	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
655	help
656	  This makes transparent proxy support available in nftables.
657
658config NFT_SYNPROXY
659	tristate "Netfilter nf_tables SYNPROXY expression support"
660	depends on NF_CONNTRACK && NETFILTER_ADVANCED
661	select NETFILTER_SYNPROXY
662	select SYN_COOKIES
663	help
664	  The SYNPROXY expression allows you to intercept TCP connections and
665	  establish them using syncookies before they are passed on to the
666	  server. This allows to avoid conntrack and server resource usage
667	  during SYN-flood attacks.
668
669if NF_TABLES_NETDEV
670
671config NF_DUP_NETDEV
672	tristate "Netfilter packet duplication support"
673	help
674	  This option enables the generic packet duplication infrastructure
675	  for Netfilter.
676
677config NFT_DUP_NETDEV
678	tristate "Netfilter nf_tables netdev packet duplication support"
679	select NF_DUP_NETDEV
680	help
681	  This option enables packet duplication for the "netdev" family.
682
683config NFT_FWD_NETDEV
684	tristate "Netfilter nf_tables netdev packet forwarding support"
685	select NF_DUP_NETDEV
686	help
687	  This option enables packet forwarding for the "netdev" family.
688
689config NFT_FIB_NETDEV
690	depends on NFT_FIB_IPV4
691	depends on NFT_FIB_IPV6
692	tristate "Netfilter nf_tables netdev fib lookups support"
693	help
694	  This option allows using the FIB expression from the netdev table.
695	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
696	  on the protocol of the packet.
697
698config NFT_REJECT_NETDEV
699	depends on NFT_REJECT_IPV4
700	depends on NFT_REJECT_IPV6
701	tristate "Netfilter nf_tables netdev REJECT support"
702	help
703	  This option enables the REJECT support from the netdev table.
704	  The return packet generation will be delegated to the IPv4
705	  or IPv6 ICMP or TCP RST implementation depending on the
706	  protocol of the packet.
707
708endif # NF_TABLES_NETDEV
709
710endif # NF_TABLES
711
712config NF_FLOW_TABLE_INET
713	tristate "Netfilter flow table mixed IPv4/IPv6 module"
714	depends on NF_FLOW_TABLE
715	help
716	  This option adds the flow table mixed IPv4/IPv6 support.
717
718	  To compile it as a module, choose M here.
719
720config NF_FLOW_TABLE
721	tristate "Netfilter flow table module"
722	depends on NETFILTER_INGRESS
723	depends on NF_CONNTRACK
724	depends on NF_TABLES
725	help
726	  This option adds the flow table core infrastructure.
727
728	  To compile it as a module, choose M here.
729
730config NF_FLOW_TABLE_PROCFS
731	bool "Supply flow table statistics in procfs"
732	depends on NF_FLOW_TABLE
733	depends on PROC_FS
734	help
	  This option enables the flow table offload statistics
	  to be shown in procfs under net/netfilter/nf_flowtable.
737
738config NETFILTER_XTABLES
739	tristate "Netfilter Xtables support (required for ip_tables)"
740	default m if NETFILTER_ADVANCED=n
741	help
742	  This is required if you intend to use any of ip_tables,
743	  ip6_tables or arp_tables.
744
745if NETFILTER_XTABLES
746
747config NETFILTER_XTABLES_COMPAT
748	bool "Netfilter Xtables 32bit support"
749	depends on COMPAT
750	default y
751	help
	   This option provides a translation layer to run 32bit arp, ip(6) and
	   ebtables binaries on 64bit kernels. It is only needed if you run
	   such 32bit userspace binaries; otherwise say N to leave the
	   translation layer out.

	   If unsure, say N.
756
757comment "Xtables combined modules"
758
759config NETFILTER_XT_MARK
760	tristate 'nfmark target and match support'
761	default m if NETFILTER_ADVANCED=n
762	help
763	This option adds the "MARK" target and "mark" match.
764
765	Netfilter mark matching allows you to match packets based on the
766	"nfmark" value in the packet.
767	The target allows you to create rules in the "mangle" table which alter
768	the netfilter mark (nfmark) field associated with the packet.
769
770	Prior to routing, the nfmark can influence the routing method and can
771	also be used by other subsystems to change their behavior.
772
773config NETFILTER_XT_CONNMARK
774	tristate 'ctmark target and match support'
775	depends on NF_CONNTRACK
776	depends on NETFILTER_ADVANCED
777	select NF_CONNTRACK_MARK
778	help
779	This option adds the "CONNMARK" target and "connmark" match.
780
781	Netfilter allows you to store a mark value per connection (a.k.a.
782	ctmark), similarly to the packet mark (nfmark). Using this
783	target and match, you can set and match on this mark.
784
785config NETFILTER_XT_SET
786	tristate 'set target and match support'
787	depends on IP_SET
788	depends on NETFILTER_ADVANCED
789	help
790	  This option adds the "SET" target and "set" match.
791
792	  Using this target and match, you can add/delete and match
793	  elements in the sets created by ipset(8).
794
795	  To compile it as a module, choose M here.  If unsure, say N.
796
797# alphabetically ordered list of targets
798
799comment "Xtables targets"
800
801config NETFILTER_XT_TARGET_AUDIT
802	tristate "AUDIT target support"
803	depends on AUDIT
804	depends on NETFILTER_ADVANCED
805	help
806	  This option adds a 'AUDIT' target, which can be used to create
807	  audit records for packets dropped/accepted.
808
	  To compile it as a module, choose M here. If unsure, say N.
810
811config NETFILTER_XT_TARGET_CHECKSUM
812	tristate "CHECKSUM target support"
813	depends on IP_NF_MANGLE || IP6_NF_MANGLE
814	depends on NETFILTER_ADVANCED
815	help
816	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
817	  table to work around buggy DHCP clients in virtualized environments.
818
819	  Some old DHCP clients drop packets because they are not aware
820	  that the checksum would normally be offloaded to hardware and
821	  thus should be considered valid.
822	  This target can be used to fill in the checksum using iptables
823	  when such packets are sent via a virtual network device.
824
825	  To compile it as a module, choose M here.  If unsure, say N.
826
827config NETFILTER_XT_TARGET_CLASSIFY
828	tristate '"CLASSIFY" target support'
829	depends on NETFILTER_ADVANCED
830	help
831	  This option adds a `CLASSIFY' target, which enables the user to set
832	  the priority of a packet. Some qdiscs can use this value for
833	  classification, among these are:
834
835	  atm, cbq, dsmark, pfifo_fast, htb, prio
836
837	  To compile it as a module, choose M here.  If unsure, say N.
838
839config NETFILTER_XT_TARGET_CONNMARK
840	tristate  '"CONNMARK" target support'
841	depends on NF_CONNTRACK
842	depends on NETFILTER_ADVANCED
843	select NETFILTER_XT_CONNMARK
844	help
845	This is a backwards-compat option for the user's convenience
846	(e.g. when running oldconfig). It selects
847	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
848
849config NETFILTER_XT_TARGET_CONNSECMARK
850	tristate '"CONNSECMARK" target support'
851	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
852	default m if NETFILTER_ADVANCED=n
853	help
854	  The CONNSECMARK target copies security markings from packets
855	  to connections, and restores security markings from connections
856	  to packets (if the packets are not already marked).  This would
857	  normally be used in conjunction with the SECMARK target.
858
859	  To compile it as a module, choose M here.  If unsure, say N.
860
861config NETFILTER_XT_TARGET_CT
862	tristate '"CT" target support'
863	depends on NF_CONNTRACK
864	depends on IP_NF_RAW || IP6_NF_RAW
865	depends on NETFILTER_ADVANCED
866	help
	  This option adds a `CT' target, which allows you to specify initial
868	  connection tracking parameters like events to be delivered and
869	  the helper to be used.
870
871	  To compile it as a module, choose M here.  If unsure, say N.
872
873config NETFILTER_XT_TARGET_DSCP
874	tristate '"DSCP" and "TOS" target support'
875	depends on IP_NF_MANGLE || IP6_NF_MANGLE
876	depends on NETFILTER_ADVANCED
877	help
878	  This option adds a `DSCP' target, which allows you to manipulate
879	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
880
881	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
882
883	  It also adds the "TOS" target, which allows you to create rules in
884	  the "mangle" table which alter the Type Of Service field of an IPv4
885	  or the Priority field of an IPv6 packet, prior to routing.
886
887	  To compile it as a module, choose M here.  If unsure, say N.
888
889config NETFILTER_XT_TARGET_HL
890	tristate '"HL" hoplimit target support'
891	depends on IP_NF_MANGLE || IP6_NF_MANGLE
892	depends on NETFILTER_ADVANCED
893	help
894	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
895	targets, which enable the user to change the
896	hoplimit/time-to-live value of the IP header.
897
898	While it is safe to decrement the hoplimit/TTL value, the
899	modules also allow to increment and set the hoplimit value of
900	the header to arbitrary values. This is EXTREMELY DANGEROUS
901	since you can easily create immortal packets that loop
902	forever on the network.
903
904config NETFILTER_XT_TARGET_HMARK
905	tristate '"HMARK" target support'
906	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
907	depends on NETFILTER_ADVANCED
908	help
909	This option adds the "HMARK" target.
910
911	The target allows you to create rules in the "raw" and "mangle" tables
912	which set the skbuff mark by means of hash calculation within a given
913	range. The nfmark can influence the routing method and can also be used
914	by other subsystems to change their behaviour.
915
916	To compile it as a module, choose M here. If unsure, say N.
917
918config NETFILTER_XT_TARGET_IDLETIMER
919	tristate  "IDLETIMER target support"
920	depends on NETFILTER_ADVANCED
921	help
922
923	  This option adds the `IDLETIMER' target.  Each matching packet
924	  resets the timer associated with the label specified when the rule is
925	  added.  When the timer expires, it triggers a sysfs notification.
926	  The remaining time for expiration can be read via sysfs.
927
928	  To compile it as a module, choose M here.  If unsure, say N.
929
930config NETFILTER_XT_TARGET_LED
931	tristate '"LED" target support'
932	depends on LEDS_CLASS && LEDS_TRIGGERS
933	depends on NETFILTER_ADVANCED
934	help
935	  This option adds a `LED' target, which allows you to blink LEDs in
936	  response to particular packets passing through your machine.
937
938	  This can be used to turn a spare LED into a network activity LED,
939	  which only flashes in response to FTP transfers, for example.  Or
940	  you could have an LED which lights up for a minute or two every time
941	  somebody connects to your machine via SSH.
942
943	  You will need support for the "led" class to make this work.
944
945	  To create an LED trigger for incoming SSH traffic:
946	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
947
948	  Then attach the new trigger to an LED on your system:
949	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
950
951	  For more information on the LEDs available on your system, see
952	  Documentation/leds/leds-class.rst
953
954config NETFILTER_XT_TARGET_LOG
955	tristate "LOG target support"
956	select NF_LOG_SYSLOG
957	select NF_LOG_IPV6 if IP6_NF_IPTABLES
958	default m if NETFILTER_ADVANCED=n
959	help
960	  This option adds a `LOG' target, which allows you to create rules in
961	  any iptables table which records the packet header to the syslog.
962
963	  To compile it as a module, choose M here.  If unsure, say N.
964
965config NETFILTER_XT_TARGET_MARK
966	tristate '"MARK" target support'
967	depends on NETFILTER_ADVANCED
968	select NETFILTER_XT_MARK
969	help
970	This is a backwards-compat option for the user's convenience
971	(e.g. when running oldconfig). It selects
972	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
973
974config NETFILTER_XT_NAT
975	tristate '"SNAT and DNAT" targets support'
976	depends on NF_NAT
977	help
978	This option enables the SNAT and DNAT targets.
979
980	To compile it as a module, choose M here. If unsure, say N.
981
982config NETFILTER_XT_TARGET_NETMAP
983	tristate '"NETMAP" target support'
984	depends on NF_NAT
985	help
986	NETMAP is an implementation of static 1:1 NAT mapping of network
987	addresses. It maps the network address part, while keeping the host
988	address part intact.
989
990	To compile it as a module, choose M here. If unsure, say N.
991
992config NETFILTER_XT_TARGET_NFLOG
993	tristate '"NFLOG" target support'
994	default m if NETFILTER_ADVANCED=n
995	select NETFILTER_NETLINK_LOG
996	help
997	  This option enables the NFLOG target, which allows you to log
998	  messages through nfnetlink_log.
999
1000	  To compile it as a module, choose M here.  If unsure, say N.
1001
1002config NETFILTER_XT_TARGET_NFQUEUE
1003	tristate '"NFQUEUE" target Support'
1004	depends on NETFILTER_ADVANCED
1005	select NETFILTER_NETLINK_QUEUE
1006	help
1007	  This target replaced the old obsolete QUEUE target.
1008
1009	  As opposed to QUEUE, it supports 65535 different queues,
1010	  not just one.
1011
1012	  To compile it as a module, choose M here.  If unsure, say N.
1013
1014config NETFILTER_XT_TARGET_NOTRACK
1015	tristate  '"NOTRACK" target support (DEPRECATED)'
1016	depends on NF_CONNTRACK
1017	depends on IP_NF_RAW || IP6_NF_RAW
1018	depends on NETFILTER_ADVANCED
1019	select NETFILTER_XT_TARGET_CT
1020
1021config NETFILTER_XT_TARGET_RATEEST
1022	tristate '"RATEEST" target support'
1023	depends on NETFILTER_ADVANCED
1024	help
1025	  This option adds a `RATEEST' target, which allows you to measure
1026	  rates similar to TC estimators. The `rateest' match can be
1027	  used to match on the measured rates.
1028
1029	  To compile it as a module, choose M here.  If unsure, say N.
1030
1031config NETFILTER_XT_TARGET_REDIRECT
1032	tristate "REDIRECT target support"
1033	depends on NF_NAT
1034	select NF_NAT_REDIRECT
1035	help
1036	REDIRECT is a special case of NAT: all incoming connections are
1037	mapped onto the incoming interface's address, causing the packets to
1038	come to the local machine instead of passing through. This is
1039	useful for transparent proxies.
1040
1041	To compile it as a module, choose M here. If unsure, say N.
1042
1043config NETFILTER_XT_TARGET_MASQUERADE
1044	tristate "MASQUERADE target support"
1045	depends on NF_NAT
1046	default m if NETFILTER_ADVANCED=n
1047	select NF_NAT_MASQUERADE
1048	help
1049	  Masquerading is a special case of NAT: all outgoing connections are
1050	  changed to seem to come from a particular interface's address, and
1051	  if the interface goes down, those connections are lost.  This is
1052	  only useful for dialup accounts with dynamic IP address (ie. your IP
1053	  address will be different on next dialup).
1054
1055	  To compile it as a module, choose M here.  If unsure, say N.
1056
1057config NETFILTER_XT_TARGET_TEE
1058	tristate '"TEE" - packet cloning to alternate destination'
1059	depends on NETFILTER_ADVANCED
1060	depends on IPV6 || IPV6=n
1061	depends on !NF_CONNTRACK || NF_CONNTRACK
1062	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1063	select NF_DUP_IPV4
1064	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1065	help
1066	This option adds a "TEE" target with which a packet can be cloned and
1067	the clone rerouted to another nexthop.
1068
1069config NETFILTER_XT_TARGET_TPROXY
1070	tristate '"TPROXY" target transparent proxying support'
1071	depends on NETFILTER_XTABLES
1072	depends on NETFILTER_ADVANCED
1073	depends on IPV6 || IPV6=n
1074	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1075	depends on IP_NF_MANGLE
1076	select NF_DEFRAG_IPV4
1077	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1078	select NF_TPROXY_IPV4
1079	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1080	help
1081	  This option adds a `TPROXY' target, which is somewhat similar to
1082	  REDIRECT.  It can only be used in the mangle table and is useful
1083	  to redirect traffic to a transparent proxy.  It does _not_ depend
1084	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1085	  For it to work you will have to configure certain iptables rules
1086	  and use policy routing. For more information on how to set it up
1087	  see Documentation/networking/tproxy.rst.
1088
1089	  To compile it as a module, choose M here.  If unsure, say N.
1090
1091config NETFILTER_XT_TARGET_TRACE
1092	tristate  '"TRACE" target support'
1093	depends on IP_NF_RAW || IP6_NF_RAW
1094	depends on NETFILTER_ADVANCED
1095	help
1096	  The TRACE target allows you to mark packets so that the kernel
1097	  will log every rule that matches the packets as they traverse
1098	  the tables, chains and rules.
1099
1100	  If you want to compile it as a module, say M here and read
1101	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1102
1103config NETFILTER_XT_TARGET_SECMARK
1104	tristate '"SECMARK" target support'
1105	depends on NETWORK_SECMARK
1106	default m if NETFILTER_ADVANCED=n
1107	help
1108	  The SECMARK target allows security marking of network
1109	  packets, for use with security subsystems.
1110
1111	  To compile it as a module, choose M here.  If unsure, say N.
1112
1113config NETFILTER_XT_TARGET_TCPMSS
1114	tristate '"TCPMSS" target support'
1115	depends on IPV6 || IPV6=n
1116	default m if NETFILTER_ADVANCED=n
1117	help
1118	  This option adds a `TCPMSS' target, which allows you to alter the
1119	  MSS value of TCP SYN packets, to control the maximum size for that
1120	  connection (usually limiting it to your outgoing interface's MTU
1121	  minus 40).
1122
1123	  This is used to overcome criminally braindead ISPs or servers which
1124	  block ICMP Fragmentation Needed packets.  The symptoms of this
1125	  problem are that everything works fine from your Linux
1126	  firewall/router, but machines behind it can never exchange large
1127	  packets:
1128	        1) Web browsers connect, then hang with no data received.
1129	        2) Small mail works fine, but large emails hang.
1130	        3) ssh works fine, but scp hangs after initial handshaking.
1131
1132	  Workaround: activate this option and add a rule to your firewall
1133	  configuration like:
1134
1135	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1136	                 -j TCPMSS --clamp-mss-to-pmtu
1137
1138	  To compile it as a module, choose M here.  If unsure, say N.
1139
1140config NETFILTER_XT_TARGET_TCPOPTSTRIP
1141	tristate '"TCPOPTSTRIP" target support'
1142	depends on IP_NF_MANGLE || IP6_NF_MANGLE
1143	depends on NETFILTER_ADVANCED
1144	help
1145	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1146	  TCP options from TCP packets.
1147
1148# alphabetically ordered list of matches
1149
1150comment "Xtables matches"
1151
1152config NETFILTER_XT_MATCH_ADDRTYPE
1153	tristate '"addrtype" address type match support'
1154	default m if NETFILTER_ADVANCED=n
1155	help
1156	  This option allows you to match what routing thinks of an address,
1157	  eg. UNICAST, LOCAL, BROADCAST, ...
1158
1159	  If you want to compile it as a module, say M here and read
1160	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1161
1162config NETFILTER_XT_MATCH_BPF
1163	tristate '"bpf" match support'
1164	depends on NETFILTER_ADVANCED
1165	help
1166	  BPF matching applies a Linux socket filter to each packet and
1167	  accepts those for which the filter returns non-zero.
1168
1169	  To compile it as a module, choose M here.  If unsure, say N.
1170
1171config NETFILTER_XT_MATCH_CGROUP
1172	tristate '"control group" match support'
1173	depends on NETFILTER_ADVANCED
1174	depends on CGROUPS
1175	select CGROUP_NET_CLASSID
1176	help
1177	Socket/process control group matching allows you to match locally
1178	generated packets based on which net_cls control group processes
1179	belong to.
1180
1181config NETFILTER_XT_MATCH_CLUSTER
1182	tristate '"cluster" match support'
1183	depends on NF_CONNTRACK
1184	depends on NETFILTER_ADVANCED
1185	help
1186	  This option allows you to build work-load-sharing clusters of
1187	  network servers/stateful firewalls without having a dedicated
1188	  load-balancing router/server/switch. Basically, this match returns
1189	  true when the packet must be handled by this cluster node. Thus,
1190	  all nodes see all packets and this match decides which node handles
1191	  what packets. The work-load sharing algorithm is based on source
1192	  address hashing.
1193
1194	  If you say Y or M here, try `iptables -m cluster --help` for
1195	  more information.
1196
1197config NETFILTER_XT_MATCH_COMMENT
1198	tristate  '"comment" match support'
1199	depends on NETFILTER_ADVANCED
1200	help
1201	  This option adds a `comment' dummy-match, which allows you to put
1202	  comments in your iptables ruleset.
1203
1204	  If you want to compile it as a module, say M here and read
1205	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1206
1207config NETFILTER_XT_MATCH_CONNBYTES
1208	tristate  '"connbytes" per-connection counter match support'
1209	depends on NF_CONNTRACK
1210	depends on NETFILTER_ADVANCED
1211	help
1212	  This option adds a `connbytes' match, which allows you to match the
1213	  number of bytes and/or packets for each direction within a connection.
1214
1215	  If you want to compile it as a module, say M here and read
1216	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1217
1218config NETFILTER_XT_MATCH_CONNLABEL
1219	tristate '"connlabel" match support'
1220	select NF_CONNTRACK_LABELS
1221	depends on NF_CONNTRACK
1222	depends on NETFILTER_ADVANCED
1223	help
1224	  This match allows you to test and assign userspace-defined label names
1225	  to a connection.  The kernel only stores bit values - mapping
1226	  names to bits is done by userspace.
1227
1228	  Unlike connmark, more than 32 flag bits may be assigned to a
1229	  connection simultaneously.
1230
1231config NETFILTER_XT_MATCH_CONNLIMIT
1232	tristate '"connlimit" match support'
1233	depends on NF_CONNTRACK
1234	depends on NETFILTER_ADVANCED
1235	select NETFILTER_CONNCOUNT
1236	help
1237	  This match allows you to match against the number of parallel
1238	  connections to a server per client IP address (or address block).
1239
1240config NETFILTER_XT_MATCH_CONNMARK
1241	tristate  '"connmark" connection mark match support'
1242	depends on NF_CONNTRACK
1243	depends on NETFILTER_ADVANCED
1244	select NETFILTER_XT_CONNMARK
1245	help
1246	This is a backwards-compat option for the user's convenience
1247	(e.g. when running oldconfig). It selects
1248	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1249
1250config NETFILTER_XT_MATCH_CONNTRACK
1251	tristate '"conntrack" connection tracking match support'
1252	depends on NF_CONNTRACK
1253	default m if NETFILTER_ADVANCED=n
1254	help
1255	  This is a general conntrack match module, a superset of the state match.
1256
1257	  It allows matching on additional conntrack information, which is
1258	  useful in complex configurations, such as NAT gateways with multiple
1259	  internet links or tunnels.
1260
1261	  To compile it as a module, choose M here.  If unsure, say N.
1262
1263config NETFILTER_XT_MATCH_CPU
1264	tristate '"cpu" match support'
1265	depends on NETFILTER_ADVANCED
1266	help
1267	  CPU matching allows you to match packets based on the CPU
1268	  currently handling the packet.
1269
1270	  To compile it as a module, choose M here.  If unsure, say N.
1271
1272config NETFILTER_XT_MATCH_DCCP
1273	tristate '"dccp" protocol match support'
1274	depends on NETFILTER_ADVANCED
1275	default IP_DCCP
1276	help
1277	  With this option enabled, you will be able to use the iptables
1278	  `dccp' match in order to match on DCCP source/destination ports
1279	  and DCCP flags.
1280
1281	  If you want to compile it as a module, say M here and read
1282	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1283
1284config NETFILTER_XT_MATCH_DEVGROUP
1285	tristate '"devgroup" match support'
1286	depends on NETFILTER_ADVANCED
1287	help
1288	  This option adds a `devgroup' match, which allows you to match on the
1289	  device group a network device is assigned to.
1290
1291	  To compile it as a module, choose M here.  If unsure, say N.
1292
1293config NETFILTER_XT_MATCH_DSCP
1294	tristate '"dscp" and "tos" match support'
1295	depends on NETFILTER_ADVANCED
1296	help
1297	  This option adds a `DSCP' match, which allows you to match against
1298	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1299
1300	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1301
1302	  It will also add a "tos" match, which allows you to match packets
1303	  based on the Type Of Service fields of the IPv4 packet (which share
1304	  the same bits as DSCP).
1305
1306	  To compile it as a module, choose M here.  If unsure, say N.
1307
1308config NETFILTER_XT_MATCH_ECN
1309	tristate '"ecn" match support'
1310	depends on NETFILTER_ADVANCED
1311	help
1312	This option adds an "ECN" match, which allows you to match against
1313	the IPv4 and TCP header ECN fields.
1314
1315	To compile it as a module, choose M here. If unsure, say N.
1316
1317config NETFILTER_XT_MATCH_ESP
1318	tristate '"esp" match support'
1319	depends on NETFILTER_ADVANCED
1320	help
1321	  This match extension allows you to match a range of SPIs
1322	  inside the ESP header of IPsec packets.
1323
1324	  To compile it as a module, choose M here.  If unsure, say N.
1325
1326config NETFILTER_XT_MATCH_HASHLIMIT
1327	tristate '"hashlimit" match support'
1328	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1329	depends on NETFILTER_ADVANCED
1330	help
1331	  This option adds a `hashlimit' match.
1332
1333	  As opposed to `limit', this match dynamically creates a hash table
1334	  of limit buckets, based on your selection of source/destination
1335	  addresses and/or ports.
1336
1337	  It enables you to express policies like `10kpps for any given
1338	  destination address' or `500pps from any given source address'
1339	  with a single rule.
1340
1341config NETFILTER_XT_MATCH_HELPER
1342	tristate '"helper" match support'
1343	depends on NF_CONNTRACK
1344	depends on NETFILTER_ADVANCED
1345	help
1346	  Helper matching allows you to match packets in dynamic connections
1347	  tracked by a conntrack-helper, ie. nf_conntrack_ftp.
1348
1349	  To compile it as a module, choose M here.  If unsure, say Y.
1350
1351config NETFILTER_XT_MATCH_HL
1352	tristate '"hl" hoplimit/TTL match support'
1353	depends on NETFILTER_ADVANCED
1354	help
1355	HL matching allows you to match packets based on the hoplimit
1356	in the IPv6 header, or the time-to-live field in the IPv4
1357	header of the packet.
1358
1359config NETFILTER_XT_MATCH_IPCOMP
1360	tristate '"ipcomp" match support'
1361	depends on NETFILTER_ADVANCED
1362	help
1363	  This match extension allows you to match a range of CPIs (16 bits)
1364	  inside the IPComp header of IPsec packets.
1365
1366	  To compile it as a module, choose M here.  If unsure, say N.
1367
1368config NETFILTER_XT_MATCH_IPRANGE
1369	tristate '"iprange" address range match support'
1370	depends on NETFILTER_ADVANCED
1371	help
1372	This option adds an "iprange" match, which allows you to match based on
1373	an IP address range. (Normal iptables only matches on single addresses
1374	with an optional mask.)
1375
1376	If unsure, say M.
1377
1378config NETFILTER_XT_MATCH_IPVS
1379	tristate '"ipvs" match support'
1380	depends on IP_VS
1381	depends on NETFILTER_ADVANCED
1382	depends on NF_CONNTRACK
1383	help
1384	  This option allows you to match against IPVS properties of a packet.
1385
1386	  If unsure, say N.
1387
1388config NETFILTER_XT_MATCH_L2TP
1389	tristate '"l2tp" match support'
1390	depends on NETFILTER_ADVANCED
1391	default L2TP
1392	help
1393	This option adds an "L2TP" match, which allows you to match against
1394	L2TP protocol header fields.
1395
1396	To compile it as a module, choose M here. If unsure, say N.
1397
1398config NETFILTER_XT_MATCH_LENGTH
1399	tristate '"length" match support'
1400	depends on NETFILTER_ADVANCED
1401	help
1402	  This option allows you to match the length of a packet against a
1403	  specific value or range of values.
1404
1405	  To compile it as a module, choose M here.  If unsure, say N.
1406
1407config NETFILTER_XT_MATCH_LIMIT
1408	tristate '"limit" match support'
1409	depends on NETFILTER_ADVANCED
1410	help
1411	  limit matching allows you to control the rate at which a rule can be
1412	  matched: mainly useful in combination with the LOG target ("LOG
1413	  target support", below) and to avoid some Denial of Service attacks.
1414
1415	  To compile it as a module, choose M here.  If unsure, say N.
1416
1417config NETFILTER_XT_MATCH_MAC
1418	tristate '"mac" address match support'
1419	depends on NETFILTER_ADVANCED
1420	help
1421	  MAC matching allows you to match packets based on the source
1422	  Ethernet address of the packet.
1423
1424	  To compile it as a module, choose M here.  If unsure, say N.
1425
1426config NETFILTER_XT_MATCH_MARK
1427	tristate '"mark" match support'
1428	depends on NETFILTER_ADVANCED
1429	select NETFILTER_XT_MARK
1430	help
1431	This is a backwards-compat option for the user's convenience
1432	(e.g. when running oldconfig). It selects
1433	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1434
1435config NETFILTER_XT_MATCH_MULTIPORT
1436	tristate '"multiport" Multiple port match support'
1437	depends on NETFILTER_ADVANCED
1438	help
1439	  Multiport matching allows you to match TCP or UDP packets based on
1440	  a series of source or destination ports: normally a rule can only
1441	  match a single range of ports.
1442
1443	  To compile it as a module, choose M here.  If unsure, say N.
1444
1445config NETFILTER_XT_MATCH_NFACCT
1446	tristate '"nfacct" match support'
1447	depends on NETFILTER_ADVANCED
1448	select NETFILTER_NETLINK_ACCT
1449	help
1450	  This option allows you to use the extended accounting through
1451	  nfnetlink_acct.
1452
1453	  To compile it as a module, choose M here.  If unsure, say N.
1454
1455config NETFILTER_XT_MATCH_OSF
1456	tristate '"osf" Passive OS fingerprint match'
1457	depends on NETFILTER_ADVANCED
1458	select NETFILTER_NETLINK_OSF
1459	help
1460	  This option selects the Passive OS Fingerprinting match module
1461	  that allows you to passively match the remote operating system by
1462	  analyzing incoming TCP SYN packets.
1463
1464	  Rules and loading software can be downloaded from
1465	  http://www.ioremap.net/projects/osf
1466
1467	  To compile it as a module, choose M here.  If unsure, say N.
1468
1469config NETFILTER_XT_MATCH_OWNER
1470	tristate '"owner" match support'
1471	depends on NETFILTER_ADVANCED
1472	help
1473	Socket owner matching allows you to match locally-generated packets
1474	based on who created the socket: the user or group. It is also
1475	possible to check whether a socket actually exists.
1476
1477config NETFILTER_XT_MATCH_POLICY
1478	tristate 'IPsec "policy" match support'
1479	depends on XFRM
1480	default m if NETFILTER_ADVANCED=n
1481	help
1482	  Policy matching allows you to match packets based on the
1483	  IPsec policy that was used during decapsulation/will
1484	  be used during encapsulation.
1485
1486	  To compile it as a module, choose M here.  If unsure, say N.
1487
1488config NETFILTER_XT_MATCH_PHYSDEV
1489	tristate '"physdev" match support'
1490	depends on BRIDGE && BRIDGE_NETFILTER
1491	depends on NETFILTER_ADVANCED
1492	help
1493	  Physdev packet matching matches against the physical bridge ports
1494	  the IP packet arrived on or will leave by.
1495
1496	  To compile it as a module, choose M here.  If unsure, say N.
1497
1498config NETFILTER_XT_MATCH_PKTTYPE
1499	tristate '"pkttype" packet type match support'
1500	depends on NETFILTER_ADVANCED
1501	help
1502	  Packet type matching allows you to match a packet by
1503	  its "class", eg. BROADCAST, MULTICAST, ...
1504
1505	  Typical usage:
1506	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1507
1508	  To compile it as a module, choose M here.  If unsure, say N.
1509
1510config NETFILTER_XT_MATCH_QUOTA
1511	tristate '"quota" match support'
1512	depends on NETFILTER_ADVANCED
1513	help
1514	  This option adds a `quota' match, which allows you to match on a
1515	  byte counter.
1516
1517	  If you want to compile it as a module, say M here and read
1518	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1519
1520config NETFILTER_XT_MATCH_RATEEST
1521	tristate '"rateest" match support'
1522	depends on NETFILTER_ADVANCED
1523	select NETFILTER_XT_TARGET_RATEEST
1524	help
1525	  This option adds a `rateest' match, which allows you to match on the
1526	  rate estimated by the RATEEST target.
1527
1528	  To compile it as a module, choose M here.  If unsure, say N.
1529
1530config NETFILTER_XT_MATCH_REALM
1531	tristate  '"realm" match support'
1532	depends on NETFILTER_ADVANCED
1533	select IP_ROUTE_CLASSID
1534	help
1535	  This option adds a `realm' match, which allows you to use the realm
1536	  key from the routing subsystem inside iptables.
1537
1538	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1539	  in tc world.
1540
1541	  If you want to compile it as a module, say M here and read
1542	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1543
1544config NETFILTER_XT_MATCH_RECENT
1545	tristate '"recent" match support'
1546	depends on NETFILTER_ADVANCED
1547	help
1548	This match is used for creating one or many lists of recently
1549	used addresses and then matching against that/those list(s).
1550
1551	Short options are available by using 'iptables -m recent -h'
1552	Official Website: <http://snowman.net/projects/ipt_recent/>
1553
1554config NETFILTER_XT_MATCH_SCTP
1555	tristate  '"sctp" protocol match support'
1556	depends on NETFILTER_ADVANCED
1557	default IP_SCTP
1558	help
1559	  With this option enabled, you will be able to use the
1560	  `sctp' match in order to match on SCTP source/destination ports
1561	  and SCTP chunk types.
1562
1563	  If you want to compile it as a module, say M here and read
1564	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1565
1566config NETFILTER_XT_MATCH_SOCKET
1567	tristate '"socket" match support'
1568	depends on NETFILTER_XTABLES
1569	depends on NETFILTER_ADVANCED
1570	depends on IPV6 || IPV6=n
1571	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1572	select NF_SOCKET_IPV4
1573	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1574	select NF_DEFRAG_IPV4
1575	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1576	help
1577	  This option adds a `socket' match, which can be used to match
1578	  packets for which a TCP or UDP socket lookup finds a valid socket.
1579	  It can be used in combination with the MARK target and policy
1580	  routing to implement full featured non-locally bound sockets.
1581
1582	  To compile it as a module, choose M here.  If unsure, say N.
1583
1584config NETFILTER_XT_MATCH_STATE
1585	tristate '"state" match support'
1586	depends on NF_CONNTRACK
1587	default m if NETFILTER_ADVANCED=n
1588	help
1589	  Connection state matching allows you to match packets based on their
1590	  relationship to a tracked connection (ie. previous packets).  This
1591	  is a powerful tool for packet classification.
1592
1593	  To compile it as a module, choose M here.  If unsure, say N.
1594
1595config NETFILTER_XT_MATCH_STATISTIC
1596	tristate '"statistic" match support'
1597	depends on NETFILTER_ADVANCED
1598	help
1599	  This option adds a `statistic' match, which allows you to match
1600	  on packets periodically or randomly with a given percentage.
1601
1602	  To compile it as a module, choose M here.  If unsure, say N.
1603
1604config NETFILTER_XT_MATCH_STRING
1605	tristate  '"string" match support'
1606	depends on NETFILTER_ADVANCED
1607	select TEXTSEARCH
1608	select TEXTSEARCH_KMP
1609	select TEXTSEARCH_BM
1610	select TEXTSEARCH_FSM
1611	help
1612	  This option adds a `string' match, which allows you to search for
1613	  patterns in packets.
1614
1615	  To compile it as a module, choose M here.  If unsure, say N.
1616
1617config NETFILTER_XT_MATCH_TCPMSS
1618	tristate '"tcpmss" match support'
1619	depends on NETFILTER_ADVANCED
1620	help
1621	  This option adds a `tcpmss' match, which allows you to examine the
1622	  MSS value of TCP SYN packets, which controls the maximum packet size
1623	  for that connection.
1624
1625	  To compile it as a module, choose M here.  If unsure, say N.
1626
1627config NETFILTER_XT_MATCH_TIME
1628	tristate '"time" match support'
1629	depends on NETFILTER_ADVANCED
1630	help
1631	  This option adds a "time" match, which allows you to match based on
1632	  the packet arrival time (at the machine on which netfilter is
1633	  running) or departure time/date (for locally generated packets).
1634
1635	  If you say Y here, try `iptables -m time --help` for
1636	  more information.
1637
1638	  If you want to compile it as a module, say M here.
1639	  If unsure, say N.
1640
1641config NETFILTER_XT_MATCH_U32
1642	tristate '"u32" match support'
1643	depends on NETFILTER_ADVANCED
1644	help
1645	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1646	  AND them with specified masks, shift them by specified amounts and
1647	  test whether the results are in any of a set of specified ranges.
1648	  The specification of what to extract is general enough to skip over
1649	  headers with lengths stored in the packet, as in IP or TCP header
1650	  lengths.
1651
1652	  Details and examples are in the kernel module source.
1653
1654endif # NETFILTER_XTABLES
1655
1656endmenu
1657
1658source "net/netfilter/ipset/Kconfig"
1659
1660source "net/netfilter/ipvs/Kconfig"
1661