1# SPDX-License-Identifier: GPL-2.0-only
2menu "Core Netfilter Configuration"
3	depends on INET && NETFILTER
4
5config NETFILTER_INGRESS
6	bool "Netfilter ingress support"
7	default y
8	select NET_INGRESS
9	help
10	  This allows you to classify packets from ingress using the Netfilter
11	  infrastructure.
12
13config NETFILTER_EGRESS
14	bool "Netfilter egress support"
15	default y
16	select NET_EGRESS
17	help
18	  This allows you to classify packets before transmission using the
19	  Netfilter infrastructure.
20
21config NETFILTER_SKIP_EGRESS
22	def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)
23
24config NETFILTER_NETLINK
25	tristate
26
27config NETFILTER_FAMILY_BRIDGE
28	bool
29
30config NETFILTER_FAMILY_ARP
31	bool
32
33config NETFILTER_BPF_LINK
34	def_bool BPF_SYSCALL
35
36config NETFILTER_NETLINK_HOOK
37	tristate "Netfilter base hook dump support"
38	depends on NETFILTER_ADVANCED
39	depends on NF_TABLES
40	select NETFILTER_NETLINK
41	help
42	  If this option is enabled, the kernel will include support
43	  to list the base netfilter hooks via NFNETLINK.
44	  This is helpful for debugging.
45
46config NETFILTER_NETLINK_ACCT
47	tristate "Netfilter NFACCT over NFNETLINK interface"
48	depends on NETFILTER_ADVANCED
49	select NETFILTER_NETLINK
50	help
51	  If this option is enabled, the kernel will include support
52	  for extended accounting via NFNETLINK.
53
54config NETFILTER_NETLINK_QUEUE
55	tristate "Netfilter NFQUEUE over NFNETLINK interface"
56	depends on NETFILTER_ADVANCED
57	select NETFILTER_NETLINK
58	help
59	  If this option is enabled, the kernel will include support
60	  for queueing packets via NFNETLINK.
61
62config NETFILTER_NETLINK_LOG
63	tristate "Netfilter LOG over NFNETLINK interface"
64	default m if NETFILTER_ADVANCED=n
65	select NETFILTER_NETLINK
66	help
67	  If this option is enabled, the kernel will include support
68	  for logging packets via NFNETLINK.
69
70	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
71	  and is also scheduled to replace the old syslog-based ipt_LOG
72	  and ip6t_LOG modules.
73
74config NETFILTER_NETLINK_OSF
75	tristate "Netfilter OSF over NFNETLINK interface"
76	depends on NETFILTER_ADVANCED
77	select NETFILTER_NETLINK
78	help
79	  If this option is enabled, the kernel will include support
80	  for passive OS fingerprint via NFNETLINK.
81
82config NF_CONNTRACK
83	tristate "Netfilter connection tracking support"
84	default m if NETFILTER_ADVANCED=n
85	select NF_DEFRAG_IPV4
86	select NF_DEFRAG_IPV6 if IPV6 != n
87	help
88	  Connection tracking keeps a record of what packets have passed
89	  through your machine, in order to figure out how they are related
90	  into connections.
91
92	  This is required to do Masquerading or other kinds of Network
93	  Address Translation.  It can also be used to enhance packet
94	  filtering (see `Connection state match support' below).
95
96	  To compile it as a module, choose M here.  If unsure, say N.
97
98config NF_LOG_SYSLOG
99	tristate "Syslog packet logging"
100	default m if NETFILTER_ADVANCED=n
101	help
102	  This option enables support for packet logging via syslog.
103	  It supports IPv4, IPv6, ARP and common transport protocols such
104	  as TCP and UDP.
105	  This is a simpler but less flexible logging method compared to
106	  CONFIG_NETFILTER_NETLINK_LOG.
107	  If both are enabled the backend to use can be configured at run-time
108	  by means of per-address-family sysctl tunables.
109
110if NF_CONNTRACK
111config NETFILTER_CONNCOUNT
112	tristate
113
114config NF_CONNTRACK_MARK
115	bool  'Connection mark tracking support'
116	depends on NETFILTER_ADVANCED
117	help
118	  This option enables support for connection marks, used by the
119	  `CONNMARK' target and `connmark' match. Similar to the mark value
120	  of packets, but this mark value is kept in the conntrack session
121	  instead of the individual packets.
122
123config NF_CONNTRACK_SECMARK
124	bool  'Connection tracking security mark support'
125	depends on NETWORK_SECMARK
126	default y if NETFILTER_ADVANCED=n
127	help
128	  This option enables security markings to be applied to
129	  connections.  Typically they are copied to connections from
130	  packets using the CONNSECMARK target and copied back from
131	  connections to packets with the same target, with the packets
132	  being originally labeled via SECMARK.
133
134	  If unsure, say 'N'.
135
136config NF_CONNTRACK_ZONES
137	bool  'Connection tracking zones'
138	depends on NETFILTER_ADVANCED
139	help
140	  This option enables support for connection tracking zones.
141	  Normally, each connection needs to have a unique system wide
142	  identity. Connection tracking zones allow multiple connections
143	  to use the same identity, as long as they are contained in
144	  different zones.
145
146	  If unsure, say `N'.
147
148config NF_CONNTRACK_PROCFS
149	bool "Supply CT list in procfs (OBSOLETE)"
150	depends on PROC_FS
151	help
152	This option enables the list of known conntrack entries to be
153	shown in procfs under net/netfilter/nf_conntrack. This is
154	considered obsolete in favor of the conntrack(8) tool, which
155	uses Netlink.
156
157config NF_CONNTRACK_EVENTS
158	bool "Connection tracking events"
159	depends on NETFILTER_ADVANCED
160	help
161	  If this option is enabled, the connection tracking code will
162	  provide a notifier chain that can be used by other kernel code
163	  to get notified about changes in the connection tracking state.
164
165	  If unsure, say `N'.
166
167config NF_CONNTRACK_TIMEOUT
168	bool  'Connection tracking timeout'
169	depends on NETFILTER_ADVANCED
170	help
171	  This option enables support for the connection tracking timeout
172	  extension. This allows you to attach timeout policies to flows
173	  via the CT target.
174
175	  If unsure, say `N'.
176
177config NF_CONNTRACK_TIMESTAMP
178	bool  'Connection tracking timestamping'
179	depends on NETFILTER_ADVANCED
180	help
181	  This option enables support for connection tracking timestamping.
182	  This allows you to store the flow start-time and to obtain
183	  the flow-stop time (once it has been destroyed) via Connection
184	  tracking events.
185
186	  If unsure, say `N'.
187
188config NF_CONNTRACK_LABELS
189	bool "Connection tracking labels"
190	help
191	  This option enables support for assigning user-defined flag bits
192	  to connection tracking entries.  It can be used with xtables connlabel
193	  match and the nftables ct expression.
194
195config NF_CONNTRACK_OVS
196	bool
197
198config NF_CT_PROTO_GRE
199	bool
200
201config NF_CT_PROTO_SCTP
202	bool 'SCTP protocol connection tracking support'
203	depends on NETFILTER_ADVANCED
204	default y
205	select NET_CRC32C
206	help
207	  With this option enabled, the layer 3 independent connection
208	  tracking code will be able to do state tracking on SCTP connections.
209
210	  If unsure, say Y.
211
212config NF_CONNTRACK_AMANDA
213	tristate "Amanda backup protocol support"
214	depends on NETFILTER_ADVANCED
215	select TEXTSEARCH
216	select TEXTSEARCH_KMP
217	help
218	  If you are running the Amanda backup package <http://www.amanda.org/>
219	  on this machine or machines that will be MASQUERADED through this
220	  machine, then you may want to enable this feature.  This allows the
221	  connection tracking and natting code to allow the sub-channels that
222	  Amanda requires for communication of the backup data, messages and
223	  index.
224
225	  To compile it as a module, choose M here.  If unsure, say N.
226
227config NF_CONNTRACK_FTP
228	tristate "FTP protocol support"
229	default m if NETFILTER_ADVANCED=n
230	help
231	  Tracking FTP connections is problematic: special helpers are
232	  required for tracking them, and doing masquerading and other forms
233	  of Network Address Translation on them.
234
235	  This is FTP support on Layer 3 independent connection tracking.
236
237	  To compile it as a module, choose M here.  If unsure, say N.
238
239config NF_CONNTRACK_H323
240	tristate "H.323 protocol support"
241	depends on NETFILTER_ADVANCED
242	help
243	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
244	  important VoIP protocols, it is widely used by voice hardware and
245	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
246	  Gnomemeeting, etc.
247
248	  With this module you can support H.323 on a connection tracking/NAT
249	  firewall.
250
251	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
252	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
253	  whiteboard, file transfer, etc. For more information, please
254	  visit http://nath323.sourceforge.net/.
255
256	  To compile it as a module, choose M here.  If unsure, say N.
257
258config NF_CONNTRACK_IRC
259	tristate "IRC protocol support"
260	default m if NETFILTER_ADVANCED=n
261	help
262	  There is a commonly-used extension to IRC called
263	  Direct Client-to-Client Protocol (DCC).  This enables users to send
264	  files to each other, and also chat to each other without the need
265	  of a server.  DCC Sending is used anywhere you send files over IRC,
266	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
267	  using NAT, this extension will enable you to send files and initiate
268	  chats.  Note that you do NOT need this extension to get files or
269	  have others initiate chats, or everything else in IRC.
270
271	  To compile it as a module, choose M here.  If unsure, say N.
272
273config NF_CONNTRACK_BROADCAST
274	tristate
275
276config NF_CONNTRACK_NETBIOS_NS
277	tristate "NetBIOS name service protocol support"
278	select NF_CONNTRACK_BROADCAST
279	help
280	  NetBIOS name service requests are sent as broadcast messages from an
281	  unprivileged port and responded to with unicast messages to the
282	  same port. This makes them hard to firewall properly because connection
283	  tracking doesn't deal with broadcasts. This helper tracks locally
284	  originating NetBIOS name service requests and the corresponding
285	  responses. It relies on correct IP address configuration, specifically
286	  netmask and broadcast address. When properly configured, the output
287	  of "ip address show" should look similar to this:
288
289	  $ ip -4 address show eth0
290	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
291	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
292
293	  To compile it as a module, choose M here.  If unsure, say N.
294
295config NF_CONNTRACK_SNMP
296	tristate "SNMP service protocol support"
297	depends on NETFILTER_ADVANCED
298	select NF_CONNTRACK_BROADCAST
299	help
300	  SNMP service requests are sent as broadcast messages from an
301	  unprivileged port and responded to with unicast messages to the
302	  same port. This makes them hard to firewall properly because connection
303	  tracking doesn't deal with broadcasts. This helper tracks locally
304	  originating SNMP service requests and the corresponding
305	  responses. It relies on correct IP address configuration, specifically
306	  netmask and broadcast address.
307
308	  To compile it as a module, choose M here.  If unsure, say N.
309
310config NF_CONNTRACK_PPTP
311	tristate "PPtP protocol support"
312	depends on NETFILTER_ADVANCED
313	select NF_CT_PROTO_GRE
314	help
315	  This module adds support for PPTP (Point to Point Tunnelling
316	  Protocol, RFC2637) connection tracking and NAT.
317
318	  If you are running PPTP sessions over a stateful firewall or NAT
319	  box, you may want to enable this feature.
320
321	  Please note that not all PPTP modes of operation are supported yet.
322	  Specifically these limitations exist:
323	    - Blindly assumes that control connections are always established
324	      in PNS->PAC direction. This is a violation of RFC2637.
325	    - Only supports a single call within each session
326
327	  To compile it as a module, choose M here.  If unsure, say N.
328
329config NF_CONNTRACK_SANE
330	tristate "SANE protocol support"
331	depends on NETFILTER_ADVANCED
332	help
333	  SANE is a protocol for remote access to scanners as implemented
334	  by the 'saned' daemon. Like FTP, it uses separate control and
335	  data connections.
336
337	  With this module you can support SANE on a connection tracking
338	  firewall.
339
340	  To compile it as a module, choose M here.  If unsure, say N.
341
342config NF_CONNTRACK_SIP
343	tristate "SIP protocol support"
344	default m if NETFILTER_ADVANCED=n
345	help
346	  SIP is an application-layer control protocol that can establish,
347	  modify, and terminate multimedia sessions (conferences) such as
348	  Internet telephony calls. With the nf_conntrack_sip and
349	  the nf_nat_sip modules you can support the protocol on a connection
350	  tracking/NATing firewall.
351
352	  To compile it as a module, choose M here.  If unsure, say N.
353
354config NF_CONNTRACK_TFTP
355	tristate "TFTP protocol support"
356	depends on NETFILTER_ADVANCED
357	help
358	  TFTP connection tracking helper; whether it is required depends
359	  on how restrictive your ruleset is.
360	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
361	  you will need this.
362
363	  To compile it as a module, choose M here.  If unsure, say N.
364
365config NF_CT_NETLINK
366	tristate 'Connection tracking netlink interface'
367	select NETFILTER_NETLINK
368	default m if NETFILTER_ADVANCED=n
369	help
370	  This option enables support for a netlink-based userspace interface to connection tracking.
371
372config NF_CT_NETLINK_TIMEOUT
373	tristate  'Connection tracking timeout tuning via Netlink'
374	select NETFILTER_NETLINK
375	depends on NETFILTER_ADVANCED
376	depends on NF_CONNTRACK_TIMEOUT
377	help
378	  This option enables support for connection tracking timeout
379	  fine-grain tuning. This allows you to attach specific timeout
380	  policies to flows, instead of using the global timeout policy.
381
382	  If unsure, say `N'.
383
384config NF_CT_NETLINK_HELPER
385	tristate 'Connection tracking helpers in user-space via Netlink'
386	select NETFILTER_NETLINK
387	depends on NF_CT_NETLINK
388	depends on NETFILTER_NETLINK_QUEUE
389	depends on NETFILTER_NETLINK_GLUE_CT
390	depends on NETFILTER_ADVANCED
391	help
392	  This option enables the user-space connection tracking helpers
393	  infrastructure.
394
395	  If unsure, say `N'.
396
397config NETFILTER_NETLINK_GLUE_CT
398	bool "NFQUEUE and NFLOG integration with Connection Tracking"
399	default n
400	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
401	help
402	  If this option is enabled, NFQUEUE and NFLOG can include
403	  Connection Tracking information together with the packet that
404	  is enqueued via NFNETLINK.
405
406config NF_NAT
407	tristate "Network Address Translation support"
408	depends on NF_CONNTRACK
409	default m if NETFILTER_ADVANCED=n
410	help
411	  The NAT option allows masquerading, port forwarding and other
412	  forms of full Network Address Port Translation. This can be
413	  controlled by iptables, ip6tables or nft.
414
415config NF_NAT_AMANDA
416	tristate
417	depends on NF_CONNTRACK && NF_NAT
418	default NF_NAT && NF_CONNTRACK_AMANDA
419
420config NF_NAT_FTP
421	tristate
422	depends on NF_CONNTRACK && NF_NAT
423	default NF_NAT && NF_CONNTRACK_FTP
424
425config NF_NAT_IRC
426	tristate
427	depends on NF_CONNTRACK && NF_NAT
428	default NF_NAT && NF_CONNTRACK_IRC
429
430config NF_NAT_SIP
431	tristate
432	depends on NF_CONNTRACK && NF_NAT
433	default NF_NAT && NF_CONNTRACK_SIP
434
435config NF_NAT_TFTP
436	tristate
437	depends on NF_CONNTRACK && NF_NAT
438	default NF_NAT && NF_CONNTRACK_TFTP
439
440config NF_NAT_REDIRECT
441	bool
442
443config NF_NAT_MASQUERADE
444	bool
445
446config NF_NAT_OVS
447	bool
448
449config NETFILTER_SYNPROXY
450	tristate
451
452endif # NF_CONNTRACK
453
454config NF_TABLES
455	select NETFILTER_NETLINK
456	select NET_CRC32C
457	tristate "Netfilter nf_tables support"
458	help
459	  nftables is the new packet classification framework that intends to
460	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
461	  provides a pseudo-state machine with an extensible instruction-set
462	  (also known as expressions) that the userspace 'nft' utility
463	  (https://www.netfilter.org/projects/nftables) uses to build the
464	  rule-set. It also comes with the generic set infrastructure that
465	  allows you to construct mappings between matchings and actions
466	  for performance lookups.
467
468	  To compile it as a module, choose M here.
469
470if NF_TABLES
471config NF_TABLES_INET
472	depends on IPV6
473	select NF_TABLES_IPV4
474	select NF_TABLES_IPV6
475	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
476	help
477	  This option enables support for a mixed IPv4/IPv6 "inet" table.
478
479config NF_TABLES_NETDEV
480	bool "Netfilter nf_tables netdev tables support"
481	help
482	  This option enables support for the "netdev" table.
483
484config NFT_NUMGEN
485	tristate "Netfilter nf_tables number generator module"
486	help
487	  This option adds the number generator expression used to perform
488	  incremental counting and random numbers bound to an upper limit.
489
490config NFT_CT
491	depends on NF_CONNTRACK
492	tristate "Netfilter nf_tables conntrack module"
493	help
494	  This option adds the "ct" expression that you can use to match
495	  connection tracking information such as the flow state.
496
497config NFT_EXTHDR_DCCP
498	bool "Netfilter nf_tables exthdr DCCP support (DEPRECATED)"
499	default n
500	help
501	  This option adds support for matching on DCCP extension headers.
502
503config NFT_FLOW_OFFLOAD
504	depends on NF_CONNTRACK && NF_FLOW_TABLE
505	tristate "Netfilter nf_tables hardware flow offload module"
506	help
507	  This option adds the "flow_offload" expression that you can use to
508	  choose what flows are placed into the hardware.
509
510config NFT_CONNLIMIT
511	tristate "Netfilter nf_tables connlimit module"
512	depends on NF_CONNTRACK
513	depends on NETFILTER_ADVANCED
514	select NETFILTER_CONNCOUNT
515	help
516	  This option adds the "connlimit" expression that you can use to
517	  rate-limit rule matches per connection.
518
519config NFT_LOG
520	tristate "Netfilter nf_tables log module"
521	help
522	  This option adds the "log" expression that you can use to log
523	  packets matching some criteria.
524
525config NFT_LIMIT
526	tristate "Netfilter nf_tables limit module"
527	help
528	  This option adds the "limit" expression that you can use to
529	  rate-limit rule matches.
530
531config NFT_MASQ
532	depends on NF_CONNTRACK
533	depends on NF_NAT
534	select NF_NAT_MASQUERADE
535	tristate "Netfilter nf_tables masquerade support"
536	help
537	  This option adds the "masquerade" expression that you can use
538	  to perform NAT in the masquerade flavour.
539
540config NFT_REDIR
541	depends on NF_CONNTRACK
542	depends on NF_NAT
543	tristate "Netfilter nf_tables redirect support"
544	select NF_NAT_REDIRECT
545	help
546	  This option adds the "redirect" expression that you can use
547	  to perform NAT in the redirect flavour.
548
549config NFT_NAT
550	depends on NF_CONNTRACK
551	select NF_NAT
552	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
553	tristate "Netfilter nf_tables nat module"
554	help
555	  This option adds the "nat" expression that you can use to perform
556	  typical Network Address Translation (NAT) packet transformations.
557
558config NFT_TUNNEL
559	tristate "Netfilter nf_tables tunnel module"
560	help
561	  This option adds the "tunnel" expression that you can use to set
562	  tunneling policies.
563
564config NFT_QUEUE
565	depends on NETFILTER_NETLINK_QUEUE
566	tristate "Netfilter nf_tables queue module"
567	help
568	  This is required if you intend to use the userspace queueing
569	  infrastructure (also known as NFQUEUE) from nftables.
570
571config NFT_QUOTA
572	tristate "Netfilter nf_tables quota module"
573	help
574	  This option adds the "quota" expression that you can use to
575	  enforce byte quotas.
576
577config NFT_REJECT
578	default m if NETFILTER_ADVANCED=n
579	tristate "Netfilter nf_tables reject support"
580	help
581	  This option adds the "reject" expression that you can use to
582	  explicitly deny disallowed traffic and notify the sender via
583	  TCP reset/ICMP error messages.
584
585config NFT_REJECT_INET
586	depends on NF_TABLES_INET
587	default NFT_REJECT
588	tristate
589
590config NFT_COMPAT
591	depends on NETFILTER_XTABLES
592	tristate "Netfilter x_tables over nf_tables module"
593	help
594	  This is required if you intend to use any of the existing
595	  x_tables match/target extensions over the nf_tables
596	  framework.
597
598config NFT_HASH
599	tristate "Netfilter nf_tables hash module"
600	help
601	  This option adds the "hash" expression that you can use to perform
602	  a hash operation on registers.
603
604config NFT_FIB
605	tristate
606
607config NFT_FIB_INET
608	depends on NF_TABLES_INET
609	depends on NFT_FIB_IPV4
610	depends on NFT_FIB_IPV6
611	tristate "Netfilter nf_tables fib inet support"
612	help
613	  This option allows using the FIB expression from the inet table.
614	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
615	  on the protocol of the packet.
616
617config NFT_XFRM
618	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
619	depends on XFRM
620	help
621	  This option adds an expression that you can use to extract properties
622	  of a packet's security association.
623
624config NFT_SOCKET
625	tristate "Netfilter nf_tables socket match support"
626	select NF_SOCKET_IPV4
627	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
628	help
629	  This option allows matching for the presence or absence of a
630	  corresponding socket and its attributes.
631
632config NFT_OSF
633	tristate "Netfilter nf_tables passive OS fingerprint support"
634	depends on NETFILTER_ADVANCED
635	select NETFILTER_NETLINK_OSF
636	help
637	  This option allows matching packets from a specific OS.
638
639config NFT_TPROXY
640	tristate "Netfilter nf_tables tproxy support"
641	select NF_DEFRAG_IPV4
642	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
643	select NF_TPROXY_IPV4
644	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
645	help
646	  This makes transparent proxy support available in nftables.
647
648config NFT_SYNPROXY
649	tristate "Netfilter nf_tables SYNPROXY expression support"
650	depends on NF_CONNTRACK && NETFILTER_ADVANCED
651	select NETFILTER_SYNPROXY
652	select SYN_COOKIES
653	help
654	  The SYNPROXY expression allows you to intercept TCP connections and
655	  establish them using syncookies before they are passed on to the
656	  server. This avoids conntrack and server resource usage
657	  during SYN-flood attacks.
658
659if NF_TABLES_NETDEV
660
661config NF_DUP_NETDEV
662	tristate "Netfilter packet duplication support"
663	help
664	  This option enables the generic packet duplication infrastructure
665	  for Netfilter.
666
667config NFT_DUP_NETDEV
668	tristate "Netfilter nf_tables netdev packet duplication support"
669	select NF_DUP_NETDEV
670	help
671	  This option enables packet duplication for the "netdev" family.
672
673config NFT_FWD_NETDEV
674	tristate "Netfilter nf_tables netdev packet forwarding support"
675	select NF_DUP_NETDEV
676	help
677	  This option enables packet forwarding for the "netdev" family.
678
679config NFT_FIB_NETDEV
680	depends on NFT_FIB_IPV4
681	depends on NFT_FIB_IPV6
682	tristate "Netfilter nf_tables netdev fib lookups support"
683	help
684	  This option allows using the FIB expression from the netdev table.
685	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
686	  on the protocol of the packet.
687
688config NFT_REJECT_NETDEV
689	depends on NFT_REJECT_IPV4
690	depends on NFT_REJECT_IPV6
691	tristate "Netfilter nf_tables netdev REJECT support"
692	help
693	  This option enables the REJECT support from the netdev table.
694	  The return packet generation will be delegated to the IPv4
695	  or IPv6 ICMP or TCP RST implementation depending on the
696	  protocol of the packet.
697
698endif # NF_TABLES_NETDEV
699
700endif # NF_TABLES
701
702config NF_FLOW_TABLE_INET
703	tristate "Netfilter flow table mixed IPv4/IPv6 module"
704	depends on NF_FLOW_TABLE
705	help
706	  This option adds the flow table mixed IPv4/IPv6 support.
707
708	  To compile it as a module, choose M here.
709
710config NF_FLOW_TABLE
711	tristate "Netfilter flow table module"
712	depends on NETFILTER_INGRESS
713	depends on NF_CONNTRACK
714	depends on NF_TABLES
715	help
716	  This option adds the flow table core infrastructure.
717
718	  To compile it as a module, choose M here.
719
720config NF_FLOW_TABLE_PROCFS
721	bool "Supply flow table statistics in procfs"
722	depends on NF_FLOW_TABLE
723	depends on PROC_FS
724	help
725	  This option enables for the flow table offload statistics
726	  to be shown in procfs under net/netfilter/nf_flowtable.
727
728config NETFILTER_XTABLES
729	tristate "Netfilter Xtables support (required for ip_tables)"
730	default m if NETFILTER_ADVANCED=n
731	help
732	  This is required if you intend to use any of ip_tables,
733	  ip6_tables or arp_tables.
734
735if NETFILTER_XTABLES
736
737config NETFILTER_XTABLES_COMPAT
738	bool "Netfilter Xtables 32bit support"
739	depends on COMPAT
740	help
741	   This option provides a translation layer to run 32bit arp,ip(6),ebtables
742	   binaries on 64bit kernels.
743
744	   If unsure, say N.
745
746config NETFILTER_XTABLES_LEGACY
747	bool "Netfilter legacy tables support"
748	depends on !PREEMPT_RT
749	help
750	  Say Y here if you still require support for legacy tables. This is
751	  required by the legacy tools (iptables-legacy) and is not needed if
752	  you use iptables over nftables (iptables-nft).
753	  Legacy support is not limited to IP, it also includes EBTABLES and
754	  ARPTABLES.
755
756comment "Xtables combined modules"
757
758config NETFILTER_XT_MARK
759	tristate 'nfmark target and match support'
760	default m if NETFILTER_ADVANCED=n
761	help
762	This option adds the "MARK" target and "mark" match.
763
764	Netfilter mark matching allows you to match packets based on the
765	"nfmark" value in the packet.
766	The target allows you to create rules in the "mangle" table which alter
767	the netfilter mark (nfmark) field associated with the packet.
768
769	Prior to routing, the nfmark can influence the routing method and can
770	also be used by other subsystems to change their behavior.
771
772config NETFILTER_XT_CONNMARK
773	tristate 'ctmark target and match support'
774	depends on NF_CONNTRACK
775	depends on NETFILTER_ADVANCED
776	select NF_CONNTRACK_MARK
777	help
778	This option adds the "CONNMARK" target and "connmark" match.
779
780	Netfilter allows you to store a mark value per connection (a.k.a.
781	ctmark), similarly to the packet mark (nfmark). Using this
782	target and match, you can set and match on this mark.
783
784config NETFILTER_XT_SET
785	tristate 'set target and match support'
786	depends on IP_SET
787	depends on NETFILTER_ADVANCED
788	help
789	  This option adds the "SET" target and "set" match.
790
791	  Using this target and match, you can add/delete and match
792	  elements in the sets created by ipset(8).
793
794	  To compile it as a module, choose M here.  If unsure, say N.
795
796# alphabetically ordered list of targets
797
798comment "Xtables targets"
799
800config NETFILTER_XT_TARGET_AUDIT
801	tristate "AUDIT target support"
802	depends on AUDIT
803	depends on NETFILTER_ADVANCED
804	help
805	  This option adds a 'AUDIT' target, which can be used to create
806	  audit records for packets dropped/accepted.
807
808	  To compile it as a module, choose M here. If unsure, say N.
809
810config NETFILTER_XT_TARGET_CHECKSUM
811	tristate "CHECKSUM target support"
812	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
813	depends on NETFILTER_ADVANCED
814	help
815	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
816	  table to work around buggy DHCP clients in virtualized environments.
817
818	  Some old DHCP clients drop packets because they are not aware
819	  that the checksum would normally be offloaded to hardware and
820	  thus should be considered valid.
821	  This target can be used to fill in the checksum using iptables
822	  when such packets are sent via a virtual network device.
823
824	  To compile it as a module, choose M here.  If unsure, say N.
825
826config NETFILTER_XT_TARGET_CLASSIFY
827	tristate '"CLASSIFY" target support'
828	depends on NETFILTER_ADVANCED
829	help
830	  This option adds a `CLASSIFY' target, which enables the user to set
831	  the priority of a packet. Some qdiscs can use this value for
832	  classification, among these are:
833
834	  atm, cbq, dsmark, pfifo_fast, htb, prio
835
836	  To compile it as a module, choose M here.  If unsure, say N.
837
838config NETFILTER_XT_TARGET_CONNMARK
839	tristate  '"CONNMARK" target support'
840	depends on NF_CONNTRACK
841	depends on NETFILTER_ADVANCED
842	select NETFILTER_XT_CONNMARK
843	help
844	This is a backwards-compat option for the user's convenience
845	(e.g. when running oldconfig). It selects
846	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
847
848config NETFILTER_XT_TARGET_CONNSECMARK
849	tristate '"CONNSECMARK" target support'
850	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
851	default m if NETFILTER_ADVANCED=n
852	help
853	  The CONNSECMARK target copies security markings from packets
854	  to connections, and restores security markings from connections
855	  to packets (if the packets are not already marked).  This would
856	  normally be used in conjunction with the SECMARK target.
857
858	  To compile it as a module, choose M here.  If unsure, say N.
859
860config NETFILTER_XT_TARGET_CT
861	tristate '"CT" target support'
862	depends on NF_CONNTRACK
863	depends on IP_NF_RAW || IP6_NF_RAW || NFT_COMPAT
864	depends on NETFILTER_ADVANCED
865	help
866	  This option adds a `CT' target, which allows you to specify initial
867	  connection tracking parameters like events to be delivered and
868	  the helper to be used.
869
870	  To compile it as a module, choose M here.  If unsure, say N.
871
872config NETFILTER_XT_TARGET_DSCP
873	tristate '"DSCP" and "TOS" target support'
874	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
875	depends on NETFILTER_ADVANCED
876	help
877	  This option adds a `DSCP' target, which allows you to manipulate
878	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
879
880	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
881
882	  It also adds the "TOS" target, which allows you to create rules in
883	  the "mangle" table which alter the Type Of Service field of an IPv4
884	  or the Priority field of an IPv6 packet, prior to routing.
885
886	  To compile it as a module, choose M here.  If unsure, say N.
887
888config NETFILTER_XT_TARGET_HL
889	tristate '"HL" hoplimit target support'
890	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
891	depends on NETFILTER_ADVANCED
892	help
893	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
894	targets, which enable the user to change the
895	hoplimit/time-to-live value of the IP header.
896
897	  While it is safe to decrement the hoplimit/TTL value, the
898	  modules also allow you to increment and set the hoplimit value of
899	  the header to arbitrary values. This is EXTREMELY DANGEROUS
900	  since you can easily create immortal packets that loop
901	  forever on the network.
902
903config NETFILTER_XT_TARGET_HMARK
904	tristate '"HMARK" target support'
905	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
906	depends on NETFILTER_ADVANCED
907	help
908	This option adds the "HMARK" target.
909
910	The target allows you to create rules in the "raw" and "mangle" tables
911	which set the skbuff mark by means of hash calculation within a given
912	range. The nfmark can influence the routing method and can also be used
913	by other subsystems to change their behaviour.
914
915	To compile it as a module, choose M here. If unsure, say N.
916
917config NETFILTER_XT_TARGET_IDLETIMER
918	tristate  "IDLETIMER target support"
919	depends on NETFILTER_ADVANCED
920	help
921
922	  This option adds the `IDLETIMER' target.  Each matching packet
923	  resets the timer associated with label specified when the rule is
924	  added.  When the timer expires, it triggers a sysfs notification.
925	  The remaining time for expiration can be read via sysfs.
926
927	  To compile it as a module, choose M here.  If unsure, say N.
928
929config NETFILTER_XT_TARGET_LED
930	tristate '"LED" target support'
931	depends on LEDS_CLASS && LEDS_TRIGGERS
932	depends on NETFILTER_ADVANCED
933	help
934	  This option adds a `LED' target, which allows you to blink LEDs in
935	  response to particular packets passing through your machine.
936
937	  This can be used to turn a spare LED into a network activity LED,
938	  which only flashes in response to FTP transfers, for example.  Or
939	  you could have an LED which lights up for a minute or two every time
940	  somebody connects to your machine via SSH.
941
942	  You will need support for the "led" class to make this work.
943
944	  To create an LED trigger for incoming SSH traffic:
945	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
946
947	  Then attach the new trigger to an LED on your system:
948	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
949
950	  For more information on the LEDs available on your system, see
951	  Documentation/leds/leds-class.rst
952
953config NETFILTER_XT_TARGET_LOG
954	tristate "LOG target support"
955	select NF_LOG_SYSLOG
956	select NF_LOG_IPV6 if IP6_NF_IPTABLES
957	default m if NETFILTER_ADVANCED=n
958	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table that record the packet header to the syslog.

	  Every matching packet produces a log entry, so unrestricted LOG
	  rules can be used to flood the syslog; pair them with the `limit'
	  or `hashlimit' match to rate-limit logging.
961
962	  To compile it as a module, choose M here.  If unsure, say N.
963
964config NETFILTER_XT_TARGET_MARK
965	tristate '"MARK" target support'
966	depends on NETFILTER_ADVANCED
967	select NETFILTER_XT_MARK
968	help
969	This is a backwards-compat option for the user's convenience
970	(e.g. when running oldconfig). It selects
971	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
972
973config NETFILTER_XT_NAT
974	tristate '"SNAT and DNAT" targets support'
975	depends on NF_NAT
976	help
977	This option enables the SNAT and DNAT targets.
978
979	To compile it as a module, choose M here. If unsure, say N.
980
981config NETFILTER_XT_TARGET_NETMAP
982	tristate '"NETMAP" target support'
983	depends on NF_NAT
984	help
985	NETMAP is an implementation of static 1:1 NAT mapping of network
986	addresses. It maps the network address part, while keeping the host
987	address part intact.
988
989	To compile it as a module, choose M here. If unsure, say N.
990
991config NETFILTER_XT_TARGET_NFLOG
992	tristate '"NFLOG" target support'
993	default m if NETFILTER_ADVANCED=n
994	select NETFILTER_NETLINK_LOG
995	help
	  This option enables the NFLOG target, which allows you to log
	  packets through nfnetlink_log.
998
999	  To compile it as a module, choose M here.  If unsure, say N.
1000
1001config NETFILTER_XT_TARGET_NFQUEUE
1002	tristate '"NFQUEUE" target Support'
1003	depends on NETFILTER_ADVANCED
1004	select NETFILTER_NETLINK_QUEUE
1005	help
1006	  This target replaced the old obsolete QUEUE target.
1007
1008	  As opposed to QUEUE, it supports 65535 different queues,
1009	  not just one.
1010
1011	  To compile it as a module, choose M here.  If unsure, say N.
1012
1013config NETFILTER_XT_TARGET_NOTRACK
1014	tristate  '"NOTRACK" target support (DEPRECATED)'
1015	depends on NF_CONNTRACK
1016	depends on IP_NF_RAW || IP6_NF_RAW
1017	depends on NETFILTER_ADVANCED
1018	select NETFILTER_XT_TARGET_CT
1019
1020config NETFILTER_XT_TARGET_RATEEST
1021	tristate '"RATEEST" target support'
1022	depends on NETFILTER_ADVANCED
1023	help
	  This option adds a `RATEEST' target, which allows you to measure
	  rates similar to TC estimators. The `rateest' match can be
	  used to match on the measured rates.
1027
1028	  To compile it as a module, choose M here.  If unsure, say N.
1029
1030config NETFILTER_XT_TARGET_REDIRECT
1031	tristate "REDIRECT target support"
1032	depends on NF_NAT
1033	select NF_NAT_REDIRECT
1034	help
1035	REDIRECT is a special case of NAT: all incoming connections are
1036	mapped onto the incoming interface's address, causing the packets to
1037	come to the local machine instead of passing through. This is
1038	useful for transparent proxies.
1039
1040	To compile it as a module, choose M here. If unsure, say N.
1041
1042config NETFILTER_XT_TARGET_MASQUERADE
1043	tristate "MASQUERADE target support"
1044	depends on NF_NAT
1045	default m if NETFILTER_ADVANCED=n
1046	select NF_NAT_MASQUERADE
1047	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for links with a dynamically assigned IP address, such
	  as dialup accounts (i.e. your IP address will be different on the
	  next dialup).
1053
1054	  To compile it as a module, choose M here.  If unsure, say N.
1055
1056config NETFILTER_XT_TARGET_TEE
1057	tristate '"TEE" - packet cloning to alternate destination'
1058	depends on NETFILTER_ADVANCED
1059	depends on !NF_CONNTRACK || NF_CONNTRACK
1060	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1061	select NF_DUP_IPV4
1062	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1063	help
	This option adds a "TEE" target with which a packet can be cloned and
	the clone rerouted to another next hop.
1066
1067config NETFILTER_XT_TARGET_TPROXY
1068	tristate '"TPROXY" target transparent proxying support'
1069	depends on NETFILTER_XTABLES
1070	depends on NETFILTER_ADVANCED
1071	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1072	depends on IP_NF_MANGLE || NFT_COMPAT
1073	select NF_DEFRAG_IPV4
1074	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1075	select NF_TPROXY_IPV4
1076	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1077	help
1078	  This option adds a `TPROXY' target, which is somewhat similar to
1079	  REDIRECT.  It can only be used in the mangle table and is useful
1080	  to redirect traffic to a transparent proxy.  It does _not_ depend
1081	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1082	  For it to work you will have to configure certain iptables rules
1083	  and use policy routing. For more information on how to set it up
1084	  see Documentation/networking/tproxy.rst.
1085
1086	  To compile it as a module, choose M here.  If unsure, say N.
1087
1088config NETFILTER_XT_TARGET_TRACE
1089	tristate  '"TRACE" target support'
1090	depends on IP_NF_RAW || IP6_NF_RAW
1091	depends on NETFILTER_ADVANCED
1092	help
	  The TRACE target allows you to mark packets so that the kernel
	  will log every rule that matches them as they traverse the
	  tables, chains and rules.
1096
1097	  If you want to compile it as a module, say M here and read
1098	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1099
1100config NETFILTER_XT_TARGET_SECMARK
1101	tristate '"SECMARK" target support'
1102	depends on NETWORK_SECMARK
1103	default m if NETFILTER_ADVANCED=n
1104	help
1105	  The SECMARK target allows security marking of network
1106	  packets, for use with security subsystems.
1107
1108	  To compile it as a module, choose M here.  If unsure, say N.
1109
1110config NETFILTER_XT_TARGET_TCPMSS
1111	tristate '"TCPMSS" target support'
1112	default m if NETFILTER_ADVANCED=n
1113	help
1114	  This option adds a `TCPMSS' target, which allows you to alter the
1115	  MSS value of TCP SYN packets, to control the maximum size for that
1116	  connection (usually limiting it to your outgoing interface's MTU
1117	  minus 40).
1118
1119	  This is used to overcome criminally braindead ISPs or servers which
1120	  block ICMP Fragmentation Needed packets.  The symptoms of this
1121	  problem are that everything works fine from your Linux
1122	  firewall/router, but machines behind it can never exchange large
1123	  packets:
1124	        1) Web browsers connect, then hang with no data received.
1125	        2) Small mail works fine, but large emails hang.
1126	        3) ssh works fine, but scp hangs after initial handshaking.
1127
1128	  Workaround: activate this option and add a rule to your firewall
1129	  configuration like:
1130
1131	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1132	                 -j TCPMSS --clamp-mss-to-pmtu
1133
1134	  To compile it as a module, choose M here.  If unsure, say N.
1135
1136config NETFILTER_XT_TARGET_TCPOPTSTRIP
1137	tristate '"TCPOPTSTRIP" target support'
1138	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT
1139	depends on NETFILTER_ADVANCED
1140	help
1141	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1142	  TCP options from TCP packets.
1143
1144# alphabetically ordered list of matches
1145
1146comment "Xtables matches"
1147
1148config NETFILTER_XT_MATCH_ADDRTYPE
1149	tristate '"addrtype" address type match support'
1150	default m if NETFILTER_ADVANCED=n
1151	help
1152	  This option allows you to match what routing thinks of an address,
1153	  eg. UNICAST, LOCAL, BROADCAST, ...
1154
1155	  If you want to compile it as a module, say M here and read
1156	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1157
1158config NETFILTER_XT_MATCH_BPF
1159	tristate '"bpf" match support'
1160	depends on NETFILTER_ADVANCED
1161	help
	  BPF matching applies a Linux socket filter to each packet and
	  accepts those for which the filter returns non-zero.
1164
1165	  To compile it as a module, choose M here.  If unsure, say N.
1166
1167config NETFILTER_XT_MATCH_CGROUP
1168	tristate '"control group" match support'
1169	depends on NETFILTER_ADVANCED
1170	depends on CGROUPS
1171	select SOCK_CGROUP_DATA
1172	help
1173	Socket/process control group matching allows you to match locally
1174	generated packets based on which net_cls control group processes
1175	belong to.
1176
1177config NETFILTER_XT_MATCH_CLUSTER
1178	tristate '"cluster" match support'
1179	depends on NF_CONNTRACK
1180	depends on NETFILTER_ADVANCED
1181	help
1182	  This option allows you to build work-load-sharing clusters of
1183	  network servers/stateful firewalls without having a dedicated
1184	  load-balancing router/server/switch. Basically, this match returns
1185	  true when the packet must be handled by this cluster node. Thus,
1186	  all nodes see all packets and this match decides which node handles
1187	  what packets. The work-load sharing algorithm is based on source
1188	  address hashing.
1189
1190	  If you say Y or M here, try `iptables -m cluster --help` for
1191	  more information.
1192
1193config NETFILTER_XT_MATCH_COMMENT
1194	tristate  '"comment" match support'
1195	depends on NETFILTER_ADVANCED
1196	help
1197	  This option adds a `comment' dummy-match, which allows you to put
1198	  comments in your iptables ruleset.
1199
1200	  If you want to compile it as a module, say M here and read
1201	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1202
1203config NETFILTER_XT_MATCH_CONNBYTES
1204	tristate  '"connbytes" per-connection counter match support'
1205	depends on NF_CONNTRACK
1206	depends on NETFILTER_ADVANCED
1207	help
1208	  This option adds a `connbytes' match, which allows you to match the
1209	  number of bytes and/or packets for each direction within a connection.
1210
1211	  If you want to compile it as a module, say M here and read
1212	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1213
1214config NETFILTER_XT_MATCH_CONNLABEL
1215	tristate '"connlabel" match support'
1216	select NF_CONNTRACK_LABELS
1217	depends on NF_CONNTRACK
1218	depends on NETFILTER_ADVANCED
1219	help
	  This match allows you to test and assign userspace-defined label
	  names to a connection.  The kernel only stores bit values - mapping
	  names to bits is done by userspace.
1223
1224	  Unlike connmark, more than 32 flag bits may be assigned to a
1225	  connection simultaneously.
1226
1227config NETFILTER_XT_MATCH_CONNLIMIT
1228	tristate '"connlimit" match support'
1229	depends on NF_CONNTRACK
1230	depends on NETFILTER_ADVANCED
1231	select NETFILTER_CONNCOUNT
1232	help
1233	  This match allows you to match against the number of parallel
1234	  connections to a server per client IP address (or address block).
1235
1236config NETFILTER_XT_MATCH_CONNMARK
1237	tristate  '"connmark" connection mark match support'
1238	depends on NF_CONNTRACK
1239	depends on NETFILTER_ADVANCED
1240	select NETFILTER_XT_CONNMARK
1241	help
1242	This is a backwards-compat option for the user's convenience
1243	(e.g. when running oldconfig). It selects
1244	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1245
1246config NETFILTER_XT_MATCH_CONNTRACK
1247	tristate '"conntrack" connection tracking match support'
1248	depends on NF_CONNTRACK
1249	default m if NETFILTER_ADVANCED=n
1250	help
1251	  This is a general conntrack match module, a superset of the state match.
1252
1253	  It allows matching on additional conntrack information, which is
1254	  useful in complex configurations, such as NAT gateways with multiple
1255	  internet links or tunnels.
1256
1257	  To compile it as a module, choose M here.  If unsure, say N.
1258
1259config NETFILTER_XT_MATCH_CPU
1260	tristate '"cpu" match support'
1261	depends on NETFILTER_ADVANCED
1262	help
1263	  CPU matching allows you to match packets based on the CPU
1264	  currently handling the packet.
1265
1266	  To compile it as a module, choose M here.  If unsure, say N.
1267
1268config NETFILTER_XT_MATCH_DCCP
1269	tristate '"dccp" protocol match support (DEPRECATED)'
1270	depends on NETFILTER_ADVANCED
1271	default n
1272	help
1273	  With this option enabled, you will be able to use the iptables
1274	  `dccp' match in order to match on DCCP source/destination ports
1275	  and DCCP flags.
1276
1277	  If you want to compile it as a module, say M here and read
1278	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1279
1280config NETFILTER_XT_MATCH_DEVGROUP
1281	tristate '"devgroup" match support'
1282	depends on NETFILTER_ADVANCED
1283	help
	  This option adds a `devgroup' match, which allows you to match on
	  the device group a network device is assigned to.
1286
1287	  To compile it as a module, choose M here.  If unsure, say N.
1288
1289config NETFILTER_XT_MATCH_DSCP
1290	tristate '"dscp" and "tos" match support'
1291	depends on NETFILTER_ADVANCED
1292	help
1293	  This option adds a `DSCP' match, which allows you to match against
1294	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1295
1296	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1297
1298	  It will also add a "tos" match, which allows you to match packets
1299	  based on the Type Of Service fields of the IPv4 packet (which share
1300	  the same bits as DSCP).
1301
1302	  To compile it as a module, choose M here.  If unsure, say N.
1303
1304config NETFILTER_XT_MATCH_ECN
1305	tristate '"ecn" match support'
1306	depends on NETFILTER_ADVANCED
1307	help
1308	This option adds an "ECN" match, which allows you to match against
1309	the IPv4 and TCP header ECN fields.
1310
1311	To compile it as a module, choose M here. If unsure, say N.
1312
1313config NETFILTER_XT_MATCH_ESP
1314	tristate '"esp" match support'
1315	depends on NETFILTER_ADVANCED
1316	help
	  This match extension allows you to match a range of SPIs
	  inside the ESP header of IPsec packets.
1319
1320	  To compile it as a module, choose M here.  If unsure, say N.
1321
1322config NETFILTER_XT_MATCH_HASHLIMIT
1323	tristate '"hashlimit" match support'
1324	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1325	depends on NETFILTER_ADVANCED
1326	help
1327	  This option adds a `hashlimit' match.
1328
1329	  As opposed to `limit', this match dynamically creates a hash table
1330	  of limit buckets, based on your selection of source/destination
1331	  addresses and/or ports.
1332
1333	  It enables you to express policies like `10kpps for any given
1334	  destination address' or `500pps from any given source address'
1335	  with a single rule.
1336
1337config NETFILTER_XT_MATCH_HELPER
1338	tristate '"helper" match support'
1339	depends on NF_CONNTRACK
1340	depends on NETFILTER_ADVANCED
1341	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, e.g. nf_conntrack_ftp.
1344
1345	  To compile it as a module, choose M here.  If unsure, say Y.
1346
1347config NETFILTER_XT_MATCH_HL
1348	tristate '"hl" hoplimit/TTL match support'
1349	depends on NETFILTER_ADVANCED
1350	help
1351	HL matching allows you to match packets based on the hoplimit
1352	in the IPv6 header, or the time-to-live field in the IPv4
1353	header of the packet.
1354
1355config NETFILTER_XT_MATCH_IPCOMP
1356	tristate '"ipcomp" match support'
1357	depends on NETFILTER_ADVANCED
1358	help
	  This match extension allows you to match a range of CPIs (16 bits)
	  inside the IPComp header of IPsec packets.
1361
1362	  To compile it as a module, choose M here.  If unsure, say N.
1363
1364config NETFILTER_XT_MATCH_IPRANGE
1365	tristate '"iprange" address range match support'
1366	depends on NETFILTER_ADVANCED
1367	help
1368	This option adds a "iprange" match, which allows you to match based on
1369	an IP address range. (Normal iptables only matches on single addresses
1370	with an optional mask.)
1371
1372	If unsure, say M.
1373
1374config NETFILTER_XT_MATCH_IPVS
1375	tristate '"ipvs" match support'
1376	depends on IP_VS
1377	depends on NETFILTER_ADVANCED
1378	depends on NF_CONNTRACK
1379	help
1380	  This option allows you to match against IPVS properties of a packet.
1381
1382	  If unsure, say N.
1383
1384config NETFILTER_XT_MATCH_L2TP
1385	tristate '"l2tp" match support'
1386	depends on NETFILTER_ADVANCED
1387	default L2TP
1388	help
1389	This option adds an "L2TP" match, which allows you to match against
1390	L2TP protocol header fields.
1391
1392	To compile it as a module, choose M here. If unsure, say N.
1393
1394config NETFILTER_XT_MATCH_LENGTH
1395	tristate '"length" match support'
1396	depends on NETFILTER_ADVANCED
1397	help
1398	  This option allows you to match the length of a packet against a
1399	  specific value or range of values.
1400
1401	  To compile it as a module, choose M here.  If unsure, say N.
1402
1403config NETFILTER_XT_MATCH_LIMIT
1404	tristate '"limit" match support'
1405	depends on NETFILTER_ADVANCED
1406	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", above) and to avoid some Denial of Service attacks.
1410
1411	  To compile it as a module, choose M here.  If unsure, say N.
1412
1413config NETFILTER_XT_MATCH_MAC
1414	tristate '"mac" address match support'
1415	depends on NETFILTER_ADVANCED
1416	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  Note that the source MAC address identifies only the last hop on
	  the local link and can be forged by the sender, so it must not be
	  relied on as an authentication token on its own.
1419
1420	  To compile it as a module, choose M here.  If unsure, say N.
1421
1422config NETFILTER_XT_MATCH_MARK
1423	tristate '"mark" match support'
1424	depends on NETFILTER_ADVANCED
1425	select NETFILTER_XT_MARK
1426	help
1427	This is a backwards-compat option for the user's convenience
1428	(e.g. when running oldconfig). It selects
1429	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1430
1431config NETFILTER_XT_MATCH_MULTIPORT
1432	tristate '"multiport" Multiple port match support'
1433	depends on NETFILTER_ADVANCED
1434	help
1435	  Multiport matching allows you to match TCP or UDP packets based on
1436	  a series of source or destination ports: normally a rule can only
1437	  match a single range of ports.
1438
1439	  To compile it as a module, choose M here.  If unsure, say N.
1440
1441config NETFILTER_XT_MATCH_NFACCT
1442	tristate '"nfacct" match support'
1443	depends on NETFILTER_ADVANCED
1444	select NETFILTER_NETLINK_ACCT
1445	help
1446	  This option allows you to use the extended accounting through
1447	  nfnetlink_acct.
1448
1449	  To compile it as a module, choose M here.  If unsure, say N.
1450
1451config NETFILTER_XT_MATCH_OSF
1452	tristate '"osf" Passive OS fingerprint match'
1453	depends on NETFILTER_ADVANCED
1454	select NETFILTER_NETLINK_OSF
1455	help
	  This option selects the Passive OS Fingerprinting match module,
	  which allows you to passively match on the remote operating system
	  by analyzing incoming TCP SYN packets.
1459
1460	  Rules and loading software can be downloaded from
1461	  http://www.ioremap.net/projects/osf
1462
1463	  To compile it as a module, choose M here.  If unsure, say N.
1464
1465config NETFILTER_XT_MATCH_OWNER
1466	tristate '"owner" match support'
1467	depends on NETFILTER_ADVANCED
1468	help
1469	Socket owner matching allows you to match locally-generated packets
1470	based on who created the socket: the user or group. It is also
1471	possible to check whether a socket actually exists.
1472
1473config NETFILTER_XT_MATCH_POLICY
1474	tristate 'IPsec "policy" match support'
1475	depends on XFRM
1476	default m if NETFILTER_ADVANCED=n
1477	help
1478	  Policy matching allows you to match packets based on the
1479	  IPsec policy that was used during decapsulation/will
1480	  be used during encapsulation.
1481
1482	  To compile it as a module, choose M here.  If unsure, say N.
1483
1484config NETFILTER_XT_MATCH_PHYSDEV
1485	tristate '"physdev" match support'
1486	depends on BRIDGE && BRIDGE_NETFILTER
1487	depends on NETFILTER_ADVANCED
1488	help
1489	  Physdev packet matching matches against the physical bridge ports
1490	  the IP packet arrived on or will leave by.
1491
1492	  To compile it as a module, choose M here.  If unsure, say N.
1493
1494config NETFILTER_XT_MATCH_PKTTYPE
1495	tristate '"pkttype" packet type match support'
1496	depends on NETFILTER_ADVANCED
1497	help
1498	  Packet type matching allows you to match a packet by
1499	  its "class", eg. BROADCAST, MULTICAST, ...
1500
1501	  Typical usage:
1502	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1503
1504	  To compile it as a module, choose M here.  If unsure, say N.
1505
1506config NETFILTER_XT_MATCH_QUOTA
1507	tristate '"quota" match support'
1508	depends on NETFILTER_ADVANCED
1509	help
	  This option adds a `quota' match, which allows you to match on a
	  byte counter.
1512
1513	  If you want to compile it as a module, say M here and read
1514	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1515
1516config NETFILTER_XT_MATCH_RATEEST
1517	tristate '"rateest" match support'
1518	depends on NETFILTER_ADVANCED
1519	select NETFILTER_XT_TARGET_RATEEST
1520	help
	  This option adds a `rateest' match, which allows you to match on
	  the rate estimated by the RATEEST target.
1523
1524	  To compile it as a module, choose M here.  If unsure, say N.
1525
1526config NETFILTER_XT_MATCH_REALM
1527	tristate  '"realm" match support'
1528	depends on NETFILTER_ADVANCED
1529	select IP_ROUTE_CLASSID
1530	help
1531	  This option adds a `realm' match, which allows you to use the realm
1532	  key from the routing subsystem inside iptables.
1533
1534	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1535	  in tc world.
1536
1537	  If you want to compile it as a module, say M here and read
1538	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1539
1540config NETFILTER_XT_MATCH_RECENT
1541	tristate '"recent" match support'
1542	depends on NETFILTER_ADVANCED
1543	help
1544	This match is used for creating one or many lists of recently
1545	used addresses and then matching against that/those list(s).
1546
1547	Short options are available by using 'iptables -m recent -h'
1548	Official Website: <http://snowman.net/projects/ipt_recent/>
1549
1550config NETFILTER_XT_MATCH_SCTP
1551	tristate  '"sctp" protocol match support'
1552	depends on NETFILTER_ADVANCED
1553	default IP_SCTP
1554	help
1555	  With this option enabled, you will be able to use the
1556	  `sctp' match in order to match on SCTP source/destination ports
1557	  and SCTP chunk types.
1558
1559	  If you want to compile it as a module, say M here and read
1560	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1561
1562config NETFILTER_XT_MATCH_SOCKET
1563	tristate '"socket" match support'
1564	depends on NETFILTER_XTABLES
1565	depends on NETFILTER_ADVANCED
1566	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1567	select NF_SOCKET_IPV4
1568	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1569	select NF_DEFRAG_IPV4
1570	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1571	help
1572	  This option adds a `socket' match, which can be used to match
1573	  packets for which a TCP or UDP socket lookup finds a valid socket.
1574	  It can be used in combination with the MARK target and policy
1575	  routing to implement full featured non-locally bound sockets.
1576
1577	  To compile it as a module, choose M here.  If unsure, say N.
1578
1579config NETFILTER_XT_MATCH_STATE
1580	tristate '"state" match support'
1581	depends on NF_CONNTRACK
1582	default m if NETFILTER_ADVANCED=n
1583	help
1584	  Connection state matching allows you to match packets based on their
1585	  relationship to a tracked connection (ie. previous packets).  This
1586	  is a powerful tool for packet classification.
1587
1588	  To compile it as a module, choose M here.  If unsure, say N.
1589
1590config NETFILTER_XT_MATCH_STATISTIC
1591	tristate '"statistic" match support'
1592	depends on NETFILTER_ADVANCED
1593	help
1594	  This option adds a `statistic' match, which allows you to match
1595	  on packets periodically or randomly with a given percentage.
1596
1597	  To compile it as a module, choose M here.  If unsure, say N.
1598
1599config NETFILTER_XT_MATCH_STRING
1600	tristate  '"string" match support'
1601	depends on NETFILTER_ADVANCED
1602	select TEXTSEARCH
1603	select TEXTSEARCH_KMP
1604	select TEXTSEARCH_BM
1605	select TEXTSEARCH_FSM
1606	help
	  This option adds a `string' match, which allows you to search for
	  string patterns in packets.
1609
1610	  To compile it as a module, choose M here.  If unsure, say N.
1611
1612config NETFILTER_XT_MATCH_TCPMSS
1613	tristate '"tcpmss" match support'
1614	depends on NETFILTER_ADVANCED
1615	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size
	  for that connection.
1619
1620	  To compile it as a module, choose M here.  If unsure, say N.
1621
1622config NETFILTER_XT_MATCH_TIME
1623	tristate '"time" match support'
1624	depends on NETFILTER_ADVANCED
1625	help
	  This option adds a "time" match, which allows you to match based on
	  the packet arrival time (at the machine on which netfilter is
	  running) or departure time/date (for locally generated packets).
1629
1630	  If you say Y here, try `iptables -m time --help` for
1631	  more information.
1632
1633	  If you want to compile it as a module, say M here.
1634	  If unsure, say N.
1635
1636config NETFILTER_XT_MATCH_U32
1637	tristate '"u32" match support'
1638	depends on NETFILTER_ADVANCED
1639	help
1640	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1641	  AND them with specified masks, shift them by specified amounts and
1642	  test whether the results are in any of a set of specified ranges.
1643	  The specification of what to extract is general enough to skip over
1644	  headers with lengths stored in the packet, as in IP or TCP header
1645	  lengths.
1646
1647	  Details and examples are in the kernel module source.
1648
1649endif # NETFILTER_XTABLES
1650
1651endmenu
1652
1653source "net/netfilter/ipset/Kconfig"
1654
1655source "net/netfilter/ipvs/Kconfig"
1656