1# SPDX-License-Identifier: GPL-2.0-only
2menu "Core Netfilter Configuration"
3	depends on INET && NETFILTER
4
5config NETFILTER_INGRESS
6	bool "Netfilter ingress support"
7	default y
8	select NET_INGRESS
9	help
10	  This allows you to classify packets from ingress using the Netfilter
11	  infrastructure.
12
13config NETFILTER_EGRESS
14	bool "Netfilter egress support"
15	default y
16	select NET_EGRESS
17	help
18	  This allows you to classify packets before transmission using the
19	  Netfilter infrastructure.
20
21config NETFILTER_SKIP_EGRESS
22	def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)
23
24config NETFILTER_NETLINK
25	tristate
26
27config NETFILTER_FAMILY_BRIDGE
28	bool
29
30config NETFILTER_FAMILY_ARP
31	bool
32
33config NETFILTER_NETLINK_HOOK
34	tristate "Netfilter base hook dump support"
35	depends on NETFILTER_ADVANCED
36	depends on NF_TABLES
37	select NETFILTER_NETLINK
38	help
39	  If this option is enabled, the kernel will include support
40	  to list the base netfilter hooks via NFNETLINK.
41	  This is helpful for debugging.
42
43config NETFILTER_NETLINK_ACCT
44	tristate "Netfilter NFACCT over NFNETLINK interface"
45	depends on NETFILTER_ADVANCED
46	select NETFILTER_NETLINK
47	help
48	  If this option is enabled, the kernel will include support
49	  for extended accounting via NFNETLINK.
50
51config NETFILTER_NETLINK_QUEUE
52	tristate "Netfilter NFQUEUE over NFNETLINK interface"
53	depends on NETFILTER_ADVANCED
54	select NETFILTER_NETLINK
55	help
56	  If this option is enabled, the kernel will include support
57	  for queueing packets via NFNETLINK.
58
59config NETFILTER_NETLINK_LOG
60	tristate "Netfilter LOG over NFNETLINK interface"
61	default m if NETFILTER_ADVANCED=n
62	select NETFILTER_NETLINK
63	help
64	  If this option is enabled, the kernel will include support
65	  for logging packets via NFNETLINK.
66
67	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
68	  and is also scheduled to replace the old syslog-based ipt_LOG
69	  and ip6t_LOG modules.
70
71config NETFILTER_NETLINK_OSF
72	tristate "Netfilter OSF over NFNETLINK interface"
73	depends on NETFILTER_ADVANCED
74	select NETFILTER_NETLINK
75	help
76	  If this option is enabled, the kernel will include support
77	  for passive OS fingerprint via NFNETLINK.
78
79config NF_CONNTRACK
80	tristate "Netfilter connection tracking support"
81	default m if NETFILTER_ADVANCED=n
82	select NF_DEFRAG_IPV4
83	select NF_DEFRAG_IPV6 if IPV6 != n
84	help
85	  Connection tracking keeps a record of what packets have passed
86	  through your machine, in order to figure out how they are related
87	  into connections.
88
89	  This is required to do Masquerading or other kinds of Network
90	  Address Translation.  It can also be used to enhance packet
91	  filtering (see `Connection state match support' below).
92
93	  To compile it as a module, choose M here.  If unsure, say N.
94
95config NF_LOG_SYSLOG
96	tristate "Syslog packet logging"
97	default m if NETFILTER_ADVANCED=n
98	help
99	  This option enables support for packet logging via syslog.
100	  It supports IPv4, IPv6, ARP and common transport protocols such
101	  as TCP and UDP.
102	  This is a simpler but less flexible logging method compared to
103	  CONFIG_NETFILTER_NETLINK_LOG.
104	  If both are enabled the backend to use can be configured at run-time
105	  by means of per-address-family sysctl tunables.
106
107if NF_CONNTRACK
108config NETFILTER_CONNCOUNT
109	tristate
110
111config NF_CONNTRACK_MARK
112	bool  'Connection mark tracking support'
113	depends on NETFILTER_ADVANCED
114	help
115	  This option enables support for connection marks, used by the
116	  `CONNMARK' target and `connmark' match. Similar to the mark value
117	  of packets, but this mark value is kept in the conntrack session
118	  instead of the individual packets.
119
120config NF_CONNTRACK_SECMARK
121	bool  'Connection tracking security mark support'
122	depends on NETWORK_SECMARK
123	default y if NETFILTER_ADVANCED=n
124	help
125	  This option enables security markings to be applied to
126	  connections.  Typically they are copied to connections from
127	  packets using the CONNSECMARK target and copied back from
128	  connections to packets with the same target, with the packets
129	  being originally labeled via SECMARK.
130
131	  If unsure, say 'N'.
132
133config NF_CONNTRACK_ZONES
134	bool  'Connection tracking zones'
135	depends on NETFILTER_ADVANCED
136	help
137	  This option enables support for connection tracking zones.
138	  Normally, each connection needs to have a unique system wide
139	  identity. Connection tracking zones allow multiple connections
140	  to use the same identity, as long as they are
141	  contained in different zones.
142
143	  If unsure, say `N'.
144
145config NF_CONNTRACK_PROCFS
146	bool "Supply CT list in procfs (OBSOLETE)"
147	depends on PROC_FS
148	help
149	This option enables for the list of known conntrack entries
150	to be shown in procfs under net/netfilter/nf_conntrack. This
151	is considered obsolete in favor of using the conntrack(8)
152	tool which uses Netlink.
153
154config NF_CONNTRACK_EVENTS
155	bool "Connection tracking events"
156	depends on NETFILTER_ADVANCED
157	help
158	  If this option is enabled, the connection tracking code will
159	  provide a notifier chain that can be used by other kernel code
160	  to get notified about changes in the connection tracking state.
161
162	  If unsure, say `N'.
163
164config NF_CONNTRACK_TIMEOUT
165	bool  'Connection tracking timeout'
166	depends on NETFILTER_ADVANCED
167	help
168	  This option enables support for connection tracking timeout
169	  extension. This allows you to attach timeout policies to flows
170	  via the CT target.
171
172	  If unsure, say `N'.
173
174config NF_CONNTRACK_TIMESTAMP
175	bool  'Connection tracking timestamping'
176	depends on NETFILTER_ADVANCED
177	help
178	  This option enables support for connection tracking timestamping.
179	  This allows you to store the flow start-time and to obtain
180	  the flow-stop time (once it has been destroyed) via Connection
181	  tracking events.
182
183	  If unsure, say `N'.
184
185config NF_CONNTRACK_LABELS
186	bool "Connection tracking labels"
187	help
188	  This option enables support for assigning user-defined flag bits
189	  to connection tracking entries.  It can be used with xtables connlabel
190	  match and the nftables ct expression.
191
192config NF_CT_PROTO_DCCP
193	bool 'DCCP protocol connection tracking support'
194	depends on NETFILTER_ADVANCED
195	default y
196	help
197	  With this option enabled, the layer 3 independent connection
198	  tracking code will be able to do state tracking on DCCP connections.
199
200	  If unsure, say Y.
201
202config NF_CT_PROTO_GRE
203	bool
204
205config NF_CT_PROTO_SCTP
206	bool 'SCTP protocol connection tracking support'
207	depends on NETFILTER_ADVANCED
208	default y
209	select LIBCRC32C
210	help
211	  With this option enabled, the layer 3 independent connection
212	  tracking code will be able to do state tracking on SCTP connections.
213
214	  If unsure, say Y.
215
216config NF_CT_PROTO_UDPLITE
217	bool 'UDP-Lite protocol connection tracking support'
218	depends on NETFILTER_ADVANCED
219	default y
220	help
221	  With this option enabled, the layer 3 independent connection
222	  tracking code will be able to do state tracking on UDP-Lite
223	  connections.
224
225	  If unsure, say Y.
226
227config NF_CONNTRACK_AMANDA
228	tristate "Amanda backup protocol support"
229	depends on NETFILTER_ADVANCED
230	select TEXTSEARCH
231	select TEXTSEARCH_KMP
232	help
233	  If you are running the Amanda backup package <http://www.amanda.org/>
234	  on this machine or machines that will be MASQUERADED through this
235	  machine, then you may want to enable this feature.  This allows the
236	  connection tracking and natting code to allow the sub-channels that
237	  Amanda requires for communication of the backup data, messages and
238	  index.
239
240	  To compile it as a module, choose M here.  If unsure, say N.
241
242config NF_CONNTRACK_FTP
243	tristate "FTP protocol support"
244	default m if NETFILTER_ADVANCED=n
245	help
246	  Tracking FTP connections is problematic: special helpers are
247	  required for tracking them, and doing masquerading and other forms
248	  of Network Address Translation on them.
249
250	  This is FTP support on Layer 3 independent connection tracking.
251
252	  To compile it as a module, choose M here.  If unsure, say N.
253
254config NF_CONNTRACK_H323
255	tristate "H.323 protocol support"
256	depends on IPV6 || IPV6=n
257	depends on NETFILTER_ADVANCED
258	help
259	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
260	  important VoIP protocols, it is widely used by voice hardware and
261	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
262	  Gnomemeeting, etc.
263
264	  With this module you can support H.323 on a connection tracking/NAT
265	  firewall.
266
267	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
268	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
269	  whiteboard, file transfer, etc. For more information, please
270	  visit http://nath323.sourceforge.net/.
271
272	  To compile it as a module, choose M here.  If unsure, say N.
273
274config NF_CONNTRACK_IRC
275	tristate "IRC protocol support"
276	default m if NETFILTER_ADVANCED=n
277	help
278	  There is a commonly-used extension to IRC called
279	  Direct Client-to-Client Protocol (DCC).  This enables users to send
280	  files to each other, and also chat to each other without the need
281	  of a server.  DCC Sending is used anywhere you send files over IRC,
282	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
283	  using NAT, this extension will enable you to send files and initiate
284	  chats.  Note that you do NOT need this extension to get files or
285	  have others initiate chats, or everything else in IRC.
286
287	  To compile it as a module, choose M here.  If unsure, say N.
288
289config NF_CONNTRACK_BROADCAST
290	tristate
291
292config NF_CONNTRACK_NETBIOS_NS
293	tristate "NetBIOS name service protocol support"
294	select NF_CONNTRACK_BROADCAST
295	help
296	  NetBIOS name service requests are sent as broadcast messages from an
297	  unprivileged port and responded to with unicast messages to the
298	  same port. This makes them hard to firewall properly because connection
299	  tracking doesn't deal with broadcasts. This helper tracks locally
300	  originating NetBIOS name service requests and the corresponding
301	  responses. It relies on correct IP address configuration, specifically
302	  netmask and broadcast address. When properly configured, the output
303	  of "ip address show" should look similar to this:
304
305	  $ ip -4 address show eth0
306	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
307	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
308
309	  To compile it as a module, choose M here.  If unsure, say N.
310
311config NF_CONNTRACK_SNMP
312	tristate "SNMP service protocol support"
313	depends on NETFILTER_ADVANCED
314	select NF_CONNTRACK_BROADCAST
315	help
316	  SNMP service requests are sent as broadcast messages from an
317	  unprivileged port and responded to with unicast messages to the
318	  same port. This makes them hard to firewall properly because connection
319	  tracking doesn't deal with broadcasts. This helper tracks locally
320	  originating SNMP service requests and the corresponding
321	  responses. It relies on correct IP address configuration, specifically
322	  netmask and broadcast address.
323
324	  To compile it as a module, choose M here.  If unsure, say N.
325
326config NF_CONNTRACK_PPTP
327	tristate "PPtP protocol support"
328	depends on NETFILTER_ADVANCED
329	select NF_CT_PROTO_GRE
330	help
331	  This module adds support for PPTP (Point to Point Tunnelling
332	  Protocol, RFC2637) connection tracking and NAT.
333
334	  If you are running PPTP sessions over a stateful firewall or NAT
335	  box, you may want to enable this feature.
336
337	  Please note that not all PPTP modes of operation are supported yet.
338	  Specifically these limitations exist:
339	    - Blindly assumes that control connections are always established
340	      in PNS->PAC direction. This is a violation of RFC2637.
341	    - Only supports a single call within each session
342
343	  To compile it as a module, choose M here.  If unsure, say N.
344
345config NF_CONNTRACK_SANE
346	tristate "SANE protocol support"
347	depends on NETFILTER_ADVANCED
348	help
349	  SANE is a protocol for remote access to scanners as implemented
350	  by the 'saned' daemon. Like FTP, it uses separate control and
351	  data connections.
352
353	  With this module you can support SANE on a connection tracking
354	  firewall.
355
356	  To compile it as a module, choose M here.  If unsure, say N.
357
358config NF_CONNTRACK_SIP
359	tristate "SIP protocol support"
360	default m if NETFILTER_ADVANCED=n
361	help
362	  SIP is an application-layer control protocol that can establish,
363	  modify, and terminate multimedia sessions (conferences) such as
364	  Internet telephony calls. With the nf_conntrack_sip and
365	  the nf_nat_sip modules you can support the protocol on a connection
366	  tracking/NATing firewall.
367
368	  To compile it as a module, choose M here.  If unsure, say N.
369
370config NF_CONNTRACK_TFTP
371	tristate "TFTP protocol support"
372	depends on NETFILTER_ADVANCED
373	help
374	  This is the TFTP connection tracking helper; whether it is required
375	  depends on how restrictive your ruleset is.
376	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
377	  you will need this.
378
379	  To compile it as a module, choose M here.  If unsure, say N.
380
381config NF_CT_NETLINK
382	tristate 'Connection tracking netlink interface'
383	select NETFILTER_NETLINK
384	default m if NETFILTER_ADVANCED=n
385	help
386	  This option enables support for a netlink-based userspace interface.
387
388config NF_CT_NETLINK_TIMEOUT
389	tristate  'Connection tracking timeout tuning via Netlink'
390	select NETFILTER_NETLINK
391	depends on NETFILTER_ADVANCED
392	depends on NF_CONNTRACK_TIMEOUT
393	help
394	  This option enables support for connection tracking timeout
395	  fine-grain tuning. This allows you to attach specific timeout
396	  policies to flows, instead of using the global timeout policy.
397
398	  If unsure, say `N'.
399
400config NF_CT_NETLINK_HELPER
401	tristate 'Connection tracking helpers in user-space via Netlink'
402	select NETFILTER_NETLINK
403	depends on NF_CT_NETLINK
404	depends on NETFILTER_NETLINK_QUEUE
405	depends on NETFILTER_NETLINK_GLUE_CT
406	depends on NETFILTER_ADVANCED
407	help
408	  This option enables the user-space connection tracking helpers
409	  infrastructure.
410
411	  If unsure, say `N'.
412
413config NETFILTER_NETLINK_GLUE_CT
414	bool "NFQUEUE and NFLOG integration with Connection Tracking"
415	default n
416	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
417	help
418	  If this option is enabled, NFQUEUE and NFLOG can include
419	  Connection Tracking information together with the packet that
420	  is enqueued via NFNETLINK.
421
422config NF_NAT
423	tristate "Network Address Translation support"
424	depends on NF_CONNTRACK
425	default m if NETFILTER_ADVANCED=n
426	help
427	  The NAT option allows masquerading, port forwarding and other
428	  forms of full Network Address Port Translation. This can be
429	  controlled by iptables, ip6tables or nft.
430
431config NF_NAT_AMANDA
432	tristate
433	depends on NF_CONNTRACK && NF_NAT
434	default NF_NAT && NF_CONNTRACK_AMANDA
435
436config NF_NAT_FTP
437	tristate
438	depends on NF_CONNTRACK && NF_NAT
439	default NF_NAT && NF_CONNTRACK_FTP
440
441config NF_NAT_IRC
442	tristate
443	depends on NF_CONNTRACK && NF_NAT
444	default NF_NAT && NF_CONNTRACK_IRC
445
446config NF_NAT_SIP
447	tristate
448	depends on NF_CONNTRACK && NF_NAT
449	default NF_NAT && NF_CONNTRACK_SIP
450
451config NF_NAT_TFTP
452	tristate
453	depends on NF_CONNTRACK && NF_NAT
454	default NF_NAT && NF_CONNTRACK_TFTP
455
456config NF_NAT_REDIRECT
457	bool
458
459config NF_NAT_MASQUERADE
460	bool
461
462config NETFILTER_SYNPROXY
463	tristate
464
465endif # NF_CONNTRACK
466
467config NF_TABLES
468	select NETFILTER_NETLINK
469	select LIBCRC32C
470	tristate "Netfilter nf_tables support"
471	help
472	  nftables is the new packet classification framework that intends to
473	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
474	  provides a pseudo-state machine with an extensible instruction-set
475	  (also known as expressions) that the userspace 'nft' utility
476	  (https://www.netfilter.org/projects/nftables) uses to build the
477	  rule-set. It also comes with the generic set infrastructure that
478	  allows you to construct mappings between matchings and actions
479	  for performance lookups.
480
481	  To compile it as a module, choose M here.
482
483if NF_TABLES
484config NF_TABLES_INET
485	depends on IPV6
486	select NF_TABLES_IPV4
487	select NF_TABLES_IPV6
488	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
489	help
490	  This option enables support for a mixed IPv4/IPv6 "inet" table.
491
492config NF_TABLES_NETDEV
493	bool "Netfilter nf_tables netdev tables support"
494	help
495	  This option enables support for the "netdev" table.
496
497config NFT_NUMGEN
498	tristate "Netfilter nf_tables number generator module"
499	help
500	  This option adds the number generator expression used to perform
501	  incremental counting and random numbers bound to an upper limit.
502
503config NFT_CT
504	depends on NF_CONNTRACK
505	tristate "Netfilter nf_tables conntrack module"
506	help
507	  This option adds the "ct" expression that you can use to match
508	  connection tracking information such as the flow state.
509
510config NFT_FLOW_OFFLOAD
511	depends on NF_CONNTRACK && NF_FLOW_TABLE
512	tristate "Netfilter nf_tables hardware flow offload module"
513	help
514	  This option adds the "flow_offload" expression that you can use to
515	  choose what flows are placed into the hardware.
516
517config NFT_CONNLIMIT
518	tristate "Netfilter nf_tables connlimit module"
519	depends on NF_CONNTRACK
520	depends on NETFILTER_ADVANCED
521	select NETFILTER_CONNCOUNT
522	help
523	  This option adds the "connlimit" expression that you can use to
524	  ratelimit rule matchings per connection.
525
526config NFT_LOG
527	tristate "Netfilter nf_tables log module"
528	help
529	  This option adds the "log" expression that you can use to log
530	  packets matching some criteria.
531
532config NFT_LIMIT
533	tristate "Netfilter nf_tables limit module"
534	help
535	  This option adds the "limit" expression that you can use to
536	  ratelimit rule matchings.
537
538config NFT_MASQ
539	depends on NF_CONNTRACK
540	depends on NF_NAT
541	select NF_NAT_MASQUERADE
542	tristate "Netfilter nf_tables masquerade support"
543	help
544	  This option adds the "masquerade" expression that you can use
545	  to perform NAT in the masquerade flavour.
546
547config NFT_REDIR
548	depends on NF_CONNTRACK
549	depends on NF_NAT
550	tristate "Netfilter nf_tables redirect support"
551	select NF_NAT_REDIRECT
552	help
553	  This option adds the "redirect" expression that you can use
554	  to perform NAT in the redirect flavour.
555
556config NFT_NAT
557	depends on NF_CONNTRACK
558	select NF_NAT
559	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
560	tristate "Netfilter nf_tables nat module"
561	help
562	  This option adds the "nat" expression that you can use to perform
563	  typical Network Address Translation (NAT) packet transformations.
564
565config NFT_TUNNEL
566	tristate "Netfilter nf_tables tunnel module"
567	help
568	  This option adds the "tunnel" expression that you can use to set
569	  tunneling policies.
570
571config NFT_OBJREF
572	tristate "Netfilter nf_tables stateful object reference module"
573	help
574	  This option adds the "objref" expression that allows you to refer to
575	  stateful objects, such as counters and quotas.
576
577config NFT_QUEUE
578	depends on NETFILTER_NETLINK_QUEUE
579	tristate "Netfilter nf_tables queue module"
580	help
581	  This is required if you intend to use the userspace queueing
582	  infrastructure (also known as NFQUEUE) from nftables.
583
584config NFT_QUOTA
585	tristate "Netfilter nf_tables quota module"
586	help
587	  This option adds the "quota" expression that you can use to
588	  enforce byte quotas.
589
590config NFT_REJECT
591	default m if NETFILTER_ADVANCED=n
592	tristate "Netfilter nf_tables reject support"
593	depends on !NF_TABLES_INET || (IPV6!=m || m)
594	help
595	  This option adds the "reject" expression that you can use to
596	  explicitly deny disallowed traffic and notify the sender via
597	  TCP reset/ICMP informational errors.
598
599config NFT_REJECT_INET
600	depends on NF_TABLES_INET
601	default NFT_REJECT
602	tristate
603
604config NFT_COMPAT
605	depends on NETFILTER_XTABLES
606	tristate "Netfilter x_tables over nf_tables module"
607	help
608	  This is required if you intend to use any of the existing
609	  x_tables match/target extensions over the nf_tables
610	  framework.
611
612config NFT_HASH
613	tristate "Netfilter nf_tables hash module"
614	help
615	  This option adds the "hash" expression that you can use to perform
616	  a hash operation on registers.
617
618config NFT_FIB
619	tristate
620
621config NFT_FIB_INET
622	depends on NF_TABLES_INET
623	depends on NFT_FIB_IPV4
624	depends on NFT_FIB_IPV6
625	tristate "Netfilter nf_tables fib inet support"
626	help
627	  This option allows using the FIB expression from the inet table.
628	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
629	  on the protocol of the packet.
630
631config NFT_XFRM
632	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
633	depends on XFRM
634	help
635	  This option adds an expression that you can use to extract properties
636	  of a packet's security association.
637
638config NFT_SOCKET
639	tristate "Netfilter nf_tables socket match support"
640	depends on IPV6 || IPV6=n
641	select NF_SOCKET_IPV4
642	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
643	help
644	  This option allows matching for the presence or absence of a
645	  corresponding socket and its attributes.
646
647config NFT_OSF
648	tristate "Netfilter nf_tables passive OS fingerprint support"
649	depends on NETFILTER_ADVANCED
650	select NETFILTER_NETLINK_OSF
651	help
652	  This option allows matching packets from a specific OS.
653
654config NFT_TPROXY
655	tristate "Netfilter nf_tables tproxy support"
656	depends on IPV6 || IPV6=n
657	select NF_DEFRAG_IPV4
658	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
659	select NF_TPROXY_IPV4
660	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
661	help
662	  This makes transparent proxy support available in nftables.
663
664config NFT_SYNPROXY
665	tristate "Netfilter nf_tables SYNPROXY expression support"
666	depends on NF_CONNTRACK && NETFILTER_ADVANCED
667	select NETFILTER_SYNPROXY
668	select SYN_COOKIES
669	help
670	  The SYNPROXY expression allows you to intercept TCP connections and
671	  establish them using syncookies before they are passed on to the
672	  server. This avoids conntrack and server resource usage
673	  during SYN-flood attacks.
674
675if NF_TABLES_NETDEV
676
677config NF_DUP_NETDEV
678	tristate "Netfilter packet duplication support"
679	help
680	  This option enables the generic packet duplication infrastructure
681	  for Netfilter.
682
683config NFT_DUP_NETDEV
684	tristate "Netfilter nf_tables netdev packet duplication support"
685	select NF_DUP_NETDEV
686	help
687	  This option enables packet duplication for the "netdev" family.
688
689config NFT_FWD_NETDEV
690	tristate "Netfilter nf_tables netdev packet forwarding support"
691	select NF_DUP_NETDEV
692	help
693	  This option enables packet forwarding for the "netdev" family.
694
695config NFT_FIB_NETDEV
696	depends on NFT_FIB_IPV4
697	depends on NFT_FIB_IPV6
698	tristate "Netfilter nf_tables netdev fib lookups support"
699	help
700	  This option allows using the FIB expression from the netdev table.
701	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
702	  on the protocol of the packet.
703
704config NFT_REJECT_NETDEV
705	depends on NFT_REJECT_IPV4
706	depends on NFT_REJECT_IPV6
707	tristate "Netfilter nf_tables netdev REJECT support"
708	help
709	  This option enables the REJECT support from the netdev table.
710	  The return packet generation will be delegated to the IPv4
711	  or IPv6 ICMP or TCP RST implementation depending on the
712	  protocol of the packet.
713
714endif # NF_TABLES_NETDEV
715
716endif # NF_TABLES
717
718config NF_FLOW_TABLE_INET
719	tristate "Netfilter flow table mixed IPv4/IPv6 module"
720	depends on NF_FLOW_TABLE
721	help
722	  This option adds the flow table mixed IPv4/IPv6 support.
723
724	  To compile it as a module, choose M here.
725
726config NF_FLOW_TABLE
727	tristate "Netfilter flow table module"
728	depends on NETFILTER_INGRESS
729	depends on NF_CONNTRACK
730	depends on NF_TABLES
731	help
732	  This option adds the flow table core infrastructure.
733
734	  To compile it as a module, choose M here.
735
736config NETFILTER_XTABLES
737	tristate "Netfilter Xtables support (required for ip_tables)"
738	default m if NETFILTER_ADVANCED=n
739	help
740	  This is required if you intend to use any of ip_tables,
741	  ip6_tables or arp_tables.
742
743if NETFILTER_XTABLES
744
745config NETFILTER_XTABLES_COMPAT
746	bool "Netfilter Xtables 32bit support"
747	depends on COMPAT
748	default y
749	help
750	   This option provides a translation layer to run 32-bit arp, ip(6) and ebtables
751	   binaries on 64-bit kernels.
752
753	   If unsure, say N.
754
755comment "Xtables combined modules"
756
757config NETFILTER_XT_MARK
758	tristate 'nfmark target and match support'
759	default m if NETFILTER_ADVANCED=n
760	help
761	This option adds the "MARK" target and "mark" match.
762
763	Netfilter mark matching allows you to match packets based on the
764	"nfmark" value in the packet.
765	The target allows you to create rules in the "mangle" table which alter
766	the netfilter mark (nfmark) field associated with the packet.
767
768	Prior to routing, the nfmark can influence the routing method and can
769	also be used by other subsystems to change their behavior.
770
771config NETFILTER_XT_CONNMARK
772	tristate 'ctmark target and match support'
773	depends on NF_CONNTRACK
774	depends on NETFILTER_ADVANCED
775	select NF_CONNTRACK_MARK
776	help
777	This option adds the "CONNMARK" target and "connmark" match.
778
779	Netfilter allows you to store a mark value per connection (a.k.a.
780	ctmark), similarly to the packet mark (nfmark). Using this
781	target and match, you can set and match on this mark.
782
783config NETFILTER_XT_SET
784	tristate 'set target and match support'
785	depends on IP_SET
786	depends on NETFILTER_ADVANCED
787	help
788	  This option adds the "SET" target and "set" match.
789
790	  Using this target and match, you can add/delete and match
791	  elements in the sets created by ipset(8).
792
793	  To compile it as a module, choose M here.  If unsure, say N.
794
795# alphabetically ordered list of targets
796
797comment "Xtables targets"
798
799config NETFILTER_XT_TARGET_AUDIT
800	tristate "AUDIT target support"
801	depends on AUDIT
802	depends on NETFILTER_ADVANCED
803	help
804	  This option adds a 'AUDIT' target, which can be used to create
805	  audit records for packets dropped/accepted.
806
807	  To compile it as a module, choose M here. If unsure, say N.
808
809config NETFILTER_XT_TARGET_CHECKSUM
810	tristate "CHECKSUM target support"
811	depends on IP_NF_MANGLE || IP6_NF_MANGLE
812	depends on NETFILTER_ADVANCED
813	help
814	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
815	  table to work around buggy DHCP clients in virtualized environments.
816
817	  Some old DHCP clients drop packets because they are not aware
818	  that the checksum would normally be offloaded to hardware and
819	  thus should be considered valid.
820	  This target can be used to fill in the checksum using iptables
821	  when such packets are sent via a virtual network device.
822
823	  To compile it as a module, choose M here.  If unsure, say N.
824
825config NETFILTER_XT_TARGET_CLASSIFY
826	tristate '"CLASSIFY" target support'
827	depends on NETFILTER_ADVANCED
828	help
829	  This option adds a `CLASSIFY' target, which enables the user to set
830	  the priority of a packet. Some qdiscs can use this value for
831	  classification, among these are:
832
833	  atm, cbq, dsmark, pfifo_fast, htb, prio
834
835	  To compile it as a module, choose M here.  If unsure, say N.
836
837config NETFILTER_XT_TARGET_CONNMARK
838	tristate  '"CONNMARK" target support'
839	depends on NF_CONNTRACK
840	depends on NETFILTER_ADVANCED
841	select NETFILTER_XT_CONNMARK
842	help
843	This is a backwards-compat option for the user's convenience
844	(e.g. when running oldconfig). It selects
845	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
846
847config NETFILTER_XT_TARGET_CONNSECMARK
848	tristate '"CONNSECMARK" target support'
849	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
850	default m if NETFILTER_ADVANCED=n
851	help
852	  The CONNSECMARK target copies security markings from packets
853	  to connections, and restores security markings from connections
854	  to packets (if the packets are not already marked).  This would
855	  normally be used in conjunction with the SECMARK target.
856
857	  To compile it as a module, choose M here.  If unsure, say N.
858
859config NETFILTER_XT_TARGET_CT
860	tristate '"CT" target support'
861	depends on NF_CONNTRACK
862	depends on IP_NF_RAW || IP6_NF_RAW
863	depends on NETFILTER_ADVANCED
864	help
865	  This option adds a `CT' target, which allows you to specify initial
866	  connection tracking parameters like events to be delivered and
867	  the helper to be used.
868
869	  To compile it as a module, choose M here.  If unsure, say N.
870
871config NETFILTER_XT_TARGET_DSCP
872	tristate '"DSCP" and "TOS" target support'
873	depends on IP_NF_MANGLE || IP6_NF_MANGLE
874	depends on NETFILTER_ADVANCED
875	help
876	  This option adds a `DSCP' target, which allows you to manipulate
877	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
878
879	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
880
881	  It also adds the "TOS" target, which allows you to create rules in
882	  the "mangle" table which alter the Type Of Service field of an IPv4
883	  or the Priority field of an IPv6 packet, prior to routing.
884
885	  To compile it as a module, choose M here.  If unsure, say N.
886
887config NETFILTER_XT_TARGET_HL
888	tristate '"HL" hoplimit target support'
889	depends on IP_NF_MANGLE || IP6_NF_MANGLE
890	depends on NETFILTER_ADVANCED
891	help
892	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
893	targets, which enable the user to change the
894	hoplimit/time-to-live value of the IP header.
895
896	While it is safe to decrement the hoplimit/TTL value, the
897	  modules also allow you to increment and set the hoplimit value of
898	the header to arbitrary values. This is EXTREMELY DANGEROUS
899	since you can easily create immortal packets that loop
900	forever on the network.
901
902config NETFILTER_XT_TARGET_HMARK
903	tristate '"HMARK" target support'
904	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
905	depends on NETFILTER_ADVANCED
906	help
907	This option adds the "HMARK" target.
908
909	The target allows you to create rules in the "raw" and "mangle" tables
910	which set the skbuff mark by means of hash calculation within a given
911	range. The nfmark can influence the routing method and can also be used
912	by other subsystems to change their behaviour.
913
914	To compile it as a module, choose M here. If unsure, say N.
915
916config NETFILTER_XT_TARGET_IDLETIMER
917	tristate  "IDLETIMER target support"
918	depends on NETFILTER_ADVANCED
919	help
920
921	  This option adds the `IDLETIMER' target.  Each matching packet
922	  resets the timer associated with the label specified when the rule is
923	  added.  When the timer expires, it triggers a sysfs notification.
924	  The remaining time for expiration can be read via sysfs.
925
926	  To compile it as a module, choose M here.  If unsure, say N.
927
928config NETFILTER_XT_TARGET_LED
929	tristate '"LED" target support'
930	depends on LEDS_CLASS && LEDS_TRIGGERS
931	depends on NETFILTER_ADVANCED
932	help
933	  This option adds a `LED' target, which allows you to blink LEDs in
934	  response to particular packets passing through your machine.
935
936	  This can be used to turn a spare LED into a network activity LED,
937	  which only flashes in response to FTP transfers, for example.  Or
938	  you could have an LED which lights up for a minute or two every time
939	  somebody connects to your machine via SSH.
940
941	  You will need support for the "led" class to make this work.
942
943	  To create an LED trigger for incoming SSH traffic:
944	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
945
946	  Then attach the new trigger to an LED on your system:
947	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
948
949	  For more information on the LEDs available on your system, see
950	  Documentation/leds/leds-class.rst
951
952config NETFILTER_XT_TARGET_LOG
953	tristate "LOG target support"
954	select NF_LOG_SYSLOG
955	select NF_LOG_IPV6 if IP6_NF_IPTABLES
956	default m if NETFILTER_ADVANCED=n
957	help
958	  This option adds a `LOG' target, which allows you to create rules in
959	  any iptables table which records the packet header to the syslog.
960
961	  To compile it as a module, choose M here.  If unsure, say N.
962
963config NETFILTER_XT_TARGET_MARK
964	tristate '"MARK" target support'
965	depends on NETFILTER_ADVANCED
966	select NETFILTER_XT_MARK
967	help
968	This is a backwards-compat option for the user's convenience
969	(e.g. when running oldconfig). It selects
970	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
971
972config NETFILTER_XT_NAT
973	tristate '"SNAT and DNAT" targets support'
974	depends on NF_NAT
975	help
976	This option enables the SNAT and DNAT targets.
977
978	To compile it as a module, choose M here. If unsure, say N.
979
980config NETFILTER_XT_TARGET_NETMAP
981	tristate '"NETMAP" target support'
982	depends on NF_NAT
983	help
984	NETMAP is an implementation of static 1:1 NAT mapping of network
985	addresses. It maps the network address part, while keeping the host
986	address part intact.
987
988	To compile it as a module, choose M here. If unsure, say N.
989
990config NETFILTER_XT_TARGET_NFLOG
991	tristate '"NFLOG" target support'
992	default m if NETFILTER_ADVANCED=n
993	select NETFILTER_NETLINK_LOG
994	help
995	  This option enables the NFLOG target, which allows you to log
996	  messages through nfnetlink_log.
997
998	  To compile it as a module, choose M here.  If unsure, say N.
999
1000config NETFILTER_XT_TARGET_NFQUEUE
1001	tristate '"NFQUEUE" target Support'
1002	depends on NETFILTER_ADVANCED
1003	select NETFILTER_NETLINK_QUEUE
1004	help
1005	  This target replaced the old obsolete QUEUE target.
1006
1007	  As opposed to QUEUE, it supports 65535 different queues,
1008	  not just one.
1009
1010	  To compile it as a module, choose M here.  If unsure, say N.
1011
1012config NETFILTER_XT_TARGET_NOTRACK
1013	tristate  '"NOTRACK" target support (DEPRECATED)'
1014	depends on NF_CONNTRACK
1015	depends on IP_NF_RAW || IP6_NF_RAW
1016	depends on NETFILTER_ADVANCED
1017	select NETFILTER_XT_TARGET_CT
1018
1019config NETFILTER_XT_TARGET_RATEEST
1020	tristate '"RATEEST" target support'
1021	depends on NETFILTER_ADVANCED
1022	help
1023	  This option adds a `RATEEST' target, which allows you to measure
1024	  rates similar to TC estimators. The `rateest' match can be
1025	  used to match on the measured rates.
1026
1027	  To compile it as a module, choose M here.  If unsure, say N.
1028
1029config NETFILTER_XT_TARGET_REDIRECT
1030	tristate "REDIRECT target support"
1031	depends on NF_NAT
1032	select NF_NAT_REDIRECT
1033	help
1034	REDIRECT is a special case of NAT: all incoming connections are
1035	mapped onto the incoming interface's address, causing the packets to
1036	come to the local machine instead of passing through. This is
1037	useful for transparent proxies.
1038
1039	To compile it as a module, choose M here. If unsure, say N.
1040
1041config NETFILTER_XT_TARGET_MASQUERADE
1042	tristate "MASQUERADE target support"
1043	depends on NF_NAT
1044	default m if NETFILTER_ADVANCED=n
1045	select NF_NAT_MASQUERADE
1046	help
1047	  Masquerading is a special case of NAT: all outgoing connections are
1048	  changed to seem to come from a particular interface's address, and
1049	  if the interface goes down, those connections are lost.  This is
1050	  only useful for dialup accounts with a dynamic IP address (i.e. your IP
1051	  address will be different on the next dialup).
1052
1053	  To compile it as a module, choose M here.  If unsure, say N.
1054
1055config NETFILTER_XT_TARGET_TEE
1056	tristate '"TEE" - packet cloning to alternate destination'
1057	depends on NETFILTER_ADVANCED
1058	depends on IPV6 || IPV6=n
1059	depends on !NF_CONNTRACK || NF_CONNTRACK
1060	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
1061	select NF_DUP_IPV4
1062	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1063	help
1064	This option adds a "TEE" target with which a packet can be cloned and
1065	this clone be rerouted to another nexthop.
1066
1067config NETFILTER_XT_TARGET_TPROXY
1068	tristate '"TPROXY" target transparent proxying support'
1069	depends on NETFILTER_XTABLES
1070	depends on NETFILTER_ADVANCED
1071	depends on IPV6 || IPV6=n
1072	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1073	depends on IP_NF_MANGLE
1074	select NF_DEFRAG_IPV4
1075	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1076	select NF_TPROXY_IPV4
1077	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
1078	help
1079	  This option adds a `TPROXY' target, which is somewhat similar to
1080	  REDIRECT.  It can only be used in the mangle table and is useful
1081	  to redirect traffic to a transparent proxy.  It does _not_ depend
1082	  on Netfilter connection tracking and NAT, unlike REDIRECT.
1083	  For it to work you will have to configure certain iptables rules
1084	  and use policy routing. For more information on how to set it up
1085	  see Documentation/networking/tproxy.rst.
1086
1087	  To compile it as a module, choose M here.  If unsure, say N.
1088
1089config NETFILTER_XT_TARGET_TRACE
1090	tristate  '"TRACE" target support'
1091	depends on IP_NF_RAW || IP6_NF_RAW
1092	depends on NETFILTER_ADVANCED
1093	help
1094	  The TRACE target allows you to mark packets so that the kernel
1095	  will log every rule that matches the packets as they traverse
1096	  the tables, chains and rules.
1097
1098	  If you want to compile it as a module, say M here and read
1099	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1100
1101config NETFILTER_XT_TARGET_SECMARK
1102	tristate '"SECMARK" target support'
1103	depends on NETWORK_SECMARK
1104	default m if NETFILTER_ADVANCED=n
1105	help
1106	  The SECMARK target allows security marking of network
1107	  packets, for use with security subsystems.
1108
1109	  To compile it as a module, choose M here.  If unsure, say N.
1110
1111config NETFILTER_XT_TARGET_TCPMSS
1112	tristate '"TCPMSS" target support'
1113	depends on IPV6 || IPV6=n
1114	default m if NETFILTER_ADVANCED=n
1115	help
1116	  This option adds a `TCPMSS' target, which allows you to alter the
1117	  MSS value of TCP SYN packets, to control the maximum size for that
1118	  connection (usually limiting it to your outgoing interface's MTU
1119	  minus 40).
1120
1121	  This is used to overcome criminally braindead ISPs or servers which
1122	  block ICMP Fragmentation Needed packets.  The symptoms of this
1123	  problem are that everything works fine from your Linux
1124	  firewall/router, but machines behind it can never exchange large
1125	  packets:
1126	        1) Web browsers connect, then hang with no data received.
1127	        2) Small mail works fine, but large emails hang.
1128	        3) ssh works fine, but scp hangs after initial handshaking.
1129
1130	  Workaround: activate this option and add a rule to your firewall
1131	  configuration like:
1132
1133	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
1134	                 -j TCPMSS --clamp-mss-to-pmtu
1135
1136	  To compile it as a module, choose M here.  If unsure, say N.
1137
1138config NETFILTER_XT_TARGET_TCPOPTSTRIP
1139	tristate '"TCPOPTSTRIP" target support'
1140	depends on IP_NF_MANGLE || IP6_NF_MANGLE
1141	depends on NETFILTER_ADVANCED
1142	help
1143	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
1144	  TCP options from TCP packets.
1145
1146# alphabetically ordered list of matches
1147
1148comment "Xtables matches"
1149
1150config NETFILTER_XT_MATCH_ADDRTYPE
1151	tristate '"addrtype" address type match support'
1152	default m if NETFILTER_ADVANCED=n
1153	help
1154	  This option allows you to match what routing thinks of an address,
1155	  eg. UNICAST, LOCAL, BROADCAST, ...
1156
1157	  If you want to compile it as a module, say M here and read
1158	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1159
1160config NETFILTER_XT_MATCH_BPF
1161	tristate '"bpf" match support'
1162	depends on NETFILTER_ADVANCED
1163	help
1164	  BPF matching applies a linux socket filter to each packet and
1165	  accepts those for which the filter returns non-zero.
1166
1167	  To compile it as a module, choose M here.  If unsure, say N.
1168
1169config NETFILTER_XT_MATCH_CGROUP
1170	tristate '"control group" match support'
1171	depends on NETFILTER_ADVANCED
1172	depends on CGROUPS
1173	select CGROUP_NET_CLASSID
1174	help
1175	Socket/process control group matching allows you to match locally
1176	generated packets based on which net_cls control group processes
1177	belong to.
1178
1179config NETFILTER_XT_MATCH_CLUSTER
1180	tristate '"cluster" match support'
1181	depends on NF_CONNTRACK
1182	depends on NETFILTER_ADVANCED
1183	help
1184	  This option allows you to build work-load-sharing clusters of
1185	  network servers/stateful firewalls without having a dedicated
1186	  load-balancing router/server/switch. Basically, this match returns
1187	  true when the packet must be handled by this cluster node. Thus,
1188	  all nodes see all packets and this match decides which node handles
1189	  what packets. The work-load sharing algorithm is based on source
1190	  address hashing.
1191
1192	  If you say Y or M here, try `iptables -m cluster --help` for
1193	  more information.
1194
1195config NETFILTER_XT_MATCH_COMMENT
1196	tristate  '"comment" match support'
1197	depends on NETFILTER_ADVANCED
1198	help
1199	  This option adds a `comment' dummy-match, which allows you to put
1200	  comments in your iptables ruleset.
1201
1202	  If you want to compile it as a module, say M here and read
1203	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1204
1205config NETFILTER_XT_MATCH_CONNBYTES
1206	tristate  '"connbytes" per-connection counter match support'
1207	depends on NF_CONNTRACK
1208	depends on NETFILTER_ADVANCED
1209	help
1210	  This option adds a `connbytes' match, which allows you to match the
1211	  number of bytes and/or packets for each direction within a connection.
1212
1213	  If you want to compile it as a module, say M here and read
1214	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1215
1216config NETFILTER_XT_MATCH_CONNLABEL
1217	tristate '"connlabel" match support'
1218	select NF_CONNTRACK_LABELS
1219	depends on NF_CONNTRACK
1220	depends on NETFILTER_ADVANCED
1221	help
1222	  This match allows you to test and assign userspace-defined label names
1223	  to a connection.  The kernel only stores bit values - mapping
1224	  names to bits is done by userspace.
1225
1226	  Unlike connmark, more than 32 flag bits may be assigned to a
1227	  connection simultaneously.
1228
1229config NETFILTER_XT_MATCH_CONNLIMIT
1230	tristate '"connlimit" match support'
1231	depends on NF_CONNTRACK
1232	depends on NETFILTER_ADVANCED
1233	select NETFILTER_CONNCOUNT
1234	help
1235	  This match allows you to match against the number of parallel
1236	  connections to a server per client IP address (or address block).
1237
1238config NETFILTER_XT_MATCH_CONNMARK
1239	tristate  '"connmark" connection mark match support'
1240	depends on NF_CONNTRACK
1241	depends on NETFILTER_ADVANCED
1242	select NETFILTER_XT_CONNMARK
1243	help
1244	This is a backwards-compat option for the user's convenience
1245	(e.g. when running oldconfig). It selects
1246	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
1247
1248config NETFILTER_XT_MATCH_CONNTRACK
1249	tristate '"conntrack" connection tracking match support'
1250	depends on NF_CONNTRACK
1251	default m if NETFILTER_ADVANCED=n
1252	help
1253	  This is a general conntrack match module, a superset of the state match.
1254
1255	  It allows matching on additional conntrack information, which is
1256	  useful in complex configurations, such as NAT gateways with multiple
1257	  internet links or tunnels.
1258
1259	  To compile it as a module, choose M here.  If unsure, say N.
1260
1261config NETFILTER_XT_MATCH_CPU
1262	tristate '"cpu" match support'
1263	depends on NETFILTER_ADVANCED
1264	help
1265	  CPU matching allows you to match packets based on the CPU
1266	  currently handling the packet.
1267
1268	  To compile it as a module, choose M here.  If unsure, say N.
1269
1270config NETFILTER_XT_MATCH_DCCP
1271	tristate '"dccp" protocol match support'
1272	depends on NETFILTER_ADVANCED
1273	default IP_DCCP
1274	help
1275	  With this option enabled, you will be able to use the iptables
1276	  `dccp' match in order to match on DCCP source/destination ports
1277	  and DCCP flags.
1278
1279	  If you want to compile it as a module, say M here and read
1280	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1281
1282config NETFILTER_XT_MATCH_DEVGROUP
1283	tristate '"devgroup" match support'
1284	depends on NETFILTER_ADVANCED
1285	help
1286	  This option adds a `devgroup' match, which allows you to match on the
1287	  device group a network device is assigned to.
1288
1289	  To compile it as a module, choose M here.  If unsure, say N.
1290
1291config NETFILTER_XT_MATCH_DSCP
1292	tristate '"dscp" and "tos" match support'
1293	depends on NETFILTER_ADVANCED
1294	help
1295	  This option adds a `DSCP' match, which allows you to match against
1296	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
1297
1298	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
1299
1300	  It will also add a "tos" match, which allows you to match packets
1301	  based on the Type Of Service fields of the IPv4 packet (which share
1302	  the same bits as DSCP).
1303
1304	  To compile it as a module, choose M here.  If unsure, say N.
1305
1306config NETFILTER_XT_MATCH_ECN
1307	tristate '"ecn" match support'
1308	depends on NETFILTER_ADVANCED
1309	help
1310	This option adds an "ECN" match, which allows you to match against
1311	the IPv4 and TCP header ECN fields.
1312
1313	To compile it as a module, choose M here. If unsure, say N.
1314
1315config NETFILTER_XT_MATCH_ESP
1316	tristate '"esp" match support'
1317	depends on NETFILTER_ADVANCED
1318	help
1319	  This match extension allows you to match a range of SPIs
1320	  inside the ESP header of IPsec packets.
1321
1322	  To compile it as a module, choose M here.  If unsure, say N.
1323
1324config NETFILTER_XT_MATCH_HASHLIMIT
1325	tristate '"hashlimit" match support'
1326	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1327	depends on NETFILTER_ADVANCED
1328	help
1329	  This option adds a `hashlimit' match.
1330
1331	  As opposed to `limit', this match dynamically creates a hash table
1332	  of limit buckets, based on your selection of source/destination
1333	  addresses and/or ports.
1334
1335	  It enables you to express policies like `10kpps for any given
1336	  destination address' or `500pps from any given source address'
1337	  with a single rule.
1338
1339config NETFILTER_XT_MATCH_HELPER
1340	tristate '"helper" match support'
1341	depends on NF_CONNTRACK
1342	depends on NETFILTER_ADVANCED
1343	help
1344	  Helper matching allows you to match packets in dynamic connections
1345	  tracked by a conntrack-helper, e.g. nf_conntrack_ftp.
1346
1347	  To compile it as a module, choose M here.  If unsure, say Y.
1348
1349config NETFILTER_XT_MATCH_HL
1350	tristate '"hl" hoplimit/TTL match support'
1351	depends on NETFILTER_ADVANCED
1352	help
1353	HL matching allows you to match packets based on the hoplimit
1354	in the IPv6 header, or the time-to-live field in the IPv4
1355	header of the packet.
1356
1357config NETFILTER_XT_MATCH_IPCOMP
1358	tristate '"ipcomp" match support'
1359	depends on NETFILTER_ADVANCED
1360	help
1361	  This match extension allows you to match a range of CPIs (16 bits)
1362	  inside the IPComp header of IPsec packets.
1363
1364	  To compile it as a module, choose M here.  If unsure, say N.
1365
1366config NETFILTER_XT_MATCH_IPRANGE
1367	tristate '"iprange" address range match support'
1368	depends on NETFILTER_ADVANCED
1369	help
1370	This option adds an "iprange" match, which allows you to match based on
1371	an IP address range. (Normal iptables only matches on single addresses
1372	with an optional mask.)
1373
1374	If unsure, say M.
1375
1376config NETFILTER_XT_MATCH_IPVS
1377	tristate '"ipvs" match support'
1378	depends on IP_VS
1379	depends on NETFILTER_ADVANCED
1380	depends on NF_CONNTRACK
1381	help
1382	  This option allows you to match against IPVS properties of a packet.
1383
1384	  If unsure, say N.
1385
1386config NETFILTER_XT_MATCH_L2TP
1387	tristate '"l2tp" match support'
1388	depends on NETFILTER_ADVANCED
1389	default L2TP
1390	help
1391	This option adds an "L2TP" match, which allows you to match against
1392	L2TP protocol header fields.
1393
1394	To compile it as a module, choose M here. If unsure, say N.
1395
1396config NETFILTER_XT_MATCH_LENGTH
1397	tristate '"length" match support'
1398	depends on NETFILTER_ADVANCED
1399	help
1400	  This option allows you to match the length of a packet against a
1401	  specific value or range of values.
1402
1403	  To compile it as a module, choose M here.  If unsure, say N.
1404
1405config NETFILTER_XT_MATCH_LIMIT
1406	tristate '"limit" match support'
1407	depends on NETFILTER_ADVANCED
1408	help
1409	  limit matching allows you to control the rate at which a rule can be
1410	  matched: mainly useful in combination with the LOG target ("LOG
1411	  target support", below) and to avoid some Denial of Service attacks.
1412
1413	  To compile it as a module, choose M here.  If unsure, say N.
1414
1415config NETFILTER_XT_MATCH_MAC
1416	tristate '"mac" address match support'
1417	depends on NETFILTER_ADVANCED
1418	help
1419	  MAC matching allows you to match packets based on the source
1420	  Ethernet address of the packet.
1421
1422	  To compile it as a module, choose M here.  If unsure, say N.
1423
1424config NETFILTER_XT_MATCH_MARK
1425	tristate '"mark" match support'
1426	depends on NETFILTER_ADVANCED
1427	select NETFILTER_XT_MARK
1428	help
1429	This is a backwards-compat option for the user's convenience
1430	(e.g. when running oldconfig). It selects
1431	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
1432
1433config NETFILTER_XT_MATCH_MULTIPORT
1434	tristate '"multiport" Multiple port match support'
1435	depends on NETFILTER_ADVANCED
1436	help
1437	  Multiport matching allows you to match TCP or UDP packets based on
1438	  a series of source or destination ports: normally a rule can only
1439	  match a single range of ports.
1440
1441	  To compile it as a module, choose M here.  If unsure, say N.
1442
1443config NETFILTER_XT_MATCH_NFACCT
1444	tristate '"nfacct" match support'
1445	depends on NETFILTER_ADVANCED
1446	select NETFILTER_NETLINK_ACCT
1447	help
1448	  This option allows you to use the extended accounting through
1449	  nfnetlink_acct.
1450
1451	  To compile it as a module, choose M here.  If unsure, say N.
1452
1453config NETFILTER_XT_MATCH_OSF
1454	tristate '"osf" Passive OS fingerprint match'
1455	depends on NETFILTER_ADVANCED
1456	select NETFILTER_NETLINK_OSF
1457	help
1458	  This option selects the Passive OS Fingerprinting match module
1459	  that allows you to passively match the remote operating system by
1460	  analyzing incoming TCP SYN packets.
1461
1462	  Rules and loading software can be downloaded from
1463	  http://www.ioremap.net/projects/osf
1464
1465	  To compile it as a module, choose M here.  If unsure, say N.
1466
1467config NETFILTER_XT_MATCH_OWNER
1468	tristate '"owner" match support'
1469	depends on NETFILTER_ADVANCED
1470	help
1471	Socket owner matching allows you to match locally-generated packets
1472	based on who created the socket: the user or group. It is also
1473	possible to check whether a socket actually exists.
1474
1475config NETFILTER_XT_MATCH_POLICY
1476	tristate 'IPsec "policy" match support'
1477	depends on XFRM
1478	default m if NETFILTER_ADVANCED=n
1479	help
1480	  Policy matching allows you to match packets based on the
1481	  IPsec policy that was used during decapsulation/will
1482	  be used during encapsulation.
1483
1484	  To compile it as a module, choose M here.  If unsure, say N.
1485
1486config NETFILTER_XT_MATCH_PHYSDEV
1487	tristate '"physdev" match support'
1488	depends on BRIDGE && BRIDGE_NETFILTER
1489	depends on NETFILTER_ADVANCED
1490	help
1491	  Physdev packet matching matches against the physical bridge ports
1492	  the IP packet arrived on or will leave by.
1493
1494	  To compile it as a module, choose M here.  If unsure, say N.
1495
1496config NETFILTER_XT_MATCH_PKTTYPE
1497	tristate '"pkttype" packet type match support'
1498	depends on NETFILTER_ADVANCED
1499	help
1500	  Packet type matching allows you to match a packet by
1501	  its "class", eg. BROADCAST, MULTICAST, ...
1502
1503	  Typical usage:
1504	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
1505
1506	  To compile it as a module, choose M here.  If unsure, say N.
1507
1508config NETFILTER_XT_MATCH_QUOTA
1509	tristate '"quota" match support'
1510	depends on NETFILTER_ADVANCED
1511	help
1512	  This option adds a `quota' match, which allows you to match on a
1513	  byte counter.
1514
1515	  If you want to compile it as a module, say M here and read
1516	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1517
1518config NETFILTER_XT_MATCH_RATEEST
1519	tristate '"rateest" match support'
1520	depends on NETFILTER_ADVANCED
1521	select NETFILTER_XT_TARGET_RATEEST
1522	help
1523	  This option adds a `rateest' match, which allows you to match on the
1524	  rate estimated by the RATEEST target.
1525
1526	  To compile it as a module, choose M here.  If unsure, say N.
1527
1528config NETFILTER_XT_MATCH_REALM
1529	tristate  '"realm" match support'
1530	depends on NETFILTER_ADVANCED
1531	select IP_ROUTE_CLASSID
1532	help
1533	  This option adds a `realm' match, which allows you to use the realm
1534	  key from the routing subsystem inside iptables.
1535
1536	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1537	  in tc world.
1538
1539	  If you want to compile it as a module, say M here and read
1540	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1541
1542config NETFILTER_XT_MATCH_RECENT
1543	tristate '"recent" match support'
1544	depends on NETFILTER_ADVANCED
1545	help
1546	This match is used for creating one or many lists of recently
1547	used addresses and then matching against that/those list(s).
1548
1549	Short options are available by using 'iptables -m recent -h'
1550	Official Website: <http://snowman.net/projects/ipt_recent/>
1551
1552config NETFILTER_XT_MATCH_SCTP
1553	tristate  '"sctp" protocol match support'
1554	depends on NETFILTER_ADVANCED
1555	default IP_SCTP
1556	help
1557	  With this option enabled, you will be able to use the
1558	  `sctp' match in order to match on SCTP source/destination ports
1559	  and SCTP chunk types.
1560
1561	  If you want to compile it as a module, say M here and read
1562	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
1563
1564config NETFILTER_XT_MATCH_SOCKET
1565	tristate '"socket" match support'
1566	depends on NETFILTER_XTABLES
1567	depends on NETFILTER_ADVANCED
1568	depends on IPV6 || IPV6=n
1569	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
1570	select NF_SOCKET_IPV4
1571	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
1572	select NF_DEFRAG_IPV4
1573	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
1574	help
1575	  This option adds a `socket' match, which can be used to match
1576	  packets for which a TCP or UDP socket lookup finds a valid socket.
1577	  It can be used in combination with the MARK target and policy
1578	  routing to implement full featured non-locally bound sockets.
1579
1580	  To compile it as a module, choose M here.  If unsure, say N.
1581
1582config NETFILTER_XT_MATCH_STATE
1583	tristate '"state" match support'
1584	depends on NF_CONNTRACK
1585	default m if NETFILTER_ADVANCED=n
1586	help
1587	  Connection state matching allows you to match packets based on their
1588	  relationship to a tracked connection (ie. previous packets).  This
1589	  is a powerful tool for packet classification.
1590
1591	  To compile it as a module, choose M here.  If unsure, say N.
1592
1593config NETFILTER_XT_MATCH_STATISTIC
1594	tristate '"statistic" match support'
1595	depends on NETFILTER_ADVANCED
1596	help
1597	  This option adds a `statistic' match, which allows you to match
1598	  on packets periodically or randomly with a given percentage.
1599
1600	  To compile it as a module, choose M here.  If unsure, say N.
1601
1602config NETFILTER_XT_MATCH_STRING
1603	tristate  '"string" match support'
1604	depends on NETFILTER_ADVANCED
1605	select TEXTSEARCH
1606	select TEXTSEARCH_KMP
1607	select TEXTSEARCH_BM
1608	select TEXTSEARCH_FSM
1609	help
1610	  This option adds a `string' match, which allows you to look for
1611	  patterns in packets.
1612
1613	  To compile it as a module, choose M here.  If unsure, say N.
1614
1615config NETFILTER_XT_MATCH_TCPMSS
1616	tristate '"tcpmss" match support'
1617	depends on NETFILTER_ADVANCED
1618	help
1619	  This option adds a `tcpmss' match, which allows you to examine the
1620	  MSS value of TCP SYN packets, which controls the maximum packet size
1621	  for that connection.
1622
1623	  To compile it as a module, choose M here.  If unsure, say N.
1624
1625config NETFILTER_XT_MATCH_TIME
1626	tristate '"time" match support'
1627	depends on NETFILTER_ADVANCED
1628	help
1629	  This option adds a "time" match, which allows you to match based on
1630	  the packet arrival time (at the machine on which netfilter is
1631	  running) or departure time/date (for locally generated packets).
1632
1633	  If you say Y here, try `iptables -m time --help` for
1634	  more information.
1635
1636	  If you want to compile it as a module, say M here.
1637	  If unsure, say N.
1638
1639config NETFILTER_XT_MATCH_U32
1640	tristate '"u32" match support'
1641	depends on NETFILTER_ADVANCED
1642	help
1643	  u32 allows you to extract quantities of up to 4 bytes from a packet,
1644	  AND them with specified masks, shift them by specified amounts and
1645	  test whether the results are in any of a set of specified ranges.
1646	  The specification of what to extract is general enough to skip over
1647	  headers with lengths stored in the packet, as in IP or TCP header
1648	  lengths.
1649
1650	  Details and examples are in the kernel module source.
1651
1652endif # NETFILTER_XTABLES
1653
1654endmenu
1655
1656source "net/netfilter/ipset/Kconfig"
1657
1658source "net/netfilter/ipvs/Kconfig"
1659