| # SPDX-License-Identifier: GPL-2.0-only | 
 | menu "Core Netfilter Configuration" | 
 | 	depends on INET && NETFILTER | 
 |  | 
 | config NETFILTER_INGRESS | 
 | 	bool "Netfilter ingress support" | 
 | 	default y | 
 | 	select NET_INGRESS | 
 | 	help | 
 | 	  This allows you to classify packets from ingress using the Netfilter | 
 | 	  infrastructure. | 
 |  | 
 | config NETFILTER_EGRESS | 
 | 	bool "Netfilter egress support" | 
 | 	default y | 
 | 	select NET_EGRESS | 
 | 	help | 
 | 	  This allows you to classify packets before transmission using the | 
 | 	  Netfilter infrastructure. | 
 |  | 
 | config NETFILTER_SKIP_EGRESS | 
 | 	def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB) | 
 |  | 
 | config NETFILTER_NETLINK | 
 | 	tristate | 
 |  | 
 | config NETFILTER_FAMILY_BRIDGE | 
 | 	bool | 
 |  | 
 | config NETFILTER_FAMILY_ARP | 
 | 	bool | 
 |  | 
 | config NETFILTER_BPF_LINK | 
 | 	def_bool BPF_SYSCALL | 
 |  | 
 | config NETFILTER_NETLINK_HOOK | 
 | 	tristate "Netfilter base hook dump support" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	depends on NF_TABLES | 
 | 	select NETFILTER_NETLINK | 
 | 	help | 
 | 	  If this option is enabled, the kernel will include support | 
 | 	  to list the base netfilter hooks via NFNETLINK. | 
 | 	  This is helpful for debugging. | 
 |  | 
 | config NETFILTER_NETLINK_ACCT | 
 | 	tristate "Netfilter NFACCT over NFNETLINK interface" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_NETLINK | 
 | 	help | 
 | 	  If this option is enabled, the kernel will include support | 
 | 	  for extended accounting via NFNETLINK. | 
 |  | 
 | config NETFILTER_NETLINK_QUEUE | 
 | 	tristate "Netfilter NFQUEUE over NFNETLINK interface" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_NETLINK | 
 | 	help | 
 | 	  If this option is enabled, the kernel will include support | 
 | 	  for queueing packets via NFNETLINK. | 
 |  | 
 | config NETFILTER_NETLINK_LOG | 
 | 	tristate "Netfilter LOG over NFNETLINK interface" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	select NETFILTER_NETLINK | 
 | 	help | 
 | 	  If this option is enabled, the kernel will include support | 
 | 	  for logging packets via NFNETLINK. | 
 |  | 
 | 	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms, | 
 | 	  and is also scheduled to replace the old syslog-based ipt_LOG | 
 | 	  and ip6t_LOG modules. | 
 |  | 
 | config NETFILTER_NETLINK_OSF | 
 | 	tristate "Netfilter OSF over NFNETLINK interface" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_NETLINK | 
 | 	help | 
 | 	  If this option is enabled, the kernel will include support | 
 | 	  for passive OS fingerprinting via NFNETLINK. | 
 |  | 
 | config NF_CONNTRACK | 
 | 	tristate "Netfilter connection tracking support" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	select NF_DEFRAG_IPV4 | 
 | 	select NF_DEFRAG_IPV6 if IPV6 != n | 
 | 	help | 
 | 	  Connection tracking keeps a record of what packets have passed | 
 | 	  through your machine, in order to figure out how they are related | 
 | 	  into connections. | 
 |  | 
 | 	  This is required to do Masquerading or other kinds of Network | 
 | 	  Address Translation.  It can also be used to enhance packet | 
 | 	  filtering (see `Connection state match support' below). | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_LOG_SYSLOG | 
 | 	tristate "Syslog packet logging" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This option enables support for packet logging via syslog. | 
 | 	  It supports IPv4, IPv6, ARP and common transport protocols such | 
 | 	  as TCP and UDP. | 
 | 	  This is a simpler but less flexible logging method compared to | 
 | 	  CONFIG_NETFILTER_NETLINK_LOG. | 
 | 	  If both are enabled the backend to use can be configured at run-time | 
 | 	  by means of per-address-family sysctl tunables. | 
 |  | 
 | if NF_CONNTRACK | 
 | config NETFILTER_CONNCOUNT | 
 | 	tristate | 
 |  | 
 | config NF_CONNTRACK_MARK | 
 | 	bool  'Connection mark tracking support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option enables support for connection marks, used by the | 
 | 	  `CONNMARK' target and `connmark' match. Similar to the mark value | 
 | 	  of packets, but this mark value is kept in the conntrack session | 
 | 	  instead of the individual packets. | 
 |  | 
 | config NF_CONNTRACK_SECMARK | 
 | 	bool  'Connection tracking security mark support' | 
 | 	depends on NETWORK_SECMARK | 
 | 	default y if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This option enables security markings to be applied to | 
 | 	  connections.  Typically they are copied to connections from | 
 | 	  packets using the CONNSECMARK target and copied back from | 
 | 	  connections to packets with the same target, with the packets | 
 | 	  being originally labeled via SECMARK. | 
 |  | 
 | 	  If unsure, say 'N'. | 
 |  | 
 | config NF_CONNTRACK_ZONES | 
 | 	bool  'Connection tracking zones' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option enables support for connection tracking zones. | 
 | 	  Normally, each connection needs to have a unique system wide | 
 | 	  identity. Connection tracking zones allow multiple connections | 
 | 	  to use the same identity, as long as they are contained in | 
 | 	  different zones. | 
 |  | 
 | 	  If unsure, say `N'. | 
 |  | 
 | config NF_CONNTRACK_PROCFS | 
 | 	bool "Supply CT list in procfs (OBSOLETE)" | 
 | 	depends on PROC_FS | 
 | 	help | 
 | 	This option enables the list of known conntrack entries | 
 | 	to be shown in procfs under net/netfilter/nf_conntrack. This | 
 | 	is considered obsolete in favor of using the conntrack(8) | 
 | 	tool which uses Netlink. | 
 |  | 
 | config NF_CONNTRACK_EVENTS | 
 | 	bool "Connection tracking events" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  If this option is enabled, the connection tracking code will | 
 | 	  provide a notifier chain that can be used by other kernel code | 
 | 	  to get notified about changes in the connection tracking state. | 
 |  | 
 | 	  If unsure, say `N'. | 
 |  | 
 | config NF_CONNTRACK_TIMEOUT | 
 | 	bool  'Connection tracking timeout' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option enables support for connection tracking timeout | 
 | 	  extension. This allows you to attach timeout policies to flows | 
 | 	  via the CT target. | 
 |  | 
 | 	  If unsure, say `N'. | 
 |  | 
 | config NF_CONNTRACK_TIMESTAMP | 
 | 	bool  'Connection tracking timestamping' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option enables support for connection tracking timestamping. | 
 | 	  This allows you to store the flow start-time and to obtain | 
 | 	  the flow-stop time (once it has been destroyed) via Connection | 
 | 	  tracking events. | 
 |  | 
 | 	  If unsure, say `N'. | 
 |  | 
 | config NF_CONNTRACK_LABELS | 
 | 	bool "Connection tracking labels" | 
 | 	help | 
 | 	  This option enables support for assigning user-defined flag bits | 
 | 	  to connection tracking entries.  It can be used with xtables connlabel | 
 | 	  match and the nftables ct expression. | 
 |  | 
 | config NF_CONNTRACK_OVS | 
 | 	bool | 
 |  | 
 | config NF_CT_PROTO_DCCP | 
 | 	bool 'DCCP protocol connection tracking support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	default y | 
 | 	help | 
 | 	  With this option enabled, the layer 3 independent connection | 
 | 	  tracking code will be able to do state tracking on DCCP connections. | 
 |  | 
 | 	  If unsure, say Y. | 
 |  | 
 | config NF_CT_PROTO_GRE | 
 | 	bool | 
 |  | 
 | config NF_CT_PROTO_SCTP | 
 | 	bool 'SCTP protocol connection tracking support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	default y | 
 | 	select LIBCRC32C | 
 | 	help | 
 | 	  With this option enabled, the layer 3 independent connection | 
 | 	  tracking code will be able to do state tracking on SCTP connections. | 
 |  | 
 | 	  If unsure, say Y. | 
 |  | 
 | config NF_CT_PROTO_UDPLITE | 
 | 	bool 'UDP-Lite protocol connection tracking support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	default y | 
 | 	help | 
 | 	  With this option enabled, the layer 3 independent connection | 
 | 	  tracking code will be able to do state tracking on UDP-Lite | 
 | 	  connections. | 
 |  | 
 | 	  If unsure, say Y. | 
 |  | 
 | config NF_CONNTRACK_AMANDA | 
 | 	tristate "Amanda backup protocol support" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select TEXTSEARCH | 
 | 	select TEXTSEARCH_KMP | 
 | 	help | 
 | 	  If you are running the Amanda backup package <http://www.amanda.org/> | 
 | 	  on this machine or machines that will be MASQUERADED through this | 
 | 	  machine, then you may want to enable this feature.  This allows the | 
 | 	  connection tracking and natting code to allow the sub-channels that | 
 | 	  Amanda requires for communication of the backup data, messages and | 
 | 	  index. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_FTP | 
 | 	tristate "FTP protocol support" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  Tracking FTP connections is problematic: special helpers are | 
 | 	  required for tracking them, and doing masquerading and other forms | 
 | 	  of Network Address Translation on them. | 
 |  | 
 | 	  This is FTP support on Layer 3 independent connection tracking. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_H323 | 
 | 	tristate "H.323 protocol support" | 
 | 	depends on IPV6 || IPV6=n | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most | 
 | 	  important VoIP protocols, it is widely used by voice hardware and | 
 | 	  software including voice gateways, IP phones, Netmeeting, OpenPhone, | 
 | 	  Gnomemeeting, etc. | 
 |  | 
 | 	  With this module you can support H.323 on a connection tracking/NAT | 
 | 	  firewall. | 
 |  | 
 | 	  This module supports RAS, Fast Start, H.245 Tunnelling, Call | 
 | 	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat, | 
 | 	  whiteboard, file transfer, etc. For more information, please | 
 | 	  visit http://nath323.sourceforge.net/. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_IRC | 
 | 	tristate "IRC protocol support" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  There is a commonly-used extension to IRC called | 
 | 	  Direct Client-to-Client Protocol (DCC).  This enables users to send | 
 | 	  files to each other, and also chat to each other without the need | 
 | 	  of a server.  DCC Sending is used anywhere you send files over IRC, | 
 | 	  and DCC Chat is most commonly used by Eggdrop bots.  If you are | 
 | 	  using NAT, this extension will enable you to send files and initiate | 
 | 	  chats.  Note that you do NOT need this extension to get files or | 
 | 	  have others initiate chats, or everything else in IRC. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_BROADCAST | 
 | 	tristate | 
 |  | 
 | config NF_CONNTRACK_NETBIOS_NS | 
 | 	tristate "NetBIOS name service protocol support" | 
 | 	select NF_CONNTRACK_BROADCAST | 
 | 	help | 
 | 	  NetBIOS name service requests are sent as broadcast messages from an | 
 | 	  unprivileged port and responded to with unicast messages to the | 
 | 	  same port. This makes them hard to firewall properly because connection | 
 | 	  tracking doesn't deal with broadcasts. This helper tracks locally | 
 | 	  originating NetBIOS name service requests and the corresponding | 
 | 	  responses. It relies on correct IP address configuration, specifically | 
 | 	  netmask and broadcast address. When properly configured, the output | 
 | 	  of "ip address show" should look similar to this: | 
 |  | 
 | 	  $ ip -4 address show eth0 | 
 | 	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 | 
 | 	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_SNMP | 
 | 	tristate "SNMP service protocol support" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NF_CONNTRACK_BROADCAST | 
 | 	help | 
 | 	  SNMP service requests are sent as broadcast messages from an | 
 | 	  unprivileged port and responded to with unicast messages to the | 
 | 	  same port. This makes them hard to firewall properly because connection | 
 | 	  tracking doesn't deal with broadcasts. This helper tracks locally | 
 | 	  originating SNMP service requests and the corresponding | 
 | 	  responses. It relies on correct IP address configuration, specifically | 
 | 	  netmask and broadcast address. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_PPTP | 
 | 	tristate "PPtP protocol support" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NF_CT_PROTO_GRE | 
 | 	help | 
 | 	  This module adds support for PPTP (Point to Point Tunnelling | 
 | 	  Protocol, RFC2637) connection tracking and NAT. | 
 |  | 
 | 	  If you are running PPTP sessions over a stateful firewall or NAT | 
 | 	  box, you may want to enable this feature. | 
 |  | 
 | 	  Please note that not all PPTP modes of operation are supported yet. | 
 | 	  Specifically these limitations exist: | 
 | 	    - Blindly assumes that control connections are always established | 
 | 	      in PNS->PAC direction. This is a violation of RFC2637. | 
 | 	    - Only supports a single call within each session | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_SANE | 
 | 	tristate "SANE protocol support" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  SANE is a protocol for remote access to scanners as implemented | 
 | 	  by the 'saned' daemon. Like FTP, it uses separate control and | 
 | 	  data connections. | 
 |  | 
 | 	  With this module you can support SANE on a connection tracking | 
 | 	  firewall. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_SIP | 
 | 	tristate "SIP protocol support" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  SIP is an application-layer control protocol that can establish, | 
 | 	  modify, and terminate multimedia sessions (conferences) such as | 
 | 	  Internet telephony calls. With the nf_conntrack_sip and | 
 | 	  the nf_nat_sip modules you can support the protocol on a connection | 
 | 	  tracking/NATing firewall. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CONNTRACK_TFTP | 
 | 	tristate "TFTP protocol support" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This is the TFTP connection tracking helper. Whether it is required | 
 | 	  depends on how restrictive your ruleset is. | 
 | 	  If you are using a tftp client behind -j SNAT or -j MASQUERADE | 
 | 	  you will need this. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NF_CT_NETLINK | 
 | 	tristate 'Connection tracking netlink interface' | 
 | 	select NETFILTER_NETLINK | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This option enables support for a netlink-based userspace interface | 
 | 	  to connection tracking. | 
 |  | 
 | config NF_CT_NETLINK_TIMEOUT | 
 | 	tristate  'Connection tracking timeout tuning via Netlink' | 
 | 	select NETFILTER_NETLINK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	depends on NF_CONNTRACK_TIMEOUT | 
 | 	help | 
 | 	  This option enables support for connection tracking timeout | 
 | 	  fine-grain tuning. This allows you to attach specific timeout | 
 | 	  policies to flows, instead of using the global timeout policy. | 
 |  | 
 | 	  If unsure, say `N'. | 
 |  | 
 | config NF_CT_NETLINK_HELPER | 
 | 	tristate 'Connection tracking helpers in user-space via Netlink' | 
 | 	select NETFILTER_NETLINK | 
 | 	depends on NF_CT_NETLINK | 
 | 	depends on NETFILTER_NETLINK_QUEUE | 
 | 	depends on NETFILTER_NETLINK_GLUE_CT | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option enables the user-space connection tracking helpers | 
 | 	  infrastructure. | 
 |  | 
 | 	  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_NETLINK_GLUE_CT | 
 | 	bool "NFQUEUE and NFLOG integration with Connection Tracking" | 
 | 	default n | 
 | 	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK | 
 | 	help | 
 | 	  If this option is enabled, NFQUEUE and NFLOG can include | 
 | 	  Connection Tracking information together with the packet that | 
 | 	  is enqueued via NFNETLINK. | 
 |  | 
 | config NF_NAT | 
 | 	tristate "Network Address Translation support" | 
 | 	depends on NF_CONNTRACK | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  The NAT option allows masquerading, port forwarding and other | 
 | 	  forms of full Network Address Port Translation. This can be | 
 | 	  controlled by iptables, ip6tables or nft. | 
 |  | 
 | config NF_NAT_AMANDA | 
 | 	tristate | 
 | 	depends on NF_CONNTRACK && NF_NAT | 
 | 	default NF_NAT && NF_CONNTRACK_AMANDA | 
 |  | 
 | config NF_NAT_FTP | 
 | 	tristate | 
 | 	depends on NF_CONNTRACK && NF_NAT | 
 | 	default NF_NAT && NF_CONNTRACK_FTP | 
 |  | 
 | config NF_NAT_IRC | 
 | 	tristate | 
 | 	depends on NF_CONNTRACK && NF_NAT | 
 | 	default NF_NAT && NF_CONNTRACK_IRC | 
 |  | 
 | config NF_NAT_SIP | 
 | 	tristate | 
 | 	depends on NF_CONNTRACK && NF_NAT | 
 | 	default NF_NAT && NF_CONNTRACK_SIP | 
 |  | 
 | config NF_NAT_TFTP | 
 | 	tristate | 
 | 	depends on NF_CONNTRACK && NF_NAT | 
 | 	default NF_NAT && NF_CONNTRACK_TFTP | 
 |  | 
 | config NF_NAT_REDIRECT | 
 | 	bool | 
 |  | 
 | config NF_NAT_MASQUERADE | 
 | 	bool | 
 |  | 
 | config NF_NAT_OVS | 
 | 	bool | 
 |  | 
 | config NETFILTER_SYNPROXY | 
 | 	tristate | 
 |  | 
 | endif # NF_CONNTRACK | 
 |  | 
 | config NF_TABLES | 
 | 	select NETFILTER_NETLINK | 
 | 	select LIBCRC32C | 
 | 	tristate "Netfilter nf_tables support" | 
 | 	help | 
 | 	  nftables is the new packet classification framework that intends to | 
 | 	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It | 
 | 	  provides a pseudo-state machine with an extensible instruction-set | 
 | 	  (also known as expressions) that the userspace 'nft' utility | 
 | 	  (https://www.netfilter.org/projects/nftables) uses to build the | 
 | 	  rule-set. It also comes with the generic set infrastructure that | 
 | 	  allows you to construct mappings between matchings and actions | 
 | 	  for performance lookups. | 
 |  | 
 | 	  To compile it as a module, choose M here. | 
 |  | 
 | if NF_TABLES | 
 | config NF_TABLES_INET | 
 | 	depends on IPV6 | 
 | 	select NF_TABLES_IPV4 | 
 | 	select NF_TABLES_IPV6 | 
 | 	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support" | 
 | 	help | 
 | 	  This option enables support for a mixed IPv4/IPv6 "inet" table. | 
 |  | 
 | config NF_TABLES_NETDEV | 
 | 	bool "Netfilter nf_tables netdev tables support" | 
 | 	help | 
 | 	  This option enables support for the "netdev" table. | 
 |  | 
 | config NFT_NUMGEN | 
 | 	tristate "Netfilter nf_tables number generator module" | 
 | 	help | 
 | 	  This option adds the number generator expression used to perform | 
 | 	  incremental counting and random numbers bound to an upper limit. | 
 |  | 
 | config NFT_CT | 
 | 	depends on NF_CONNTRACK | 
 | 	tristate "Netfilter nf_tables conntrack module" | 
 | 	help | 
 | 	  This option adds the "ct" expression that you can use to match | 
 | 	  connection tracking information such as the flow state. | 
 |  | 
 | config NFT_FLOW_OFFLOAD | 
 | 	depends on NF_CONNTRACK && NF_FLOW_TABLE | 
 | 	tristate "Netfilter nf_tables hardware flow offload module" | 
 | 	help | 
 | 	  This option adds the "flow_offload" expression that you can use to | 
 | 	  choose what flows are placed into the hardware. | 
 |  | 
 | config NFT_CONNLIMIT | 
 | 	tristate "Netfilter nf_tables connlimit module" | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_CONNCOUNT | 
 | 	help | 
 | 	  This option adds the "connlimit" expression that you can use to | 
 | 	  ratelimit rule matchings per connection. | 
 |  | 
 | config NFT_LOG | 
 | 	tristate "Netfilter nf_tables log module" | 
 | 	help | 
 | 	  This option adds the "log" expression that you can use to log | 
 | 	  packets matching some criteria. | 
 |  | 
 | config NFT_LIMIT | 
 | 	tristate "Netfilter nf_tables limit module" | 
 | 	help | 
 | 	  This option adds the "limit" expression that you can use to | 
 | 	  ratelimit rule matchings. | 
 |  | 
 | config NFT_MASQ | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NF_NAT | 
 | 	select NF_NAT_MASQUERADE | 
 | 	tristate "Netfilter nf_tables masquerade support" | 
 | 	help | 
 | 	  This option adds the "masquerade" expression that you can use | 
 | 	  to perform NAT in the masquerade flavour. | 
 |  | 
 | config NFT_REDIR | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NF_NAT | 
 | 	tristate "Netfilter nf_tables redirect support" | 
 | 	select NF_NAT_REDIRECT | 
 | 	help | 
 | 	  This option adds the "redirect" expression that you can use | 
 | 	  to perform NAT in the redirect flavour. | 
 |  | 
 | config NFT_NAT | 
 | 	depends on NF_CONNTRACK | 
 | 	select NF_NAT | 
 | 	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6 | 
 | 	tristate "Netfilter nf_tables nat module" | 
 | 	help | 
 | 	  This option adds the "nat" expression that you can use to perform | 
 | 	  typical Network Address Translation (NAT) packet transformations. | 
 |  | 
 | config NFT_TUNNEL | 
 | 	tristate "Netfilter nf_tables tunnel module" | 
 | 	help | 
 | 	  This option adds the "tunnel" expression that you can use to set | 
 | 	  tunneling policies. | 
 |  | 
 | config NFT_QUEUE | 
 | 	depends on NETFILTER_NETLINK_QUEUE | 
 | 	tristate "Netfilter nf_tables queue module" | 
 | 	help | 
 | 	  This is required if you intend to use the userspace queueing | 
 | 	  infrastructure (also known as NFQUEUE) from nftables. | 
 |  | 
 | config NFT_QUOTA | 
 | 	tristate "Netfilter nf_tables quota module" | 
 | 	help | 
 | 	  This option adds the "quota" expression that you can use to match | 
 | 	  and enforce byte quotas. | 
 |  | 
 | config NFT_REJECT | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	tristate "Netfilter nf_tables reject support" | 
 | 	depends on !NF_TABLES_INET || (IPV6!=m || m) | 
 | 	help | 
 | 	  This option adds the "reject" expression that you can use to | 
 | 	  explicitly deny disallowed traffic and notify the sender via | 
 | 	  TCP reset/ICMP informational errors. | 
 |  | 
 | config NFT_REJECT_INET | 
 | 	depends on NF_TABLES_INET | 
 | 	default NFT_REJECT | 
 | 	tristate | 
 |  | 
 | config NFT_COMPAT | 
 | 	depends on NETFILTER_XTABLES | 
 | 	tristate "Netfilter x_tables over nf_tables module" | 
 | 	help | 
 | 	  This is required if you intend to use any of the existing | 
 | 	  x_tables match/target extensions over the nf_tables | 
 | 	  framework. | 
 |  | 
 | config NFT_HASH | 
 | 	tristate "Netfilter nf_tables hash module" | 
 | 	help | 
 | 	  This option adds the "hash" expression that you can use to perform | 
 | 	  a hash operation on registers. | 
 |  | 
 | config NFT_FIB | 
 | 	tristate | 
 |  | 
 | config NFT_FIB_INET | 
 | 	depends on NF_TABLES_INET | 
 | 	depends on NFT_FIB_IPV4 | 
 | 	depends on NFT_FIB_IPV6 | 
 | 	tristate "Netfilter nf_tables fib inet support" | 
 | 	help | 
 | 	  This option allows using the FIB expression from the inet table. | 
 | 	  The lookup will be delegated to the IPv4 or IPv6 FIB depending | 
 | 	  on the protocol of the packet. | 
 |  | 
 | config NFT_XFRM | 
 | 	tristate "Netfilter nf_tables xfrm/IPSec security association matching" | 
 | 	depends on XFRM | 
 | 	help | 
 | 	  This option adds an expression that you can use to extract properties | 
 | 	  of a packet's security association. | 
 |  | 
 | config NFT_SOCKET | 
 | 	tristate "Netfilter nf_tables socket match support" | 
 | 	depends on IPV6 || IPV6=n | 
 | 	select NF_SOCKET_IPV4 | 
 | 	select NF_SOCKET_IPV6 if NF_TABLES_IPV6 | 
 | 	help | 
 | 	  This option allows matching for the presence or absence of a | 
 | 	  corresponding socket and its attributes. | 
 |  | 
 | config NFT_OSF | 
 | 	tristate "Netfilter nf_tables passive OS fingerprint support" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_NETLINK_OSF | 
 | 	help | 
 | 	  This option allows matching packets from a specific OS. | 
 |  | 
 | config NFT_TPROXY | 
 | 	tristate "Netfilter nf_tables tproxy support" | 
 | 	depends on IPV6 || IPV6=n | 
 | 	select NF_DEFRAG_IPV4 | 
 | 	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6 | 
 | 	select NF_TPROXY_IPV4 | 
 | 	select NF_TPROXY_IPV6 if NF_TABLES_IPV6 | 
 | 	help | 
 | 	  This makes transparent proxy support available in nftables. | 
 |  | 
 | config NFT_SYNPROXY | 
 | 	tristate "Netfilter nf_tables SYNPROXY expression support" | 
 | 	depends on NF_CONNTRACK && NETFILTER_ADVANCED | 
 | 	select NETFILTER_SYNPROXY | 
 | 	select SYN_COOKIES | 
 | 	help | 
 | 	  The SYNPROXY expression allows you to intercept TCP connections and | 
 | 	  establish them using syncookies before they are passed on to the | 
 | 	  server. This allows you to avoid conntrack and server resource usage | 
 | 	  during SYN-flood attacks. | 
 |  | 
 | if NF_TABLES_NETDEV | 
 |  | 
 | config NF_DUP_NETDEV | 
 | 	tristate "Netfilter packet duplication support" | 
 | 	help | 
 | 	  This option enables the generic packet duplication infrastructure | 
 | 	  for Netfilter. | 
 |  | 
 | config NFT_DUP_NETDEV | 
 | 	tristate "Netfilter nf_tables netdev packet duplication support" | 
 | 	select NF_DUP_NETDEV | 
 | 	help | 
 | 	  This option enables packet duplication for the "netdev" family. | 
 |  | 
 | config NFT_FWD_NETDEV | 
 | 	tristate "Netfilter nf_tables netdev packet forwarding support" | 
 | 	select NF_DUP_NETDEV | 
 | 	help | 
 | 	  This option enables packet forwarding for the "netdev" family. | 
 |  | 
 | config NFT_FIB_NETDEV | 
 | 	depends on NFT_FIB_IPV4 | 
 | 	depends on NFT_FIB_IPV6 | 
 | 	tristate "Netfilter nf_tables netdev fib lookups support" | 
 | 	help | 
 | 	  This option allows using the FIB expression from the netdev table. | 
 | 	  The lookup will be delegated to the IPv4 or IPv6 FIB depending | 
 | 	  on the protocol of the packet. | 
 |  | 
 | config NFT_REJECT_NETDEV | 
 | 	depends on NFT_REJECT_IPV4 | 
 | 	depends on NFT_REJECT_IPV6 | 
 | 	tristate "Netfilter nf_tables netdev REJECT support" | 
 | 	help | 
 | 	  This option enables the REJECT support from the netdev table. | 
 | 	  The return packet generation will be delegated to the IPv4 | 
 | 	  or IPv6 ICMP or TCP RST implementation depending on the | 
 | 	  protocol of the packet. | 
 |  | 
 | endif # NF_TABLES_NETDEV | 
 |  | 
 | endif # NF_TABLES | 
 |  | 
 | config NF_FLOW_TABLE_INET | 
 | 	tristate "Netfilter flow table mixed IPv4/IPv6 module" | 
 | 	depends on NF_FLOW_TABLE | 
 | 	help | 
 | 	  This option adds the flow table mixed IPv4/IPv6 support. | 
 |  | 
 | 	  To compile it as a module, choose M here. | 
 |  | 
 | config NF_FLOW_TABLE | 
 | 	tristate "Netfilter flow table module" | 
 | 	depends on NETFILTER_INGRESS | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NF_TABLES | 
 | 	help | 
 | 	  This option adds the flow table core infrastructure. | 
 |  | 
 | 	  To compile it as a module, choose M here. | 
 |  | 
 | config NF_FLOW_TABLE_PROCFS | 
 | 	bool "Supply flow table statistics in procfs" | 
 | 	depends on NF_FLOW_TABLE | 
 | 	depends on PROC_FS | 
 | 	help | 
 | 	  This option enables the flow table offload statistics | 
 | 	  to be shown in procfs under net/netfilter/nf_flowtable. | 
 |  | 
 | config NETFILTER_XTABLES | 
 | 	tristate "Netfilter Xtables support (required for ip_tables)" | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This is required if you intend to use any of ip_tables, | 
 | 	  ip6_tables or arp_tables. | 
 |  | 
 | if NETFILTER_XTABLES | 
 |  | 
 | config NETFILTER_XTABLES_COMPAT | 
 | 	bool "Netfilter Xtables 32bit support" | 
 | 	depends on COMPAT | 
 | 	help | 
 | 	   This option provides a translation layer to run 32bit arp,ip(6),ebtables | 
 | 	   binaries on 64bit kernels. | 
 |  | 
 | 	   If unsure, say N. | 
 |  | 
 | comment "Xtables combined modules" | 
 |  | 
 | config NETFILTER_XT_MARK | 
 | 	tristate 'nfmark target and match support' | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	This option adds the "MARK" target and "mark" match. | 
 |  | 
 | 	Netfilter mark matching allows you to match packets based on the | 
 | 	"nfmark" value in the packet. | 
 | 	The target allows you to create rules in the "mangle" table which alter | 
 | 	the netfilter mark (nfmark) field associated with the packet. | 
 |  | 
 | 	Prior to routing, the nfmark can influence the routing method and can | 
 | 	also be used by other subsystems to change their behavior. | 
 |  | 
 | config NETFILTER_XT_CONNMARK | 
 | 	tristate 'ctmark target and match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NF_CONNTRACK_MARK | 
 | 	help | 
 | 	This option adds the "CONNMARK" target and "connmark" match. | 
 |  | 
 | 	Netfilter allows you to store a mark value per connection (a.k.a. | 
 | 	ctmark), similarly to the packet mark (nfmark). Using this | 
 | 	target and match, you can set and match on this mark. | 
 |  | 
 | config NETFILTER_XT_SET | 
 | 	tristate 'set target and match support' | 
 | 	depends on IP_SET | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds the "SET" target and "set" match. | 
 |  | 
 | 	  Using this target and match, you can add/delete and match | 
 | 	  elements in the sets created by ipset(8). | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | # alphabetically ordered list of targets | 
 |  | 
 | comment "Xtables targets" | 
 |  | 
 | config NETFILTER_XT_TARGET_AUDIT | 
 | 	tristate "AUDIT target support" | 
 | 	depends on AUDIT | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds an 'AUDIT' target, which can be used to create | 
 | 	  audit records for packets dropped/accepted. | 
 |  | 
 | 	  To compile it as a module, choose M here. If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_CHECKSUM | 
 | 	tristate "CHECKSUM target support" | 
 | 	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle | 
 | 	  table to work around buggy DHCP clients in virtualized environments. | 
 |  | 
 | 	  Some old DHCP clients drop packets because they are not aware | 
 | 	  that the checksum would normally be offloaded to hardware and | 
 | 	  thus should be considered valid. | 
 | 	  This target can be used to fill in the checksum using iptables | 
 | 	  when such packets are sent via a virtual network device. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_CLASSIFY | 
 | 	tristate '"CLASSIFY" target support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `CLASSIFY' target, which enables the user to set | 
 | 	  the priority of a packet. Some qdiscs can use this value for | 
 | 	  classification, among these are: | 
 |  | 
 | 	  atm, cbq, dsmark, pfifo_fast, htb, prio | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_CONNMARK | 
 | 	tristate  '"CONNMARK" target support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_XT_CONNMARK | 
 | 	help | 
 | 	This is a backwards-compat option for the user's convenience | 
 | 	(e.g. when running oldconfig). It selects | 
 | 	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). | 
 |  | 
 | config NETFILTER_XT_TARGET_CONNSECMARK | 
 | 	tristate '"CONNSECMARK" target support' | 
 | 	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  The CONNSECMARK target copies security markings from packets | 
 | 	  to connections, and restores security markings from connections | 
 | 	  to packets (if the packets are not already marked).  This would | 
 | 	  normally be used in conjunction with the SECMARK target. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_CT | 
 | 	tristate '"CT" target support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on IP_NF_RAW || IP6_NF_RAW || NFT_COMPAT | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `CT' target, which allows you to specify initial | 
 | 	  connection tracking parameters like events to be delivered and | 
 | 	  the helper to be used. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_DSCP | 
 | 	tristate '"DSCP" and "TOS" target support' | 
 | 	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `DSCP' target, which allows you to manipulate | 
 | 	  the IPv4/IPv6 header DSCP field (differentiated services codepoint). | 
 |  | 
 | 	  The DSCP field can have any value between 0x0 and 0x3f inclusive. | 
 |  | 
 | 	  It also adds the "TOS" target, which allows you to create rules in | 
 | 	  the "mangle" table which alter the Type Of Service field of an IPv4 | 
 | 	  or the Priority field of an IPv6 packet, prior to routing. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_HL | 
 | 	tristate '"HL" hoplimit target support' | 
 | 	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	This option adds the "HL" (for IPv6) and "TTL" (for IPv4) | 
 | 	targets, which enable the user to change the | 
 | 	hoplimit/time-to-live value of the IP header. | 
 |  | 
 | 	While it is safe to decrement the hoplimit/TTL value, the | 
 | 	modules also allow to increment and set the hoplimit value of | 
 | 	the header to arbitrary values. This is EXTREMELY DANGEROUS | 
 | 	since you can easily create immortal packets that loop | 
 | 	forever on the network. | 
 |  | 
 | config NETFILTER_XT_TARGET_HMARK | 
 | 	tristate '"HMARK" target support' | 
 | 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	This option adds the "HMARK" target. | 
 |  | 
 | 	The target allows you to create rules in the "raw" and "mangle" tables | 
 | 	which set the skbuff mark by means of hash calculation within a given | 
 | 	range. The nfmark can influence the routing method and can also be used | 
 | 	by other subsystems to change their behaviour. | 
 |  | 
 | 	To compile it as a module, choose M here. If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_IDLETIMER | 
 | 	tristate  "IDLETIMER target support" | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 |  | 
 | 	  This option adds the `IDLETIMER' target.  Each matching packet | 
 | 	  resets the timer associated with the label specified when the rule is | 
 | 	  added.  When the timer expires, it triggers a sysfs notification. | 
 | 	  The remaining time for expiration can be read via sysfs. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_LED | 
 | 	tristate '"LED" target support' | 
 | 	depends on LEDS_CLASS && LEDS_TRIGGERS | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `LED' target, which allows you to blink LEDs in | 
 | 	  response to particular packets passing through your machine. | 
 |  | 
 | 	  This can be used to turn a spare LED into a network activity LED, | 
 | 	  which only flashes in response to FTP transfers, for example.  Or | 
 | 	  you could have an LED which lights up for a minute or two every time | 
 | 	  somebody connects to your machine via SSH. | 
 |  | 
 | 	  You will need support for the "led" class to make this work. | 
 |  | 
 | 	  To create an LED trigger for incoming SSH traffic: | 
 | 	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000 | 
 |  | 
 | 	  Then attach the new trigger to an LED on your system: | 
 | 	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger | 
 |  | 
 | 	  For more information on the LEDs available on your system, see | 
 | 	  Documentation/leds/leds-class.rst | 
 |  | 
 | config NETFILTER_XT_TARGET_LOG | 
 | 	tristate "LOG target support" | 
 | 	select NF_LOG_SYSLOG | 
 | 	select NF_LOG_IPV6 if IP6_NF_IPTABLES | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This option adds a `LOG' target, which allows you to create rules in | 
 | 	  any iptables table which records the packet header to the syslog. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_MARK | 
 | 	tristate '"MARK" target support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_XT_MARK | 
 | 	help | 
 | 	This is a backwards-compat option for the user's convenience | 
 | 	(e.g. when running oldconfig). It selects | 
 | 	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). | 
 |  | 
 | config NETFILTER_XT_NAT | 
 | 	tristate '"SNAT and DNAT" targets support' | 
 | 	depends on NF_NAT | 
 | 	help | 
 | 	This option enables the SNAT and DNAT targets. | 
 |  | 
 | 	To compile it as a module, choose M here. If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_NETMAP | 
 | 	tristate '"NETMAP" target support' | 
 | 	depends on NF_NAT | 
 | 	help | 
 | 	NETMAP is an implementation of static 1:1 NAT mapping of network | 
 | 	addresses. It maps the network address part, while keeping the host | 
 | 	address part intact. | 
 |  | 
 | 	To compile it as a module, choose M here. If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_NFLOG | 
 | 	tristate '"NFLOG" target support' | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	select NETFILTER_NETLINK_LOG | 
 | 	help | 
 | 	  This option enables the NFLOG target, which allows you to LOG | 
 | 	  messages through nfnetlink_log. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_NFQUEUE | 
 | 	tristate '"NFQUEUE" target Support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_NETLINK_QUEUE | 
 | 	help | 
 | 	  This target replaced the old obsolete QUEUE target. | 
 |  | 
 | 	  As opposed to QUEUE, it supports 65535 different queues, | 
 | 	  not just one. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_NOTRACK | 
 | 	tristate  '"NOTRACK" target support (DEPRECATED)' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on IP_NF_RAW || IP6_NF_RAW | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_XT_TARGET_CT | 
 |  | 
 | config NETFILTER_XT_TARGET_RATEEST | 
 | 	tristate '"RATEEST" target support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `RATEEST' target, which allows you to measure | 
 | 	  rates similar to TC estimators. The `rateest' match can be | 
 | 	  used to match on the measured rates. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_REDIRECT | 
 | 	tristate "REDIRECT target support" | 
 | 	depends on NF_NAT | 
 | 	select NF_NAT_REDIRECT | 
 | 	help | 
 | 	REDIRECT is a special case of NAT: all incoming connections are | 
 | 	mapped onto the incoming interface's address, causing the packets to | 
 | 	come to the local machine instead of passing through. This is | 
 | 	useful for transparent proxies. | 
 |  | 
 | 	To compile it as a module, choose M here. If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_MASQUERADE | 
 | 	tristate "MASQUERADE target support" | 
 | 	depends on NF_NAT | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	select NF_NAT_MASQUERADE | 
 | 	help | 
 | 	  Masquerading is a special case of NAT: all outgoing connections are | 
 | 	  changed to seem to come from a particular interface's address, and | 
 | 	  if the interface goes down, those connections are lost.  This is | 
 | 	  only useful for dialup accounts with dynamic IP address (ie. your IP | 
 | 	  address will be different on next dialup). | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_TEE | 
 | 	tristate '"TEE" - packet cloning to alternate destination' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	depends on IPV6 || IPV6=n | 
 | 	depends on !NF_CONNTRACK || NF_CONNTRACK | 
 | 	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES | 
 | 	select NF_DUP_IPV4 | 
 | 	select NF_DUP_IPV6 if IP6_NF_IPTABLES | 
 | 	help | 
 | 	This option adds a "TEE" target with which a packet can be cloned and | 
 | 	this clone be rerouted to another nexthop. | 
 |  | 
 | config NETFILTER_XT_TARGET_TPROXY | 
 | 	tristate '"TPROXY" target transparent proxying support' | 
 | 	depends on NETFILTER_XTABLES | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	depends on IPV6 || IPV6=n | 
 | 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n | 
 | 	depends on IP_NF_MANGLE || NFT_COMPAT | 
 | 	select NF_DEFRAG_IPV4 | 
 | 	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n | 
 | 	select NF_TPROXY_IPV4 | 
 | 	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES | 
 | 	help | 
 | 	  This option adds a `TPROXY' target, which is somewhat similar to | 
 | 	  REDIRECT.  It can only be used in the mangle table and is useful | 
 | 	  to redirect traffic to a transparent proxy.  It does _not_ depend | 
 | 	  on Netfilter connection tracking and NAT, unlike REDIRECT. | 
 | 	  For it to work you will have to configure certain iptables rules | 
 | 	  and use policy routing. For more information on how to set it up | 
 | 	  see Documentation/networking/tproxy.rst. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_TRACE | 
 | 	tristate  '"TRACE" target support' | 
 | 	depends on IP_NF_RAW || IP6_NF_RAW | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  The TRACE target allows you to mark packets so that the kernel | 
 | 	  will log every rule which matches the packets as they traverse | 
 | 	  the tables, chains, rules. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_TARGET_SECMARK | 
 | 	tristate '"SECMARK" target support' | 
 | 	depends on NETWORK_SECMARK | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  The SECMARK target allows security marking of network | 
 | 	  packets, for use with security subsystems. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_TCPMSS | 
 | 	tristate '"TCPMSS" target support' | 
 | 	depends on IPV6 || IPV6=n | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This option adds a `TCPMSS' target, which allows you to alter the | 
 | 	  MSS value of TCP SYN packets, to control the maximum size for that | 
 | 	  connection (usually limiting it to your outgoing interface's MTU | 
 | 	  minus 40). | 
 |  | 
 | 	  This is used to overcome criminally braindead ISPs or servers which | 
 | 	  block ICMP Fragmentation Needed packets.  The symptoms of this | 
 | 	  problem are that everything works fine from your Linux | 
 | 	  firewall/router, but machines behind it can never exchange large | 
 | 	  packets: | 
 | 	        1) Web browsers connect, then hang with no data received. | 
 | 	        2) Small mail works fine, but large emails hang. | 
 | 	        3) ssh works fine, but scp hangs after initial handshaking. | 
 |  | 
 | 	  Workaround: activate this option and add a rule to your firewall | 
 | 	  configuration like: | 
 |  | 
 | 	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ | 
 | 	                 -j TCPMSS --clamp-mss-to-pmtu | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_TARGET_TCPOPTSTRIP | 
 | 	tristate '"TCPOPTSTRIP" target support' | 
 | 	depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a "TCPOPTSTRIP" target, which allows you to strip | 
 | 	  TCP options from TCP packets. | 
 |  | 
 | # alphabetically ordered list of matches | 
 |  | 
 | comment "Xtables matches" | 
 |  | 
 | config NETFILTER_XT_MATCH_ADDRTYPE | 
 | 	tristate '"addrtype" address type match support' | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This option allows you to match what routing thinks of an address, | 
 | 	  eg. UNICAST, LOCAL, BROADCAST, ... | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_BPF | 
 | 	tristate '"bpf" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  BPF matching applies a linux socket filter to each packet and | 
 | 	  accepts those for which the filter returns non-zero. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_CGROUP | 
 | 	tristate '"control group" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	depends on CGROUPS | 
 | 	select CGROUP_NET_CLASSID | 
 | 	help | 
 | 	Socket/process control group matching allows you to match locally | 
 | 	generated packets based on which net_cls control group processes | 
 | 	belong to. | 
 |  | 
 | config NETFILTER_XT_MATCH_CLUSTER | 
 | 	tristate '"cluster" match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option allows you to build work-load-sharing clusters of | 
 | 	  network servers/stateful firewalls without having a dedicated | 
 | 	  load-balancing router/server/switch. Basically, this match returns | 
 | 	  true when the packet must be handled by this cluster node. Thus, | 
 | 	  all nodes see all packets and this match decides which node handles | 
 | 	  what packets. The work-load sharing algorithm is based on source | 
 | 	  address hashing. | 
 |  | 
 | 	  If you say Y or M here, try `iptables -m cluster --help` for | 
 | 	  more information. | 
 |  | 
 | config NETFILTER_XT_MATCH_COMMENT | 
 | 	tristate  '"comment" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `comment' dummy-match, which allows you to put | 
 | 	  comments in your iptables ruleset. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_CONNBYTES | 
 | 	tristate  '"connbytes" per-connection counter match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `connbytes' match, which allows you to match the | 
 | 	  number of bytes and/or packets for each direction within a connection. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_CONNLABEL | 
 | 	tristate '"connlabel" match support' | 
 | 	select NF_CONNTRACK_LABELS | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This match allows you to test and assign userspace-defined label names | 
 | 	  to a connection.  The kernel only stores bit values - mapping | 
 | 	  names to bits is done by userspace. | 
 |  | 
 | 	  Unlike connmark, more than 32 flag bits may be assigned to a | 
 | 	  connection simultaneously. | 
 |  | 
 | config NETFILTER_XT_MATCH_CONNLIMIT | 
 | 	tristate '"connlimit" match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_CONNCOUNT | 
 | 	help | 
 | 	  This match allows you to match against the number of parallel | 
 | 	  connections to a server per client IP address (or address block). | 
 |  | 
 | config NETFILTER_XT_MATCH_CONNMARK | 
 | 	tristate  '"connmark" connection mark match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_XT_CONNMARK | 
 | 	help | 
 | 	This is a backwards-compat option for the user's convenience | 
 | 	(e.g. when running oldconfig). It selects | 
 | 	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). | 
 |  | 
 | config NETFILTER_XT_MATCH_CONNTRACK | 
 | 	tristate '"conntrack" connection tracking match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  This is a general conntrack match module, a superset of the state match. | 
 |  | 
 | 	  It allows matching on additional conntrack information, which is | 
 | 	  useful in complex configurations, such as NAT gateways with multiple | 
 | 	  internet links or tunnels. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_CPU | 
 | 	tristate '"cpu" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  CPU matching allows you to match packets based on the CPU | 
 | 	  currently handling the packet. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_DCCP | 
 | 	tristate '"dccp" protocol match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	default IP_DCCP | 
 | 	help | 
 | 	  With this option enabled, you will be able to use the iptables | 
 | 	  `dccp' match in order to match on DCCP source/destination ports | 
 | 	  and DCCP flags. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_DEVGROUP | 
 | 	tristate '"devgroup" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `devgroup' match, which allows you to match on the | 
 | 	  device group a network device is assigned to. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_DSCP | 
 | 	tristate '"dscp" and "tos" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `DSCP' match, which allows you to match against | 
 | 	  the IPv4/IPv6 header DSCP field (differentiated services codepoint). | 
 |  | 
 | 	  The DSCP field can have any value between 0x0 and 0x3f inclusive. | 
 |  | 
 | 	  It will also add a "tos" match, which allows you to match packets | 
 | 	  based on the Type Of Service fields of the IPv4 packet (which share | 
 | 	  the same bits as DSCP). | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_ECN | 
 | 	tristate '"ecn" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	This option adds an "ECN" match, which allows you to match against | 
 | 	the IPv4 and TCP header ECN fields. | 
 |  | 
 | 	To compile it as a module, choose M here. If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_ESP | 
 | 	tristate '"esp" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This match extension allows you to match a range of SPIs | 
 | 	  inside ESP header of IPSec packets. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_HASHLIMIT | 
 | 	tristate '"hashlimit" match support' | 
 | 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `hashlimit' match. | 
 |  | 
 | 	  As opposed to `limit', this match dynamically creates a hash table | 
 | 	  of limit buckets, based on your selection of source/destination | 
 | 	  addresses and/or ports. | 
 |  | 
 | 	  It enables you to express policies like `10kpps for any given | 
 | 	  destination address' or `500pps from any given source address' | 
 | 	  with a single rule. | 
 |  | 
 | config NETFILTER_XT_MATCH_HELPER | 
 | 	tristate '"helper" match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  Helper matching allows you to match packets in dynamic connections | 
 | 	  tracked by a conntrack-helper, e.g. nf_conntrack_ftp. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say Y. | 
 |  | 
 | config NETFILTER_XT_MATCH_HL | 
 | 	tristate '"hl" hoplimit/TTL match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	HL matching allows you to match packets based on the hoplimit | 
 | 	in the IPv6 header, or the time-to-live field in the IPv4 | 
 | 	header of the packet. | 
 |  | 
 | config NETFILTER_XT_MATCH_IPCOMP | 
 | 	tristate '"ipcomp" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This match extension allows you to match a range of CPIs (16 bits) | 
 | 	  inside IPComp header of IPSec packets. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_IPRANGE | 
 | 	tristate '"iprange" address range match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	This option adds an "iprange" match, which allows you to match based on | 
 | 	an IP address range. (Normal iptables only matches on single addresses | 
 | 	with an optional mask.) | 
 |  | 
 | 	If unsure, say M. | 
 |  | 
 | config NETFILTER_XT_MATCH_IPVS | 
 | 	tristate '"ipvs" match support' | 
 | 	depends on IP_VS | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	depends on NF_CONNTRACK | 
 | 	help | 
 | 	  This option allows you to match against IPVS properties of a packet. | 
 |  | 
 | 	  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_L2TP | 
 | 	tristate '"l2tp" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	default L2TP | 
 | 	help | 
 | 	This option adds an "L2TP" match, which allows you to match against | 
 | 	L2TP protocol header fields. | 
 |  | 
 | 	To compile it as a module, choose M here. If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_LENGTH | 
 | 	tristate '"length" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option allows you to match the length of a packet against a | 
 | 	  specific value or range of values. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_LIMIT | 
 | 	tristate '"limit" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  limit matching allows you to control the rate at which a rule can be | 
 | 	  matched: mainly useful in combination with the LOG target ("LOG | 
 | 	  target support", below) and to avoid some Denial of Service attacks. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_MAC | 
 | 	tristate '"mac" address match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  MAC matching allows you to match packets based on the source | 
 | 	  Ethernet address of the packet. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_MARK | 
 | 	tristate '"mark" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_XT_MARK | 
 | 	help | 
 | 	This is a backwards-compat option for the user's convenience | 
 | 	(e.g. when running oldconfig). It selects | 
 | 	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). | 
 |  | 
 | config NETFILTER_XT_MATCH_MULTIPORT | 
 | 	tristate '"multiport" Multiple port match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  Multiport matching allows you to match TCP or UDP packets based on | 
 | 	  a series of source or destination ports: normally a rule can only | 
 | 	  match a single range of ports. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_NFACCT | 
 | 	tristate '"nfacct" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_NETLINK_ACCT | 
 | 	help | 
 | 	  This option allows you to use the extended accounting through | 
 | 	  nfnetlink_acct. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_OSF | 
 | 	tristate '"osf" Passive OS fingerprint match' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_NETLINK_OSF | 
 | 	help | 
 | 	  This option selects the Passive OS Fingerprinting match module | 
 | 	  that allows you to passively match the remote operating system by | 
 | 	  analyzing incoming TCP SYN packets. | 
 |  | 
 | 	  Rules and loading software can be downloaded from | 
 | 	  http://www.ioremap.net/projects/osf | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_OWNER | 
 | 	tristate '"owner" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	Socket owner matching allows you to match locally-generated packets | 
 | 	based on who created the socket: the user or group. It is also | 
 | 	possible to check whether a socket actually exists. | 
 |  | 
 | config NETFILTER_XT_MATCH_POLICY | 
 | 	tristate 'IPsec "policy" match support' | 
 | 	depends on XFRM | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  Policy matching allows you to match packets based on the | 
 | 	  IPsec policy that was used during decapsulation/will | 
 | 	  be used during encapsulation. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_PHYSDEV | 
 | 	tristate '"physdev" match support' | 
 | 	depends on BRIDGE && BRIDGE_NETFILTER | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  Physdev packet matching matches against the physical bridge ports | 
 | 	  the IP packet arrived on or will leave by. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_PKTTYPE | 
 | 	tristate '"pkttype" packet type match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  Packet type matching allows you to match a packet by | 
 | 	  its "class", eg. BROADCAST, MULTICAST, ... | 
 |  | 
 | 	  Typical usage: | 
 | 	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_QUOTA | 
 | 	tristate '"quota" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `quota' match, which allows you to match on a | 
 | 	  byte counter. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_RATEEST | 
 | 	tristate '"rateest" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select NETFILTER_XT_TARGET_RATEEST | 
 | 	help | 
 | 	  This option adds a `rateest' match, which allows you to match on the | 
 | 	  rate estimated by the RATEEST target. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_REALM | 
 | 	tristate  '"realm" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select IP_ROUTE_CLASSID | 
 | 	help | 
 | 	  This option adds a `realm' match, which allows you to use the realm | 
 | 	  key from the routing subsystem inside iptables. | 
 |  | 
 | 	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option | 
 | 	  in tc world. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_RECENT | 
 | 	tristate '"recent" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	This match is used for creating one or many lists of recently | 
 | 	used addresses and then matching against that/those list(s). | 
 |  | 
 | 	Short options are available by using 'iptables -m recent -h' | 
 | 	Official Website: <http://snowman.net/projects/ipt_recent/> | 
 |  | 
 | config NETFILTER_XT_MATCH_SCTP | 
 | 	tristate  '"sctp" protocol match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	default IP_SCTP | 
 | 	help | 
 | 	  With this option enabled, you will be able to use the | 
 | 	  `sctp' match in order to match on SCTP source/destination ports | 
 | 	  and SCTP chunk types. | 
 |  | 
 | 	  If you want to compile it as a module, say M here and read | 
 | 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'. | 
 |  | 
 | config NETFILTER_XT_MATCH_SOCKET | 
 | 	tristate '"socket" match support' | 
 | 	depends on NETFILTER_XTABLES | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	depends on IPV6 || IPV6=n | 
 | 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n | 
 | 	select NF_SOCKET_IPV4 | 
 | 	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES | 
 | 	select NF_DEFRAG_IPV4 | 
 | 	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n | 
 | 	help | 
 | 	  This option adds a `socket' match, which can be used to match | 
 | 	  packets for which a TCP or UDP socket lookup finds a valid socket. | 
 | 	  It can be used in combination with the MARK target and policy | 
 | 	  routing to implement full featured non-locally bound sockets. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_STATE | 
 | 	tristate '"state" match support' | 
 | 	depends on NF_CONNTRACK | 
 | 	default m if NETFILTER_ADVANCED=n | 
 | 	help | 
 | 	  Connection state matching allows you to match packets based on their | 
 | 	  relationship to a tracked connection (ie. previous packets).  This | 
 | 	  is a powerful tool for packet classification. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_STATISTIC | 
 | 	tristate '"statistic" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `statistic' match, which allows you to match | 
 | 	  on packets periodically or randomly with a given percentage. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_STRING | 
 | 	tristate  '"string" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	select TEXTSEARCH | 
 | 	select TEXTSEARCH_KMP | 
 | 	select TEXTSEARCH_BM | 
 | 	select TEXTSEARCH_FSM | 
 | 	help | 
 | 	  This option adds a `string' match, which allows you to look for | 
 | 	  pattern matches in packets. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_TCPMSS | 
 | 	tristate '"tcpmss" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a `tcpmss' match, which allows you to examine the | 
 | 	  MSS value of TCP SYN packets, which control the maximum packet size | 
 | 	  for that connection. | 
 |  | 
 | 	  To compile it as a module, choose M here.  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_TIME | 
 | 	tristate '"time" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  This option adds a "time" match, which allows you to match based on | 
 | 	  the packet arrival time (at the machine which netfilter is running | 
 | 	  on) or departure time/date (for locally generated packets). | 
 |  | 
 | 	  If you say Y here, try `iptables -m time --help` for | 
 | 	  more information. | 
 |  | 
 | 	  If you want to compile it as a module, say M here. | 
 | 	  If unsure, say N. | 
 |  | 
 | config NETFILTER_XT_MATCH_U32 | 
 | 	tristate '"u32" match support' | 
 | 	depends on NETFILTER_ADVANCED | 
 | 	help | 
 | 	  u32 allows you to extract quantities of up to 4 bytes from a packet, | 
 | 	  AND them with specified masks, shift them by specified amounts and | 
 | 	  test whether the results are in any of a set of specified ranges. | 
 | 	  The specification of what to extract is general enough to skip over | 
 | 	  headers with lengths stored in the packet, as in IP or TCP header | 
 | 	  lengths. | 
 |  | 
 | 	  Details and examples are in the kernel module source. | 
 |  | 
 | endif # NETFILTER_XTABLES | 
 |  | 
 | endmenu | 
 |  | 
 | source "net/netfilter/ipset/Kconfig" | 
 |  | 
 | source "net/netfilter/ipvs/Kconfig" |