Rationale:
Reduces the attack surface for kernel devs opening the links, as HTTPS
traffic is much harder to manipulate in transit (MITM) than plain HTTP.
Deterministic algorithm:
For each file:
  If not .svg:
    For each line:
      If doesn't contain `\bxmlns\b`:
        For each link, `\bhttp://[^# \t\r\n]*(?:\w|/)`:
	  If neither `\bgnu\.org/license`, nor `\bmozilla\.org/MPL\b`:
            If both the HTTP and HTTPS versions
            return 200 OK and serve the same content:
              Replace HTTP with HTTPS.
Signed-off-by: Alexander A. Klimov <grandmaster@al2klimov.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
| # SPDX-License-Identifier: GPL-2.0-only
 | |
| menu "Core Netfilter Configuration"
 | |
| 	depends on NET && INET && NETFILTER
 | |
| 
 | |
| config NETFILTER_INGRESS
 | |
| 	bool "Netfilter ingress support"
 | |
| 	default y
 | |
| 	select NET_INGRESS
 | |
| 	help
 | |
| 	  This allows you to classify packets from ingress using the Netfilter
 | |
| 	  infrastructure.
 | |
| 
 | |
| config NETFILTER_NETLINK
 | |
| 	tristate
 | |
| 
 | |
| config NETFILTER_FAMILY_BRIDGE
 | |
| 	bool
 | |
| 
 | |
| config NETFILTER_FAMILY_ARP
 | |
| 	bool
 | |
| 
 | |
| config NETFILTER_NETLINK_ACCT
 | |
| 	tristate "Netfilter NFACCT over NFNETLINK interface"
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_NETLINK
 | |
| 	help
 | |
| 	  If this option is enabled, the kernel will include support
 | |
| 	  for extended accounting via NFNETLINK.
 | |
| 
 | |
| config NETFILTER_NETLINK_QUEUE
 | |
| 	tristate "Netfilter NFQUEUE over NFNETLINK interface"
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_NETLINK
 | |
| 	help
 | |
| 	  If this option is enabled, the kernel will include support
 | |
| 	  for queueing packets via NFNETLINK.
 | |
| 
 | |
| config NETFILTER_NETLINK_LOG
 | |
| 	tristate "Netfilter LOG over NFNETLINK interface"
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	select NETFILTER_NETLINK
 | |
| 	help
 | |
| 	  If this option is enabled, the kernel will include support
 | |
| 	  for logging packets via NFNETLINK.
 | |
| 
 | |
| 	  This obsoletes the existing ipt_ULOG and ebt_ulog mechanisms,
 | |
| 	  and is also scheduled to replace the old syslog-based ipt_LOG
 | |
| 	  and ip6t_LOG modules.
 | |
| 
 | |
| config NETFILTER_NETLINK_OSF
 | |
| 	tristate "Netfilter OSF over NFNETLINK interface"
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_NETLINK
 | |
| 	help
 | |
| 	  If this option is enabled, the kernel will include support
 | |
| 	  for passive OS fingerprint via NFNETLINK.
 | |
| 
 | |
| config NF_CONNTRACK
 | |
| 	tristate "Netfilter connection tracking support"
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	select NF_DEFRAG_IPV4
 | |
| 	select NF_DEFRAG_IPV6 if IPV6 != n
 | |
| 	help
 | |
| 	  Connection tracking keeps a record of what packets have passed
 | |
| 	  through your machine, in order to figure out how they are related
 | |
| 	  into connections.
 | |
| 
 | |
| 	  This is required to do Masquerading or other kinds of Network
 | |
| 	  Address Translation.  It can also be used to enhance packet
 | |
| 	  filtering (see `Connection state match support' below).
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NF_LOG_COMMON
 | |
| 	tristate
 | |
| 
 | |
| config NF_LOG_NETDEV
 | |
| 	tristate "Netdev packet logging"
 | |
| 	select NF_LOG_COMMON
 | |
| 
 | |
| if NF_CONNTRACK
 | |
| config NETFILTER_CONNCOUNT
 | |
| 	tristate
 | |
| 
 | |
| config NF_CONNTRACK_MARK
 | |
| 	bool  'Connection mark tracking support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option enables support for connection marks, used by the
 | |
| 	  `CONNMARK' target and `connmark' match. Similar to the mark value
 | |
| 	  of packets, but this mark value is kept in the conntrack session
 | |
| 	  instead of the individual packets.
 | |
| 
 | |
| config NF_CONNTRACK_SECMARK
 | |
| 	bool  'Connection tracking security mark support'
 | |
| 	depends on NETWORK_SECMARK
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  This option enables security markings to be applied to
 | |
| 	  connections.  Typically they are copied to connections from
 | |
| 	  packets using the CONNSECMARK target and copied back from
 | |
| 	  connections to packets with the same target, with the packets
 | |
| 	  being originally labeled via SECMARK.
 | |
| 
 | |
| 	  If unsure, say 'N'.
 | |
| 
 | |
| config NF_CONNTRACK_ZONES
 | |
| 	bool  'Connection tracking zones'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option enables support for connection tracking zones.
 | |
| 	  Normally, each connection needs to have a unique system wide
 | |
| 	  identity. Connection tracking zones allow multiple
 | |
| 	  connections to use the same identity, as long as they are
 | |
| 	  contained in different zones.
 | |
| 
 | |
| 	  If unsure, say `N'.
 | |
| 
 | |
| config NF_CONNTRACK_PROCFS
 | |
| 	bool "Supply CT list in procfs (OBSOLETE)"
 | |
| 	default y
 | |
| 	depends on PROC_FS
 | |
| 	help
 | |
| 	This option enables the list of known conntrack entries
 | |
| 	to be shown in procfs under net/netfilter/nf_conntrack. This
 | |
| 	is considered obsolete in favor of using the conntrack(8)
 | |
| 	tool which uses Netlink.
 | |
| 
 | |
| config NF_CONNTRACK_EVENTS
 | |
| 	bool "Connection tracking events"
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  If this option is enabled, the connection tracking code will
 | |
| 	  provide a notifier chain that can be used by other kernel code
 | |
| 	  to get notified about changes in the connection tracking state.
 | |
| 
 | |
| 	  If unsure, say `N'.
 | |
| 
 | |
| config NF_CONNTRACK_TIMEOUT
 | |
| 	bool  'Connection tracking timeout'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option enables support for connection tracking timeout
 | |
| 	  extension. This allows you to attach timeout policies to flows
 | |
| 	  via the CT target.
 | |
| 
 | |
| 	  If unsure, say `N'.
 | |
| 
 | |
| config NF_CONNTRACK_TIMESTAMP
 | |
| 	bool  'Connection tracking timestamping'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option enables support for connection tracking timestamping.
 | |
| 	  This allows you to store the flow start-time and to obtain
 | |
| 	  the flow-stop time (once it has been destroyed) via Connection
 | |
| 	  tracking events.
 | |
| 
 | |
| 	  If unsure, say `N'.
 | |
| 
 | |
| config NF_CONNTRACK_LABELS
 | |
| 	bool "Connection tracking labels"
 | |
| 	help
 | |
| 	  This option enables support for assigning user-defined flag bits
 | |
| 	  to connection tracking entries.  It can be used with xtables connlabel
 | |
| 	  match and the nftables ct expression.
 | |
| 
 | |
| config NF_CT_PROTO_DCCP
 | |
| 	bool 'DCCP protocol connection tracking support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	default y
 | |
| 	help
 | |
| 	  With this option enabled, the layer 3 independent connection
 | |
| 	  tracking code will be able to do state tracking on DCCP connections.
 | |
| 
 | |
| 	  If unsure, say Y.
 | |
| 
 | |
| config NF_CT_PROTO_GRE
 | |
| 	bool
 | |
| 
 | |
| config NF_CT_PROTO_SCTP
 | |
| 	bool 'SCTP protocol connection tracking support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	default y
 | |
| 	select LIBCRC32C
 | |
| 	help
 | |
| 	  With this option enabled, the layer 3 independent connection
 | |
| 	  tracking code will be able to do state tracking on SCTP connections.
 | |
| 
 | |
| 	  If unsure, say Y.
 | |
| 
 | |
| config NF_CT_PROTO_UDPLITE
 | |
| 	bool 'UDP-Lite protocol connection tracking support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	default y
 | |
| 	help
 | |
| 	  With this option enabled, the layer 3 independent connection
 | |
| 	  tracking code will be able to do state tracking on UDP-Lite
 | |
| 	  connections.
 | |
| 
 | |
| 	  If unsure, say Y.
 | |
| 
 | |
| config NF_CONNTRACK_AMANDA
 | |
| 	tristate "Amanda backup protocol support"
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select TEXTSEARCH
 | |
| 	select TEXTSEARCH_KMP
 | |
| 	help
 | |
| 	  If you are running the Amanda backup package <http://www.amanda.org/>
 | |
| 	  on this machine or machines that will be MASQUERADED through this
 | |
| 	  machine, then you may want to enable this feature.  This allows the
 | |
| 	  connection tracking and natting code to allow the sub-channels that
 | |
| 	  Amanda requires for communication of the backup data, messages and
 | |
| 	  index.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NF_CONNTRACK_FTP
 | |
| 	tristate "FTP protocol support"
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  Tracking FTP connections is problematic: special helpers are
 | |
| 	  required for tracking them, and doing masquerading and other forms
 | |
| 	  of Network Address Translation on them.
 | |
| 
 | |
| 	  This is FTP support on Layer 3 independent connection tracking.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NF_CONNTRACK_H323
 | |
| 	tristate "H.323 protocol support"
 | |
| 	depends on IPV6 || IPV6=n
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
 | |
| 	  important VoIP protocols, it is widely used by voice hardware and
 | |
| 	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
 | |
| 	  Gnomemeeting, etc.
 | |
| 
 | |
| 	  With this module you can support H.323 on a connection tracking/NAT
 | |
| 	  firewall.
 | |
| 
 | |
| 	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
 | |
| 	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
 | |
| 	  whiteboard, file transfer, etc. For more information, please
 | |
| 	  visit http://nath323.sourceforge.net/.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NF_CONNTRACK_IRC
 | |
| 	tristate "IRC protocol support"
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  There is a commonly-used extension to IRC called
 | |
| 	  Direct Client-to-Client Protocol (DCC).  This enables users to send
 | |
| 	  files to each other, and also chat to each other without the need
 | |
| 	  of a server.  DCC Sending is used anywhere you send files over IRC,
 | |
| 	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
 | |
| 	  using NAT, this extension will enable you to send files and initiate
 | |
| 	  chats.  Note that you do NOT need this extension to get files or
 | |
| 	  have others initiate chats, or everything else in IRC.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NF_CONNTRACK_BROADCAST
 | |
| 	tristate
 | |
| 
 | |
| config NF_CONNTRACK_NETBIOS_NS
 | |
| 	tristate "NetBIOS name service protocol support"
 | |
| 	select NF_CONNTRACK_BROADCAST
 | |
| 	help
 | |
| 	  NetBIOS name service requests are sent as broadcast messages from an
 | |
| 	  unprivileged port and responded to with unicast messages to the
 | |
| 	  same port. This makes them hard to firewall properly because connection
 | |
| 	  tracking doesn't deal with broadcasts. This helper tracks locally
 | |
| 	  originating NetBIOS name service requests and the corresponding
 | |
| 	  responses. It relies on correct IP address configuration, specifically
 | |
| 	  netmask and broadcast address. When properly configured, the output
 | |
| 	  of "ip address show" should look similar to this:
 | |
| 
 | |
| 	  $ ip -4 address show eth0
 | |
| 	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
 | |
| 	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NF_CONNTRACK_SNMP
 | |
| 	tristate "SNMP service protocol support"
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NF_CONNTRACK_BROADCAST
 | |
| 	help
 | |
| 	  SNMP service requests are sent as broadcast messages from an
 | |
| 	  unprivileged port and responded to with unicast messages to the
 | |
| 	  same port. This makes them hard to firewall properly because connection
 | |
| 	  tracking doesn't deal with broadcasts. This helper tracks locally
 | |
| 	  originating SNMP service requests and the corresponding
 | |
| 	  responses. It relies on correct IP address configuration, specifically
 | |
| 	  netmask and broadcast address.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NF_CONNTRACK_PPTP
 | |
| 	tristate "PPtP protocol support"
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NF_CT_PROTO_GRE
 | |
| 	help
 | |
| 	  This module adds support for PPTP (Point to Point Tunnelling
 | |
| 	  Protocol, RFC2637) connection tracking and NAT.
 | |
| 
 | |
| 	  If you are running PPTP sessions over a stateful firewall or NAT
 | |
| 	  box, you may want to enable this feature.
 | |
| 
 | |
| 	  Please note that not all PPTP modes of operation are supported yet.
 | |
| 	  Specifically these limitations exist:
 | |
| 	    - Blindly assumes that control connections are always established
 | |
| 	      in PNS->PAC direction. This is a violation of RFC2637.
 | |
| 	    - Only supports a single call within each session
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NF_CONNTRACK_SANE
 | |
| 	tristate "SANE protocol support"
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  SANE is a protocol for remote access to scanners as implemented
 | |
| 	  by the 'saned' daemon. Like FTP, it uses separate control and
 | |
| 	  data connections.
 | |
| 
 | |
| 	  With this module you can support SANE on a connection tracking
 | |
| 	  firewall.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NF_CONNTRACK_SIP
 | |
| 	tristate "SIP protocol support"
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  SIP is an application-layer control protocol that can establish,
 | |
| 	  modify, and terminate multimedia sessions (conferences) such as
 | |
| 	  Internet telephony calls. With the nf_conntrack_sip and
 | |
| 	  the nf_nat_sip modules you can support the protocol on a connection
 | |
| 	  tracking/NATing firewall.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NF_CONNTRACK_TFTP
 | |
| 	tristate "TFTP protocol support"
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  TFTP connection tracking helper; whether it is required depends
 | |
| 	  on how restrictive your ruleset is.
 | |
| 	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
 | |
| 	  you will need this.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NF_CT_NETLINK
 | |
| 	tristate 'Connection tracking netlink interface'
 | |
| 	select NETFILTER_NETLINK
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  This option enables support for a netlink-based userspace interface.
 | |
| 
 | |
| config NF_CT_NETLINK_TIMEOUT
 | |
| 	tristate  'Connection tracking timeout tuning via Netlink'
 | |
| 	select NETFILTER_NETLINK
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	depends on NF_CONNTRACK_TIMEOUT
 | |
| 	help
 | |
| 	  This option enables support for connection tracking timeout
 | |
| 	  fine-grain tuning. This allows you to attach specific timeout
 | |
| 	  policies to flows, instead of using the global timeout policy.
 | |
| 
 | |
| 	  If unsure, say `N'.
 | |
| 
 | |
| config NF_CT_NETLINK_HELPER
 | |
| 	tristate 'Connection tracking helpers in user-space via Netlink'
 | |
| 	select NETFILTER_NETLINK
 | |
| 	depends on NF_CT_NETLINK
 | |
| 	depends on NETFILTER_NETLINK_QUEUE
 | |
| 	depends on NETFILTER_NETLINK_GLUE_CT
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option enables the user-space connection tracking helpers
 | |
| 	  infrastructure.
 | |
| 
 | |
| 	  If unsure, say `N'.
 | |
| 
 | |
| config NETFILTER_NETLINK_GLUE_CT
 | |
| 	bool "NFQUEUE and NFLOG integration with Connection Tracking"
 | |
| 	default n
 | |
| 	depends on (NETFILTER_NETLINK_QUEUE || NETFILTER_NETLINK_LOG) && NF_CT_NETLINK
 | |
| 	help
 | |
| 	  If this option is enabled, NFQUEUE and NFLOG can include
 | |
| 	  Connection Tracking information together with the packet that
 | |
| 	  is enqueued via NFNETLINK.
 | |
| 
 | |
| config NF_NAT
 | |
| 	tristate "Network Address Translation support"
 | |
| 	depends on NF_CONNTRACK
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  The NAT option allows masquerading, port forwarding and other
 | |
| 	  forms of full Network Address Port Translation. This can be
 | |
| 	  controlled by iptables, ip6tables or nft.
 | |
| 
 | |
| config NF_NAT_AMANDA
 | |
| 	tristate
 | |
| 	depends on NF_CONNTRACK && NF_NAT
 | |
| 	default NF_NAT && NF_CONNTRACK_AMANDA
 | |
| 
 | |
| config NF_NAT_FTP
 | |
| 	tristate
 | |
| 	depends on NF_CONNTRACK && NF_NAT
 | |
| 	default NF_NAT && NF_CONNTRACK_FTP
 | |
| 
 | |
| config NF_NAT_IRC
 | |
| 	tristate
 | |
| 	depends on NF_CONNTRACK && NF_NAT
 | |
| 	default NF_NAT && NF_CONNTRACK_IRC
 | |
| 
 | |
| config NF_NAT_SIP
 | |
| 	tristate
 | |
| 	depends on NF_CONNTRACK && NF_NAT
 | |
| 	default NF_NAT && NF_CONNTRACK_SIP
 | |
| 
 | |
| config NF_NAT_TFTP
 | |
| 	tristate
 | |
| 	depends on NF_CONNTRACK && NF_NAT
 | |
| 	default NF_NAT && NF_CONNTRACK_TFTP
 | |
| 
 | |
| config NF_NAT_REDIRECT
 | |
| 	bool
 | |
| 
 | |
| config NF_NAT_MASQUERADE
 | |
| 	bool
 | |
| 
 | |
| config NETFILTER_SYNPROXY
 | |
| 	tristate
 | |
| 
 | |
| endif # NF_CONNTRACK
 | |
| 
 | |
| config NF_TABLES
 | |
| 	select NETFILTER_NETLINK
 | |
| 	tristate "Netfilter nf_tables support"
 | |
| 	help
 | |
| 	  nftables is the new packet classification framework that intends to
 | |
| 	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
 | |
| 	  provides a pseudo-state machine with an extensible instruction-set
 | |
| 	  (also known as expressions) that the userspace 'nft' utility
 | |
| 	  (https://www.netfilter.org/projects/nftables) uses to build the
 | |
| 	  rule-set. It also comes with the generic set infrastructure that
 | |
| 	  allows you to construct mappings between matchings and actions
 | |
| 	  for performance lookups.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.
 | |
| 
 | |
| if NF_TABLES
 | |
| config NF_TABLES_INET
 | |
| 	depends on IPV6
 | |
| 	select NF_TABLES_IPV4
 | |
| 	select NF_TABLES_IPV6
 | |
| 	bool "Netfilter nf_tables mixed IPv4/IPv6 tables support"
 | |
| 	help
 | |
| 	  This option enables support for a mixed IPv4/IPv6 "inet" table.
 | |
| 
 | |
| config NF_TABLES_NETDEV
 | |
| 	bool "Netfilter nf_tables netdev tables support"
 | |
| 	help
 | |
| 	  This option enables support for the "netdev" table.
 | |
| 
 | |
| config NFT_NUMGEN
 | |
| 	tristate "Netfilter nf_tables number generator module"
 | |
| 	help
 | |
| 	  This option adds the number generator expression used to perform
 | |
| 	  incremental counting and random numbers bound to an upper limit.
 | |
| 
 | |
| config NFT_CT
 | |
| 	depends on NF_CONNTRACK
 | |
| 	tristate "Netfilter nf_tables conntrack module"
 | |
| 	help
 | |
| 	  This option adds the "ct" expression that you can use to match
 | |
| 	  connection tracking information such as the flow state.
 | |
| 
 | |
| config NFT_FLOW_OFFLOAD
 | |
| 	depends on NF_CONNTRACK && NF_FLOW_TABLE
 | |
| 	tristate "Netfilter nf_tables hardware flow offload module"
 | |
| 	help
 | |
| 	  This option adds the "flow_offload" expression that you can use to
 | |
| 	  choose what flows are placed into the hardware.
 | |
| 
 | |
| config NFT_COUNTER
 | |
| 	tristate "Netfilter nf_tables counter module"
 | |
| 	help
 | |
| 	  This option adds the "counter" expression that you can use to
 | |
| 	  include packet and byte counters in a rule.
 | |
| 
 | |
| config NFT_CONNLIMIT
 | |
| 	tristate "Netfilter nf_tables connlimit module"
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_CONNCOUNT
 | |
| 	help
 | |
| 	  This option adds the "connlimit" expression that you can use to
 | |
| 	  ratelimit rule matchings per connection.
 | |
| 
 | |
| config NFT_LOG
 | |
| 	tristate "Netfilter nf_tables log module"
 | |
| 	help
 | |
| 	  This option adds the "log" expression that you can use to log
 | |
| 	  packets matching some criteria.
 | |
| 
 | |
| config NFT_LIMIT
 | |
| 	tristate "Netfilter nf_tables limit module"
 | |
| 	help
 | |
| 	  This option adds the "limit" expression that you can use to
 | |
| 	  ratelimit rule matchings.
 | |
| 
 | |
| config NFT_MASQ
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on NF_NAT
 | |
| 	select NF_NAT_MASQUERADE
 | |
| 	tristate "Netfilter nf_tables masquerade support"
 | |
| 	help
 | |
| 	  This option adds the "masquerade" expression that you can use
 | |
| 	  to perform NAT in the masquerade flavour.
 | |
| 
 | |
| config NFT_REDIR
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on NF_NAT
 | |
| 	tristate "Netfilter nf_tables redirect support"
 | |
| 	select NF_NAT_REDIRECT
 | |
| 	help
 | |
| 	  This option adds the "redirect" expression that you can use
 | |
| 	  to perform NAT in the redirect flavour.
 | |
| 
 | |
| config NFT_NAT
 | |
| 	depends on NF_CONNTRACK
 | |
| 	select NF_NAT
 | |
| 	depends on NF_TABLES_IPV4 || NF_TABLES_IPV6
 | |
| 	tristate "Netfilter nf_tables nat module"
 | |
| 	help
 | |
| 	  This option adds the "nat" expression that you can use to perform
 | |
| 	  typical Network Address Translation (NAT) packet transformations.
 | |
| 
 | |
| config NFT_TUNNEL
 | |
| 	tristate "Netfilter nf_tables tunnel module"
 | |
| 	help
 | |
| 	  This option adds the "tunnel" expression that you can use to set
 | |
| 	  tunneling policies.
 | |
| 
 | |
| config NFT_OBJREF
 | |
| 	tristate "Netfilter nf_tables stateful object reference module"
 | |
| 	help
 | |
| 	  This option adds the "objref" expression that allows you to refer to
 | |
| 	  stateful objects, such as counters and quotas.
 | |
| 
 | |
| config NFT_QUEUE
 | |
| 	depends on NETFILTER_NETLINK_QUEUE
 | |
| 	tristate "Netfilter nf_tables queue module"
 | |
| 	help
 | |
| 	  This is required if you intend to use the userspace queueing
 | |
| 	  infrastructure (also known as NFQUEUE) from nftables.
 | |
| 
 | |
| config NFT_QUOTA
 | |
| 	tristate "Netfilter nf_tables quota module"
 | |
| 	help
 | |
| 	  This option adds the "quota" expression that you can use to
 | |
| 	  enforce byte quotas.
 | |
| 
 | |
| config NFT_REJECT
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	tristate "Netfilter nf_tables reject support"
 | |
| 	depends on !NF_TABLES_INET || (IPV6!=m || m)
 | |
| 	help
 | |
| 	  This option adds the "reject" expression that you can use to
 | |
| 	  explicitly deny disallowed traffic and notify the sender via TCP
 | |
| 	  reset/ICMP informational errors.
 | |
| 
 | |
| config NFT_REJECT_INET
 | |
| 	depends on NF_TABLES_INET
 | |
| 	default NFT_REJECT
 | |
| 	tristate
 | |
| 
 | |
| config NFT_COMPAT
 | |
| 	depends on NETFILTER_XTABLES
 | |
| 	tristate "Netfilter x_tables over nf_tables module"
 | |
| 	help
 | |
| 	  This is required if you intend to use any of the existing
 | |
| 	  x_tables match/target extensions over the nf_tables
 | |
| 	  framework.
 | |
| 
 | |
| config NFT_HASH
 | |
| 	tristate "Netfilter nf_tables hash module"
 | |
| 	help
 | |
| 	  This option adds the "hash" expression that you can use to perform
 | |
| 	  a hash operation on registers.
 | |
| 
 | |
| config NFT_FIB
 | |
| 	tristate
 | |
| 
 | |
| config NFT_FIB_INET
 | |
| 	depends on NF_TABLES_INET
 | |
| 	depends on NFT_FIB_IPV4
 | |
| 	depends on NFT_FIB_IPV6
 | |
| 	tristate "Netfilter nf_tables fib inet support"
 | |
| 	help
 | |
| 	  This option allows using the FIB expression from the inet table.
 | |
| 	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
 | |
| 	  on the protocol of the packet.
 | |
| 
 | |
| config NFT_XFRM
 | |
| 	tristate "Netfilter nf_tables xfrm/IPSec security association matching"
 | |
| 	depends on XFRM
 | |
| 	help
 | |
| 	  This option adds an expression that you can use to extract properties
 | |
| 	  of a packet's security association.
 | |
| 
 | |
| config NFT_SOCKET
 | |
| 	tristate "Netfilter nf_tables socket match support"
 | |
| 	depends on IPV6 || IPV6=n
 | |
| 	select NF_SOCKET_IPV4
 | |
| 	select NF_SOCKET_IPV6 if NF_TABLES_IPV6
 | |
| 	help
 | |
| 	  This option allows matching for the presence or absence of a
 | |
| 	  corresponding socket and its attributes.
 | |
| 
 | |
| config NFT_OSF
 | |
| 	tristate "Netfilter nf_tables passive OS fingerprint support"
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_NETLINK_OSF
 | |
| 	help
 | |
| 	  This option allows matching packets from a specific OS.
 | |
| 
 | |
| config NFT_TPROXY
 | |
| 	tristate "Netfilter nf_tables tproxy support"
 | |
| 	depends on IPV6 || IPV6=n
 | |
| 	select NF_DEFRAG_IPV4
 | |
| 	select NF_DEFRAG_IPV6 if NF_TABLES_IPV6
 | |
| 	select NF_TPROXY_IPV4
 | |
| 	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
 | |
| 	help
 | |
| 	  This makes transparent proxy support available in nftables.
 | |
| 
 | |
| config NFT_SYNPROXY
 | |
| 	tristate "Netfilter nf_tables SYNPROXY expression support"
 | |
| 	depends on NF_CONNTRACK && NETFILTER_ADVANCED
 | |
| 	select NETFILTER_SYNPROXY
 | |
| 	select SYN_COOKIES
 | |
| 	help
 | |
| 	  The SYNPROXY expression allows you to intercept TCP connections and
 | |
| 	  establish them using syncookies before they are passed on to the
 | |
| 	  server. This avoids conntrack and server resource usage
 | |
| 	  during SYN-flood attacks.
 | |
| 
 | |
| if NF_TABLES_NETDEV
 | |
| 
 | |
| config NF_DUP_NETDEV
 | |
| 	tristate "Netfilter packet duplication support"
 | |
| 	help
 | |
| 	  This option enables the generic packet duplication infrastructure
 | |
| 	  for Netfilter.
 | |
| 
 | |
| config NFT_DUP_NETDEV
 | |
| 	tristate "Netfilter nf_tables netdev packet duplication support"
 | |
| 	select NF_DUP_NETDEV
 | |
| 	help
 | |
| 	  This option enables packet duplication for the "netdev" family.
 | |
| 
 | |
| config NFT_FWD_NETDEV
 | |
| 	tristate "Netfilter nf_tables netdev packet forwarding support"
 | |
| 	select NF_DUP_NETDEV
 | |
| 	help
 | |
| 	  This option enables packet forwarding for the "netdev" family.
 | |
| 
 | |
| config NFT_FIB_NETDEV
 | |
| 	depends on NFT_FIB_IPV4
 | |
| 	depends on NFT_FIB_IPV6
 | |
| 	tristate "Netfilter nf_tables netdev fib lookups support"
 | |
| 	help
 | |
| 	  This option allows using the FIB expression from the netdev table.
 | |
| 	  The lookup will be delegated to the IPv4 or IPv6 FIB depending
 | |
| 	  on the protocol of the packet.
 | |
| 
 | |
| endif # NF_TABLES_NETDEV
 | |
| 
 | |
| endif # NF_TABLES
 | |
| 
 | |
| config NF_FLOW_TABLE_INET
 | |
| 	tristate "Netfilter flow table mixed IPv4/IPv6 module"
 | |
| 	depends on NF_FLOW_TABLE
 | |
| 	help
 | |
| 	  This option adds the flow table mixed IPv4/IPv6 support.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.
 | |
| 
 | |
| config NF_FLOW_TABLE
 | |
| 	tristate "Netfilter flow table module"
 | |
| 	depends on NETFILTER_INGRESS
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on NF_TABLES
 | |
| 	help
 | |
| 	  This option adds the flow table core infrastructure.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.
 | |
| 
 | |
| config NETFILTER_XTABLES
 | |
| 	tristate "Netfilter Xtables support (required for ip_tables)"
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  This is required if you intend to use any of ip_tables,
 | |
| 	  ip6_tables or arp_tables.
 | |
| 
 | |
| if NETFILTER_XTABLES
 | |
| 
 | |
| comment "Xtables combined modules"
 | |
| 
 | |
| config NETFILTER_XT_MARK
 | |
| 	tristate 'nfmark target and match support'
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	This option adds the "MARK" target and "mark" match.
 | |
| 
 | |
| 	Netfilter mark matching allows you to match packets based on the
 | |
| 	"nfmark" value in the packet.
 | |
| 	The target allows you to create rules in the "mangle" table which alter
 | |
| 	the netfilter mark (nfmark) field associated with the packet.
 | |
| 
 | |
| 	Prior to routing, the nfmark can influence the routing method and can
 | |
| 	also be used by other subsystems to change their behavior.
 | |
| 
 | |
| config NETFILTER_XT_CONNMARK
 | |
| 	tristate 'ctmark target and match support'
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NF_CONNTRACK_MARK
 | |
| 	help
 | |
| 	This option adds the "CONNMARK" target and "connmark" match.
 | |
| 
 | |
| 	Netfilter allows you to store a mark value per connection (a.k.a.
 | |
| 	ctmark), similarly to the packet mark (nfmark). Using this
 | |
| 	target and match, you can set and match on this mark.
 | |
| 
 | |
| config NETFILTER_XT_SET
 | |
| 	tristate 'set target and match support'
 | |
| 	depends on IP_SET
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds the "SET" target and "set" match.
 | |
| 
 | |
| 	  Using this target and match, you can add/delete and match
 | |
| 	  elements in the sets created by ipset(8).
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| # alphabetically ordered list of targets
 | |
| 
 | |
| comment "Xtables targets"
 | |
| 
 | |
| config NETFILTER_XT_TARGET_AUDIT
 | |
| 	tristate "AUDIT target support"
 | |
| 	depends on AUDIT
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds an 'AUDIT' target, which can be used to create
 | |
| 	  audit records for packets dropped/accepted.
 | |
| 
 | |
| 	  To compile it as a module, choose M here. If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_CHECKSUM
 | |
| 	tristate "CHECKSUM target support"
 | |
| 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `CHECKSUM' target, which can be used in the iptables mangle
 | |
| 	  table to work around buggy DHCP clients in virtualized environments.
 | |
| 
 | |
| 	  Some old DHCP clients drop packets because they are not aware
 | |
| 	  that the checksum would normally be offloaded to hardware and
 | |
| 	  thus should be considered valid.
 | |
| 	  This target can be used to fill in the checksum using iptables
 | |
| 	  when such packets are sent via a virtual network device.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_CLASSIFY
 | |
| 	tristate '"CLASSIFY" target support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `CLASSIFY' target, which enables the user to set
 | |
| 	  the priority of a packet. Some qdiscs can use this value for
 | |
| 	  classification, among these are:
 | |
| 
 | |
| 	  atm, cbq, dsmark, pfifo_fast, htb, prio
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_CONNMARK
 | |
| 	tristate  '"CONNMARK" target support'
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_XT_CONNMARK
 | |
| 	help
 | |
| 	This is a backwards-compat option for the user's convenience
 | |
| 	(e.g. when running oldconfig). It selects
 | |
| 	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
 | |
| 
 | |
| config NETFILTER_XT_TARGET_CONNSECMARK
 | |
| 	tristate '"CONNSECMARK" target support'
 | |
| 	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  The CONNSECMARK target copies security markings from packets
 | |
| 	  to connections, and restores security markings from connections
 | |
| 	  to packets (if the packets are not already marked).  This would
 | |
| 	  normally be used in conjunction with the SECMARK target.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_CT
 | |
| 	tristate '"CT" target support'
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on IP_NF_RAW || IP6_NF_RAW
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `CT' target, which allows you to specify initial
 | |
| 	  connection tracking parameters like events to be delivered and
 | |
| 	  the helper to be used.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_DSCP
 | |
| 	tristate '"DSCP" and "TOS" target support'
 | |
| 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `DSCP' target, which allows you to manipulate
 | |
| 	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
 | |
| 
 | |
| 	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
 | |
| 
 | |
| 	  It also adds the "TOS" target, which allows you to create rules in
 | |
| 	  the "mangle" table which alter the Type Of Service field of an IPv4
 | |
| 	  or the Priority field of an IPv6 packet, prior to routing.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_HL
 | |
| 	tristate '"HL" hoplimit target support'
 | |
| 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
 | |
| 	targets, which enable the user to change the
 | |
| 	hoplimit/time-to-live value of the IP header.
 | |
| 
 | |
| 	While it is safe to decrement the hoplimit/TTL value, the
 | |
| 	modules also allow you to increment and set the hoplimit value of
 | |
| 	the header to arbitrary values. This is EXTREMELY DANGEROUS
 | |
| 	since you can easily create immortal packets that loop
 | |
| 	forever on the network.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_HMARK
 | |
| 	tristate '"HMARK" target support'
 | |
| 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	This option adds the "HMARK" target.
 | |
| 
 | |
| 	The target allows you to create rules in the "raw" and "mangle" tables
 | |
| 	which set the skbuff mark by means of hash calculation within a given
 | |
| 	range. The nfmark can influence the routing method and can also be used
 | |
| 	by other subsystems to change their behaviour.
 | |
| 
 | |
| 	To compile it as a module, choose M here. If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_IDLETIMER
 | |
| 	tristate  "IDLETIMER target support"
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 
 | |
| 	  This option adds the `IDLETIMER' target.  Each matching packet
 | |
| 	  resets the timer associated with label specified when the rule is
 | |
| 	  added.  When the timer expires, it triggers a sysfs notification.
 | |
| 	  The remaining time for expiration can be read via sysfs.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_LED
 | |
| 	tristate '"LED" target support'
 | |
| 	depends on LEDS_CLASS && LEDS_TRIGGERS
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `LED' target, which allows you to blink LEDs in
 | |
| 	  response to particular packets passing through your machine.
 | |
| 
 | |
| 	  This can be used to turn a spare LED into a network activity LED,
 | |
| 	  which only flashes in response to FTP transfers, for example.  Or
 | |
| 	  you could have an LED which lights up for a minute or two every time
 | |
| 	  somebody connects to your machine via SSH.
 | |
| 
 | |
| 	  You will need support for the "led" class to make this work.
 | |
| 
 | |
| 	  To create an LED trigger for incoming SSH traffic:
 | |
| 	    iptables -A INPUT -p tcp --dport 22 -j LED --led-trigger-id ssh --led-delay 1000
 | |
| 
 | |
| 	  Then attach the new trigger to an LED on your system:
 | |
| 	    echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
 | |
| 
 | |
| 	  For more information on the LEDs available on your system, see
 | |
| 	  Documentation/leds/leds-class.rst
 | |
| 
 | |
| config NETFILTER_XT_TARGET_LOG
 | |
| 	tristate "LOG target support"
 | |
| 	select NF_LOG_COMMON
 | |
| 	select NF_LOG_IPV4
 | |
| 	select NF_LOG_IPV6 if IP6_NF_IPTABLES
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  This option adds a `LOG' target, which allows you to create rules in
 | |
| 	  any iptables table which records the packet header to the syslog.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_MARK
 | |
| 	tristate '"MARK" target support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_XT_MARK
 | |
| 	help
 | |
| 	This is a backwards-compat option for the user's convenience
 | |
| 	(e.g. when running oldconfig). It selects
 | |
| 	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
 | |
| 
 | |
| config NETFILTER_XT_NAT
 | |
| 	tristate '"SNAT and DNAT" targets support'
 | |
| 	depends on NF_NAT
 | |
| 	help
 | |
| 	This option enables the SNAT and DNAT targets.
 | |
| 
 | |
| 	To compile it as a module, choose M here. If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_NETMAP
 | |
| 	tristate '"NETMAP" target support'
 | |
| 	depends on NF_NAT
 | |
| 	help
 | |
| 	NETMAP is an implementation of static 1:1 NAT mapping of network
 | |
| 	addresses. It maps the network address part, while keeping the host
 | |
| 	address part intact.
 | |
| 
 | |
| 	To compile it as a module, choose M here. If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_NFLOG
 | |
| 	tristate '"NFLOG" target support'
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	select NETFILTER_NETLINK_LOG
 | |
| 	help
 | |
| 	  This option enables the NFLOG target, which allows you to log
 | |
| 	  messages through nfnetlink_log.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_NFQUEUE
 | |
| 	tristate '"NFQUEUE" target Support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_NETLINK_QUEUE
 | |
| 	help
 | |
| 	  This target replaced the old obsolete QUEUE target.
 | |
| 
 | |
| 	  As opposed to QUEUE, it supports 65535 different queues,
 | |
| 	  not just one.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_NOTRACK
 | |
| 	tristate  '"NOTRACK" target support (DEPRECATED)'
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on IP_NF_RAW || IP6_NF_RAW
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_XT_TARGET_CT
 | |
| 
 | |
| config NETFILTER_XT_TARGET_RATEEST
 | |
| 	tristate '"RATEEST" target support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `RATEEST' target, which allows you to measure
 | |
| 	  rates similar to TC estimators. The `rateest' match can be
 | |
| 	  used to match on the measured rates.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_REDIRECT
 | |
| 	tristate "REDIRECT target support"
 | |
| 	depends on NF_NAT
 | |
| 	select NF_NAT_REDIRECT
 | |
| 	help
 | |
| 	REDIRECT is a special case of NAT: all incoming connections are
 | |
| 	mapped onto the incoming interface's address, causing the packets to
 | |
| 	come to the local machine instead of passing through. This is
 | |
| 	useful for transparent proxies.
 | |
| 
 | |
| 	To compile it as a module, choose M here. If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_MASQUERADE
 | |
| 	tristate "MASQUERADE target support"
 | |
| 	depends on NF_NAT
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	select NF_NAT_MASQUERADE
 | |
| 	help
 | |
| 	  Masquerading is a special case of NAT: all outgoing connections are
 | |
| 	  changed to seem to come from a particular interface's address, and
 | |
| 	  if the interface goes down, those connections are lost.  This is
 | |
| 	  only useful for dialup accounts with dynamic IP address (ie. your IP
 | |
| 	  address will be different on next dialup).
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_TEE
 | |
| 	tristate '"TEE" - packet cloning to alternate destination'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	depends on IPV6 || IPV6=n
 | |
| 	depends on !NF_CONNTRACK || NF_CONNTRACK
 | |
| 	depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES
 | |
| 	select NF_DUP_IPV4
 | |
| 	select NF_DUP_IPV6 if IP6_NF_IPTABLES
 | |
| 	help
 | |
| 	This option adds a "TEE" target with which a packet can be cloned and
 | |
| 	this clone be rerouted to another nexthop.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_TPROXY
 | |
| 	tristate '"TPROXY" target transparent proxying support'
 | |
| 	depends on NETFILTER_XTABLES
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	depends on IPV6 || IPV6=n
 | |
| 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
 | |
| 	depends on IP_NF_MANGLE
 | |
| 	select NF_DEFRAG_IPV4
 | |
| 	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
 | |
| 	select NF_TPROXY_IPV4
 | |
| 	select NF_TPROXY_IPV6 if IP6_NF_IPTABLES
 | |
| 	help
 | |
| 	  This option adds a `TPROXY' target, which is somewhat similar to
 | |
| 	  REDIRECT.  It can only be used in the mangle table and is useful
 | |
| 	  to redirect traffic to a transparent proxy.  It does _not_ depend
 | |
| 	  on Netfilter connection tracking and NAT, unlike REDIRECT.
 | |
| 	  For it to work you will have to configure certain iptables rules
 | |
| 	  and use policy routing. For more information on how to set it up
 | |
| 	  see Documentation/networking/tproxy.rst.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_TRACE
 | |
| 	tristate  '"TRACE" target support'
 | |
| 	depends on IP_NF_RAW || IP6_NF_RAW
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  The TRACE target allows you to mark packets so that the kernel
 | |
| 	  will log every rule that matches the packets as they traverse
 | |
| 	  the tables, chains, rules.
 | |
| 
 | |
| 	  If you want to compile it as a module, say M here and read
 | |
| 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_SECMARK
 | |
| 	tristate '"SECMARK" target support'
 | |
| 	depends on NETWORK_SECMARK
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  The SECMARK target allows security marking of network
 | |
| 	  packets, for use with security subsystems.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_TCPMSS
 | |
| 	tristate '"TCPMSS" target support'
 | |
| 	depends on IPV6 || IPV6=n
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  This option adds a `TCPMSS' target, which allows you to alter the
 | |
| 	  MSS value of TCP SYN packets, to control the maximum size for that
 | |
| 	  connection (usually limiting it to your outgoing interface's MTU
 | |
| 	  minus 40).
 | |
| 
 | |
| 	  This is used to overcome criminally braindead ISPs or servers which
 | |
| 	  block ICMP Fragmentation Needed packets.  The symptoms of this
 | |
| 	  problem are that everything works fine from your Linux
 | |
| 	  firewall/router, but machines behind it can never exchange large
 | |
| 	  packets:
 | |
| 	        1) Web browsers connect, then hang with no data received.
 | |
| 	        2) Small mail works fine, but large emails hang.
 | |
| 	        3) ssh works fine, but scp hangs after initial handshaking.
 | |
| 
 | |
| 	  Workaround: activate this option and add a rule to your firewall
 | |
| 	  configuration like:
 | |
| 
 | |
| 	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
 | |
| 	                 -j TCPMSS --clamp-mss-to-pmtu
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_TARGET_TCPOPTSTRIP
 | |
| 	tristate '"TCPOPTSTRIP" target support'
 | |
| 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
 | |
| 	  TCP options from TCP packets.
 | |
| 
 | |
| # alphabetically ordered list of matches
 | |
| 
 | |
| comment "Xtables matches"
 | |
| 
 | |
| config NETFILTER_XT_MATCH_ADDRTYPE
 | |
| 	tristate '"addrtype" address type match support'
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  This option allows you to match what routing thinks of an address,
 | |
| 	  eg. UNICAST, LOCAL, BROADCAST, ...
 | |
| 
 | |
| 	  If you want to compile it as a module, say M here and read
 | |
| 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_BPF
 | |
| 	tristate '"bpf" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  BPF matching applies a linux socket filter to each packet and
 | |
| 	  accepts those for which the filter returns non-zero.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_CGROUP
 | |
| 	tristate '"control group" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	depends on CGROUPS
 | |
| 	select CGROUP_NET_CLASSID
 | |
| 	help
 | |
| 	Socket/process control group matching allows you to match locally
 | |
| 	generated packets based on which net_cls control group processes
 | |
| 	belong to.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_CLUSTER
 | |
| 	tristate '"cluster" match support'
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option allows you to build work-load-sharing clusters of
 | |
| 	  network servers/stateful firewalls without having a dedicated
 | |
| 	  load-balancing router/server/switch. Basically, this match returns
 | |
| 	  true when the packet must be handled by this cluster node. Thus,
 | |
| 	  all nodes see all packets and this match decides which node handles
 | |
| 	  what packets. The work-load sharing algorithm is based on source
 | |
| 	  address hashing.
 | |
| 
 | |
| 	  If you say Y or M here, try `iptables -m cluster --help` for
 | |
| 	  more information.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_COMMENT
 | |
| 	tristate  '"comment" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `comment' dummy-match, which allows you to put
 | |
| 	  comments in your iptables ruleset.
 | |
| 
 | |
| 	  If you want to compile it as a module, say M here and read
 | |
| 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_CONNBYTES
 | |
| 	tristate  '"connbytes" per-connection counter match support'
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `connbytes' match, which allows you to match the
 | |
| 	  number of bytes and/or packets for each direction within a connection.
 | |
| 
 | |
| 	  If you want to compile it as a module, say M here and read
 | |
| 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_CONNLABEL
 | |
| 	tristate '"connlabel" match support'
 | |
| 	select NF_CONNTRACK_LABELS
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This match allows you to test and assign userspace-defined label names
 | |
| 	  to a connection.  The kernel only stores bit values - mapping
 | |
| 	  names to bits is done by userspace.
 | |
| 
 | |
| 	  Unlike connmark, more than 32 flag bits may be assigned to a
 | |
| 	  connection simultaneously.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_CONNLIMIT
 | |
| 	tristate '"connlimit" match support'
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_CONNCOUNT
 | |
| 	help
 | |
| 	  This match allows you to match against the number of parallel
 | |
| 	  connections to a server per client IP address (or address block).
 | |
| 
 | |
| config NETFILTER_XT_MATCH_CONNMARK
 | |
| 	tristate  '"connmark" connection mark match support'
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_XT_CONNMARK
 | |
| 	help
 | |
| 	This is a backwards-compat option for the user's convenience
 | |
| 	(e.g. when running oldconfig). It selects
 | |
| 	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
 | |
| 
 | |
| config NETFILTER_XT_MATCH_CONNTRACK
 | |
| 	tristate '"conntrack" connection tracking match support'
 | |
| 	depends on NF_CONNTRACK
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  This is a general conntrack match module, a superset of the state match.
 | |
| 
 | |
| 	  It allows matching on additional conntrack information, which is
 | |
| 	  useful in complex configurations, such as NAT gateways with multiple
 | |
| 	  internet links or tunnels.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_CPU
 | |
| 	tristate '"cpu" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  CPU matching allows you to match packets based on the CPU
 | |
| 	  currently handling the packet.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_DCCP
 | |
| 	tristate '"dccp" protocol match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	default IP_DCCP
 | |
| 	help
 | |
| 	  With this option enabled, you will be able to use the iptables
 | |
| 	  `dccp' match in order to match on DCCP source/destination ports
 | |
| 	  and DCCP flags.
 | |
| 
 | |
| 	  If you want to compile it as a module, say M here and read
 | |
| 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_DEVGROUP
 | |
| 	tristate '"devgroup" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `devgroup' match, which allows you to match on the
 | |
| 	  device group a network device is assigned to.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_DSCP
 | |
| 	tristate '"dscp" and "tos" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `DSCP' match, which allows you to match against
 | |
| 	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
 | |
| 
 | |
| 	  The DSCP field can have any value between 0x0 and 0x3f inclusive.
 | |
| 
 | |
| 	  It will also add a "tos" match, which allows you to match packets
 | |
| 	  based on the Type Of Service fields of the IPv4 packet (which share
 | |
| 	  the same bits as DSCP).
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_ECN
 | |
| 	tristate '"ecn" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	This option adds an "ECN" match, which allows you to match against
 | |
| 	the IPv4 and TCP header ECN fields.
 | |
| 
 | |
| 	To compile it as a module, choose M here. If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_ESP
 | |
| 	tristate '"esp" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This match extension allows you to match a range of SPIs
 | |
| 	  inside ESP header of IPSec packets.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_HASHLIMIT
 | |
| 	tristate '"hashlimit" match support'
 | |
| 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `hashlimit' match.
 | |
| 
 | |
| 	  As opposed to `limit', this match dynamically creates a hash table
 | |
| 	  of limit buckets, based on your selection of source/destination
 | |
| 	  addresses and/or ports.
 | |
| 
 | |
| 	  It enables you to express policies like `10kpps for any given
 | |
| 	  destination address' or `500pps from any given source address'
 | |
| 	  with a single rule.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_HELPER
 | |
| 	tristate '"helper" match support'
 | |
| 	depends on NF_CONNTRACK
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  Helper matching allows you to match packets in dynamic connections
 | |
| 	  tracked by a conntrack-helper, ie. nf_conntrack_ftp
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say Y.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_HL
 | |
| 	tristate '"hl" hoplimit/TTL match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	HL matching allows you to match packets based on the hoplimit
 | |
| 	in the IPv6 header, or the time-to-live field in the IPv4
 | |
| 	header of the packet.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_IPCOMP
 | |
| 	tristate '"ipcomp" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This match extension allows you to match a range of CPIs (16 bits)
 | |
| 	  inside IPComp header of IPSec packets.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_IPRANGE
 | |
| 	tristate '"iprange" address range match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	This option adds an "iprange" match, which allows you to match based on
 | |
| 	an IP address range. (Normal iptables only matches on single addresses
 | |
| 	with an optional mask.)
 | |
| 
 | |
| 	If unsure, say M.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_IPVS
 | |
| 	tristate '"ipvs" match support'
 | |
| 	depends on IP_VS
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	depends on NF_CONNTRACK
 | |
| 	help
 | |
| 	  This option allows you to match against IPVS properties of a packet.
 | |
| 
 | |
| 	  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_L2TP
 | |
| 	tristate '"l2tp" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	default L2TP
 | |
| 	help
 | |
| 	This option adds an "L2TP" match, which allows you to match against
 | |
| 	L2TP protocol header fields.
 | |
| 
 | |
| 	To compile it as a module, choose M here. If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_LENGTH
 | |
| 	tristate '"length" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option allows you to match the length of a packet against a
 | |
| 	  specific value or range of values.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_LIMIT
 | |
| 	tristate '"limit" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  limit matching allows you to control the rate at which a rule can be
 | |
| 	  matched: mainly useful in combination with the LOG target ("LOG
 | |
| 	  target support", below) and to avoid some Denial of Service attacks.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_MAC
 | |
| 	tristate '"mac" address match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  MAC matching allows you to match packets based on the source
 | |
| 	  Ethernet address of the packet.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_MARK
 | |
| 	tristate '"mark" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_XT_MARK
 | |
| 	help
 | |
| 	This is a backwards-compat option for the user's convenience
 | |
| 	(e.g. when running oldconfig). It selects
 | |
| 	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
 | |
| 
 | |
| config NETFILTER_XT_MATCH_MULTIPORT
 | |
| 	tristate '"multiport" Multiple port match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  Multiport matching allows you to match TCP or UDP packets based on
 | |
| 	  a series of source or destination ports: normally a rule can only
 | |
| 	  match a single range of ports.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_NFACCT
 | |
| 	tristate '"nfacct" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_NETLINK_ACCT
 | |
| 	help
 | |
| 	  This option allows you to use the extended accounting through
 | |
| 	  nfnetlink_acct.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_OSF
 | |
| 	tristate '"osf" Passive OS fingerprint match'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_NETLINK_OSF
 | |
| 	help
 | |
| 	  This option selects the Passive OS Fingerprinting match module
 | |
| 	  that allows you to passively match the remote operating system by
 | |
| 	  analyzing incoming TCP SYN packets.
 | |
| 
 | |
| 	  Rules and loading software can be downloaded from
 | |
| 	  http://www.ioremap.net/projects/osf
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_OWNER
 | |
| 	tristate '"owner" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	Socket owner matching allows you to match locally-generated packets
 | |
| 	based on who created the socket: the user or group. It is also
 | |
| 	possible to check whether a socket actually exists.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_POLICY
 | |
| 	tristate 'IPsec "policy" match support'
 | |
| 	depends on XFRM
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  Policy matching allows you to match packets based on the
 | |
| 	  IPsec policy that was used during decapsulation/will
 | |
| 	  be used during encapsulation.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_PHYSDEV
 | |
| 	tristate '"physdev" match support'
 | |
| 	depends on BRIDGE && BRIDGE_NETFILTER
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  Physdev packet matching matches against the physical bridge ports
 | |
| 	  the IP packet arrived on or will leave by.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_PKTTYPE
 | |
| 	tristate '"pkttype" packet type match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  Packet type matching allows you to match a packet by
 | |
| 	  its "class", eg. BROADCAST, MULTICAST, ...
 | |
| 
 | |
| 	  Typical usage:
 | |
| 	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_QUOTA
 | |
| 	tristate '"quota" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `quota' match, which allows you to match on a
 | |
| 	  byte counter.
 | |
| 
 | |
| 	  If you want to compile it as a module, say M here and read
 | |
| 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_RATEEST
 | |
| 	tristate '"rateest" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select NETFILTER_XT_TARGET_RATEEST
 | |
| 	help
 | |
| 	  This option adds a `rateest' match, which allows you to match on the
 | |
| 	  rate estimated by the RATEEST target.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_REALM
 | |
| 	tristate  '"realm" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select IP_ROUTE_CLASSID
 | |
| 	help
 | |
| 	  This option adds a `realm' match, which allows you to use the realm
 | |
| 	  key from the routing subsystem inside iptables.
 | |
| 
 | |
| 	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
 | |
| 	  in tc world.
 | |
| 
 | |
| 	  If you want to compile it as a module, say M here and read
 | |
| 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_RECENT
 | |
| 	tristate '"recent" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	This match is used for creating one or many lists of recently
 | |
| 	used addresses and then matching against that/those list(s).
 | |
| 
 | |
| 	Short options are available by using 'iptables -m recent -h'
 | |
| 	Official Website: <http://snowman.net/projects/ipt_recent/>
 | |
| 
 | |
| config NETFILTER_XT_MATCH_SCTP
 | |
| 	tristate  '"sctp" protocol match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	default IP_SCTP
 | |
| 	help
 | |
| 	  With this option enabled, you will be able to use the
 | |
| 	  `sctp' match in order to match on SCTP source/destination ports
 | |
| 	  and SCTP chunk types.
 | |
| 
 | |
| 	  If you want to compile it as a module, say M here and read
 | |
| 	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_SOCKET
 | |
| 	tristate '"socket" match support'
 | |
| 	depends on NETFILTER_XTABLES
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	depends on IPV6 || IPV6=n
 | |
| 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
 | |
| 	select NF_SOCKET_IPV4
 | |
| 	select NF_SOCKET_IPV6 if IP6_NF_IPTABLES
 | |
| 	select NF_DEFRAG_IPV4
 | |
| 	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
 | |
| 	help
 | |
| 	  This option adds a `socket' match, which can be used to match
 | |
| 	  packets for which a TCP or UDP socket lookup finds a valid socket.
 | |
| 	  It can be used in combination with the MARK target and policy
 | |
| 	  routing to implement full featured non-locally bound sockets.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_STATE
 | |
| 	tristate '"state" match support'
 | |
| 	depends on NF_CONNTRACK
 | |
| 	default m if NETFILTER_ADVANCED=n
 | |
| 	help
 | |
| 	  Connection state matching allows you to match packets based on their
 | |
| 	  relationship to a tracked connection (ie. previous packets).  This
 | |
| 	  is a powerful tool for packet classification.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_STATISTIC
 | |
| 	tristate '"statistic" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `statistic' match, which allows you to match
 | |
| 	  on packets periodically or randomly with a given percentage.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_STRING
 | |
| 	tristate  '"string" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	select TEXTSEARCH
 | |
| 	select TEXTSEARCH_KMP
 | |
| 	select TEXTSEARCH_BM
 | |
| 	select TEXTSEARCH_FSM
 | |
| 	help
 | |
| 	  This option adds a `string' match, which allows you to look for
 | |
| 	  pattern matchings in packets.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_TCPMSS
 | |
| 	tristate '"tcpmss" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a `tcpmss' match, which allows you to examine the
 | |
| 	  MSS value of TCP SYN packets, which controls the maximum packet size
 | |
| 	  for that connection.
 | |
| 
 | |
| 	  To compile it as a module, choose M here.  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_TIME
 | |
| 	tristate '"time" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  This option adds a "time" match, which allows you to match based on
 | |
| 	  the packet arrival time (at the machine which netfilter is running
 | |
| 	  on) or departure time/date (for locally generated packets).
 | |
| 
 | |
| 	  If you say Y here, try `iptables -m time --help` for
 | |
| 	  more information.
 | |
| 
 | |
| 	  If you want to compile it as a module, say M here.
 | |
| 	  If unsure, say N.
 | |
| 
 | |
| config NETFILTER_XT_MATCH_U32
 | |
| 	tristate '"u32" match support'
 | |
| 	depends on NETFILTER_ADVANCED
 | |
| 	help
 | |
| 	  u32 allows you to extract quantities of up to 4 bytes from a packet,
 | |
| 	  AND them with specified masks, shift them by specified amounts and
 | |
| 	  test whether the results are in any of a set of specified ranges.
 | |
| 	  The specification of what to extract is general enough to skip over
 | |
| 	  headers with lengths stored in the packet, as in IP or TCP header
 | |
| 	  lengths.
 | |
| 
 | |
| 	  Details and examples are in the kernel module source.
 | |
| 
 | |
| endif # NETFILTER_XTABLES
 | |
| 
 | |
| endmenu
 | |
| 
 | |
| source "net/netfilter/ipset/Kconfig"
 | |
| 
 | |
| source "net/netfilter/ipvs/Kconfig"