Diffstat (limited to 'net/netfilter/Kconfig')
| -rw-r--r-- | net/netfilter/Kconfig | 463 |
1 files changed, 300 insertions, 163 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 9b28864cc36a..6cdc994fdc8a 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -1,5 +1,6 @@ +# SPDX-License-Identifier: GPL-2.0-only menu "Core Netfilter Configuration" - depends on NET && INET && NETFILTER + depends on INET && NETFILTER config NETFILTER_INGRESS bool "Netfilter ingress support" @@ -9,11 +10,41 @@ config NETFILTER_INGRESS This allows you to classify packets from ingress using the Netfilter infrastructure. +config NETFILTER_EGRESS + bool "Netfilter egress support" + default y + select NET_EGRESS + help + This allows you to classify packets before transmission using the + Netfilter infrastructure. + +config NETFILTER_SKIP_EGRESS + def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB) + config NETFILTER_NETLINK tristate +config NETFILTER_FAMILY_BRIDGE + bool + +config NETFILTER_FAMILY_ARP + bool + +config NETFILTER_BPF_LINK + def_bool BPF_SYSCALL + +config NETFILTER_NETLINK_HOOK + tristate "Netfilter base hook dump support" + depends on NETFILTER_ADVANCED + depends on NF_TABLES + select NETFILTER_NETLINK + help + If this option is enabled, the kernel will include support + to list the base netfilter hooks via NFNETLINK. + This is helpful for debugging. + config NETFILTER_NETLINK_ACCT -tristate "Netfilter NFACCT over NFNETLINK interface" + tristate "Netfilter NFACCT over NFNETLINK interface" depends on NETFILTER_ADVANCED select NETFILTER_NETLINK help @@ -27,7 +58,7 @@ config NETFILTER_NETLINK_QUEUE help If this option is enabled, the kernel will include support for queueing packets via NFNETLINK. - + config NETFILTER_NETLINK_LOG tristate "Netfilter LOG over NFNETLINK interface" default m if NETFILTER_ADVANCED=n 
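Review bot: NETFILTER_SKIP_EGRESS and NETFILTER_BPF_LINK (hunk @@ -9,11 +10,41 @@) are added as silent def_bool symbols with neither help nor a comment, while NETFILTER_NETLINK_HOOK in the same hunk gets a help block and a NETFILTER_ADVANCED gate. A one-line comment above each would save the next reader a grep, e.g. `# skip the egress hook for packets redirected by tc (NET_CLS_ACT) or through an IFB device` and `# enable attaching BPF programs to netfilter hooks whenever BPF_SYSCALL is set`; the first is inferred from the expression and should be confirmed against the hook code. NETFILTER_BPF_LINK also tracks BPF_SYSCALL unconditionally rather than sitting behind NETFILTER_ADVANCED like the other nfnetlink-facing options here, which may be intended but deserves a stated reason.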
@@ -40,9 +71,19 @@ config NETFILTER_NETLINK_LOG and is also scheduled to replace the old syslog-based ipt_LOG and ip6t_LOG modules. +config NETFILTER_NETLINK_OSF + tristate "Netfilter OSF over NFNETLINK interface" + depends on NETFILTER_ADVANCED + select NETFILTER_NETLINK + help + If this option is enabled, the kernel will include support + for passive OS fingerprint via NFNETLINK. + config NF_CONNTRACK tristate "Netfilter connection tracking support" default m if NETFILTER_ADVANCED=n + select NF_DEFRAG_IPV4 + select NF_DEFRAG_IPV6 if IPV6 != n help Connection tracking keeps a record of what packets have passed through your machine, in order to figure out how they are related @@ -54,14 +95,21 @@ config NF_CONNTRACK To compile it as a module, choose M here. If unsure, say N. -config NF_LOG_COMMON - tristate - -config NF_LOG_NETDEV - tristate "Netdev packet logging" - select NF_LOG_COMMON +config NF_LOG_SYSLOG + tristate "Syslog packet logging" + default m if NETFILTER_ADVANCED=n + help + This option enable support for packet logging via syslog. + It supports IPv4, IPV6, ARP and common transport protocols such + as TCP and UDP. + This is a simpler but less flexible logging method compared to + CONFIG_NETFILTER_NETLINK_LOG. + If both are enabled the backend to use can be configured at run-time + by means of per-address-family sysctl tunables. if NF_CONNTRACK +config NETFILTER_CONNCOUNT + tristate config NF_CONNTRACK_MARK bool 'Connection mark tracking support' @@ -75,7 +123,7 @@ config NF_CONNTRACK_MARK config NF_CONNTRACK_SECMARK bool 'Connection tracking security mark support' depends on NETWORK_SECMARK - default m if NETFILTER_ADVANCED=n + default y if NETFILTER_ADVANCED=n help This option enables security markings to be applied to connections. Typically they are copied to connections from 
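Review bot: The new NF_LOG_SYSLOG help text (hunk @@ -54,14 +95,21 @@) reads `This option enable support for packet logging via syslog.` and spells `IPV6` inconsistently with `IPv4`; suggest `This option enables support for packet logging via syslog.` and `It supports IPv4, IPv6, ARP and common transport protocols such`. NETFILTER_CONNCOUNT is inserted directly under `if NF_CONNTRACK` with no blank line, unlike every other entry in the file. The new `select NF_DEFRAG_IPV6 if IPV6 != n` on NF_CONNTRACK forces the defrag symbol on regardless of that symbol's own dependencies, since select bypasses depends; that is presumably the intent, but NF_DEFRAG_IPV6 is defined outside this file so it cannot be confirmed from the diff.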
@@ -88,7 +136,6 @@ config NF_CONNTRACK_SECMARK config NF_CONNTRACK_ZONES bool 'Connection tracking zones' depends on NETFILTER_ADVANCED - depends on NETFILTER_XT_TARGET_CT help This option enables support for connection tracking zones. Normally, each connection needs to have a unique system wide @@ -100,9 +147,8 @@ config NF_CONNTRACK_ZONES config NF_CONNTRACK_PROCFS bool "Supply CT list in procfs (OBSOLETE)" - default y depends on PROC_FS - ---help--- + help This option enables for the list of known conntrack entries to be shown in procfs under net/netfilter/nf_conntrack. This is considered obsolete in favor of using the conntrack(8) @@ -140,29 +186,23 @@ config NF_CONNTRACK_TIMESTAMP If unsure, say `N'. config NF_CONNTRACK_LABELS - bool + bool "Connection tracking labels" help This option enables support for assigning user-defined flag bits - to connection tracking entries. It selected by the connlabel match. + to connection tracking entries. It can be used with xtables connlabel + match and the nftables ct expression. -config NF_CT_PROTO_DCCP - bool 'DCCP protocol connection tracking support' - depends on NETFILTER_ADVANCED - default y - help - With this option enabled, the layer 3 independent connection - tracking code will be able to do state tracking on DCCP connections. - - If unsure, say Y. +config NF_CONNTRACK_OVS + bool config NF_CT_PROTO_GRE - tristate + bool config NF_CT_PROTO_SCTP bool 'SCTP protocol connection tracking support' depends on NETFILTER_ADVANCED default y - select LIBCRC32C + select NET_CRC32C help With this option enabled, the layer 3 independent connection tracking code will be able to do state tracking on SCTP connections. 
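Review bot: NF_CONNTRACK_LABELS becomes a user-visible prompt (hunk @@ -140,29 +186,23 @@) but its help lacks the `If unsure, say N.` guidance that the neighbouring NF_CONNTRACK_TIMESTAMP entry carries; adding that line keeps the prompt consistent with its siblings. NF_CT_PROTO_GRE silently changes from tristate to bool, which drops the ability to build it as a module, and nothing in the file says why; a short comment above it explaining the restriction would help readers who notice the change.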
@@ -204,8 +244,6 @@ config NF_CONNTRACK_FTP of Network Address Translation on them. This is FTP support on Layer 3 independent connection tracking. - Layer 3 independent connection tracking is experimental scheme - which generalize ip_conntrack to support other layer 3 protocols. To compile it as a module, choose M here. If unsure, say N. @@ -319,7 +357,7 @@ config NF_CONNTRACK_SIP help SIP is an application-layer control protocol that can establish, modify, and terminate multimedia sessions (conferences) such as - Internet telephony calls. With the ip_conntrack_sip and + Internet telephony calls. With the nf_conntrack_sip and the nf_nat_sip modules you can support the protocol on a connection tracking/NATing firewall. @@ -347,6 +385,7 @@ config NF_CT_NETLINK_TIMEOUT tristate 'Connection tracking timeout tuning via Netlink' select NETFILTER_NETLINK depends on NETFILTER_ADVANCED + depends on NF_CONNTRACK_TIMEOUT help This option enables support for connection tracking timeout fine-grain tuning. This allows you to attach specific timeout @@ -377,27 +416,13 @@ config NETFILTER_NETLINK_GLUE_CT the enqueued via NFNETLINK. config NF_NAT - tristate - -config NF_NAT_NEEDED - bool - depends on NF_NAT - default y - -config NF_NAT_PROTO_DCCP - bool - depends on NF_NAT && NF_CT_PROTO_DCCP - default NF_NAT && NF_CT_PROTO_DCCP - -config NF_NAT_PROTO_UDPLITE - bool - depends on NF_NAT && NF_CT_PROTO_UDPLITE - default NF_NAT && NF_CT_PROTO_UDPLITE - -config NF_NAT_PROTO_SCTP - bool - default NF_NAT && NF_CT_PROTO_SCTP - depends on NF_NAT && NF_CT_PROTO_SCTP + tristate "Network Address Translation support" + depends on NF_CONNTRACK + default m if NETFILTER_ADVANCED=n + help + The NAT option allows masquerading, port forwarding and other + forms of full Network Address Port Translation. This can be + controlled by iptables, ip6tables or nft. config NF_NAT_AMANDA tristate 
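Review bot: The new NF_NAT help block (hunk @@ -377,27 +416,13 @@) ends without the `To compile it as a module, choose M here. If unsure, say N.` trailer that NF_CONNTRACK and the other tristate prompts in this file carry, even though NF_NAT is now a user-visible tristate with `default m if NETFILTER_ADVANCED=n`. Adding that trailer keeps the prompt consistent. `depends on NF_CONNTRACK` is redundant here since the entry sits inside the `if NF_CONNTRACK` block opened in an earlier hunk (its `endif` appears in the next hunk); harmless, but worth knowing when reading the dependency.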
@@ -425,11 +450,13 @@ config NF_NAT_TFTP default NF_NAT && NF_CONNTRACK_TFTP config NF_NAT_REDIRECT - tristate "IPv4/IPv6 redirect support" - depends on NF_NAT - help - This is the kernel functionality to redirect packets to local - machine through NAT. + bool + +config NF_NAT_MASQUERADE + bool + +config NF_NAT_OVS + bool config NETFILTER_SYNPROXY tristate @@ -438,13 +465,14 @@ endif # NF_CONNTRACK config NF_TABLES select NETFILTER_NETLINK + select NET_CRC32C tristate "Netfilter nf_tables support" help nftables is the new packet classification framework that intends to replace the existing {ip,ip6,arp,eb}_tables infrastructure. It provides a pseudo-state machine with an extensible instruction-set (also known as expressions) that the userspace 'nft' utility - (http://www.netfilter.org/projects/nftables) uses to build the + (https://www.netfilter.org/projects/nftables) uses to build the rule-set. It also comes with the generic set infrastructure that allows you to construct mappings between matchings and actions for performance lookups. 
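Review bot: NF_NAT_REDIRECT loses its prompt together with its only description, and the new NF_NAT_MASQUERADE and NF_NAT_OVS symbols arrive with none. Since these are now silent symbols pulled in by `select` from later hunks (NFT_REDIR, NFT_MASQ and the xtables REDIRECT/MASQUERADE targets), a one-line comment above each, e.g. `# selected by the redirect targets: NAT packets to the local machine`, would preserve what the removed help text said. In NF_TABLES the new `select NET_CRC32C` lands between `select NETFILTER_NETLINK` and the `tristate` prompt; the prompt-first ordering used by NF_CONNTRACK would read better.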
@@ -452,38 +480,19 @@ config NF_TABLES To compile it as a module, choose M here. if NF_TABLES - config NF_TABLES_INET depends on IPV6 select NF_TABLES_IPV4 select NF_TABLES_IPV6 - tristate "Netfilter nf_tables mixed IPv4/IPv6 tables support" + bool "Netfilter nf_tables mixed IPv4/IPv6 tables support" help This option enables support for a mixed IPv4/IPv6 "inet" table. config NF_TABLES_NETDEV - tristate "Netfilter nf_tables netdev tables support" + bool "Netfilter nf_tables netdev tables support" help This option enables support for the "netdev" table. -config NFT_EXTHDR - tristate "Netfilter nf_tables exthdr module" - help - This option adds the "exthdr" expression that you can use to match - IPv6 extension headers and tcp options. - -config NFT_META - tristate "Netfilter nf_tables meta module" - help - This option adds the "meta" expression that you can use to match and - to set packet metainformation such as the packet mark. - -config NFT_RT - tristate "Netfilter nf_tables routing module" - help - This option adds the "rt" expression that you can use to match - packet routing information such as the packet nexthop. - config NFT_NUMGEN tristate "Netfilter nf_tables number generator module" help 
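Review bot: NF_TABLES_INET and NF_TABLES_NETDEV change from tristate to bool, so they can no longer be built as modules, yet their help text is unchanged and says nothing about the restriction. A sentence such as `This table type is built into nf_tables and cannot be a module.` would make that visible from the menu. The removal of NFT_EXTHDR, NFT_META and NFT_RT presumably means those expressions are now always part of NF_TABLES; if so, the NF_TABLES help in the previous hunk is the place to say so, since nothing in this diff does.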
@@ -497,29 +506,27 @@ config NFT_CT This option adds the "ct" expression that you can use to match connection tracking information such as the flow state. -config NFT_SET_RBTREE - tristate "Netfilter nf_tables rbtree set module" - help - This option adds the "rbtree" set type (Red Black tree) that is used - to build interval-based sets. - -config NFT_SET_HASH - tristate "Netfilter nf_tables hash set module" +config NFT_EXTHDR_DCCP + bool "Netfilter nf_tables exthdr DCCP support (DEPRECATED)" + default n help - This option adds the "hash" set type that is used to build one-way - mappings between matchings and actions. + This option adds support for matching on DCCP extension headers. -config NFT_SET_BITMAP - tristate "Netfilter nf_tables bitmap set module" +config NFT_FLOW_OFFLOAD + depends on NF_CONNTRACK && NF_FLOW_TABLE + tristate "Netfilter nf_tables hardware flow offload module" help - This option adds the "bitmap" set type that is used to build sets - whose keys are smaller or equal to 16 bits. + This option adds the "flow_offload" expression that you can use to + choose what flows are placed into the hardware. -config NFT_COUNTER - tristate "Netfilter nf_tables counter module" +config NFT_CONNLIMIT + tristate "Netfilter nf_tables connlimit module" + depends on NF_CONNTRACK + depends on NETFILTER_ADVANCED + select NETFILTER_CONNCOUNT help - This option adds the "counter" expression that you can use to - include packet and byte counters in a rule. + This option adds the "connlimit" expression that you can use to + ratelimit rule matchings per connections. config NFT_LOG tristate "Netfilter nf_tables log module" @@ -536,6 +543,7 @@ config NFT_LIMIT config NFT_MASQ depends on NF_CONNTRACK depends on NF_NAT + select NF_NAT_MASQUERADE tristate "Netfilter nf_tables masquerade support" help This option adds the "masquerade" expression that you can use 
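Review bot: `default n` on NFT_EXTHDR_DCCP is redundant, since n is already the default for a bool, and the same applies to the `default n` that replaces `default IP_DCCP` on NETFILTER_XT_MATCH_DCCP in a later hunk; kernel Kconfig convention is to omit it. The NFT_CONNLIMIT help text `ratelimit rule matchings per connections` is hard to parse; something closer to the xtables connlimit wording in a later hunk, e.g. `This option adds the "connlimit" expression that you can use to limit the number of parallel connections matched by a rule.`, would be clearer, though the exact semantics should be confirmed against the expression code.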
@@ -545,6 +553,7 @@ config NFT_REDIR depends on NF_CONNTRACK depends on NF_NAT tristate "Netfilter nf_tables redirect support" + select NF_NAT_REDIRECT help This options adds the "redirect" expression that you can use to perform NAT in the redirect flavour. @@ -552,16 +561,17 @@ config NFT_REDIR config NFT_NAT depends on NF_CONNTRACK select NF_NAT + depends on NF_TABLES_IPV4 || NF_TABLES_IPV6 tristate "Netfilter nf_tables nat module" help This option adds the "nat" expression that you can use to perform typical Network Address Translation (NAT) packet transformations. -config NFT_OBJREF - tristate "Netfilter nf_tables stateful object reference module" +config NFT_TUNNEL + tristate "Netfilter nf_tables tunnel module" help - This option adds the "objref" expression that allows you to refer to - stateful objects, such as counters and quotas. + This option adds the "tunnel" expression that you can use to set + tunneling policies. config NFT_QUEUE depends on NETFILTER_NETLINK_QUEUE @@ -579,6 +589,7 @@ config NFT_QUOTA config NFT_REJECT default m if NETFILTER_ADVANCED=n tristate "Netfilter nf_tables reject support" + depends on !NF_TABLES_INET || (IPV6!=m || m) help This option adds the "reject" expression that you can use to explicitly deny and notify via TCP reset/ICMP informational errors 
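Review bot: The new `depends on !NF_TABLES_INET || (IPV6!=m || m)` on NFT_REJECT (hunk @@ -579,6 +589,7 @@) is an idiom whose effect is not obvious: when the inet table is enabled and IPV6=m, the trailing `|| m` caps NFT_REJECT at m so a built-in reject cannot reference modular IPv6 code. A comment such as `# cannot be built-in when the inet table is used and IPV6 is a module` would save the next reader from working through the tristate arithmetic. Separately, NFT_REDIR places its new `select NF_NAT_REDIRECT` after the `tristate` prompt while NFT_MASQ in the previous hunk puts `select NF_NAT_MASQUERADE` before it; pick one ordering.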
@@ -616,6 +627,50 @@ config NFT_FIB_INET The lookup will be delegated to the IPv4 or IPv6 FIB depending on the protocol of the packet. +config NFT_XFRM + tristate "Netfilter nf_tables xfrm/IPSec security association matching" + depends on XFRM + help + This option adds an expression that you can use to extract properties + of a packets security association. + +config NFT_SOCKET + tristate "Netfilter nf_tables socket match support" + depends on IPV6 || IPV6=n + select NF_SOCKET_IPV4 + select NF_SOCKET_IPV6 if NF_TABLES_IPV6 + help + This option allows matching for the presence or absence of a + corresponding socket and its attributes. + +config NFT_OSF + tristate "Netfilter nf_tables passive OS fingerprint support" + depends on NETFILTER_ADVANCED + select NETFILTER_NETLINK_OSF + help + This option allows matching packets from an specific OS. + +config NFT_TPROXY + tristate "Netfilter nf_tables tproxy support" + depends on IPV6 || IPV6=n + select NF_DEFRAG_IPV4 + select NF_DEFRAG_IPV6 if NF_TABLES_IPV6 + select NF_TPROXY_IPV4 + select NF_TPROXY_IPV6 if NF_TABLES_IPV6 + help + This makes transparent proxy support available in nftables. + +config NFT_SYNPROXY + tristate "Netfilter nf_tables SYNPROXY expression support" + depends on NF_CONNTRACK && NETFILTER_ADVANCED + select NETFILTER_SYNPROXY + select SYN_COOKIES + help + The SYNPROXY expression allows you to intercept TCP connections and + establish them using syncookies before they are passed on to the + server. This allows to avoid conntrack and server resource usage + during SYN-flood attacks. + if NF_TABLES_NETDEV config NF_DUP_NETDEV 
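Review bot: Two of the new help blocks have grammar slips: NFT_XFRM says `of a packets security association` (should be `of a packet's security association`) and NFT_OSF says `matching packets from an specific OS` (should be `from a specific OS`). NFT_TPROXY's help is a single sentence, while the xtables TPROXY entry in a later hunk points out that policy routing must be configured for it to work; if the same setup applies to the nftables expression, a similar pointer here would help users who reach for it first.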
@@ -636,10 +691,55 @@ config NFT_FWD_NETDEV help This option enables packet forwarding for the "netdev" family. +config NFT_FIB_NETDEV + depends on NFT_FIB_IPV4 + depends on NFT_FIB_IPV6 + tristate "Netfilter nf_tables netdev fib lookups support" + help + This option allows using the FIB expression from the netdev table. + The lookup will be delegated to the IPv4 or IPv6 FIB depending + on the protocol of the packet. + +config NFT_REJECT_NETDEV + depends on NFT_REJECT_IPV4 + depends on NFT_REJECT_IPV6 + tristate "Netfilter nf_tables netdev REJECT support" + help + This option enables the REJECT support from the netdev table. + The return packet generation will be delegated to the IPv4 + or IPv6 ICMP or TCP RST implementation depending on the + protocol of the packet. + endif # NF_TABLES_NETDEV endif # NF_TABLES +config NF_FLOW_TABLE_INET + tristate "Netfilter flow table mixed IPv4/IPv6 module" + depends on NF_FLOW_TABLE + help + This option adds the flow table mixed IPv4/IPv6 support. + + To compile it as a module, choose M here. + +config NF_FLOW_TABLE + tristate "Netfilter flow table module" + depends on NETFILTER_INGRESS + depends on NF_CONNTRACK + depends on NF_TABLES + help + This option adds the flow table core infrastructure. + + To compile it as a module, choose M here. + +config NF_FLOW_TABLE_PROCFS + bool "Supply flow table statistics in procfs" + depends on NF_FLOW_TABLE + depends on PROC_FS + help + This option enables for the flow table offload statistics + to be shown in procfs under net/netfilter/nf_flowtable. + config NETFILTER_XTABLES tristate "Netfilter Xtables support (required for ip_tables)" default m if NETFILTER_ADVANCED=n 
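Review bot: NF_FLOW_TABLE_INET is defined before NF_FLOW_TABLE even though it `depends on NF_FLOW_TABLE`; Kconfig resolves this fine, but in the menu the mixed-family entry then appears above the core option it requires. Moving the NF_FLOW_TABLE block first, followed by NF_FLOW_TABLE_INET and NF_FLOW_TABLE_PROCFS, would match how NF_TABLES precedes NF_TABLES_INET earlier in the file.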
@@ -649,12 +749,31 @@ config NETFILTER_XTABLES if NETFILTER_XTABLES +config NETFILTER_XTABLES_COMPAT + bool "Netfilter Xtables 32bit support" + depends on COMPAT + help + This option provides a translation layer to run 32bit arp,ip(6),ebtables + binaries on 64bit kernels. + + If unsure, say N. + +config NETFILTER_XTABLES_LEGACY + bool "Netfilter legacy tables support" + depends on !PREEMPT_RT + help + Say Y here if you still require support for legacy tables. This is + required by the legacy tools (iptables-legacy) and is not needed if + you use iptables over nftables (iptables-nft). + Legacy support is not limited to IP, it also includes EBTABLES and + ARPTABLES. + comment "Xtables combined modules" config NETFILTER_XT_MARK tristate 'nfmark target and match support' default m if NETFILTER_ADVANCED=n - ---help--- + help This option adds the "MARK" target and "mark" match. Netfilter mark matching allows you to match packets based on the @@ -670,7 +789,7 @@ config NETFILTER_XT_CONNMARK depends on NF_CONNTRACK depends on NETFILTER_ADVANCED select NF_CONNTRACK_MARK - ---help--- + help This option adds the "CONNMARK" target and "connmark" match. Netfilter allows you to store a mark value per connection (a.k.a. @@ -697,7 +816,7 @@ config NETFILTER_XT_TARGET_AUDIT tristate "AUDIT target support" depends on AUDIT depends on NETFILTER_ADVANCED - ---help--- + help This option adds a 'AUDIT' target, which can be used to create audit records for packets dropped/accepted. 
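Review bot: NETFILTER_XTABLES_LEGACY has neither a `default` nor the `If unsure, say N.` guidance that NETFILTER_XTABLES_COMPAT directly above carries, so a user running oldconfig gets a new prompt with no hint, and a system that still runs iptables-legacy loses legacy table support if they answer N. If leaving it off by default is intended, the help should say so explicitly; otherwise consider `default y` or at least an `If unsure, say Y.` line, since the help text itself states that the legacy tools require it.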
@@ -705,17 +824,17 @@ config NETFILTER_XT_TARGET_AUDIT config NETFILTER_XT_TARGET_CHECKSUM tristate "CHECKSUM target support" - depends on IP_NF_MANGLE || IP6_NF_MANGLE + depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT depends on NETFILTER_ADVANCED - ---help--- + help This option adds a `CHECKSUM' target, which can be used in the iptables mangle - table. + table to work around buggy DHCP clients in virtualized environments. - You can use this target to compute and fill in the checksum in - a packet that lacks a checksum. This is particularly useful, - if you need to work around old applications such as dhcp clients, - that do not work well with checksum offloads, but don't want to disable - checksum offload in your device. + Some old DHCP clients drop packets because they are not aware + that the checksum would normally be offloaded to hardware and + thus should be considered valid. + This target can be used to fill in the checksum using iptables + when such packets are sent via a virtual network device. To compile it as a module, choose M here. If unsure, say N. @@ -727,7 +846,7 @@ config NETFILTER_XT_TARGET_CLASSIFY the priority of a packet. Some qdiscs can use this value for classification, among these are: - atm, cbq, dsmark, pfifo_fast, htb, prio + atm, cbq, dsmark, pfifo_fast, htb, prio To compile it as a module, choose M here. If unsure, say N. @@ -736,7 +855,7 @@ config NETFILTER_XT_TARGET_CONNMARK depends on NF_CONNTRACK depends on NETFILTER_ADVANCED select NETFILTER_XT_CONNMARK - ---help--- + help This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). 
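Review bot: The CHECKSUM target now also depends on NFT_COMPAT, but its rewritten help still says it `can be used in the iptables mangle table` only; the same mismatch appears where `|| NFT_COMPAT` is added to CT (raw table), DSCP and HL in the next hunk, and to TCPOPTSTRIP and TPROXY in later hunks. A short addition such as `or via the nft compat layer` in each help block, or one comment explaining what NFT_COMPAT provides, would keep the documentation in step with the dependency.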
@@ -756,7 +875,7 @@ config NETFILTER_XT_TARGET_CONNSECMARK config NETFILTER_XT_TARGET_CT tristate '"CT" target support' depends on NF_CONNTRACK - depends on IP_NF_RAW || IP6_NF_RAW + depends on IP_NF_RAW || IP6_NF_RAW || NFT_COMPAT depends on NETFILTER_ADVANCED help This options adds a `CT' target, which allows to specify initial @@ -767,7 +886,7 @@ config NETFILTER_XT_TARGET_CT config NETFILTER_XT_TARGET_DSCP tristate '"DSCP" and "TOS" target support' - depends on IP_NF_MANGLE || IP6_NF_MANGLE + depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT depends on NETFILTER_ADVANCED help This option adds a `DSCP' target, which allows you to manipulate @@ -783,9 +902,9 @@ config NETFILTER_XT_TARGET_DSCP config NETFILTER_XT_TARGET_HL tristate '"HL" hoplimit target support' - depends on IP_NF_MANGLE || IP6_NF_MANGLE + depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT depends on NETFILTER_ADVANCED - ---help--- + help This option adds the "HL" (for IPv6) and "TTL" (for IPv4) targets, which enable the user to change the hoplimit/time-to-live value of the IP header. @@ -800,7 +919,7 @@ config NETFILTER_XT_TARGET_HMARK tristate '"HMARK" target support' depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n depends on NETFILTER_ADVANCED - ---help--- + help This option adds the "HMARK" target. The target allows you to create rules in the "raw" and "mangle" tables @@ -844,13 +963,12 @@ config NETFILTER_XT_TARGET_LED echo netfilter-ssh > /sys/class/leds/<ledname>/trigger For more information on the LEDs available on your system, see - Documentation/leds/leds-class.txt + Documentation/leds/leds-class.rst config NETFILTER_XT_TARGET_LOG tristate "LOG target support" - select NF_LOG_COMMON - select NF_LOG_IPV4 - select NF_LOG_IPV6 if IPV6 + select NF_LOG_SYSLOG + select NF_LOG_IPV6 if IP6_NF_IPTABLES default m if NETFILTER_ADVANCED=n help This option adds a `LOG' target, which allows you to create rules in 
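Review bot: NETFILTER_XT_TARGET_LOG (hunk @@ -844,13 +963,12 @@) now selects NF_LOG_SYSLOG, whose help in an earlier hunk says it already supports IPv4, IPv6 and ARP, yet the entry keeps `select NF_LOG_IPV6 if IP6_NF_IPTABLES` while dropping `select NF_LOG_IPV4`. If NF_LOG_IPV6 still carries IPv6-specific code the asymmetry is fine, but if it is now only a compatibility alias the line is redundant; a comment stating why the IPv6 select is still needed would stop the next reader asking the same question. NF_LOG_IPV6 is defined outside this file, so this cannot be settled from the diff.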
@@ -862,7 +980,7 @@ config NETFILTER_XT_TARGET_MARK tristate '"MARK" target support' depends on NETFILTER_ADVANCED select NETFILTER_XT_MARK - ---help--- + help This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). @@ -870,7 +988,7 @@ config NETFILTER_XT_TARGET_MARK config NETFILTER_XT_NAT tristate '"SNAT and DNAT" targets support' depends on NF_NAT - ---help--- + help This option enables the SNAT and DNAT targets. To compile it as a module, choose M here. If unsure, say N. @@ -878,7 +996,7 @@ config NETFILTER_XT_NAT config NETFILTER_XT_TARGET_NETMAP tristate '"NETMAP" target support' depends on NF_NAT - ---help--- + help NETMAP is an implementation of static 1:1 NAT mapping of network addresses. It maps the network address part, while keeping the host address part intact. @@ -928,7 +1046,7 @@ config NETFILTER_XT_TARGET_REDIRECT tristate "REDIRECT target support" depends on NF_NAT select NF_NAT_REDIRECT - ---help--- + help REDIRECT is a special case of NAT: all incoming connections are mapped onto the incoming interface's address, causing the packets to come to the local machine instead of passing through. This is 
@@ -936,14 +1054,29 @@ config NETFILTER_XT_TARGET_REDIRECT To compile it as a module, choose M here. If unsure, say N. +config NETFILTER_XT_TARGET_MASQUERADE + tristate "MASQUERADE target support" + depends on NF_NAT + default m if NETFILTER_ADVANCED=n + select NF_NAT_MASQUERADE + help + Masquerading is a special case of NAT: all outgoing connections are + changed to seem to come from a particular interface's address, and + if the interface goes down, those connections are lost. This is + only useful for dialup accounts with dynamic IP address (ie. your IP + address will be different on next dialup). + + To compile it as a module, choose M here. If unsure, say N. + config NETFILTER_XT_TARGET_TEE tristate '"TEE" - packet cloning to alternate destination' depends on NETFILTER_ADVANCED depends on IPV6 || IPV6=n depends on !NF_CONNTRACK || NF_CONNTRACK + depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES select NF_DUP_IPV4 - select NF_DUP_IPV6 if IPV6 - ---help--- + select NF_DUP_IPV6 if IP6_NF_IPTABLES + help This option adds a "TEE" target with which a packet can be cloned and this clone be rerouted to another nexthop. @@ -953,9 +1086,11 @@ config NETFILTER_XT_TARGET_TPROXY depends on NETFILTER_ADVANCED depends on IPV6 || IPV6=n depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n - depends on IP_NF_MANGLE + depends on IP_NF_MANGLE || NFT_COMPAT select NF_DEFRAG_IPV4 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n + select NF_TPROXY_IPV4 + select NF_TPROXY_IPV6 if IP6_NF_IPTABLES help This option adds a `TPROXY' target, which is somewhat similar to REDIRECT. It can only be used in the mangle table and is useful 
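Review bot: The new `depends on IP6_NF_IPTABLES || !IP6_NF_IPTABLES` on NETFILTER_XT_TARGET_TEE reads as a tautology; it is the usual tristate trick that caps TEE at m when IP6_NF_IPTABLES=m, but the rest of this file spells that idiom `IP6_NF_IPTABLES || IP6_NF_IPTABLES=n` (see TPROXY in the same hunk and the socket match in a later one). Using the `=n` form here keeps the idiom recognisable, and a one-line comment above it, e.g. `# cannot be built-in when ip6tables is a module`, would make the intent explicit.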
@@ -963,7 +1098,7 @@ config NETFILTER_XT_TARGET_TPROXY on Netfilter connection tracking and NAT, unlike REDIRECT. For it to work you will have to configure certain iptables rules and use policy routing. For more information on how to set it up - see Documentation/networking/tproxy.txt. + see Documentation/networking/tproxy.rst. To compile it as a module, choose M here. If unsure, say N. @@ -977,7 +1112,7 @@ config NETFILTER_XT_TARGET_TRACE the tables, chains, rules. If you want to compile it as a module, say M here and read - <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. + <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. config NETFILTER_XT_TARGET_SECMARK tristate '"SECMARK" target support' @@ -993,7 +1128,7 @@ config NETFILTER_XT_TARGET_TCPMSS tristate '"TCPMSS" target support' depends on IPV6 || IPV6=n default m if NETFILTER_ADVANCED=n - ---help--- + help This option adds a `TCPMSS' target, which allows you to alter the MSS value of TCP SYN packets, to control the maximum size for that connection (usually limiting it to your outgoing interface's MTU @@ -1018,7 +1153,7 @@ config NETFILTER_XT_TARGET_TCPMSS config NETFILTER_XT_TARGET_TCPOPTSTRIP tristate '"TCPOPTSTRIP" target support' - depends on IP_NF_MANGLE || IP6_NF_MANGLE + depends on IP_NF_MANGLE || IP6_NF_MANGLE || NFT_COMPAT depends on NETFILTER_ADVANCED help This option adds a "TCPOPTSTRIP" target, which allows you to strip @@ -1031,12 +1166,12 @@ comment "Xtables matches" config NETFILTER_XT_MATCH_ADDRTYPE tristate '"addrtype" address type match support' default m if NETFILTER_ADVANCED=n - ---help--- + help This option allows you to match what routing thinks of an address, eg. UNICAST, LOCAL, BROADCAST, ... If you want to compile it as a module, say M here and read - <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. + <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. config NETFILTER_XT_MATCH_BPF tristate '"bpf" match support' 
@@ -1051,8 +1186,8 @@ config NETFILTER_XT_MATCH_CGROUP tristate '"control group" match support' depends on NETFILTER_ADVANCED depends on CGROUPS - select CGROUP_NET_CLASSID - ---help--- + select SOCK_CGROUP_DATA + help Socket/process control group matching allows you to match locally generated packets based on which net_cls control group processes belong to. @@ -1061,7 +1196,7 @@ config NETFILTER_XT_MATCH_CLUSTER tristate '"cluster" match support' depends on NF_CONNTRACK depends on NETFILTER_ADVANCED - ---help--- + help This option allows you to build work-load-sharing clusters of network servers/stateful firewalls without having a dedicated load-balancing router/server/switch. Basically, this match returns @@ -1081,7 +1216,7 @@ config NETFILTER_XT_MATCH_COMMENT comments in your iptables ruleset. If you want to compile it as a module, say M here and read - <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. + <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. config NETFILTER_XT_MATCH_CONNBYTES tristate '"connbytes" per-connection counter match support' @@ -1092,14 +1227,14 @@ config NETFILTER_XT_MATCH_CONNBYTES number of bytes and/or packets for each direction within a connection. If you want to compile it as a module, say M here and read - <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. + <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. config NETFILTER_XT_MATCH_CONNLABEL tristate '"connlabel" match support' select NF_CONNTRACK_LABELS depends on NF_CONNTRACK depends on NETFILTER_ADVANCED - ---help--- + help This match allows you to test and assign userspace-defined labels names to a connection. The kernel only stores bit values - mapping names to bits is done by userspace. 
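Review bot: NETFILTER_XT_MATCH_CGROUP switches from `select CGROUP_NET_CLASSID` to `select SOCK_CGROUP_DATA`, but the help text still describes matching only `based on which net_cls control group processes belong to`. If the match can now also use cgroup2 socket data (which the new select suggests but this hunk does not show), the help should say so; if not, a comment explaining why SOCK_CGROUP_DATA replaces the classid dependency would help.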
@@ -1111,7 +1246,8 @@ config NETFILTER_XT_MATCH_CONNLIMIT tristate '"connlimit" match support' depends on NF_CONNTRACK depends on NETFILTER_ADVANCED - ---help--- + select NETFILTER_CONNCOUNT + help This match allows you to match against the number of parallel connections to a server per client IP address (or address block). @@ -1120,7 +1256,7 @@ config NETFILTER_XT_MATCH_CONNMARK depends on NF_CONNTRACK depends on NETFILTER_ADVANCED select NETFILTER_XT_CONNMARK - ---help--- + help This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module). @@ -1148,16 +1284,16 @@ config NETFILTER_XT_MATCH_CPU To compile it as a module, choose M here. If unsure, say N. config NETFILTER_XT_MATCH_DCCP - tristate '"dccp" protocol match support' + tristate '"dccp" protocol match support (DEPRECATED)' depends on NETFILTER_ADVANCED - default IP_DCCP + default n help With this option enabled, you will be able to use the iptables `dccp' match in order to match on DCCP source/destination ports and DCCP flags. If you want to compile it as a module, say M here and read - <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. + <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. config NETFILTER_XT_MATCH_DEVGROUP tristate '"devgroup" match support' @@ -1186,7 +1322,7 @@ config NETFILTER_XT_MATCH_DSCP config NETFILTER_XT_MATCH_ECN tristate '"ecn" match support' depends on NETFILTER_ADVANCED - ---help--- + help This option adds an "ECN" match, which allows you to match against the IPv4 and TCP header ECN fields. 
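Review bot: NETFILTER_XT_MATCH_DCCP (hunk @@ -1148,16 +1284,16 @@) is marked `(DEPRECATED)` in the prompt and its default drops from `IP_DCCP` to n, but the help text is unchanged and gives no reason. A sentence in the help, e.g. `This match is deprecated; DCCP connection tracking support has been removed.` (presumably tied to the NF_CT_PROTO_DCCP removal in an earlier hunk, which should be confirmed), would tell users why to say N. The same applies to NFT_EXTHDR_DCCP in an earlier hunk.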
@@ -1222,14 +1358,14 @@ config NETFILTER_XT_MATCH_HELPER depends on NETFILTER_ADVANCED help Helper matching allows you to match packets in dynamic connections - tracked by a conntrack-helper, ie. ip_conntrack_ftp + tracked by a conntrack-helper, ie. nf_conntrack_ftp To compile it as a module, choose M here. If unsure, say Y. config NETFILTER_XT_MATCH_HL tristate '"hl" hoplimit/TTL match support' depends on NETFILTER_ADVANCED - ---help--- + help HL matching allows you to match packets based on the hoplimit in the IPv6 header, or the time-to-live field in the IPv4 header of the packet. @@ -1246,7 +1382,7 @@ config NETFILTER_XT_MATCH_IPCOMP config NETFILTER_XT_MATCH_IPRANGE tristate '"iprange" address range match support' depends on NETFILTER_ADVANCED - ---help--- + help This option adds a "iprange" match, which allows you to match based on an IP address range. (Normal iptables only matches on single addresses with an optional mask.) @@ -1267,7 +1403,7 @@ config NETFILTER_XT_MATCH_L2TP tristate '"l2tp" match support' depends on NETFILTER_ADVANCED default L2TP - ---help--- + help This option adds an "L2TP" match, which allows you to match against L2TP protocol header fields. @@ -1305,7 +1441,7 @@ config NETFILTER_XT_MATCH_MARK tristate '"mark" match support' depends on NETFILTER_ADVANCED select NETFILTER_XT_MARK - ---help--- + help This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_MARK (combined mark/MARK module). @@ -1332,7 +1468,8 @@ config NETFILTER_XT_MATCH_NFACCT config NETFILTER_XT_MATCH_OSF tristate '"osf" Passive OS fingerprint match' - depends on NETFILTER_ADVANCED && NETFILTER_NETLINK + depends on NETFILTER_ADVANCED + select NETFILTER_NETLINK_OSF help This option selects the Passive OS Fingerprinting match module that allows to passively match the remote operating system by 
@@ -1346,7 +1483,7 @@ config NETFILTER_XT_MATCH_OSF config NETFILTER_XT_MATCH_OWNER tristate '"owner" match support' depends on NETFILTER_ADVANCED - ---help--- + help Socket owner matching allows you to match locally-generated packets based on who created the socket: the user or group. It is also possible to check whether a socket actually exists. @@ -1392,7 +1529,7 @@ config NETFILTER_XT_MATCH_QUOTA byte counter. If you want to compile it as a module, say M here and read - <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. + <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. config NETFILTER_XT_MATCH_RATEEST tristate '"rateest" match support' @@ -1412,16 +1549,16 @@ config NETFILTER_XT_MATCH_REALM This option adds a `realm' match, which allows you to use the realm key from the routing subsystem inside iptables. - This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option + This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option in tc world. If you want to compile it as a module, say M here and read - <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. + <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. config NETFILTER_XT_MATCH_RECENT tristate '"recent" match support' depends on NETFILTER_ADVANCED - ---help--- + help This match is used for creating one or many lists of recently used addresses and then matching against that/those list(s). @@ -1433,12 +1570,12 @@ config NETFILTER_XT_MATCH_SCTP depends on NETFILTER_ADVANCED default IP_SCTP help - With this option enabled, you will be able to use the + With this option enabled, you will be able to use the `sctp' match in order to match on SCTP source/destination ports and SCTP chunk types. If you want to compile it as a module, say M here and read - <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. + <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. config NETFILTER_XT_MATCH_SOCKET tristate '"socket" match support' 
@@ -1446,8 +1583,8 @@ config NETFILTER_XT_MATCH_SOCKET depends on NETFILTER_ADVANCED depends on IPV6 || IPV6=n depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n - depends on NF_SOCKET_IPV4 - depends on NF_SOCKET_IPV6 + select NF_SOCKET_IPV4 + select NF_SOCKET_IPV6 if IP6_NF_IPTABLES select NF_DEFRAG_IPV4 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n help @@ -1504,7 +1641,7 @@ config NETFILTER_XT_MATCH_TCPMSS config NETFILTER_XT_MATCH_TIME tristate '"time" match support' depends on NETFILTER_ADVANCED - ---help--- + help This option adds a "time" match, which allows you to match based on the packet arrival time (at the machine which netfilter is running) on) or departure time/date (for locally generated packets). @@ -1518,7 +1655,7 @@ config NETFILTER_XT_MATCH_TIME config NETFILTER_XT_MATCH_U32 tristate '"u32" match support' depends on NETFILTER_ADVANCED - ---help--- + help u32 allows you to extract quantities of up to 4 bytes from a packet, AND them with specified masks, shift them by specified amounts and test whether the results are in any of a set of specified ranges. |
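Review bot: NETFILTER_XT_MATCH_SOCKET now uses two different conditional forms on adjacent lines: the new `select NF_SOCKET_IPV6 if IP6_NF_IPTABLES` versus the existing `select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n`. Given the entry's `depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n` they resolve the same, but using one spelling for both (the TPROXY target in an earlier hunk has the same mix) spares the reader from having to check that.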
