# SPDX-License-Identifier: GPL-2.0-only
menu "Core Netfilter Configuration"
depends on INET && NETFILTER
config NETFILTER_INGRESS
bool "Netfilter ingress support"
default y
select NET_INGRESS
help
This allows you to classify packets from ingress using the Netfilter
infrastructure.
config NETFILTER_EGRESS
bool "Netfilter egress support"
default y
select NET_EGRESS
help
This allows you to classify packets before transmission using the
Netfilter infrastructure.
config NETFILTER_SKIP_EGRESS
def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB)
config NETFILTER_NETLINK
tristate
config NETFILTER_FAMILY_BRIDGE
bool
config NETFILTER_FAMILY_ARP
bool
config NETFILTER_BPF_LINK
def_bool BPF_SYSCALL
config NETFILTER_NETLINK_HOOK
tristate "Netfilter base hook dump support"
depends on NETFILTER_ADVANCED
depends on NF_TABLES
select NETFILTER_NETLINK
help
If this option is enabled, the kernel will include support
to list the base netfilter hooks via NFNETLINK.
This is helpful for debugging.
config NETFILTER_NETLINK_ACCT
tristate "Netfilter NFACCT over NFNETLINK interface"
depends on NETFILTER_ADVANCED
select NETFILTER_NETLINK
help
If this option is enabled, the kernel will include support
for extended accounting via NFNETLINK.
config NETFILTER_NETLINK_QUEUE
tristate "Netfilter NFQUEUE over NFNETLINK interface"
depends on NETFILTER_ADVANCED
select NETFILTER_NETLINK
help
If this option is enabled, the kernel will include support
for queueing packets via NFNETLINK.
config NETFILTER_NETLINK_LOG
tristate "Netfilter LOG over NFNETLINK interface"
default m if NETFILTER_ADVANCED=n
select NETFILTER_NETLINK
help
If this option is enabled, the kernel will include support
for logging packets via NFNETLINK.
This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
and is also scheduled to replace the old syslog-based ipt_LOG
and ip6t_LOG modules.
config NETFILTER_NETLINK_OSF
tristate "Netfilter OSF over NFNETLINK interface"
depends on NETFILTER_ADVANCED
select NETFILTER_NETLINK
help
If this option is enabled, the kernel will include support
for passive OS fingerprint via NFNETLINK.
config NF_CONNTRACK
tristate "Netfilter connection tracking support"
default m if NETFILTER_ADVANCED=n
select NF_DEFRAG_IPV4
select NF_DEFRAG_IPV6 if IPV6 != n
help
Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
into connections.
This is required to do Masquerading or other kinds of Network
Address Translation. It can also be used to enhance packet
filtering (see `Connection state match support' below).
To compile it as a module, choose M here. If unsure, say N.
config NF_LOG_SYSLOG
tristate "Syslog packet logging"
default m if NETFILTER_ADVANCED=n
help
This option enable support for packet logging via syslog.
It supports IPv4, IPV6, ARP and common transport pro
| 