# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	depends on NETFILTER_ADVANCED
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc.) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_RECENT
	tristate '"recent" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.
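The list semantics described above, as an added example that is not code from the kernel or from the ipt_recent project: a Python model of one named recent list with --set, --rcheck, --update and --remove, replayed over a constructed stream of new-connection events through the usual rate-limiting rule pair (--set on every new connection, then --rcheck --seconds 60 --hitcount 4 to drop a source that has opened four connections inside a minute). The event list, the 60-second window, the hit count of 4 and the per-address history cap of 20 are assumptions chosen for the demonstration.

```python
from collections import deque


class RecentList:
    """Model of one named 'recent' list (iptables -m recent --name NAME).

    Each address keeps the timestamps of its most recent hits, newest last,
    capped at max_hits entries (assumed cap, mirroring the module's per-address
    history limit).
    """

    def __init__(self, name="DEFAULT", max_hits=20):
        self.name = name
        self.max_hits = max_hits
        self._hits = {}  # address -> deque of hit timestamps (seconds)

    def set(self, addr, now):
        """--set: add the address to the list, or record another hit for it."""
        hits = self._hits.setdefault(addr, deque(maxlen=self.max_hits))
        hits.append(now)

    def rcheck(self, addr, now, seconds=None, hitcount=None):
        """--rcheck: True if addr is listed; with --seconds only hits inside the
        window count, and with --hitcount at least that many hits are required."""
        hits = self._hits.get(addr)
        if not hits:
            return False
        window = list(hits) if seconds is None else [t for t in hits if now - t <= seconds]
        if not window:
            return False
        return hitcount is None or len(window) >= hitcount

    def update(self, addr, now, seconds=None, hitcount=None):
        """--update: like --rcheck, but a match also refreshes the entry."""
        if self.rcheck(addr, now, seconds, hitcount):
            self.set(addr, now)
            return True
        return False

    def remove(self, addr):
        """--remove: forget the address entirely."""
        self._hits.pop(addr, None)


# Constructed event stream: (time in seconds, source address) of new SSH connections.
SAMPLE_EVENTS = [
    (0, "203.0.113.7"),
    (5, "203.0.113.7"),
    (9, "198.51.100.2"),
    (12, "203.0.113.7"),
    (15, "203.0.113.7"),   # fourth hit inside 60 s
    (90, "203.0.113.7"),   # the earlier hits have aged out of the window
]


def simulate_rate_limit(events, seconds=60, hitcount=4, name="SSH"):
    """Replay events through the two-rule pattern
         -m recent --set --name SSH
         -m recent --rcheck --seconds 60 --hitcount 4 --name SSH -j DROP
    and return (time, source, verdict) for each event."""
    lst = RecentList(name)
    verdicts = []
    for now, src in events:
        lst.set(src, now)
        dropped = lst.rcheck(src, now, seconds=seconds, hitcount=hitcount)
        verdicts.append((now, src, "DROP" if dropped else "ACCEPT"))
    return verdicts


if __name__ == "__main__":
    for row in simulate_rate_limit(SAMPLE_EVENTS):
        print("%4ds  %-14s %s" % row)
```

Only the fifth event is dropped: the same source has four hits within the window at t=15, while at t=90 everything but the newest hit has fallen outside the 60-second window, so the counter effectively restarts.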
config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate '"ah" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# `filter', generic and specific targets

	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which record the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target,
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.
# NAT + specific targets: nf_conntrack

	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.
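Why the NAT option above requires connection tracking (and why NF_CONNTRACK_IPV4 is described at the top of this file as keeping a record of how packets are related): the NAT binding for a connection is chosen once, on its first packet, and every later packet of that connection in either direction is translated from the stored entry. The following is an added example, not kernel code: a Python toy of a conntrack table with a MASQUERADE rule on the outside interface and one DNAT port forward, driven by constructed traffic. The addresses, ports, the port-forward rule and the ephemeral-port allocation starting at 1024 are all assumptions chosen for the demonstration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tuple5:
    """Connection identifier used by conntrack: protocol and both endpoints."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self):
        return Tuple5(self.proto, self.dst, self.dport, self.src, self.sport)


@dataclass
class Conn:
    orig: Tuple5       # original direction as it arrives (before NAT)
    orig_out: Tuple5   # original direction after the NAT binding chosen for it
    seen_reply: bool = False

    @property
    def reply(self):
        """Reply as it arrives: the reverse of the translated original."""
        return self.orig_out.reverse()

    @property
    def reply_out(self):
        """Reply after reverse translation: the reverse of the untranslated original."""
        return self.orig.reverse()


class Conntrack:
    """Toy conntrack table with MASQUERADE on the outside interface and optional
    DNAT port forwards.  The binding is decided on the first packet and stored;
    replies are translated back purely from that stored state."""

    def __init__(self, masq_addr, port_forwards=None, first_port=1024):
        self.masq_addr = masq_addr                  # address of the outside interface
        self.port_forwards = port_forwards or {}    # (proto, public port) -> (inside addr, inside port)
        self.table = {}                             # keyed by both the orig and the reply tuple
        self._next_port = first_port

    def _alloc_port(self):
        port, self._next_port = self._next_port, self._next_port + 1
        return port

    def process(self, t, from_outside):
        """Return (conntrack state, tuple after NAT) for one packet tuple."""
        conn = self.table.get(t)
        if conn is not None:
            if t == conn.orig:
                return ("ESTABLISHED" if conn.seen_reply else "NEW"), conn.orig_out
            conn.seen_reply = True          # reply direction: undo the stored binding
            return "ESTABLISHED", conn.reply_out
        # First packet of a connection: choose its NAT binding exactly once.
        if from_outside:
            fwd = self.port_forwards.get((t.proto, t.dport))
            if t.dst == self.masq_addr and fwd:
                out = Tuple5(t.proto, t.src, t.sport, fwd[0], fwd[1])   # DNAT port forward
            else:
                out = t   # no nat rule; the filter table decides what happens to NEW
        else:
            out = Tuple5(t.proto, self.masq_addr, self._alloc_port(), t.dst, t.dport)  # MASQUERADE
        conn = Conn(orig=t, orig_out=out)
        self.table[conn.orig] = conn
        self.table[conn.reply] = conn
        return "NEW", out


def demo():
    """Constructed traffic through a gateway whose outside address is 203.0.113.1."""
    ct = Conntrack("203.0.113.1", port_forwards={("tcp", 80): ("192.168.1.10", 8080)})
    trace = []
    lan_to_web = Tuple5("tcp", "192.168.1.20", 40000, "198.51.100.5", 443)
    trace.append(ct.process(lan_to_web, from_outside=False))                                   # NEW, masqueraded
    trace.append(ct.process(Tuple5("tcp", "198.51.100.5", 443, "203.0.113.1", 1024), True))    # reply, un-NATed
    trace.append(ct.process(lan_to_web, from_outside=False))                                   # now ESTABLISHED
    remote_to_www = Tuple5("tcp", "198.51.100.9", 51000, "203.0.113.1", 80)
    trace.append(ct.process(remote_to_www, from_outside=True))                                 # NEW, DNAT to inside host
    trace.append(ct.process(Tuple5("tcp", "192.168.1.10", 8080, "198.51.100.9", 51000), False))  # reply, source restored
    trace.append(ct.process(Tuple5("udp", "198.51.100.9", 5000, "203.0.113.1", 53), True))     # unsolicited, untranslated
    return trace


if __name__ == "__main__":
    for state, out in demo():
        print("%-11s %s" % (state, out))
```

The last event shows the defender-relevant consequence of the design: an unsolicited packet from outside that matches no nat rule still creates a NEW entry but is left untranslated, so a filter rule that only accepts ESTABLISHED traffic from the outside interface is what actually keeps it out.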
config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host

	  To compile it as a module, choose M here. If unsure, say N.
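The 1:1 mapping NETMAP performs, as an added example that is not kernel code: the network part of the address is replaced by the network part of the target prefix and the host bits are carried over unchanged. The scenario around it (two branch sites both numbered 10.0.0.0/24 and reached through different interfaces, mapped to distinct hub-side ranges so that they stop colliding) and the interface names and prefixes are assumptions chosen for the demonstration; the function goes slightly beyond the single case in the help text by also checking that both prefixes have the same length, which NETMAP requires.

```python
import ipaddress


def netmap(addr, to_net, selector=None):
    """Static 1:1 NETMAP of one address: network part from to_net, host part kept.

    selector models the rule's -s/-d prefix; when given it must have the same
    prefix length as to_net, and addresses outside it are returned untouched."""
    ip = ipaddress.IPv4Address(addr)
    to = ipaddress.IPv4Network(to_net, strict=False)
    if selector is not None:
        sel = ipaddress.IPv4Network(selector, strict=False)
        if sel.prefixlen != to.prefixlen:
            raise ValueError("selector %s and target %s differ in prefix length" % (sel, to))
        if ip not in sel:
            return ip                       # rule does not match this address
    host_bits = int(to.hostmask)
    return ipaddress.IPv4Address((int(to.network_address) & ~host_bits) | (int(ip) & host_bits))


# Constructed scenario: per-ingress-interface NETMAP rules on a hub gateway.
SITE_RULES = {
    "eth1": ("10.0.0.0/24", "192.168.10.0/24"),
    "eth2": ("10.0.0.0/24", "192.168.20.0/24"),
}


def translate_source(in_iface, src):
    """Site-to-hub direction: packets from site A appear as 192.168.10.x and
    packets from site B as 192.168.20.x, host numbers preserved."""
    rule = SITE_RULES.get(in_iface)
    if rule is None:
        return ipaddress.IPv4Address(src)
    selector, to_net = rule
    return netmap(src, to_net, selector)


def reverse_netmap(site_iface, hub_side_dst):
    """Hub-to-site direction: map a hub-side address back into the site's own range
    (on a real gateway conntrack does this for replies automatically)."""
    selector, to_net = SITE_RULES[site_iface]
    return netmap(hub_side_dst, selector, to_net)


if __name__ == "__main__":
    for iface, src in (("eth1", "10.0.0.5"), ("eth2", "10.0.0.5"), ("eth1", "172.16.0.1")):
        print(iface, src, "->", translate_source(iface, src))
    print("eth2", "192.168.20.77", "<-", reverse_netmap("eth2", "192.168.20.77"))
```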
config IP_NF_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds an `IDLETIMER' target. Each matching packet resets
	  the timer associated with input and/or output interfaces. Timer
	  expiry causes a kobject uevent. The idle timer can be read via sysfs.

	  To compile it as a module, choose M here. If unsure, say N.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NETFILTER_ADVANCED
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_DCCP
	tristate
	depends on NF_NAT && NF_CT_PROTO_DCCP
	default NF_NAT && NF_CT_PROTO_DCCP

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT && NF_CT_PROTO_GRE

config NF_NAT_PROTO_UDPLITE
	tristate
	depends on NF_NAT && NF_CT_PROTO_UDPLITE
	default NF_NAT && NF_CT_PROTO_UDPLITE

config NF_NAT_PROTO_SCTP
	tristate
	depends on NF_NAT && NF_CT_PROTO_SCTP
	default NF_NAT && NF_CT_PROTO_SCTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP
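The "whichever is weaker" rule quoted in the comment above (`&&` on tristates is min over n < m < y) decides what every `default NF_NAT && ...` line in this block evaluates to. The following added example, which is not kernel or kconfig tooling code, is a small evaluator for that expression language in Python (`!` binds tightest, then `&&`, then `||`, with an unset symbol reading as `n` as it does in .config), applied to the NF_NAT_PROTO_* default lines above and to the FTP helper expression; the sample configuration fragment it is run against is constructed for the demonstration.

```python
import re

TRISTATE_ORDER = {"n": 0, "m": 1, "y": 2}


def kconfig_and(a, b):
    """'&&' on tristates is min(): a module can only be as strong as its weakest
    dependency (rule (6) in the comment above)."""
    return min(a, b, key=TRISTATE_ORDER.__getitem__)


def kconfig_or(a, b):
    """'||' is the dual: max() over the same order."""
    return max(a, b, key=TRISTATE_ORDER.__getitem__)


def kconfig_not(a):
    """'!' swaps n and y; m stays m."""
    return {"n": "y", "m": "m", "y": "n"}[a]


def _tokenize(expr):
    return re.findall(r"&&|\|\||!|\(|\)|[A-Za-z0-9_]+", expr)


def evaluate(expr, config):
    """Evaluate a Kconfig tristate expression against a symbol -> value map."""
    toks = _tokenize(expr)
    pos = 0

    def peek():
        return toks[pos] if pos < len(toks) else None

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def atom():
        t = take()
        if t == "(":
            v = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parenthesis in %r" % expr)
            return v
        if t == "!":
            return kconfig_not(atom())
        return config.get(t, "n")      # unset symbol reads as n

    def and_expr():
        v = atom()
        while peek() == "&&":
            take()
            v = kconfig_and(v, atom())
        return v

    def or_expr():
        v = and_expr()
        while peek() == "||":
            take()
            v = kconfig_or(v, and_expr())
        return v

    result = or_expr()
    if peek() is not None:
        raise ValueError("trailing tokens in %r" % expr)
    return result


# The 'default' expressions of the NF_NAT_PROTO_* entries above.
PROTO_NAT_DEFAULTS = {
    "NF_NAT_PROTO_DCCP": "NF_NAT && NF_CT_PROTO_DCCP",
    "NF_NAT_PROTO_UDPLITE": "NF_NAT && NF_CT_PROTO_UDPLITE",
    "NF_NAT_PROTO_SCTP": "NF_NAT && NF_CT_PROTO_SCTP",
}


def resolve_defaults(config, rules=PROTO_NAT_DEFAULTS):
    """Value each symbol defaults to, given the rest of the configuration."""
    return {sym: evaluate(expr, config) for sym, expr in rules.items()}


# Constructed configuration fragment: NAT as a module, DCCP tracking built in,
# SCTP tracking off, UDP-Lite tracking not mentioned (so unset).
SAMPLE_CONFIG = {"NF_NAT": "m", "NF_CT_PROTO_DCCP": "y",
                 "NF_CT_PROTO_SCTP": "n", "NF_CONNTRACK_FTP": "y"}

if __name__ == "__main__":
    for sym, val in resolve_defaults(SAMPLE_CONFIG).items():
        print("%-22s default %s" % (sym, val))
    print("FTP NAT helper default:", evaluate("NF_NAT && NF_CONNTRACK_FTP", SAMPLE_CONFIG))
```

With NF_NAT=m and NF_CONNTRACK_FTP=y the FTP expression yields m: the helper is pulled down to a module because NAT itself is one, which is exactly the "whichever is weaker" behaviour the comment asks for.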
# mangle + specific targets

	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here. If unsure, say N.
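What the `ecn` match, the ECN target, the `ttl` match and the TTL target above actually touch in an IPv4 header, as one added example that is not kernel code (all four operate on the same 20-byte header and any rewrite must recompute the header checksum, so they share one helper): the ECN codepoint is the low two bits of the TOS byte, the TTL is byte 8, and the checksum is the RFC 791 one's-complement sum at bytes 10-11. The header builder, the sample addresses and the choice to refuse a TTL increase unless explicitly requested (mirroring the warning in the help text, not a kernel option) are assumptions for the demonstration; the TCP ECE/CWR side of the `ecn` match is not covered.

```python
import ipaddress
import struct


def ipv4_checksum(header):
    """RFC 791 header checksum: one's-complement sum of the 16-bit words with the
    checksum field taken as zero.  Every TOS or TTL rewrite must redo this."""
    h = bytearray(header)
    h[10:12] = b"\x00\x00"
    total = sum(struct.unpack("!%dH" % (len(h) // 2), bytes(h)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(h):
    struct.pack_into("!H", h, 10, ipv4_checksum(bytes(h)))
    return bytes(h)


def build_ipv4_header(src, dst, ttl=64, tos=0, proto=6, total_len=40):
    """Constructed 20-byte IPv4 header without options."""
    h = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0x4000,
                              ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                              ipaddress.IPv4Address(dst).packed))
    return _with_checksum(h)


def checksum_ok(header):
    return struct.unpack_from("!H", header, 10)[0] == ipv4_checksum(header)


# "ecn" match and ECN target: the two low bits of the TOS byte.
ECN_NAMES = {0: "Not-ECT", 1: "ECT(1)", 2: "ECT(0)", 3: "CE"}


def ecn_field(header):
    """'ecn' match, IPv4 side (--ecn-ip-ect): the packet's ECN codepoint."""
    return header[1] & 0x03


def clear_ecn(header):
    """ECN target: strip the IPv4 ECN bits, leave DSCP alone, fix the checksum."""
    h = bytearray(header)
    h[1] &= 0xFC
    return _with_checksum(h)


# "ttl" match and TTL target.
def ttl_matches(header, op, value):
    """'ttl' match: --ttl-eq / --ttl-lt / --ttl-gt."""
    ttl = header[8]
    return {"eq": ttl == value, "lt": ttl < value, "gt": ttl > value}[op]


def set_ttl(header, new_ttl, allow_increase=False):
    """TTL target.  Lowering is always allowed; raising above the current value
    is refused unless asked for (assumed guard), since a packet whose TTL is
    restored on every pass can circle a routing loop forever."""
    if not 0 <= new_ttl <= 255:
        raise ValueError("TTL must fit in one byte")
    if new_ttl > header[8] and not allow_increase:
        raise ValueError("refusing to raise TTL from %d to %d" % (header[8], new_ttl))
    h = bytearray(header)
    h[8] = new_ttl
    return _with_checksum(h)


def dec_ttl(header):
    """--ttl-dec 1: the always-safe direction."""
    return set_ttl(header, max(header[8] - 1, 0))


if __name__ == "__main__":
    pkt = build_ipv4_header("192.0.2.10", "198.51.100.20", ttl=64, tos=0x02)  # ECT(0)
    print(ECN_NAMES[ecn_field(pkt)], pkt[8], checksum_ok(pkt))
    pkt = clear_ecn(dec_ttl(pkt))
    print(ECN_NAMES[ecn_field(pkt)], pkt[8], checksum_ok(pkt))
```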
config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.