# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "IP tables support (required for filtering/masq/NAT)"
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "AH match support"
	depends on IP_NF_IPTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

# `filter', generic and specific targets
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target,
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_IDLETIMER
	tristate "IDLETIMER target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds an `IDLETIMER' target. Each matching packet resets
	  the timer associated with input and/or output interfaces. Timer
	  expiry causes a kobject uevent. The idle timer can be read via sysfs.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_NAT
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
	depends on NF_NAT && NF_CT_PROTO_GRE

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

# mangle + specific targets
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.
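The min() rule quoted in the comment above is what turns the `default NF_NAT && NF_CONNTRACK_<proto>` lines into a decision about which NAT helpers get built. The following Python is an added example, not part of the kernel's Kconfig: it evaluates those defaults, the shared `depends on` cap, and the `select NF_NAT_PROTO_GRE` of the PPTP entry against a constructed sample of symbol values; the helper entries are keyed by protocol name because the page does not show their `config` lines.

```python
# Added example (not the kernel's own code): applies the tristate rules the
# comment above quotes from kconfig-language.txt to the NAT helper entries
# on this page. Symbol values are a constructed sample, not a real .config.

ORDER = {"n": 0, "m": 1, "y": 2}
NAME = {v: k for k, v in ORDER.items()}

def tri_and(a, b):
    """Kconfig '&&' on tristates: min(a, b), so 'y && m' is 'm'."""
    return NAME[min(ORDER[a], ORDER[b])]

def eval_and_expr(expr, config):
    """Evaluate 'A && B && C' against config; unset symbols count as 'n'."""
    value = "y"
    for sym in expr.split("&&"):
        value = tri_and(value, config.get(sym.strip(), "n"))
    return value

# `depends on` shared by every NAT helper above, and each helper's `default`.
HELPER_DEPENDS = "IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT"
HELPER_DEFAULTS = {
    "ftp": "NF_NAT && NF_CONNTRACK_FTP",
    "irc": "NF_NAT && NF_CONNTRACK_IRC",
    "tftp": "NF_NAT && NF_CONNTRACK_TFTP",
    "amanda": "NF_NAT && NF_CONNTRACK_AMANDA",
    "pptp": "NF_NAT && NF_CONNTRACK_PPTP",
    "h323": "NF_NAT && NF_CONNTRACK_H323",
    "sip": "NF_NAT && NF_CONNTRACK_SIP",
}

def resolve_nat_helpers(config):
    """Return {helper: tristate}: each default capped by `depends on` (a
    symbol never exceeds its dependency expression), plus NF_NAT_PROTO_GRE."""
    cap = eval_and_expr(HELPER_DEPENDS, config)
    result = {h: tri_and(cap, eval_and_expr(d, config))
              for h, d in HELPER_DEFAULTS.items()}
    # `select` forces the selected symbol up to the selector's value and,
    # unlike `default`, does not check the selected symbol's own `depends on`.
    own = config.get("NF_NAT_PROTO_GRE", "n")
    result["NF_NAT_PROTO_GRE"] = NAME[max(ORDER[own], ORDER[result["pptp"]])]
    return result

# Constructed sample: NAT as a module, only the FTP and PPTP trackers enabled.
SAMPLE_CONFIG = {"IP_NF_IPTABLES": "y", "NF_CONNTRACK": "y", "NF_NAT": "m",
                 "NF_CONNTRACK_FTP": "y", "NF_CONNTRACK_PPTP": "m"}

if __name__ == "__main__":
    for helper, value in resolve_nat_helpers(SAMPLE_CONFIG).items():
        print(f"{helper}: {value}")
```

With NF_NAT=m the FTP helper resolves to m even though its tracker is y, which is the "whichever is weaker" behaviour the comment describes; helpers whose tracker is off resolve to n and are not built.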