# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	depends on NETFILTER_ADVANCED
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES
config IP_NF_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.
# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which record the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target,
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.
# NAT + specific targets: nf_conntrack
config NF_NAT
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NETFILTER_ADVANCED
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.
# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#         <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_DCCP
	depends on NF_NAT && NF_CT_PROTO_DCCP
	default NF_NAT && NF_CT_PROTO_DCCP

config NF_NAT_PROTO_GRE
	depends on NF_NAT && NF_CT_PROTO_GRE

config NF_NAT_PROTO_UDPLITE
	depends on NF_NAT && NF_CT_PROTO_UDPLITE
	default NF_NAT && NF_CT_PROTO_UDPLITE

config NF_NAT_PROTO_SCTP
	default NF_NAT && NF_CT_PROTO_SCTP
	depends on NF_NAT && NF_CT_PROTO_SCTP

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP
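The tristate arithmetic behind the `default NF_NAT && NF_CONNTRACK_<proto>` lines above, where `&&` is min() over n < m < y so the helper ends up as "m or y, whichever is weaker", as an added Python model that is not part of the kernel's Kconfig or of kbuild. The names `Tri`, `tri_and`, `nat_helper_default`, `default_if_not_advanced` and `resolve_promptless` are chosen here; it also models the `default m if NETFILTER_ADVANCED=n` guard and the `select NF_NAT_PROTO_GRE` from the PPTP helper.

```python
"""Kconfig tristate arithmetic as used by the NF_NAT_* entries.

Added example, not kernel or kbuild code: tristates are ordered n < m < y,
'&&' is min() (kconfig-language.txt rule (6) quoted in the Kconfig comment)
and '||' is max(). A `default A && B` therefore yields the weaker of A and B.
"""
from enum import IntEnum


class Tri(IntEnum):
    """Kconfig tristate, ordered n (0) < m (1) < y (2)."""
    n = 0
    m = 1
    y = 2


def tri_and(a: Tri, b: Tri) -> Tri:
    """'&&' on tristates is min(), per kconfig-language.txt rule (6)."""
    return Tri(min(a, b))


def tri_or(a: Tri, b: Tri) -> Tri:
    """'||' is the mirror image, max()."""
    return Tri(max(a, b))


def nat_helper_default(nf_nat: Tri, conntrack_helper: Tri) -> Tri:
    """`default NF_NAT && NF_CONNTRACK_<proto>` for a NAT helper entry."""
    return tri_and(nf_nat, conntrack_helper)


def default_if_not_advanced(netfilter_advanced: Tri) -> Tri:
    """`default m if NETFILTER_ADVANCED=n`: m while the guard holds,
    otherwise Kconfig falls back to its implicit default of n."""
    return Tri.m if netfilter_advanced == Tri.n else Tri.n


def resolve_promptless(default: Tri, depends: Tri, selected_by: Tri = Tri.n) -> Tri:
    """Value of a symbol without a prompt (such as NF_NAT_PROTO_GRE): the
    default is capped by its `depends on` expression, then raised by the
    strongest `select` pointing at it, which Kconfig applies regardless
    of the dependencies (hence its well-known warning)."""
    return tri_or(tri_and(default, depends), selected_by)


if __name__ == "__main__":
    # Modular NAT with built-in FTP conntrack gives a modular FTP NAT helper.
    print(nat_helper_default(Tri.m, Tri.y).name)                      # m
    # A PPTP helper built as a module selects NF_NAT_PROTO_GRE up to m.
    print(resolve_promptless(Tri.n, Tri.m, selected_by=Tri.m).name)  # m
```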
# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

endif # IP_NF_IPTABLES
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES