2 # IP netfilter configuration
5 menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
8 config NF_CONNTRACK_IPV4
9 tristate "IPv4 support for new connection tracking (EXPERIMENTAL)"
10 depends on EXPERIMENTAL && NF_CONNTRACK
12 Connection tracking keeps a record of what packets have passed
13 through your machine, in order to figure out how they are related
16 This is IPv4 support on Layer 3 independent connection tracking.
17 Layer 3 independent connection tracking is experimental scheme
18 which generalize ip_conntrack to support other layer 3 protocols.
20 To compile it as a module, choose M here. If unsure, say N.
22 # connection tracking, helpers and protocols
23 config IP_NF_CONNTRACK
24 tristate "Connection tracking (required for masq/NAT)"
26 Connection tracking keeps a record of what packets have passed
27 through your machine, in order to figure out how they are related
30 This is required to do Masquerading or other kinds of Network
31 Address Translation (except for Fast NAT). It can also be used to
32 enhance packet filtering (see `Connection state match support'
35 To compile it as a module, choose M here. If unsure, say N.
38 bool "Connection tracking flow accounting"
39 depends on IP_NF_CONNTRACK
41 If this option is enabled, the connection tracking code will
42 keep per-flow packet and byte counters.
44 Those counters can be used for flow-based accounting or the
49 config IP_NF_CONNTRACK_MARK
50 bool 'Connection mark tracking support'
51 depends on IP_NF_CONNTRACK
53 This option enables support for connection marks, used by the
54 `CONNMARK' target and `connmark' match. Similar to the mark value
55 of packets, but this mark value is kept in the conntrack session
56 instead of the individual packets.
58 config IP_NF_CONNTRACK_SECMARK
59 bool 'Connection tracking security mark support'
60 depends on IP_NF_CONNTRACK && NETWORK_SECMARK
62 This option enables security markings to be applied to
63 connections. Typically they are copied to connections from
64 packets using the CONNSECMARK target and copied back from
65 connections to packets with the same target, with the packets
66 being originally labeled via SECMARK.
70 config IP_NF_CONNTRACK_EVENTS
71 bool "Connection tracking events (EXPERIMENTAL)"
72 depends on EXPERIMENTAL && IP_NF_CONNTRACK
74 If this option is enabled, the connection tracking code will
75 provide a notifier chain that can be used by other kernel code
76 to get notified about changes in the connection tracking state.
80 config IP_NF_CONNTRACK_NETLINK
81 tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
82 depends on EXPERIMENTAL && IP_NF_CONNTRACK && NETFILTER_NETLINK
83 depends on IP_NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
84 depends on IP_NF_NAT=n || IP_NF_NAT
86 This option enables support for a netlink-based userspace interface
89 config IP_NF_CT_PROTO_SCTP
90 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
91 depends on IP_NF_CONNTRACK && EXPERIMENTAL
93 With this option enabled, the connection tracking code will
94 be able to do state tracking on SCTP connections.
96 If you want to compile it as a module, say M here and read
97 <file:Documentation/modules.txt>. If unsure, say `N'.
100 tristate "FTP protocol support"
101 depends on IP_NF_CONNTRACK
103 Tracking FTP connections is problematic: special helpers are
104 required for tracking them, and doing masquerading and other forms
105 of Network Address Translation on them.
107 To compile it as a module, choose M here. If unsure, say Y.
110 tristate "IRC protocol support"
111 depends on IP_NF_CONNTRACK
113 There is a commonly-used extension to IRC called
114 Direct Client-to-Client Protocol (DCC). This enables users to send
115 files to each other, and also chat to each other without the need
116 of a server. DCC Sending is used anywhere you send files over IRC,
117 and DCC Chat is most commonly used by Eggdrop bots. If you are
118 using NAT, this extension will enable you to send files and initiate
119 chats. Note that you do NOT need this extension to get files or
120 have others initiate chats, or everything else in IRC.
122 To compile it as a module, choose M here. If unsure, say Y.
124 config IP_NF_NETBIOS_NS
125 tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
126 depends on IP_NF_CONNTRACK && EXPERIMENTAL
128 NetBIOS name service requests are sent as broadcast messages from an
129 unprivileged port and responded to with unicast messages to the
130 same port. This make them hard to firewall properly because connection
131 tracking doesn't deal with broadcasts. This helper tracks locally
132 originating NetBIOS name service requests and the corresponding
133 responses. It relies on correct IP address configuration, specifically
134 netmask and broadcast address. When properly configured, the output
135 of "ip address show" should look similar to this:
137 $ ip -4 address show eth0
138 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
139 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
141 To compile it as a module, choose M here. If unsure, say N.
144 tristate "TFTP protocol support"
145 depends on IP_NF_CONNTRACK
147 TFTP connection tracking helper, this is required depending
148 on how restrictive your ruleset is.
149 If you are using a tftp client behind -j SNAT or -j MASQUERADING
152 To compile it as a module, choose M here. If unsure, say Y.
155 tristate "Amanda backup protocol support"
156 depends on IP_NF_CONNTRACK
158 select TEXTSEARCH_KMP
160 If you are running the Amanda backup package <http://www.amanda.org/>
161 on this machine or machines that will be MASQUERADED through this
162 machine, then you may want to enable this feature. This allows the
163 connection tracking and natting code to allow the sub-channels that
164 Amanda requires for communication of the backup data, messages and
167 To compile it as a module, choose M here. If unsure, say Y.
170 tristate 'PPTP protocol support'
171 depends on IP_NF_CONNTRACK
173 This module adds support for PPTP (Point to Point Tunnelling
174 Protocol, RFC2637) connection tracking and NAT.
176 If you are running PPTP sessions over a stateful firewall or NAT
177 box, you may want to enable this feature.
179 Please note that not all PPTP modes of operation are supported yet.
180 For more info, read top of the file
181 net/ipv4/netfilter/ip_conntrack_pptp.c
183 If you want to compile it as a module, say M here and read
184 Documentation/modules.txt. If unsure, say `N'.
187 tristate 'H.323 protocol support (EXPERIMENTAL)'
188 depends on IP_NF_CONNTRACK && EXPERIMENTAL
190 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
191 important VoIP protocols, it is widely used by voice hardware and
192 software including voice gateways, IP phones, Netmeeting, OpenPhone,
195 With this module you can support H.323 on a connection tracking/NAT
198 This module supports RAS, Fast Start, H.245 Tunnelling, Call
199 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
200 whiteboard, file transfer, etc. For more information, please
201 visit http://nath323.sourceforge.net/.
203 If you want to compile it as a module, say 'M' here and read
204 Documentation/modules.txt. If unsure, say 'N'.
207 tristate "SIP protocol support (EXPERIMENTAL)"
208 depends on IP_NF_CONNTRACK && EXPERIMENTAL
210 SIP is an application-layer control protocol that can establish,
211 modify, and terminate multimedia sessions (conferences) such as
212 Internet telephony calls. With the ip_conntrack_sip and
213 the ip_nat_sip modules you can support the protocol on a connection
214 tracking/NATing firewall.
216 To compile it as a module, choose M here. If unsure, say Y.
219 tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
221 Netfilter has the ability to queue packets to user space: the
222 netlink device can be used to access them using this driver.
224 This option enables the old IPv4-only "ip_queue" implementation
225 which has been obsoleted by the new "nfnetlink_queue" code (see
226 CONFIG_NETFILTER_NETLINK_QUEUE).
228 To compile it as a module, choose M here. If unsure, say N.
230 config IP_NF_IPTABLES
231 tristate "IP tables support (required for filtering/masq/NAT)"
232 depends on NETFILTER_XTABLES
234 iptables is a general, extensible packet identification framework.
235 The packet filtering and full NAT (masquerading, port forwarding,
236 etc) subsystems now use this: say `Y' or `M' here if you want to use
239 To compile it as a module, choose M here. If unsure, say N.
242 config IP_NF_MATCH_IPRANGE
243 tristate "IP range match support"
244 depends on IP_NF_IPTABLES
246 This option makes possible to match IP addresses against IP address
249 To compile it as a module, choose M here. If unsure, say N.
251 config IP_NF_MATCH_LAYER7
252 tristate "Layer 7 match support (EXPERIMENTAL)"
253 depends on IP_NF_IPTABLES && IP_NF_CT_ACCT && IP_NF_CONNTRACK && EXPERIMENTAL
255 Say Y if you want to be able to classify connections (and their
256 packets) based on regular expression matching of their application
257 layer data. This is one way to classify applications such as
258 peer-to-peer filesharing systems that do not always use the same
261 To compile it as a module, choose M here. If unsure, say N.
263 config IP_NF_MATCH_LAYER7_DEBUG
264 bool "Layer 7 debugging output"
265 depends on IP_NF_MATCH_LAYER7
267 Say Y to get lots of debugging output.
269 config IP_NF_MATCH_TOS
270 tristate "TOS match support"
271 depends on IP_NF_IPTABLES
273 TOS matching allows you to match packets based on the Type Of
274 Service fields of the IP packet.
276 To compile it as a module, choose M here. If unsure, say N.
278 config IP_NF_MATCH_RECENT
279 tristate "recent match support"
280 depends on IP_NF_IPTABLES
282 This match is used for creating one or many lists of recently
283 used addresses and then matching against that/those list(s).
285 Short options are available by using 'iptables -m recent -h'
286 Official Website: <http://snowman.net/projects/ipt_recent/>
288 To compile it as a module, choose M here. If unsure, say N.
290 config IP_NF_MATCH_ECN
291 tristate "ECN match support"
292 depends on IP_NF_IPTABLES
294 This option adds a `ECN' match, which allows you to match against
295 the IPv4 and TCP header ECN fields.
297 To compile it as a module, choose M here. If unsure, say N.
299 config IP_NF_MATCH_AH
300 tristate "AH match support"
301 depends on IP_NF_IPTABLES
303 This match extension allows you to match a range of SPIs
304 inside AH header of IPSec packets.
306 To compile it as a module, choose M here. If unsure, say N.
308 config IP_NF_MATCH_TTL
309 tristate "TTL match support"
310 depends on IP_NF_IPTABLES
312 This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
313 to match packets by their TTL value.
315 To compile it as a module, choose M here. If unsure, say N.
317 config IP_NF_MATCH_OWNER
318 tristate "Owner match support"
319 depends on IP_NF_IPTABLES
321 Packet owner matching allows you to match locally-generated packets
322 based on who created them: the user, group, process or session.
324 To compile it as a module, choose M here. If unsure, say N.
326 config IP_NF_MATCH_ADDRTYPE
327 tristate 'address type match support'
328 depends on IP_NF_IPTABLES
330 This option allows you to match what routing thinks of an address,
331 eg. UNICAST, LOCAL, BROADCAST, ...
333 If you want to compile it as a module, say M here and read
334 <file:Documentation/modules.txt>. If unsure, say `N'.
336 config IP_NF_MATCH_HASHLIMIT
337 tristate 'hashlimit match support'
338 depends on IP_NF_IPTABLES
340 This option adds a new iptables `hashlimit' match.
342 As opposed to `limit', this match dynamically creates a hash table
343 of limit buckets, based on your selection of source/destination
344 ip addresses and/or ports.
346 It enables you to express policies like `10kpps for any given
347 destination IP' or `500pps from any given source IP' with a single
350 config IP_NF_MATCH_POLICY
351 tristate "IPsec policy match support"
352 depends on IP_NF_IPTABLES && XFRM
354 Policy matching allows you to match packets based on the
355 IPsec policy that was used during decapsulation/will
356 be used during encapsulation.
358 To compile it as a module, choose M here. If unsure, say N.
360 config IP_NF_MATCH_TIME
361 tristate 'TIME match support'
362 depends on IP_NF_IPTABLES
364 This option adds a `time' match, which allows you
365 to match based on the packet arrival time/date
366 (arrival time/date at the machine which netfilter is running on) or
367 departure time/date (for locally generated packets).
369 To compile it as a module, choose M here. If unsure, say N.
371 # `filter', generic and specific targets
373 tristate "Packet filtering"
374 depends on IP_NF_IPTABLES
376 Packet filtering defines a table `filter', which has a series of
377 rules for simple packet filtering at local input, forwarding and
378 local output. See the man page for iptables(8).
380 To compile it as a module, choose M here. If unsure, say N.
382 config IP_NF_TARGET_REJECT
383 tristate "REJECT target support"
384 depends on IP_NF_FILTER
386 The REJECT target allows a filtering rule to specify that an ICMP
387 error should be issued in response to an incoming packet, rather
388 than silently being dropped.
390 To compile it as a module, choose M here. If unsure, say N.
392 config IP_NF_TARGET_LOG
393 tristate "LOG target support"
394 depends on IP_NF_IPTABLES
396 This option adds a `LOG' target, which allows you to create rules in
397 any iptables table which records the packet header to the syslog.
399 To compile it as a module, choose M here. If unsure, say N.
401 config IP_NF_TARGET_ULOG
402 tristate "ULOG target support"
403 depends on IP_NF_IPTABLES
406 This option enables the old IPv4-only "ipt_ULOG" implementation
407 which has been obsoleted by the new "nfnetlink_log" code (see
408 CONFIG_NETFILTER_NETLINK_LOG).
410 This option adds a `ULOG' target, which allows you to create rules in
411 any iptables table. The packet is passed to a userspace logging
412 daemon using netlink multicast sockets; unlike the LOG target
413 which can only be viewed through syslog.
415 The appropriate userspace logging daemon (ulogd) may be obtained from
416 <http://www.gnumonks.org/projects/ulogd/>
418 To compile it as a module, choose M here. If unsure, say N.
420 config IP_NF_TARGET_TCPMSS
421 tristate "TCPMSS target support"
422 depends on IP_NF_IPTABLES
424 This option adds a `TCPMSS' target, which allows you to alter the
425 MSS value of TCP SYN packets, to control the maximum size for that
426 connection (usually limiting it to your outgoing interface's MTU
429 This is used to overcome criminally braindead ISPs or servers which
430 block ICMP Fragmentation Needed packets. The symptoms of this
431 problem are that everything works fine from your Linux
432 firewall/router, but machines behind it can never exchange large
434 1) Web browsers connect, then hang with no data received.
435 2) Small mail works fine, but large emails hang.
436 3) ssh works fine, but scp hangs after initial handshaking.
438 Workaround: activate this option and add a rule to your firewall
441 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
442 -j TCPMSS --clamp-mss-to-pmtu
444 To compile it as a module, choose M here. If unsure, say N.
446 # NAT + specific targets
449 depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
451 The Full NAT option allows masquerading, port forwarding and other
452 forms of full Network Address Port Translation. It is controlled by
453 the `nat' table in iptables: see the man page for iptables(8).
455 To compile it as a module, choose M here. If unsure, say N.
457 config IP_NF_NAT_NEEDED
459 depends on IP_NF_NAT != n
462 config IP_NF_TARGET_MASQUERADE
463 tristate "MASQUERADE target support"
466 Masquerading is a special case of NAT: all outgoing connections are
467 changed to seem to come from a particular interface's address, and
468 if the interface goes down, those connections are lost. This is
469 only useful for dialup accounts with dynamic IP address (ie. your IP
470 address will be different on next dialup).
472 To compile it as a module, choose M here. If unsure, say N.
474 config IP_NF_TARGET_REDIRECT
475 tristate "REDIRECT target support"
478 REDIRECT is a special case of NAT: all incoming connections are
479 mapped onto the incoming interface's address, causing the packets to
480 come to the local machine instead of passing through. This is
481 useful for transparent proxies.
483 To compile it as a module, choose M here. If unsure, say N.
485 config IP_NF_TARGET_NETMAP
486 tristate "NETMAP target support"
489 NETMAP is an implementation of static 1:1 NAT mapping of network
490 addresses. It maps the network address part, while keeping the host
491 address part intact. It is similar to Fast NAT, except that
492 Netfilter's connection tracking doesn't work well with Fast NAT.
494 To compile it as a module, choose M here. If unsure, say N.
496 config IP_NF_TARGET_SAME
497 tristate "SAME target support"
500 This option adds a `SAME' target, which works like the standard SNAT
501 target, but attempts to give clients the same IP for all connections.
503 To compile it as a module, choose M here. If unsure, say N.
505 config IP_NF_NAT_SNMP_BASIC
506 tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
507 depends on EXPERIMENTAL && IP_NF_NAT
510 This module implements an Application Layer Gateway (ALG) for
511 SNMP payloads. In conjunction with NAT, it allows a network
512 management system to access multiple private networks with
513 conflicting addresses. It works by modifying IP addresses
514 inside SNMP payloads to match IP-layer NAT mapping.
516 This is the "basic" form of SNMP-ALG, as described in RFC 2962
518 To compile it as a module, choose M here. If unsure, say N.
522 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
523 default IP_NF_NAT if IP_NF_IRC=y
524 default m if IP_NF_IRC=m
526 # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
527 # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
530 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
531 default IP_NF_NAT if IP_NF_FTP=y
532 default m if IP_NF_FTP=m
534 config IP_NF_NAT_TFTP
536 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
537 default IP_NF_NAT if IP_NF_TFTP=y
538 default m if IP_NF_TFTP=m
540 config IP_NF_NAT_AMANDA
542 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
543 default IP_NF_NAT if IP_NF_AMANDA=y
544 default m if IP_NF_AMANDA=m
546 config IP_NF_NAT_PPTP
548 depends on IP_NF_NAT!=n && IP_NF_PPTP!=n
549 default IP_NF_NAT if IP_NF_PPTP=y
550 default m if IP_NF_PPTP=m
552 config IP_NF_NAT_H323
554 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
555 default IP_NF_NAT if IP_NF_H323=y
556 default m if IP_NF_H323=m
560 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
561 default IP_NF_NAT if IP_NF_SIP=y
562 default m if IP_NF_SIP=m
564 # mangle + specific targets
566 tristate "Packet mangling"
567 depends on IP_NF_IPTABLES
569 This option adds a `mangle' table to iptables: see the man page for
570 iptables(8). This table is used for various packet alterations
571 which can effect how the packet is routed.
573 To compile it as a module, choose M here. If unsure, say N.
575 config IP_NF_TARGET_TOS
576 tristate "TOS target support"
577 depends on IP_NF_MANGLE
579 This option adds a `TOS' target, which allows you to create rules in
580 the `mangle' table which alter the Type Of Service field of an IP
581 packet prior to routing.
583 To compile it as a module, choose M here. If unsure, say N.
585 config IP_NF_TARGET_ECN
586 tristate "ECN target support"
587 depends on IP_NF_MANGLE
589 This option adds a `ECN' target, which can be used in the iptables mangle
592 You can use this target to remove the ECN bits from the IPv4 header of
593 an IP packet. This is particularly useful, if you need to work around
594 existing ECN blackholes on the internet, but don't want to disable
595 ECN support in general.
597 To compile it as a module, choose M here. If unsure, say N.
599 config IP_NF_TARGET_TTL
600 tristate 'TTL target support'
601 depends on IP_NF_MANGLE
603 This option adds a `TTL' target, which enables the user to modify
604 the TTL value of the IP header.
606 While it is safe to decrement/lower the TTL, this target also enables
607 functionality to increment and set the TTL value of the IP header to
608 arbitrary values. This is EXTREMELY DANGEROUS since you can easily
609 create immortal packets that loop forever on the network.
611 To compile it as a module, choose M here. If unsure, say N.
613 config IP_NF_TARGET_CLUSTERIP
614 tristate "CLUSTERIP target support (EXPERIMENTAL)"
615 depends on IP_NF_MANGLE && EXPERIMENTAL
616 depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4)
618 The CLUSTERIP target allows you to build load-balancing clusters of
619 network servers without having a dedicated load-balancing
620 router/server/switch.
622 To compile it as a module, choose M here. If unsure, say N.
624 # raw + specific targets
626 tristate 'raw table support (required for NOTRACK/TRACE)'
627 depends on IP_NF_IPTABLES
629 This option adds a `raw' table to iptables. This table is the very
630 first in the netfilter framework and hooks in at the PREROUTING
633 If you want to compile it as a module, say M here and read
634 <file:Documentation/modules.txt>. If unsure, say `N'.
637 config IP_NF_ARPTABLES
638 tristate "ARP tables support"
639 depends on NETFILTER_XTABLES
641 arptables is a general, extensible packet identification framework.
642 The ARP packet filtering and mangling (manipulation)subsystems
643 use this: say Y or M here if you want to use either of those.
645 To compile it as a module, choose M here. If unsure, say N.
647 config IP_NF_ARPFILTER
648 tristate "ARP packet filtering"
649 depends on IP_NF_ARPTABLES
651 ARP packet filtering defines a table `filter', which has a series of
652 rules for simple ARP packet filtering at local input and
653 local output. On a bridge, you can also specify filtering rules
654 for forwarded ARP packets. See the man page for arptables(8).
656 To compile it as a module, choose M here. If unsure, say N.
658 config IP_NF_ARP_MANGLE
659 tristate "ARP payload mangling"
660 depends on IP_NF_ARPTABLES
662 Allows altering the ARP packet payload: source and destination
663 hardware and network addresses.