1 menu "Core Netfilter Configuration"
2 depends on NET && INET && NETFILTER
4 config NETFILTER_NETLINK
5 tristate "Netfilter netlink interface"
7 If this option is enabled, the kernel will include support
8 for the new netfilter netlink interface.
10 config NETFILTER_NETLINK_QUEUE
11 tristate "Netfilter NFQUEUE over NFNETLINK interface"
12 depends on NETFILTER_NETLINK
14 If this option is enabled, the kernel will include support
15 for queueing packets via NFNETLINK.
17 config NETFILTER_NETLINK_LOG
18 tristate "Netfilter LOG over NFNETLINK interface"
19 depends on NETFILTER_NETLINK
21 If this option is enabled, the kernel will include support
22 for logging packets via NFNETLINK.
24 This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
25 and is also scheduled to replace the old syslog-based ipt_LOG
28 # Rename this to NF_CONNTRACK in a 2.6.25
29 config NF_CONNTRACK_ENABLED
30 tristate "Netfilter connection tracking support"
32 Connection tracking keeps a record of what packets have passed
33 through your machine, in order to figure out how they are related
36 This is required to do Masquerading or other kinds of Network
37 Address Translation (except for Fast NAT). It can also be used to
38 enhance packet filtering (see `Connection state match support'
41 To compile it as a module, choose M here. If unsure, say N.
45 default NF_CONNTRACK_ENABLED
48 bool "Connection tracking flow accounting"
49 depends on NF_CONNTRACK
51 If this option is enabled, the connection tracking code will
52 keep per-flow packet and byte counters.
54 Those counters can be used for flow-based accounting or the
59 config NF_CONNTRACK_MARK
60 bool 'Connection mark tracking support'
61 depends on NF_CONNTRACK
63 This option enables support for connection marks, used by the
64 `CONNMARK' target and `connmark' match. Similar to the mark value
65 of packets, but this mark value is kept in the conntrack session
66 instead of the individual packets.
68 config NF_CONNTRACK_SECMARK
69 bool 'Connection tracking security mark support'
70 depends on NF_CONNTRACK && NETWORK_SECMARK
72 This option enables security markings to be applied to
73 connections. Typically they are copied to connections from
74 packets using the CONNSECMARK target and copied back from
75 connections to packets with the same target, with the packets
76 being originally labeled via SECMARK.
80 config NF_CONNTRACK_EVENTS
81 bool "Connection tracking events (EXPERIMENTAL)"
82 depends on EXPERIMENTAL && NF_CONNTRACK
84 If this option is enabled, the connection tracking code will
85 provide a notifier chain that can be used by other kernel code
86 to get notified about changes in the connection tracking state.
90 config NF_CT_PROTO_GRE
92 depends on NF_CONNTRACK
94 config NF_CT_PROTO_SCTP
95 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
96 depends on EXPERIMENTAL && NF_CONNTRACK
99 With this option enabled, the layer 3 independent connection
100 tracking code will be able to do state tracking on SCTP connections.
102 If you want to compile it as a module, say M here and read
103 Documentation/modules.txt. If unsure, say `N'.
105 config NF_CONNTRACK_AMANDA
106 tristate "Amanda backup protocol support"
107 depends on NF_CONNTRACK
109 select TEXTSEARCH_KMP
111 If you are running the Amanda backup package <http://www.amanda.org/>
112 on this machine or machines that will be MASQUERADED through this
113 machine, then you may want to enable this feature. This allows the
114 connection tracking and natting code to allow the sub-channels that
115 Amanda requires for communication of the backup data, messages and
118 To compile it as a module, choose M here. If unsure, say N.
120 config NF_CONNTRACK_FTP
121 tristate "FTP protocol support"
122 depends on NF_CONNTRACK
124 Tracking FTP connections is problematic: special helpers are
125 required for tracking them, and doing masquerading and other forms
126 of Network Address Translation on them.
128 This is FTP support on Layer 3 independent connection tracking.
129 Layer 3 independent connection tracking is experimental scheme
130 which generalize ip_conntrack to support other layer 3 protocols.
132 To compile it as a module, choose M here. If unsure, say N.
134 config NF_CONNTRACK_H323
135 tristate "H.323 protocol support (EXPERIMENTAL)"
136 depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n)
138 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
139 important VoIP protocols, it is widely used by voice hardware and
140 software including voice gateways, IP phones, Netmeeting, OpenPhone,
143 With this module you can support H.323 on a connection tracking/NAT
146 This module supports RAS, Fast Start, H.245 Tunnelling, Call
147 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
148 whiteboard, file transfer, etc. For more information, please
149 visit http://nath323.sourceforge.net/.
151 To compile it as a module, choose M here. If unsure, say N.
153 config NF_CONNTRACK_IRC
154 tristate "IRC protocol support"
155 depends on NF_CONNTRACK
157 There is a commonly-used extension to IRC called
158 Direct Client-to-Client Protocol (DCC). This enables users to send
159 files to each other, and also chat to each other without the need
160 of a server. DCC Sending is used anywhere you send files over IRC,
161 and DCC Chat is most commonly used by Eggdrop bots. If you are
162 using NAT, this extension will enable you to send files and initiate
163 chats. Note that you do NOT need this extension to get files or
164 have others initiate chats, or everything else in IRC.
166 To compile it as a module, choose M here. If unsure, say N.
168 config NF_CONNTRACK_NETBIOS_NS
169 tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
170 depends on EXPERIMENTAL && NF_CONNTRACK
172 NetBIOS name service requests are sent as broadcast messages from an
173 unprivileged port and responded to with unicast messages to the
174 same port. This make them hard to firewall properly because connection
175 tracking doesn't deal with broadcasts. This helper tracks locally
176 originating NetBIOS name service requests and the corresponding
177 responses. It relies on correct IP address configuration, specifically
178 netmask and broadcast address. When properly configured, the output
179 of "ip address show" should look similar to this:
181 $ ip -4 address show eth0
182 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
183 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
185 To compile it as a module, choose M here. If unsure, say N.
187 config NF_CONNTRACK_PPTP
188 tristate "PPtP protocol support"
189 depends on NF_CONNTRACK
190 select NF_CT_PROTO_GRE
192 This module adds support for PPTP (Point to Point Tunnelling
193 Protocol, RFC2637) connection tracking and NAT.
195 If you are running PPTP sessions over a stateful firewall or NAT
196 box, you may want to enable this feature.
198 Please note that not all PPTP modes of operation are supported yet.
199 Specifically these limitations exist:
200 - Blindy assumes that control connections are always established
201 in PNS->PAC direction. This is a violation of RFC2637.
202 - Only supports a single call within each session
204 To compile it as a module, choose M here. If unsure, say N.
206 config NF_CONNTRACK_SANE
207 tristate "SANE protocol support (EXPERIMENTAL)"
208 depends on EXPERIMENTAL && NF_CONNTRACK
210 SANE is a protocol for remote access to scanners as implemented
211 by the 'saned' daemon. Like FTP, it uses separate control and
214 With this module you can support SANE on a connection tracking
217 To compile it as a module, choose M here. If unsure, say N.
219 config NF_CONNTRACK_SIP
220 tristate "SIP protocol support (EXPERIMENTAL)"
221 depends on EXPERIMENTAL && NF_CONNTRACK
223 SIP is an application-layer control protocol that can establish,
224 modify, and terminate multimedia sessions (conferences) such as
225 Internet telephony calls. With the ip_conntrack_sip and
226 the nf_nat_sip modules you can support the protocol on a connection
227 tracking/NATing firewall.
229 To compile it as a module, choose M here. If unsure, say N.
231 config NF_CONNTRACK_TFTP
232 tristate "TFTP protocol support"
233 depends on NF_CONNTRACK
235 TFTP connection tracking helper, this is required depending
236 on how restrictive your ruleset is.
237 If you are using a tftp client behind -j SNAT or -j MASQUERADING
240 To compile it as a module, choose M here. If unsure, say N.
243 tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
244 depends on EXPERIMENTAL && NF_CONNTRACK && NETFILTER_NETLINK
245 depends on NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
246 depends on NF_NAT=n || NF_NAT
248 This option enables support for a netlink-based userspace interface
250 config NETFILTER_XTABLES
251 tristate "Netfilter Xtables support (required for ip_tables)"
253 This is required if you intend to use any of ip_tables,
254 ip6_tables or arp_tables.
256 # alphabetically ordered list of targets
258 config NETFILTER_XT_TARGET_CLASSIFY
259 tristate '"CLASSIFY" target support'
260 depends on NETFILTER_XTABLES
262 This option adds a `CLASSIFY' target, which enables the user to set
263 the priority of a packet. Some qdiscs can use this value for
264 classification, among these are:
266 atm, cbq, dsmark, pfifo_fast, htb, prio
268 To compile it as a module, choose M here. If unsure, say N.
270 config NETFILTER_XT_TARGET_CONNMARK
271 tristate '"CONNMARK" target support'
272 depends on NETFILTER_XTABLES
273 depends on IP_NF_MANGLE || IP6_NF_MANGLE
274 depends on NF_CONNTRACK
275 select NF_CONNTRACK_MARK
277 This option adds a `CONNMARK' target, which allows one to manipulate
278 the connection mark value. Similar to the MARK target, but
279 affects the connection mark value rather than the packet mark value.
281 If you want to compile it as a module, say M here and read
282 <file:Documentation/modules.txt>. The module will be called
283 ipt_CONNMARK.o. If unsure, say `N'.
285 config NETFILTER_XT_TARGET_DSCP
286 tristate '"DSCP" target support'
287 depends on NETFILTER_XTABLES
288 depends on IP_NF_MANGLE || IP6_NF_MANGLE
290 This option adds a `DSCP' target, which allows you to manipulate
291 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
293 The DSCP field can have any value between 0x0 and 0x3f inclusive.
295 To compile it as a module, choose M here. If unsure, say N.
297 config NETFILTER_XT_TARGET_MARK
298 tristate '"MARK" target support'
299 depends on NETFILTER_XTABLES
301 This option adds a `MARK' target, which allows you to create rules
302 in the `mangle' table which alter the netfilter mark (nfmark) field
303 associated with the packet prior to routing. This can change
304 the routing method (see `Use netfilter MARK value as routing
305 key') and can also be used by other subsystems to change their
308 To compile it as a module, choose M here. If unsure, say N.
310 config NETFILTER_XT_TARGET_NFQUEUE
311 tristate '"NFQUEUE" target Support'
312 depends on NETFILTER_XTABLES
314 This target replaced the old obsolete QUEUE target.
316 As opposed to QUEUE, it supports 65535 different queues,
319 To compile it as a module, choose M here. If unsure, say N.
321 config NETFILTER_XT_TARGET_NFLOG
322 tristate '"NFLOG" target support'
323 depends on NETFILTER_XTABLES
325 This option enables the NFLOG target, which allows to LOG
326 messages through the netfilter logging API, which can use
327 either the old LOG target, the old ULOG target or nfnetlink_log
330 To compile it as a module, choose M here. If unsure, say N.
332 config NETFILTER_XT_TARGET_NOTRACK
333 tristate '"NOTRACK" target support'
334 depends on NETFILTER_XTABLES
335 depends on IP_NF_RAW || IP6_NF_RAW
336 depends on NF_CONNTRACK
338 The NOTRACK target allows a select rule to specify
339 which packets *not* to enter the conntrack/NAT
340 subsystem with all the consequences (no ICMP error tracking,
341 no protocol helpers for the selected packets).
343 If you want to compile it as a module, say M here and read
344 <file:Documentation/modules.txt>. If unsure, say `N'.
346 config NETFILTER_XT_TARGET_SECMARK
347 tristate '"SECMARK" target support'
348 depends on NETFILTER_XTABLES && NETWORK_SECMARK
350 The SECMARK target allows security marking of network
351 packets, for use with security subsystems.
353 To compile it as a module, choose M here. If unsure, say N.
355 config NETFILTER_XT_TARGET_CONNSECMARK
356 tristate '"CONNSECMARK" target support'
357 depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK
359 The CONNSECMARK target copies security markings from packets
360 to connections, and restores security markings from connections
361 to packets (if the packets are not already marked). This would
362 normally be used in conjunction with the SECMARK target.
364 To compile it as a module, choose M here. If unsure, say N.
366 config NETFILTER_XT_TARGET_TCPMSS
367 tristate '"TCPMSS" target support'
368 depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
370 This option adds a `TCPMSS' target, which allows you to alter the
371 MSS value of TCP SYN packets, to control the maximum size for that
372 connection (usually limiting it to your outgoing interface's MTU
375 This is used to overcome criminally braindead ISPs or servers which
376 block ICMP Fragmentation Needed packets. The symptoms of this
377 problem are that everything works fine from your Linux
378 firewall/router, but machines behind it can never exchange large
380 1) Web browsers connect, then hang with no data received.
381 2) Small mail works fine, but large emails hang.
382 3) ssh works fine, but scp hangs after initial handshaking.
384 Workaround: activate this option and add a rule to your firewall
387 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
388 -j TCPMSS --clamp-mss-to-pmtu
390 To compile it as a module, choose M here. If unsure, say N.
392 config NETFILTER_XT_MATCH_COMMENT
393 tristate '"comment" match support'
394 depends on NETFILTER_XTABLES
396 This option adds a `comment' dummy-match, which allows you to put
397 comments in your iptables ruleset.
399 If you want to compile it as a module, say M here and read
400 <file:Documentation/modules.txt>. If unsure, say `N'.
402 config NETFILTER_XT_MATCH_CONNBYTES
403 tristate '"connbytes" per-connection counter match support'
404 depends on NETFILTER_XTABLES
405 depends on NF_CONNTRACK
408 This option adds a `connbytes' match, which allows you to match the
409 number of bytes and/or packets for each direction within a connection.
411 If you want to compile it as a module, say M here and read
412 <file:Documentation/modules.txt>. If unsure, say `N'.
414 config NETFILTER_XT_MATCH_CONNMARK
415 tristate '"connmark" connection mark match support'
416 depends on NETFILTER_XTABLES
417 depends on NF_CONNTRACK
418 select NF_CONNTRACK_MARK
420 This option adds a `connmark' match, which allows you to match the
421 connection mark value previously set for the session by `CONNMARK'.
423 If you want to compile it as a module, say M here and read
424 <file:Documentation/modules.txt>. The module will be called
425 ipt_connmark.o. If unsure, say `N'.
427 config NETFILTER_XT_MATCH_CONNTRACK
428 tristate '"conntrack" connection tracking match support'
429 depends on NETFILTER_XTABLES
430 depends on NF_CONNTRACK
432 This is a general conntrack match module, a superset of the state match.
434 It allows matching on additional conntrack information, which is
435 useful in complex configurations, such as NAT gateways with multiple
436 internet links or tunnels.
438 To compile it as a module, choose M here. If unsure, say N.
440 config NETFILTER_XT_MATCH_DCCP
441 tristate '"DCCP" protocol match support'
442 depends on NETFILTER_XTABLES
444 With this option enabled, you will be able to use the iptables
445 `dccp' match in order to match on DCCP source/destination ports
448 If you want to compile it as a module, say M here and read
449 <file:Documentation/modules.txt>. If unsure, say `N'.
451 config NETFILTER_XT_MATCH_DSCP
452 tristate '"DSCP" match support'
453 depends on NETFILTER_XTABLES
455 This option adds a `DSCP' match, which allows you to match against
456 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
458 The DSCP field can have any value between 0x0 and 0x3f inclusive.
460 To compile it as a module, choose M here. If unsure, say N.
462 config NETFILTER_XT_MATCH_ESP
463 tristate '"ESP" match support'
464 depends on NETFILTER_XTABLES
466 This match extension allows you to match a range of SPIs
467 inside ESP header of IPSec packets.
469 To compile it as a module, choose M here. If unsure, say N.
471 config NETFILTER_XT_MATCH_HELPER
472 tristate '"helper" match support'
473 depends on NETFILTER_XTABLES
474 depends on NF_CONNTRACK
476 Helper matching allows you to match packets in dynamic connections
477 tracked by a conntrack-helper, ie. ip_conntrack_ftp
479 To compile it as a module, choose M here. If unsure, say Y.
481 config NETFILTER_XT_MATCH_LENGTH
482 tristate '"length" match support'
483 depends on NETFILTER_XTABLES
485 This option allows you to match the length of a packet against a
486 specific value or range of values.
488 To compile it as a module, choose M here. If unsure, say N.
490 config NETFILTER_XT_MATCH_LIMIT
491 tristate '"limit" match support'
492 depends on NETFILTER_XTABLES
494 limit matching allows you to control the rate at which a rule can be
495 matched: mainly useful in combination with the LOG target ("LOG
496 target support", below) and to avoid some Denial of Service attacks.
498 To compile it as a module, choose M here. If unsure, say N.
500 config NETFILTER_XT_MATCH_MAC
501 tristate '"mac" address match support'
502 depends on NETFILTER_XTABLES
504 MAC matching allows you to match packets based on the source
505 Ethernet address of the packet.
507 To compile it as a module, choose M here. If unsure, say N.
509 config NETFILTER_XT_MATCH_MARK
510 tristate '"mark" match support'
511 depends on NETFILTER_XTABLES
513 Netfilter mark matching allows you to match packets based on the
514 `nfmark' value in the packet. This can be set by the MARK target
517 To compile it as a module, choose M here. If unsure, say N.
519 config NETFILTER_XT_MATCH_POLICY
520 tristate 'IPsec "policy" match support'
521 depends on NETFILTER_XTABLES && XFRM
523 Policy matching allows you to match packets based on the
524 IPsec policy that was used during decapsulation/will
525 be used during encapsulation.
527 To compile it as a module, choose M here. If unsure, say N.
529 config NETFILTER_XT_MATCH_MULTIPORT
530 tristate "Multiple port match support"
531 depends on NETFILTER_XTABLES
533 Multiport matching allows you to match TCP or UDP packets based on
534 a series of source or destination ports: normally a rule can only
535 match a single range of ports.
537 To compile it as a module, choose M here. If unsure, say N.
539 config NETFILTER_XT_MATCH_PHYSDEV
540 tristate '"physdev" match support'
541 depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
543 Physdev packet matching matches against the physical bridge ports
544 the IP packet arrived on or will leave by.
546 To compile it as a module, choose M here. If unsure, say N.
548 config NETFILTER_XT_MATCH_PKTTYPE
549 tristate '"pkttype" packet type match support'
550 depends on NETFILTER_XTABLES
552 Packet type matching allows you to match a packet by
553 its "class", eg. BROADCAST, MULTICAST, ...
556 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
558 To compile it as a module, choose M here. If unsure, say N.
560 config NETFILTER_XT_MATCH_QUOTA
561 tristate '"quota" match support'
562 depends on NETFILTER_XTABLES
564 This option adds a `quota' match, which allows to match on a
567 If you want to compile it as a module, say M here and read
568 <file:Documentation/modules.txt>. If unsure, say `N'.
570 config NETFILTER_XT_MATCH_REALM
571 tristate '"realm" match support'
572 depends on NETFILTER_XTABLES
575 This option adds a `realm' match, which allows you to use the realm
576 key from the routing subsystem inside iptables.
578 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
581 If you want to compile it as a module, say M here and read
582 <file:Documentation/modules.txt>. If unsure, say `N'.
584 config NETFILTER_XT_MATCH_SCTP
585 tristate '"sctp" protocol match support (EXPERIMENTAL)'
586 depends on NETFILTER_XTABLES && EXPERIMENTAL
588 With this option enabled, you will be able to use the
589 `sctp' match in order to match on SCTP source/destination ports
590 and SCTP chunk types.
592 If you want to compile it as a module, say M here and read
593 <file:Documentation/modules.txt>. If unsure, say `N'.
595 config NETFILTER_XT_MATCH_STATE
596 tristate '"state" match support'
597 depends on NETFILTER_XTABLES
598 depends on NF_CONNTRACK
600 Connection state matching allows you to match packets based on their
601 relationship to a tracked connection (ie. previous packets). This
602 is a powerful tool for packet classification.
604 To compile it as a module, choose M here. If unsure, say N.
606 config NETFILTER_XT_MATCH_STATISTIC
607 tristate '"statistic" match support'
608 depends on NETFILTER_XTABLES
610 This option adds a `statistic' match, which allows you to match
611 on packets periodically or randomly with a given percentage.
613 To compile it as a module, choose M here. If unsure, say N.
615 config NETFILTER_XT_MATCH_STRING
616 tristate '"string" match support'
617 depends on NETFILTER_XTABLES
619 select TEXTSEARCH_KMP
621 select TEXTSEARCH_FSM
623 This option adds a `string' match, which allows you to look for
624 pattern matchings in packets.
626 To compile it as a module, choose M here. If unsure, say N.
628 config NETFILTER_XT_MATCH_TCPMSS
629 tristate '"tcpmss" match support'
630 depends on NETFILTER_XTABLES
632 This option adds a `tcpmss' match, which allows you to examine the
633 MSS value of TCP SYN packets, which control the maximum packet size
636 To compile it as a module, choose M here. If unsure, say N.
638 config NETFILTER_XT_MATCH_HASHLIMIT
639 tristate '"hashlimit" match support'
640 depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
642 This option adds a `hashlimit' match.
644 As opposed to `limit', this match dynamically creates a hash table
645 of limit buckets, based on your selection of source/destination
646 addresses and/or ports.
648 It enables you to express policies like `10kpps for any given
649 destination address' or `500pps from any given source address'