# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "Broadcom proprietary NAT support"
	depends on NF_CONNTRACK && NF_NAT
	help
	  This helps packets pass through netfilter faster when a packet
	  belongs to established or reply traffic.

	tristate "IP tables support (required for filtering/masq/NAT)"
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TIME
	tristate 'TIME match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `time' match, which allows you
	  to match based on the packet arrival time/date
	  (arrival time/date at the machine which netfilter is running on) or
	  departure time/date (for locally generated packets).

	  If you say Y here, try iptables -m time --help for more information.
	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt. If unsure, say `N'.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "AH match support"
	depends on IP_NF_IPTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_MPORT
	tristate 'Multiple port with ranges match support'
	depends on IP_NF_IPTABLES
	help
	  Multiple port with ranges match support.

	  To compile it as a module, choose M here. If unsure, say N.
# `filter', generic and specific targets
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.
# NAT + specific targets: nf_conntrack
	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.
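The help texts for connection tracking and for the MASQUERADE, REDIRECT, NETMAP and SAME targets above each describe one rewriting rule in a sentence. The following is an added user-space model of those rules (not the kernel's code and not part of this Kconfig): a conntrack table keyed by the original 4-tuple, MASQUERADE bound to the outgoing interface so that its mappings are lost when that interface goes down, REDIRECT onto the incoming interface's address, NETMAP keeping the host bits, and SAME choosing a pool address from the client address. The interface addresses, flows and pool are constructed sample values, and the SAME selection (client address modulo pool size) is an assumed stand-in for whatever hashing the real target uses.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """Reply direction: swap the endpoints (conntrack's reply tuple)."""
        return Flow(self.dst, self.dport, self.src, self.sport)


def netmap(addr, to_net):
    """NETMAP: static 1:1 mapping. The prefix of to_net supplies the network
    part; the host bits of addr are kept (192.168.3.7 -> 10.5.3.7 for 10.5.0.0/16)."""
    net = ipaddress.IPv4Network(to_net, strict=False)
    mask = int(net.netmask)
    host = int(ipaddress.IPv4Address(addr)) & (~mask & 0xFFFFFFFF)
    return str(ipaddress.IPv4Address((int(net.network_address) & mask) | host))


def same_select(src, pool):
    """SAME: derive the pool address from the client address so every
    connection from one client leaves with the same IP (assumed hashing)."""
    return pool[int(ipaddress.IPv4Address(src)) % len(pool)]


class NatBox:
    """Conntrack table plus the two 'special case' NAT targets."""

    def __init__(self, ifaces):
        self.ifaces = dict(ifaces)   # interface name -> current address (constructed)
        self.table = {}              # original Flow -> (translated Flow, bound interface)

    def state(self, flow):
        """NEW if conntrack has never seen the flow, ESTABLISHED if the flow
        or its reply is already in the table."""
        if flow in self.table or self.reverse(flow) is not None:
            return "ESTABLISHED"
        return "NEW"

    def masquerade(self, flow, out_if):
        """MASQUERADE: the source becomes the outgoing interface's address.
        The mapping is bound to out_if and dies with it (see iface_down).
        Source-port collisions are not modelled here."""
        if flow in self.table:                       # already tracked: reuse the mapping
            return self.table[flow][0]
        new = Flow(self.ifaces[out_if], flow.sport, flow.dst, flow.dport)
        self.table[flow] = (new, out_if)
        return new

    def redirect(self, flow, in_if, to_port=None):
        """REDIRECT: the destination becomes the incoming interface's address,
        optionally with a new port (the transparent-proxy case)."""
        if flow in self.table:
            return self.table[flow][0]
        new = Flow(flow.src, flow.sport, self.ifaces[in_if], to_port or flow.dport)
        self.table[flow] = (new, in_if)
        return new

    def reverse(self, flow):
        """Un-NAT a reply: a packet matching the reply of a translated flow is
        rewritten to the reply of the original flow; None if nothing matches."""
        for orig, (translated, _) in self.table.items():
            if flow == translated.reply():
                return orig.reply()
        return None

    def iface_down(self, name):
        """The interface went away: every mapping bound to it is lost."""
        self.table = {f: v for f, v in self.table.items() if v[1] != name}


if __name__ == "__main__":
    box = NatBox({"ppp0": "203.0.113.5", "eth0": "192.168.1.1"})
    out = box.masquerade(Flow("192.168.1.10", 40000, "198.51.100.7", 443), "ppp0")
    print("masqueraded:", out)
    print("reply un-NATed:", box.reverse(out.reply()))
    box.iface_down("ppp0")
    print("after ppp0 down:", box.reverse(out.reply()))
    print("netmap:", netmap("192.168.3.7", "10.5.0.0/16"))
```

The `reverse` lookup is what makes MASQUERADE and REDIRECT depend on connection tracking: without the stored original tuple there is nothing to rewrite the reply back to, which is why the NAT options above depend on NF_CONNTRACK_IPV4.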
config IP_NF_TARGET_TRIGGER
	tristate "TRIGGER target support (port-trigger)"
	help
	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_NAT
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "Automatic port forwarding (autofw) target support"
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	help
	  To compile it as a module, choose M here. If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#   <expr> '&&' <expr>                      (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
	depends on NF_NAT && NF_CT_PROTO_GRE

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_RTSP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP
# mangle + specific targets
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

config IP_NF_MATCH_U32
	tristate 'U32 match support'
	depends on IP_NF_IPTABLES
	help
	  U32 allows you to extract quantities of up to 4 bytes from a packet,
	  AND them with specified masks, shift them by specified amounts and
	  test whether the results are in any of a set of specified ranges.
	  The specification of what to extract is general enough to skip over
	  headers with lengths stored in the packet, as in IP or TCP header

	  Details and examples are in the kernel module source.
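The U32 help text above compresses the whole match into three sentences: read 4 bytes, mask and shift them, compare against ranges, and use an extracted value to skip a variable-length header. The following is an added user-space evaluator for that scheme (it is not the kernel module and not part of this Kconfig); its expression syntax is modelled on the iptables u32 match as I understand it and should be treated as an assumption: tests separated by `&&`, each `location=values`, where the location is a byte offset followed by `&n`, `<<n`, `>>n` or `@n`, and `@n` adds the current value to a running base offset before reading 4 bytes at `base + n`. The IPv4/TCP packets it runs on are constructed inline; the `HTTP_GET` expression shows the header-skipping the help text mentions, first over the IP header (IHL) and then over the TCP header (data offset), so it still matches when TCP options are present.

```python
import re
import struct

MASK32 = 0xFFFFFFFF
_NUM = r"(?:0x[0-9a-fA-F]+|\d+)"
_OP = re.compile(r"\s*(&|<<|>>|@)\s*(" + _NUM + r")")


def parse_test(text):
    """Split 'location=values' into (first_offset, [(op, n), ...], [(lo, hi), ...])."""
    loc, sep, rhs = text.partition("=")
    if not sep:
        raise ValueError("test needs '=': %r" % text)
    m = re.match(r"\s*(" + _NUM + r")", loc)
    if not m:
        raise ValueError("test must start with an offset: %r" % text)
    first = int(m.group(1), 0)
    ops, pos, rest = [], 0, loc[m.end():]
    for t in _OP.finditer(rest):
        if t.start() != pos:          # anything between operators is a syntax error
            raise ValueError("bad operator sequence: %r" % rest)
        ops.append((t.group(1), int(t.group(2), 0)))
        pos = t.end()
    if rest[pos:].strip():
        raise ValueError("trailing junk in location: %r" % rest)
    ranges = []
    for part in rhs.split(","):       # "a:b" is a range, "a" a single value
        lo, colon, hi = part.partition(":")
        lo = int(lo.strip(), 0)
        hi = int(hi.strip(), 0) if colon else lo
        if lo > hi:
            raise ValueError("inverted range: %r" % part)
        ranges.append((lo, hi))
    return first, ops, ranges


def _read4(pkt, off):
    """4 bytes in network byte order; None when the read would run off the packet."""
    if off < 0 or off + 4 > len(pkt):
        return None
    return struct.unpack_from("!I", pkt, off)[0]


def eval_test(pkt, first, ops, ranges):
    at = 0                                  # running base offset, moved by '@'
    val = _read4(pkt, first)
    if val is None:
        return False
    for op, n in ops:
        if op == "&":
            val &= n
        elif op == "<<":
            val = (val << n) & MASK32       # stay inside the 32-bit register
        elif op == ">>":
            val >>= n
        else:                               # '@': skip a header whose length was just computed
            at += val
            val = _read4(pkt, at + n)
            if val is None:
                return False
    return any(lo <= val <= hi for lo, hi in ranges)


def u32_match(pkt, expr):
    """True when every '&&'-separated test matches (IPv4 header at offset 0)."""
    return all(eval_test(pkt, *parse_test(t)) for t in expr.split("&&"))


def build_tcp_packet(payload, doff=5, ttl=64):
    """Constructed IPv4+TCP packet for the demo; checksums are left zero."""
    tcp_len = doff * 4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + tcp_len + len(payload),
                     0x1234, 0x4000, ttl, 6, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x18, 0xFFFF, 0, 0)
    tcp += b"\0" * (tcp_len - 20)           # zero-filled TCP options when doff > 5
    return ip + tcp + payload


# Bytes 6..9 hold flags/fragment offset, TTL and protocol; keep the low byte.
IS_TCP = "6&0xFF=6"
# 0>>22&0x3C yields IHL*4 (skip the IP header); 12>>26&0x3C yields the TCP
# data offset *4 (skip the TCP header); then read the first 4 payload bytes.
HTTP_GET = IS_TCP + " && 0>>22&0x3C@12>>26&0x3C@0=0x47455420"

if __name__ == "__main__":
    for doff, body in ((5, b"GET / HTTP/1.1\r\n"), (8, b"GET / HTTP/1.1\r\n"),
                       (5, b"POST / HTTP/1.1\r\n")):
        print(doff, body[:4], u32_match(build_tcp_packet(body, doff=doff), HTTP_GET))
```

Every read is bounds-checked and a read past the end of the packet fails the test rather than raising, which is the behaviour a match must have when an attacker controls header lengths.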
config IP_NF_TARGET_ROUTE
	tristate 'ROUTE target support'
	depends on IP_NF_MANGLE
	help
	  This option adds a `ROUTE' target, which enables you to set up unusual
	  routes. For example, ROUTE lets you route a received packet through
	  an interface or towards a host, even if the regular destination of the
	  packet is the router itself. The ROUTE target is also able to change the
	  incoming interface of a packet.

	  The target can be or not a final target. It has to be used inside the

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt. The module will be called ipt_ROUTE.o.

config IP_NF_TARGET_TARPIT
	tristate 'TARPIT target support'
	depends on IP_NF_FILTER
	help
	  Adds a TARPIT target to iptables, which captures and holds
	  incoming TCP connections using no local per-connection resources.
	  Connections are accepted, but immediately switched to the persist
	  state (0 byte window), in which the remote side stops sending data
	  and asks to continue every 60-240 seconds. Attempts to close the
	  connection are ignored, forcing the remote side to time out the
	  connection in 12-24 minutes.

	  This offers similar functionality to LaBrea
	  <http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
	  hardware or IPs. Any TCP port that you would normally DROP or REJECT
	  can instead become a tarpit.

config IP_NF_MATCH_IPP2P
	tristate 'IPP2P match support'
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match some P2P packets and
	  therefore helps control such traffic.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_IPV4OPTIONS
	tristate 'IPV4OPTIONS match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds an IPV4OPTIONS match.
	  It allows you to filter options like source routing,
	  record route, timestamp and router-alert.

	  If you say Y here, try iptables -m ipv4options --help for more information.

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt. If unsure, say `N'.
config IP_NF_TARGET_BCOUNT
	tristate 'BCOUNT target'
	depends on IP_NF_IPTABLES

config IP_NF_MATCH_BCOUNT
	tristate 'bcount match'
	depends on IP_NF_TARGET_BCOUNT

config IP_NF_TARGET_MACSAVE
	tristate 'MACSAVE target'
	depends on IP_NF_IPTABLES

config IP_NF_MATCH_MACSAVE
	tristate 'macsave match'
	depends on IP_NF_TARGET_MACSAVE

config IP_NF_MATCH_EXP
	tristate 'exp match (experimental rig - do not use)'
	depends on IP_NF_IPTABLES && EXPERIMENTAL

config IP_NF_TOMATOCT
	depends on NF_CONNTRACK_MARK && EXPERIMENTAL

config IP_NF_MATCH_ACCOUNT
	tristate "account match support"
	depends on IP_NF_IPTABLES
	help
	  This patch adds the account match

	  The account match provides simple traffic accounting for continuous networks.
	    --aaddr subnet   for which to enable traffic accounting
	    --aname table    name with traffic counters; it can be accessed by reading
	                     /proc/net/ipt_account/<table name>
	    --ashort         do simple statistics (no tcp/udp/icmp counters)

	  More options can be found on the project homepage.

	  http://www.svn.barbara.eu.org/ipt_account/

	  To compile it as a module, choose M here. If unsure, say N.

	depends on NF_CONNTRACK