# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking.  This is needed to keep
	  old programs that have not been adapted to the new names working.

	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here.  If unsure, say N.

	tristate "IP tables support (required for filtering/masq/NAT)"
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here.  If unsure, say N.
config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here.  If unsure, say N.

	tristate "AH match support"
	depends on IP_NF_IPTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.
# `filter', generic and specific targets
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table.  The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here.  If unsure, say N.
# NAT + specific targets: nf_conntrack
	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through.  This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses.  It maps the network address part, while keeping the host
	  address part intact.  It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support (OBSOLETE)"
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_NAT
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
	depends on NF_NAT && NF_CT_PROTO_GRE

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP
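The comment preceding the NAT helper entries above quotes kconfig-language.txt: `&&` returns min() of its operands, which is why a line such as `default NF_NAT && NF_CONNTRACK_FTP` yields the weaker of the two values (m if either side is m, n if either side is n). The Python evaluator below is an added illustration and is not part of the kernel's Kconfig tooling; it implements the tristate ordering n < m < y with `&&` as min, `||` as max and `!x` as 2 - x (the other rules from kconfig-language.txt), and it generalizes beyond the FTP line to any expression built from those operators. The `evaluate` and `effective_value` names and the .config values fed to them are constructed for this example.

```python
import re

# Tristate ordering used by kconfig: n < m < y.
LEVEL = {"n": 0, "m": 1, "y": 2}
NAME = {v: k for k, v in LEVEL.items()}

# Tokens: '&&', '||', '!', parentheses, and symbol names.
_TOKEN = re.compile(r"&&|\|\||!|\(|\)|[A-Za-z0-9_]+")


class _Parser:
    """Recursive-descent evaluator for a Kconfig tristate expression.

    Precedence (lowest to highest): '||' < '&&' < '!' < atom.
    '&&' is min(), '||' is max(), '!x' is 2 - x (so !m stays m).
    """

    def __init__(self, expr, symbols):
        self.toks = _TOKEN.findall(expr)
        self.pos = 0
        self.symbols = symbols

    def _peek(self):
        return self.toks[self.pos] if self.pos < len(self.toks) else None

    def _take(self):
        tok = self._peek()
        self.pos += 1
        return tok

    def parse_or(self):
        left = self.parse_and()
        while self._peek() == "||":
            self._take()
            left = max(left, self.parse_and())
        return left

    def parse_and(self):
        left = self.parse_not()
        while self._peek() == "&&":
            self._take()
            left = min(left, self.parse_not())
        return left

    def parse_not(self):
        if self._peek() == "!":
            self._take()
            return 2 - self.parse_not()   # !y = n, !n = y, !m = m
        return self.parse_atom()

    def parse_atom(self):
        tok = self._take()
        if tok == "(":
            value = self.parse_or()
            if self._take() != ")":
                raise ValueError("unbalanced parentheses")
            return value
        if tok is None or tok in ("&&", "||", "!", ")"):
            raise ValueError(f"unexpected token {tok!r}")
        if tok in LEVEL:                  # the literal constants y, m, n
            return LEVEL[tok]
        # A symbol that is unset (or not defined at all) evaluates to n.
        return LEVEL[self.symbols.get(tok, "n")]


def evaluate(expr, symbols):
    """Return 'y', 'm' or 'n' for `expr` given a {symbol: value} mapping."""
    parser = _Parser(expr, symbols)
    value = parser.parse_or()
    if parser._peek() is not None:
        raise ValueError(f"trailing token {parser._peek()!r}")
    return NAME[value]


def effective_value(chosen, depends_expr, symbols):
    """Cap a symbol's chosen value by its `depends on` expression.

    A modular (m) dependency means the dependent option can be built as
    a module at most; an unmet dependency (n) hides the option entirely.
    """
    cap = evaluate(depends_expr, symbols)
    return NAME[min(LEVEL[chosen], LEVEL[cap])]


if __name__ == "__main__":
    # Constructed .config fragment: NAT core modular, FTP tracking built in.
    cfg = {"IP_NF_IPTABLES": "y", "NF_CONNTRACK": "y", "NF_NAT": "m",
           "NF_CONNTRACK_FTP": "y", "IP_NF_FILTER": "m"}
    print("default NF_NAT && NF_CONNTRACK_FTP ->",
          evaluate("NF_NAT && NF_CONNTRACK_FTP", cfg))        # m (the weaker)
    print("REJECT chosen y, depends on IP_NF_FILTER=m ->",
          effective_value("y", "IP_NF_FILTER", cfg))           # m
```

Running the file evaluates the constructed configuration in which NF_NAT=m and NF_CONNTRACK_FTP=y, giving m for the FTP NAT helper's default. The same min() rule is what lets a `depends on` line with a modular dependency demote a built-in choice to a module, and an unmet dependency to n, which is the behaviour `effective_value` models.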
# mangle + specific targets
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values.  This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.
# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables.  This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets.  See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.