# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.
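As an added illustration of the connection-tracking entry above (example code written for this page, not part of the kernel's Kconfig or of the nf_conntrack source): a minimal tracker that records the original 5-tuple of each flow and then classifies later packets in either direction the way the conntrack states NEW and ESTABLISHED work, that is, a flow only becomes ESTABLISHED once a packet has been seen in the reply direction. The tuple layout, the fixed table size and the sample addresses are constructed for the example.

```c
/* Added example, not kernel code: a toy connection-tracking table.
 * Tuple layout, table size and sample values are constructed. */
#include <stdint.h>
#include <string.h>

enum ct_state { CT_NEW, CT_ESTABLISHED };

struct tuple {
	uint32_t saddr, daddr;   /* IPv4 addresses, host byte order here */
	uint16_t sport, dport;
	uint8_t  proto;
};

/* One tracked flow: its original direction plus whether a reply was seen. */
struct conn {
	struct tuple orig;
	int replied;
	int used;
};

#define CT_MAX 64                   /* hypothetical fixed-size table */
static struct conn ct_table[CT_MAX];

static int tuple_eq(const struct tuple *a, const struct tuple *b)
{
	return a->saddr == b->saddr && a->daddr == b->daddr &&
	       a->sport == b->sport && a->dport == b->dport &&
	       a->proto == b->proto;
}

/* Swap the endpoints: the tuple a reply packet is expected to carry. */
static struct tuple tuple_reverse(const struct tuple *t)
{
	struct tuple r = { t->daddr, t->saddr, t->dport, t->sport, t->proto };
	return r;
}

/* Look a packet's tuple up in both directions. */
static struct conn *ct_find(const struct tuple *t, int *is_reply)
{
	for (int i = 0; i < CT_MAX; i++) {
		if (!ct_table[i].used)
			continue;
		if (tuple_eq(&ct_table[i].orig, t)) {
			*is_reply = 0;
			return &ct_table[i];
		}
		struct tuple rev = tuple_reverse(&ct_table[i].orig);
		if (tuple_eq(&rev, t)) {
			*is_reply = 1;
			return &ct_table[i];
		}
	}
	return NULL;
}

/* Classify one packet and update the table.
 * CT_NEW: first packet of a flow, or a retransmission before any reply.
 * CT_ESTABLISHED: any packet once both directions have been seen.
 * -1: table full. The real kernel caps the table with the
 *     net.netfilter.nf_conntrack_max sysctl and drops new flows when
 *     it is reached, which is why conntrack table exhaustion matters
 *     for availability. */
int ct_classify(const struct tuple *t)
{
	int is_reply;
	struct conn *c = ct_find(t, &is_reply);
	if (c) {
		if (is_reply) {
			c->replied = 1;
			return CT_ESTABLISHED;
		}
		return c->replied ? CT_ESTABLISHED : CT_NEW;
	}
	for (int i = 0; i < CT_MAX; i++) {
		if (!ct_table[i].used) {
			ct_table[i].used = 1;
			ct_table[i].orig = *t;
			ct_table[i].replied = 0;
			return CT_NEW;
		}
	}
	return -1;
}

void ct_reset(void) { memset(ct_table, 0, sizeof ct_table); }

int ct_count(void)
{
	int n = 0;
	for (int i = 0; i < CT_MAX; i++)
		n += ct_table[i].used;
	return n;
}
```

A stateful filter built on this table accepts ESTABLISHED packets and applies its policy only to NEW ones, which is what makes the "required for NAT" note above hold: NAT needs the same per-flow record to rewrite reply packets consistently.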
config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	depends on NETFILTER_ADVANCED
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate '"ah" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
# `filter', generic and specific targets

	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.
# NAT + specific targets: nf_conntrack

	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your IP
	  address will be different on the next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NETFILTER_ADVANCED
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match the IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.
# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#         <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).

config NF_NAT_PROTO_DCCP
	depends on NF_NAT && NF_CT_PROTO_DCCP
	default NF_NAT && NF_CT_PROTO_DCCP

config NF_NAT_PROTO_GRE
	depends on NF_NAT && NF_CT_PROTO_GRE

config NF_NAT_PROTO_UDPLITE
	depends on NF_NAT && NF_CT_PROTO_UDPLITE
	default NF_NAT && NF_CT_PROTO_UDPLITE

config NF_NAT_PROTO_SCTP
	default NF_NAT && NF_CT_PROTO_SCTP
	depends on NF_NAT && NF_CT_PROTO_SCTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP
# mangle + specific targets

	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here. If unsure, say N.
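The ECN and TTL targets above both rewrite bytes of the IPv4 header, and any such mangle must also keep the header checksum valid or the packet is discarded by the next hop. The following is an added example written for this page (not the kernel's ipt_ECN or ipt_TTL source): it clears the two ECN bits of the TOS byte, decrements the TTL while refusing to raise it (the "immortal packets" warning above is the reason), and fixes the checksum incrementally as RFC 1624 describes, then re-verifies it with a full recomputation. The 20-byte header is constructed for the example; `ip_csum_replace16` is a local rewrite of the idea behind the kernel's `csum_replace2()`, not that function itself.

```c
/* Added example, not kernel code: TTL/ECN mangling with a correct
 * IPv4 header checksum update. Header bytes below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IPV4_MIN_HDR 20

/* Full one's-complement checksum over the header (RFC 791). */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
	uint32_t sum = 0;
	for (size_t i = 0; i + 1 < len; i += 2)
		sum += (uint32_t)hdr[i] << 8 | hdr[i + 1];
	if (len & 1)
		sum += (uint32_t)hdr[len - 1] << 8;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	return (uint16_t)~sum;
}

static uint16_t get16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }
static void put16(uint8_t *p, uint16_t v) { p[0] = v >> 8; p[1] = v & 0xff; }

/* Incremental update for one 16-bit header word changing from old_w to
 * new_w, RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m'). Checksum is at offset 10. */
static void ip_csum_replace16(uint8_t *hdr, uint16_t old_w, uint16_t new_w)
{
	uint32_t sum = (uint16_t)~get16(hdr + 10);
	sum += (uint16_t)~old_w;
	sum += new_w;
	while (sum >> 16)
		sum = (sum & 0xffff) + (sum >> 16);
	put16(hdr + 10, (uint16_t)~sum);
}

/* Decrement the TTL by one, the only direction that is always safe.
 * Returns 0 on success, -1 if the packet should be dropped instead
 * (not IPv4, header too short, or TTL already 0 or 1). */
int ip_ttl_decrement(uint8_t *hdr, size_t len)
{
	if (len < IPV4_MIN_HDR || (hdr[0] >> 4) != 4 || hdr[8] <= 1)
		return -1;
	uint16_t old_w = get16(hdr + 8);   /* word holding TTL (hi) and protocol (lo) */
	hdr[8] -= 1;
	ip_csum_replace16(hdr, old_w, get16(hdr + 8));
	return 0;
}

/* Clear the two ECN bits (low bits of the TOS byte) as the ECN target does
 * for the IPv4 header. The DSCP bits are left untouched. */
int ip_ecn_clear(uint8_t *hdr, size_t len)
{
	if (len < IPV4_MIN_HDR || (hdr[0] >> 4) != 4)
		return -1;
	uint16_t old_w = get16(hdr);       /* word holding version/IHL (hi) and TOS (lo) */
	hdr[1] &= (uint8_t)~0x03;
	ip_csum_replace16(hdr, old_w, get16(hdr));
	return 0;
}

/* 1 if the checksum verifies: the sum over the whole header, checksum
 * field included, folds to all ones, so ip_checksum() returns 0. */
int ip_header_valid(const uint8_t *hdr, size_t len)
{
	return len >= IPV4_MIN_HDR && ip_checksum(hdr, len) == 0;
}

/* Constructed sample: 20-byte IPv4 header, TTL 64, protocol TCP,
 * TOS 0x01 (ECT(1) set), addresses 192.168.0.1 -> 192.168.0.199. */
void ip_sample_header(uint8_t out[IPV4_MIN_HDR])
{
	static const uint8_t tmpl[IPV4_MIN_HDR] = {
		0x45, 0x01, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00,
		0x40, 0x06, 0x00, 0x00, 0xc0, 0xa8, 0x00, 0x01,
		0xc0, 0xa8, 0x00, 0xc7 };
	memcpy(out, tmpl, IPV4_MIN_HDR);
	put16(out + 10, ip_checksum(out, IPV4_MIN_HDR));  /* fill in a correct checksum */
}
```

The incremental form matters in a mangle target because it touches only the changed word and the checksum field; a target that forgets this step produces packets that every conformant router drops, which is a useful thing to look for when a mangle rule "silently" breaks traffic.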
config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets

	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.