# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.
config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH
	tristate "AH match support"
	depends on IP_NF_IPTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target,
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.
# NAT + specific targets: nf_conntrack
config NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support (OBSOLETE)"
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_NAT
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.
# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT && NF_CT_PROTO_GRE

config NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_PPTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

config NF_NAT_SIP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP
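The "whichever is weaker" rule from the comment above (`&&` is min over the tristate order n < m < y), applied to the NAT helper stanzas, as an added Python example that is not part of the kernel's Kconfig; the `tristate_eval` and `nat_helper_value` helpers and the sample configuration are assumptions for illustration:

```python
# Added example (not kernel code): tristate expression evaluation as
# described in the kconfig-language.txt excerpt above, where '&&' is min().
TRI = {"n": 0, "m": 1, "y": 2}
NAME = {v: k for k, v in TRI.items()}

def tristate_eval(expr, config):
    """Evaluate a flat Kconfig expression (no parentheses) over tristates.
    '&&' -> min, '||' -> max, '!' swaps y and n (m stays m); unset is n."""
    def atom(tok):
        tok = tok.strip()
        if tok.startswith("!"):
            return 2 - atom(tok[1:])
        return TRI[config.get(tok, "n")]
    # '||' binds looser than '&&', so split on it first
    return max(min(atom(t) for t in conj.split("&&")) for conj in expr.split("||"))

def nat_helper_value(proto, config):
    """Value an NF_NAT_<proto> stanza above takes by default: its 'default'
    expression, capped by its 'depends on' line (a symbol cannot exceed it)."""
    default = tristate_eval(f"NF_NAT && NF_CONNTRACK_{proto}", config)
    depends = tristate_eval("IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT", config)
    return NAME[min(default, depends)]

# Constructed configuration: NAT built as a module, FTP tracking built in.
CONFIG = {"IP_NF_IPTABLES": "y", "NF_CONNTRACK": "y", "NF_NAT": "m",
          "NF_CONNTRACK_FTP": "y"}

if __name__ == "__main__":
    # m && y -> m ("whichever is weaker"); IRC tracking is unset -> n
    print(nat_helper_value("FTP", CONFIG), nat_helper_value("IRC", CONFIG))
```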
# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.
# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.
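As an added example that is not part of the kernel tree, a small Python audit of a `.config` against what this file says: the options it marks OBSOLETE (and the nfnetlink replacements it names), the TTL target's warning, and a few of the `depends on` relations above; the `.config` fragment, the `FLAGGED` and `DEPENDS` tables and the function names are constructed for illustration:

```python
# Added example (not kernel code): audit a kernel .config for options this
# Kconfig marks OBSOLETE or warns about, and for violated 'depends on' lines.
import re
TRI = {"n": 0, "m": 1, "y": 2}
# Options this Kconfig marks OBSOLETE or warns about, and why (constructed table).
FLAGGED = {
    "IP_NF_QUEUE": "obsolete; use NETFILTER_NETLINK_QUEUE (nfnetlink_queue)",
    "IP_NF_TARGET_ULOG": "obsolete; use NETFILTER_NETLINK_LOG (nfnetlink_log)",
    "IP_NF_TARGET_SAME": "obsolete SAME target",
    "IP_NF_TARGET_TTL": "can raise/set TTL, so packets may loop forever",
}
# A subset of the 'depends on' relations stated in this file.
DEPENDS = {
    "NF_CONNTRACK_IPV4": ["NF_CONNTRACK"],
    "IP_NF_TARGET_REJECT": ["IP_NF_FILTER"],
    "IP_NF_TARGET_CLUSTERIP": ["IP_NF_MANGLE", "NF_CONNTRACK_IPV4"],
}
LINE = re.compile(r"^(?:CONFIG_(\w+)=(y|m)|# CONFIG_(\w+) is not set)$")

def parse_dot_config(text):
    """Map CONFIG_ symbol names to 'y', 'm' or 'n'; other lines are ignored."""
    config = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m and m.group(1):
            config[m.group(1)] = m.group(2)
        elif m:
            config[m.group(3)] = "n"
    return config

def audit(config):
    """Enabled flagged options, plus enabled options with a weaker dependency."""
    findings = []
    for opt, why in FLAGGED.items():
        if config.get(opt, "n") != "n":
            findings.append(f"{opt}={config[opt]}: {why}")
    for opt, reqs in DEPENDS.items():
        level = TRI[config.get(opt, "n")]
        # a tristate cannot be stronger than what it depends on (y needs y)
        weak = [r for r in reqs if TRI[config.get(r, "n")] < level]
        if level and weak:
            findings.append(f"{opt}={config[opt]} but depends on {', '.join(weak)}")
    return findings

# Constructed sample .config fragment, not taken from any real build.
SAMPLE = """\
CONFIG_NF_CONNTRACK=y
CONFIG_NF_CONNTRACK_IPV4=y
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_IP_NF_TARGET_TTL=y
CONFIG_IP_NF_TARGET_CLUSTERIP=m
# CONFIG_IP_NF_MANGLE is not set
"""
```

Running `audit(parse_dot_config(open("/path/to/.config").read()))` on a real build yields one line per finding; an empty list means nothing in the tables above was tripped.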