# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# connection tracking, helpers and protocols
config IP_NF_CONNTRACK
	tristate "Connection tracking (required for masq/NAT)"
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT). It can also be used to
	  enhance packet filtering (see `Connection state match support'

	  To compile it as a module, choose M here. If unsure, say N.

	bool "Connection tracking flow accounting"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the

config IP_NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config IP_NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

config IP_NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  With this option enabled, the connection tracking code will
	  be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  A helper reads the FTP control channel to learn which data
	  connections to expect, so it creates RELATED entries based on
	  packet payload; load it only where FTP through the firewall is
	  actually needed.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_IRC
	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_TFTP
	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_AMANDA
	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and NAT code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and

	  To compile it as a module, choose M here. If unsure, say Y.

	tristate "Userspace queueing via NETLINK"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP_NF_IPTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP_NF_IPTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet. That address belongs to the last
	  hop on the local segment only and is easily forged, so it should
	  not be the sole basis for trusting a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PKTTYPE
	tristate "Packet type match support"
	depends on IP_NF_IPTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	    iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP_NF_IPTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint is a 6-bit value and can have any value between
	  0x0 and 0x3f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH_ESP
	tristate "AH/ESP match support"
	depends on IP_NF_IPTABLES
	help
	  These two match extensions (`ah' and `esp') allow you to match a
	  range of SPIs inside AH or ESP headers of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_LENGTH
	tristate "LENGTH match support"
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables you
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TCPMSS
	tristate "tcpmss match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_HELPER
	tristate "Helper match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_MATCH_STATE
	tristate "Connection state match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_CONNTRACK
	tristate "Connection tracking match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_REALM
	tristate 'realm match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_SCTP
	tristate 'SCTP protocol match support'
	depends on IP_NF_IPTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_COMMENT
	tristate 'comment match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_CONNMARK
	tristate 'Connection mark match support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  ipt_connmark.o. If unsure, say `N'.

config IP_NF_MATCH_HASHLIMIT
	tristate 'hashlimit match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a new iptables `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  ip addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination IP' or `500pps from any given source IP' with a single

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

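Worked example (added here; it is not part of the kernel tree or of the iptables project): a stateful host firewall that puts the `filter' table, the state, limit, hashlimit, multiport and comment matches and the LOG and REJECT targets described above to use together. It assumes a single-homed host that exposes SSH to an admin network and HTTP/HTTPS to everyone; SSH_NET, the port list and the log prefixes are placeholders. With DRY_RUN=1 the script prints the iptables commands instead of executing them, which is also how it can be reviewed without root.

```shell
#!/bin/sh
# Added example: stateful host firewall built from the options in this menu.
# Assumes one interface, SSH for an admin network (SSH_NET, a placeholder)
# and HTTP/HTTPS for everyone. DRY_RUN=1 prints rules instead of loading them.
set -e

SSH_NET="${SSH_NET:-10.0.0.0/8}"

# Every rule goes through ipt(): with DRY_RUN set it echoes instead of running.
ipt() { ${DRY_RUN:+echo} iptables "$@"; }

host_firewall() {
    # Reset the filter table and default to deny.
    ipt -F
    ipt -X
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Per-source SYN budget: hashlimit keeps one token bucket per source
    # address. Within budget -> RETURN to the calling chain; over budget ->
    # log (rate limited so the log itself cannot be flooded) and drop.
    ipt -N SYN_LIMIT
    ipt -A SYN_LIMIT -m hashlimit --hashlimit 20/sec --hashlimit-burst 40 \
        --hashlimit-mode srcip --hashlimit-name syn_per_src -j RETURN
    ipt -A SYN_LIMIT -m limit --limit 5/min --limit-burst 10 \
        -j LOG --log-prefix "syn-flood: "
    ipt -A SYN_LIMIT -j DROP

    ipt -A INPUT -i lo -j ACCEPT

    # Conntrack does most of the work: replies to our own connections and
    # helper-expected channels (e.g. FTP data) are ESTABLISHED/RELATED;
    # packets the tracker cannot place in any connection are INVALID.
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -m state --state INVALID -j DROP

    # Only connection attempts (SYN) are charged against the SYN budget,
    # and this happens before any NEW connection can be accepted below.
    ipt -A INPUT -p tcp --syn -j SYN_LIMIT

    ipt -A INPUT -p tcp --dport 22 -s "$SSH_NET" -m state --state NEW \
        -m comment --comment "admin ssh" -j ACCEPT
    ipt -A INPUT -p tcp -m multiport --dports 80,443 -m state --state NEW \
        -m comment --comment "public web" -j ACCEPT
    ipt -A INPUT -p icmp --icmp-type echo-request -m limit --limit 10/sec -j ACCEPT

    # Everything else: log a sample, then reject so clients fail fast
    # instead of timing out (TCP gets a RST, the rest an ICMP error).
    ipt -A INPUT -m limit --limit 3/min --limit-burst 10 \
        -j LOG --log-prefix "input-reject: "
    ipt -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    ipt -A INPUT -j REJECT --reject-with icmp-port-unreachable
}

# Load the rules only when explicitly asked, so the file can also be
# sourced for its functions.
if [ "${1:-}" = "--apply" ]; then
    host_firewall
fi
```

Run `DRY_RUN=1 sh host-fw.sh --apply` to review the generated rules, then `sh host-fw.sh --apply` as root to load them. RETURN inside SYN_LIMIT resumes INPUT right after the jump, so a SYN that is within its source's budget still has to match one of the NEW rules to be accepted; one that is over budget never reaches them.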
config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  1) Web browsers connect, then hang with no data received.
	  2) Small mail works fine, but large emails hang.
	  3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall

	    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	    	-j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets
config IP_NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_NEEDED
	depends on IP_NF_NAT != n

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on IP_NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on IP_NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

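Worked example (added here; not from the kernel tree or the iptables project): a NAT gateway that combines MASQUERADE, REDIRECT, the TCPMSS clamp and the FTP/TFTP helpers from this menu with stateful forwarding. Interface names, the LAN prefix and the proxy port are placeholders; the module names are those of the ip_conntrack/ip_nat helpers listed above. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: NAT gateway for a LAN behind a dynamic WAN address, using
# MASQUERADE, REDIRECT, TCPMSS and the FTP/TFTP helpers from this menu.
# Interface names, the LAN prefix and the proxy port are placeholders.
# DRY_RUN=1 prints the commands instead of executing them.
set -e

WAN="${WAN:-ppp0}"
LAN="${LAN:-eth1}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
PROXY_PORT="${PROXY_PORT:-3128}"

ipt() { ${DRY_RUN:+echo} iptables "$@"; }
run() { ${DRY_RUN:+echo} "$@"; }

nat_gateway() {
    # Helpers come in pairs: the conntrack half recognises the data channel
    # as RELATED, the NAT half rewrites the addresses carried inside the
    # control channel. Load only what is needed; each one parses payloads.
    run modprobe ip_conntrack_ftp
    run modprobe ip_nat_ftp
    run modprobe ip_conntrack_tftp
    run modprobe ip_nat_tftp
    run sysctl -w net.ipv4.ip_forward=1

    ipt -t nat -F
    ipt -F FORWARD
    ipt -P FORWARD DROP

    # MASQUERADE rather than SNAT: the WAN address changes on every dialup,
    # and masqueraded connections are dropped when the interface goes down.
    ipt -t nat -A POSTROUTING -s "$LAN_NET" -o "$WAN" -j MASQUERADE

    # Transparent proxy: LAN web traffic is diverted to a local proxy port.
    ipt -t nat -A PREROUTING -i "$LAN" -p tcp --dport 80 \
        -j REDIRECT --to-ports "$PROXY_PORT"

    # Packets arriving on the WAN side that claim a LAN source are spoofed.
    ipt -A FORWARD -i "$WAN" -s "$LAN_NET" -j DROP

    # The MSS clamp is not terminating, but it must precede every ACCEPT
    # or the SYN is forwarded before its MSS has been rewritten.
    ipt -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

    # Stateful forwarding: the LAN may open connections outward; only
    # replies and helper-expected channels (RELATED) come back in.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -j REJECT --reject-with icmp-host-prohibited
}

if [ "${1:-}" = "--apply" ]; then
    nat_gateway
fi
```

The REDIRECT rule only catches connections the LAN hosts initiate themselves; because NAT decisions are made on the first packet of a connection and stored in the conntrack entry, a proxy started after the rules are loaded still sees every later connection, but existing ones keep their original mapping.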
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on IP_NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	depends on IP_NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_DSCP
	tristate "DSCP target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `DSCP' target, which allows you to alter the
	  IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint is a 6-bit value and can have any value between
	  0x0 and 0x3f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLASSIFY
	tristate "CLASSIFY target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	    atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CONNMARK
	tristate 'CONNMARK target support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value. Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  ipt_CONNMARK.o. If unsure, say `N'.

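Worked example (added here; not kernel code): the CONNMARK save/restore pattern that keeps every packet of a connection on the uplink the connection arrived on, using MARK, CONNMARK, the mark match and policy routing keyed on the packet mark. The two uplinks, their gateways and the routing table numbers are placeholders. DRY_RUN=1 prints the commands instead of executing them.

```shell
#!/bin/sh
# Added example: per-connection uplink selection with MARK/CONNMARK and
# fwmark policy routing. Interfaces, gateways and table numbers are
# placeholders. DRY_RUN=1 prints the commands instead of executing them.
set -e

WAN1="${WAN1:-eth0}"; GW1="${GW1:-203.0.113.1}"
WAN2="${WAN2:-eth2}"; GW2="${GW2:-198.51.100.1}"

ipt() { ${DRY_RUN:+echo} iptables "$@"; }
run() { ${DRY_RUN:+echo} "$@"; }

mark_routing() {
    # One routing table per uplink, selected by the packet mark (fwmark).
    run ip route replace default via "$GW1" dev "$WAN1" table 101
    run ip route replace default via "$GW2" dev "$WAN2" table 102
    run ip rule add fwmark 1 table 101
    run ip rule add fwmark 2 table 102

    ipt -t mangle -F PREROUTING
    ipt -t mangle -F OUTPUT

    # 1. Copy the connection mark onto the packet. For a connection that
    #    was classified earlier this sets the mark and we are done.
    ipt -t mangle -A PREROUTING -j CONNMARK --restore-mark
    ipt -t mangle -A PREROUTING -m mark ! --mark 0 -j ACCEPT

    # 2. A new connection is tagged with the uplink it came in on ...
    ipt -t mangle -A PREROUTING -i "$WAN1" -m state --state NEW -j MARK --set-mark 1
    ipt -t mangle -A PREROUTING -i "$WAN2" -m state --state NEW -j MARK --set-mark 2

    # 3. ... and the packet mark is stored in the conntrack entry, so all
    #    later packets of the connection, in both directions, get it in 1.
    ipt -t mangle -A PREROUTING -m mark ! --mark 0 -j CONNMARK --save-mark

    # Locally generated replies traverse OUTPUT, not PREROUTING: restore
    # the connection mark there too so the fwmark rules pick the table.
    ipt -t mangle -A OUTPUT -j CONNMARK --restore-mark
}

if [ "${1:-}" = "--apply" ]; then
    mark_routing
fi
```

The mark lives in the conntrack entry, not in the packet, which is why the restore has to happen on every path a packet can take (PREROUTING for forwarded and incoming traffic, OUTPUT for locally generated traffic) before the routing decision that consults the fwmark.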
config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_TARGET_NOTRACK
	tristate 'NOTRACK target support'
	depends on IP_NF_CONNTRACK
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

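Worked example (added here; not kernel code): exempting an authoritative DNS server's UDP traffic from connection tracking with the raw table and NOTRACK, together with the consequence a ruleset has to absorb: those packets carry the state UNTRACKED rather than NEW or ESTABLISHED, so the usual ESTABLISHED,RELATED rule never matches them, and they get no NAT and no helper. The conntrack_usage check reads the ip_conntrack files of this kernel generation (/proc/net/ip_conntrack and /proc/sys/net/ipv4/ip_conntrack_max); the paths are parameters so it can be pointed at copies. DRY_RUN=1 prints the iptables commands instead of executing them.

```shell
#!/bin/sh
# Added example: keep a busy DNS server's UDP queries out of conntrack with
# raw/NOTRACK, accept them explicitly, and measure how full the table is.
# DRY_RUN=1 prints the iptables commands instead of executing them.
set -e

ipt() { ${DRY_RUN:+echo} iptables "$@"; }

dns_notrack() {
    # raw is traversed before conntrack: these packets never get an entry,
    # so they cost no table slot, but also get no NAT, no INVALID check and
    # no helper. Both directions are needed; replies are caught in OUTPUT.
    ipt -t raw -A PREROUTING -p udp --dport 53 -j NOTRACK
    ipt -t raw -A OUTPUT -p udp --sport 53 -j NOTRACK

    # Untracked packets have state UNTRACKED, so a plain ESTABLISHED,RELATED
    # rule does not match them: they must be accepted explicitly.
    ipt -A INPUT -p udp --dport 53 -m state --state UNTRACKED -j ACCEPT
    ipt -A OUTPUT -p udp --sport 53 -m state --state UNTRACKED -j ACCEPT
}

# How full is the conntrack table? Prints "used max percent". The file
# paths are parameters so the check can also run against saved copies.
conntrack_usage() {
    table="${1:-/proc/net/ip_conntrack}"
    maxfile="${2:-/proc/sys/net/ipv4/ip_conntrack_max}"
    used=$(( $(wc -l < "$table") ))
    max=$(( $(cat "$maxfile") ))
    echo "$used $max $((used * 100 / max))"
}

if [ "${1:-}" = "--apply" ]; then
    dns_notrack
fi
```

Run conntrack_usage before and after loading the rules: a table that sits near ip_conntrack_max is the case NOTRACK exists for, since once it is full new connections are dropped for every service, not only DNS.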
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endmenu
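Worked example (added here; not kernel code): using arptables to pin the gateway and other critical hosts to their known hardware addresses, so that an ARP packet which claims one of those IP addresses from a different MAC is dropped before it can update this host's ARP cache. The address list is a constructed placeholder. DRY_RUN=1 prints the arptables commands instead of executing them.

```shell
#!/bin/sh
# Added example: anti-ARP-spoofing with arptables. Drops ARP packets whose
# sender IP is one of the pinned hosts but whose sender MAC is not the
# known one. The host list is a placeholder; DRY_RUN=1 echoes instead.
set -e

# "ip mac" pairs for hosts whose ARP entries must not be poisoned.
PINNED_HOSTS="
192.168.1.1 00:11:22:33:44:55
192.168.1.10 66:77:88:99:aa:bb
"

arpt() { ${DRY_RUN:+echo} arptables "$@"; }

arp_pin() {
    arpt -F INPUT
    printf '%s\n' "$PINNED_HOSTS" | while read -r ip mac; do
        [ -n "$ip" ] || continue
        # Any ARP packet claiming this IP from another hardware address
        # (request or reply, unicast or broadcast) is dropped on input.
        arpt -A INPUT --source-ip "$ip" ! --source-mac "$mac" -j DROP
    done
}

if [ "${1:-}" = "--apply" ]; then
    arp_pin
fi
```

This protects only the host the rules are loaded on; every machine on the segment that must be resistant to ARP spoofing needs the same pinning, and the list has to be updated whenever one of the pinned hosts changes its hardware.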