# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation,
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc.) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_IPRANGE
	tristate '"iprange" match support'
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate '"recent" match support'
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'.
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate '"ah" match support'
	depends on IP_NF_IPTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than the packet being silently dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table that record the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option enables the old IPv4-only "ipt_ULOG" implementation,
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target,
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.
# NAT + specific targets: nf_conntrack
config NF_NAT
	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on the next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support (OBSOLETE)"
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_NAT
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match the IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#	<expr> '&&' <expr>				(6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
	depends on NF_NAT && NF_CT_PROTO_GRE

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP
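The comment above spells out the tristate arithmetic behind the `default NF_NAT && NF_CONNTRACK_FTP` lines that follow it: `&&` yields the weaker of its operands in the order n < m < y, so a NAT helper is never built more strongly than the weaker of NF_NAT and its conntrack helper. As an added illustration (not code from the kernel tree), here is a small evaluator for such expressions; it also implements `||` as the maximum and `!` as 2 minus the value, as kconfig-language.txt defines them.

```python
# Added example, not part of the kernel's Kconfig: a small evaluator for
# kconfig tristate expressions. Values are ordered n < m < y; '&&' is the
# minimum, '||' the maximum and '!' is 2 - value, as kconfig-language.txt
# specifies. Symbols missing from the configuration evaluate to 'n'.
import re

ORDER = {"n": 0, "m": 1, "y": 2}
NAME = {0: "n", 1: "m", 2: "y"}
TOKEN = re.compile(r"&&|\|\||[!()]|[A-Za-z0-9_]+|\S")  # whitespace is skipped
SYMBOL = re.compile(r"[A-Za-z0-9_]+")

def evaluate(expr, config):
    """Evaluate expr against {symbol: 'y'|'m'|'n'}; precedence is ! > && > ||."""
    tokens = TOKEN.findall(expr)          # consumed left to right with pop(0)
    def peek(): return tokens[0] if tokens else None

    def parse_or():                       # <expr> '||' <expr>  ->  max()
        value = parse_and()
        while peek() == "||":
            tokens.pop(0)
            value = max(value, parse_and())
        return value

    def parse_and():                      # <expr> '&&' <expr>  ->  min()
        value = parse_unary()
        while peek() == "&&":
            tokens.pop(0)
            value = min(value, parse_unary())
        return value

    def parse_unary():
        tok = peek()
        if tok == "!":                    # '!' <expr>  ->  2 - value
            tokens.pop(0)
            return 2 - parse_unary()
        if tok == "(":
            tokens.pop(0)
            value = parse_or()
            if peek() != ")":
                raise ValueError("missing ')' in %r" % expr)
            tokens.pop(0)
            return value
        if tok is None or not SYMBOL.fullmatch(tok):
            raise ValueError("expected a symbol, got %r" % tok)
        return ORDER[config.get(tokens.pop(0), "n")]

    result = parse_or()
    if tokens:
        raise ValueError("trailing tokens: %r" % tokens)
    return NAME[result]
```

With NF_NAT=y and NF_CONNTRACK_FTP=m the FTP helper defaults to m; with NF_CONNTRACK_FTP unset it defaults to n, which is the "whichever is weaker" rule the comment describes.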
# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endmenu
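Several options in this menu are labelled OBSOLETE or EXPERIMENTAL, and the TTL target's help text calls setting arbitrary TTLs EXTREMELY DANGEROUS. The following script is an added example, not kernel code: it reads a kernel `.config` and reports which of those options are built in or as modules, so a kernel build can be checked before it ships. The `.config` fragment inside it is constructed for the demonstration.

```python
# Added example, not part of the kernel's Kconfig: report which of the
# netfilter options this menu labels OBSOLETE, EXPERIMENTAL or dangerous
# are enabled (y or m) in a kernel .config. The sample .config is constructed.
import re

# Option names and the labels come from the Kconfig help texts above.
FLAGGED = {
    "CONFIG_IP_NF_TARGET_ULOG": "OBSOLETE: superseded by nfnetlink_log",
    "CONFIG_IP_NF_TARGET_SAME": "OBSOLETE SAME target",
    "CONFIG_IP_NF_TARGET_TTL": "TTL target can create immortal packets",
    "CONFIG_NF_NAT_SNMP_BASIC": "EXPERIMENTAL SNMP ALG rewrites payloads",
    "CONFIG_IP_NF_TARGET_CLUSTERIP": "EXPERIMENTAL",
    "CONFIG_NF_CONNTRACK_PROC_COMPAT": "legacy /proc names for old tools only",
}

# A .config line is either CONFIG_X=value or '# CONFIG_X is not set'.
# Values containing whitespace (quoted strings) are skipped; they are not
# tristates anyway.
LINE = re.compile(r"^(?:(CONFIG_\w+)=(\S+)|# (CONFIG_\w+) is not set)$")

def parse_dotconfig(text):
    """Map each option to its value; '# CONFIG_X is not set' becomes 'n'."""
    values = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            values[m.group(1) or m.group(3)] = m.group(2) or "n"
    return values

def audit(text):
    """Return (option, value, reason) for flagged options built as y or m."""
    values = parse_dotconfig(text)
    return [(opt, values[opt], why) for opt, why in FLAGGED.items()
            if values.get(opt, "n") in ("y", "m")]

# Constructed sample .config fragment for the demonstration.
SAMPLE = """\
CONFIG_NF_CONNTRACK_IPV4=m
# CONFIG_NF_CONNTRACK_PROC_COMPAT is not set
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_TARGET_ULOG=m
# CONFIG_IP_NF_TARGET_SAME is not set
CONFIG_IP_NF_TARGET_TTL=y
"""

if __name__ == "__main__":
    for opt, val, why in audit(SAMPLE):
        print("%s=%s  %s" % (opt, val, why))
```

To check a running system, pass the contents of /boot/config-$(uname -r) or a decompressed /proc/config.gz to audit() instead of SAMPLE.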