# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	depends on NF_NAT_IPV4 && NFT_NAT
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4

	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_PROTO_GRE
	depends on NF_CT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.
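# Added example, not part of this Kconfig or of the kernel: a simplified Python
# model of the reverse path check the rpfilter match performs. The routing
# table, interface names and (source, ingress interface) pairs are constructed;
# the strict default and the loose=True variant mirror the match's default
# behaviour and its --loose option.

```python
"""Simplified model of a reverse path filter check (added example, not kernel code)."""
import ipaddress

# Constructed routing table: (destination prefix, outgoing interface).
# The real match consults the kernel FIB for the packet's source address.
ROUTES = [
    ("0.0.0.0/0", "wan0"),          # default route
    ("10.0.0.0/8", "lan0"),
    ("10.1.0.0/16", "lan1"),         # more specific than 10.0.0.0/8
    ("192.168.5.0/24", "dmz0"),
]


def route_lookup(table, addr):
    """Longest-prefix match: the interface a packet *to* addr would leave
    through, or None when the table has no matching route."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def rpfilter_match(table, src, in_if, loose=False):
    """True when a reply to src would be routed back out through in_if.

    loose=True models the match's --loose option (any route to src is
    enough); the default is the strict check the help text describes."""
    out_if = route_lookup(table, src)
    if out_if is None:          # unroutable source address: never matches
        return False
    return True if loose else out_if == in_if


def filter_ingress(table, packets):
    """Apply 'drop what rpfilter does not match' (the usual --invert -j DROP
    rule) to constructed (src, in_if) pairs; returns the dropped ones."""
    return [(src, in_if) for src, in_if in packets
            if not rpfilter_match(table, src, in_if)]


if __name__ == "__main__":
    # Constructed sample: a public source arriving on a LAN port is spoofed.
    sample = [("10.1.2.3", "lan1"), ("10.1.2.3", "lan0"),
              ("8.8.8.8", "lan0"), ("8.8.8.8", "wan0")]
    for dropped in filter_ingress(ROUTES, sample):
        print("drop", dropped)
```

# The usual deployment is the rule from the iptables-extensions man page,
# `iptables -t raw -A PREROUTING -m rpfilter --invert -j DROP`, which drops
# exactly the packets filter_ingress() reports.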
config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage during
	  SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.
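# Added example, not kernel code: a simplified SYN proxy in Python showing the
# mechanism the SYNPROXY help text describes. A SYN is answered with a SYN-ACK
# whose sequence number is a keyed cookie, nothing is stored, and backend state
# is created only when a client returns a valid ACK. The cookie layout, secret,
# MSS table and time slot are constructed simplifications, not the kernel's
# syncookie encoding; addresses and ports in the demo are constructed too.

```python
"""Simplified SYN proxy with stateless SYN cookies (added example, not kernel code)."""
import hashlib
import hmac
import ipaddress
import struct
import time

SECRET = b"constructed-example-secret"   # constructed; real code uses random per-boot keys
MSS_TABLE = [536, 1300, 1440, 1460]     # MSS values encoded in the cookie's two low bits
TIME_SLOT = 64                          # seconds; a cookie is valid for this slot and the previous one
MASK32 = 0xFFFFFFFF


def _keyed_hash(src, dst, sport, dport, slot):
    """32-bit keyed hash over the 4-tuple and the time slot."""
    msg = struct.pack("!4s4sHHI", ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed, sport, dport, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:4], "big")


def make_cookie(src, dst, sport, dport, mss, now):
    """SYN-ACK initial sequence number: 30 bits of keyed hash plus a 2-bit index
    of the largest MSS we support that does not exceed the client's. No state."""
    slot = int(now // TIME_SLOT)
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (_keyed_hash(src, dst, sport, dport, slot) & 0xFFFFFFFC) | idx


def check_cookie(src, dst, sport, dport, ack, now):
    """Return the MSS encoded in the cookie if ack-1 is a cookie we issued in the
    current or previous time slot, else None (stale, forged or unsolicited ACK)."""
    cookie = (ack - 1) & MASK32
    slot = int(now // TIME_SLOT)
    for s in (slot, slot - 1):
        expect = _keyed_hash(src, dst, sport, dport, s) & 0xFFFFFFFC
        if hmac.compare_digest(expect.to_bytes(4, "big"),
                               (cookie & 0xFFFFFFFC).to_bytes(4, "big")):
            return MSS_TABLE[cookie & 3]
    return None


class SynProxy:
    """Front for one backend service. on_syn allocates no per-flow state, so a
    SYN flood costs one hash per packet; state appears only after on_ack validates."""

    def __init__(self, server_ip, server_port, clock=time.time):
        self.server = (server_ip, server_port)
        self.clock = clock
        self.established = []   # flows handed to the backend: the only state kept

    def on_syn(self, src, sport, mss):
        """Returns the SYN-ACK sequence number to send back to the client."""
        return make_cookie(src, self.server[0], sport, self.server[1], mss, self.clock())

    def on_ack(self, src, sport, ack):
        """Validate the client's ACK; only then open the backend connection."""
        mss = check_cookie(src, self.server[0], sport, self.server[1], ack, self.clock())
        if mss is None:
            return False
        self.established.append((src, sport, mss))
        return True


# Rule pattern from the SYNPROXY section of the iptables-extensions man page, for a
# service on port 80 behind eth0 (with sysctl net.netfilter.nf_conntrack_tcp_loose=0):
#   iptables -t raw -A PREROUTING -i eth0 -p tcp -m tcp --syn --dport 80 -j CT --notrack
#   iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m conntrack --ctstate INVALID,UNTRACKED \
#            -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
#   iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -m conntrack --ctstate INVALID -j DROP
```

# The untracked SYN never reaches conntrack; the kernel target replays the
# handshake to the server only for the ACKs that pass the cookie check, which
# is what SynProxy.established models.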
# NAT + specific targets: nf_conntrack
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.
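# Added example, not kernel code: a simplified Python model of what the NAT
# help texts above describe for the MASQUERADE case. Outbound flows are
# rewritten to the egress interface's current address with a unique source
# port (Network Address Port Translation), replies are mapped back through the
# same table, unsolicited inbound packets find no mapping, and every mapping is
# lost when the interface goes down. Addresses, ports and the port range are
# constructed; the kernel's real allocator and conntrack tuples are richer.

```python
"""Simplified MASQUERADE / NAPT mapping table (added example, not kernel code)."""


class Masquerade:
    def __init__(self, iface_addr, port_range=(32768, 60999)):
        self.iface_addr = iface_addr        # current address of the egress interface
        self.port_range = port_range        # constructed range to allocate from
        # (proto, src, sport, dst, dport) -> translated source port
        self.outbound = {}
        # (proto, remote addr, remote port, translated port) -> (src, sport)
        self.reply = {}

    def _alloc_port(self, proto, dst, dport, wanted):
        """Keep the original source port when it is free for this peer, otherwise
        take the first free port in the range so the 5-tuple stays unique."""
        if (proto, dst, dport, wanted) not in self.reply:
            return wanted
        lo, hi = self.port_range
        for port in range(lo, hi + 1):
            if (proto, dst, dport, port) not in self.reply:
                return port
        raise RuntimeError("no free port for this destination")

    def translate_out(self, proto, src, sport, dst, dport):
        """Packet leaving through the masqueraded interface: returns the rewritten
        (src, sport, dst, dport). Existing flows keep their mapping."""
        key = (proto, src, sport, dst, dport)
        if key not in self.outbound:
            port = self._alloc_port(proto, dst, dport, sport)
            self.outbound[key] = port
            self.reply[(proto, dst, dport, port)] = (src, sport)
        return (self.iface_addr, self.outbound[key], dst, dport)

    def translate_in(self, proto, src, sport, dst, dport):
        """Packet arriving on the interface: undo the mapping for a known reply, or
        None for anything unsolicited (there is no inside host to deliver it to)."""
        if dst != self.iface_addr:
            return None
        orig = self.reply.get((proto, src, sport, dport))
        if orig is None:
            return None
        return (src, sport, orig[0], orig[1])

    def iface_down(self, new_addr=None):
        """Link loss: all mappings are lost, and a dynamic address may differ on
        the next link-up, so existing connections cannot resume."""
        self.outbound.clear()
        self.reply.clear()
        if new_addr is not None:
            self.iface_addr = new_addr


if __name__ == "__main__":
    nat = Masquerade("203.0.113.5")
    print(nat.translate_out("tcp", "192.168.1.10", 50000, "198.51.100.1", 443))
    print(nat.translate_out("tcp", "192.168.1.11", 50000, "198.51.100.1", 443))
    print(nat.translate_in("tcp", "198.51.100.1", 443, "203.0.113.5", 32768))
```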
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

# mangle + specific targets
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.
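# Added example, not kernel code: the IPv4 header rewrite that the mangle-table
# ECN and TTL targets above perform, shown in Python on constructed packets.
# Clearing the ECN bits (ECT/CE) or overwriting the TTL changes header bytes, so
# the header checksum must be recomputed or the packet is discarded downstream;
# the example does both and verifies the result. Only the IPv4 header is
# touched here; the real ECN target's --ecn-tcp-remove also clears the TCP
# ECE/CWR flags, which this example does not model.

```python
"""ECN-bit clearing and TTL rewrite with IPv4 checksum recompute (added example, not kernel code)."""
import ipaddress
import struct


def ip_checksum(header):
    """RFC 1071 one's-complement checksum. Over a header whose checksum field is
    zero it yields the value to store; over a correct header it yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, ttl=64, tos=0, proto=6, payload=b""):
    """Constructed 20-byte IPv4 header (no options) followed by payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0x1234,
                      0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def _rewrite_byte(packet, offset, value):
    """Change one header byte and refresh the header checksum."""
    ihl = (packet[0] & 0x0F) * 4
    hdr = bytearray(packet[:ihl])
    hdr[offset] = value
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]


def clear_ecn(packet):
    """ECN target: clear the two ECN bits of the TOS byte, keep the DSCP bits."""
    return _rewrite_byte(packet, 1, packet[1] & 0xFC)


def set_ttl(packet, ttl):
    """TTL target (--ttl-set): overwrite the TTL field."""
    if not 0 <= ttl <= 255:
        raise ValueError("TTL must fit in one byte")
    return _rewrite_byte(packet, 8, ttl)


def header_valid(packet):
    """True when the IPv4 header checksum verifies."""
    ihl = (packet[0] & 0x0F) * 4
    return ip_checksum(packet[:ihl]) == 0


def ecn_bits(packet):
    """The two ECN bits of the TOS byte (0 = Not-ECT)."""
    return packet[1] & 0x03


# Corresponding mangle-table rules, options as documented in iptables-extensions(8):
#   iptables -t mangle -A POSTROUTING -p tcp -j ECN --ecn-tcp-remove
#   iptables -t mangle -A POSTROUTING -j TTL --ttl-set 64
```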
# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

endif # IP_NF_IPTABLES

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES