# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	depends on NETFILTER_ADVANCED
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc.) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_IPRANGE
	tristate '"iprange" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option makes it possible to match IP addresses against IP address

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate '"recent" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'.
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.
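The list-and-match behaviour the "recent" help text describes, modelled in Python as an added example (this is not code from the kernel or the ipt_recent project): one list per name, the `--set`, `--rcheck` and `--update` operations with `--seconds` and `--hitcount`, and the common two-rule SSH connection limiter replayed over constructed events. The ruleset, the 20-stamp ring size and the event times are assumptions, not taken from this file.

```python
"""Model of the iptables "recent" match (added example, not the kernel's xt_recent).

Each list stores, per source address, the times of its recent hits.
--set records a hit; --rcheck and --update match when at least --hitcount
hits fall within the last --seconds, and --update also records a hit, but
only when it matched.  Constructed assumptions: 20 timestamps per address
(the module's default ip_pkt_list_tot) and whole seconds for time.
"""
from collections import defaultdict, deque

STAMPS_PER_ADDR = 20


class RecentList:
    def __init__(self):
        self.stamps = defaultdict(lambda: deque(maxlen=STAMPS_PER_ADDR))

    def set(self, addr, now):
        """--set: record a hit for addr; always matches."""
        self.stamps[addr].append(now)
        return True

    def check(self, addr, now, seconds=0, hitcount=0, update=False):
        """--rcheck (update=False) or --update (update=True)."""
        if addr not in self.stamps:
            return False
        oldest = now - seconds
        hits = sum(1 for t in self.stamps[addr] if not seconds or t >= oldest)
        matched = hits >= max(hitcount, 1)     # hitcount 0 means "any hit"
        if matched and update:
            self.stamps[addr].append(now)
        return matched


def ssh_verdicts(events, seconds=60, hitcount=4):
    """Replay (time, src) new connections to port 22 through the classic
    two-rule limiter (a constructed ruleset, in iptables-save form):
        -A INPUT -p tcp --dport 22 --syn -m recent --set --name SSH
        -A INPUT -p tcp --dport 22 --syn -m recent --update --seconds 60
            --hitcount 4 --name SSH -j DROP
    The fourth new connection from one address within 60 s is dropped."""
    ssh = RecentList()
    verdicts = []
    for now, src in events:
        ssh.set(src, now)                      # rule 1: always records a hit
        dropped = ssh.check(src, now, seconds, hitcount, update=True)
        verdicts.append("DROP" if dropped else "ACCEPT")
    return verdicts
```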
config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate '"ah" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# `filter', generic and specific targets
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target,
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on the next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.
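The 1:1 network-part mapping NETMAP performs, worked through in Python as an added example rather than the kernel's own ipt_NETMAP code. The prefixes, packet tuples and rule order are constructed; the arithmetic is generalised to any prefix length and to IPv6 via the ipaddress module, and only the original direction of a new connection is modelled (conntrack reverses it for replies).

```python
"""Static 1:1 NETMAP translation (added example, not the kernel's ipt_NETMAP code).

NETMAP rewrites only the network part of an address and keeps the host part
intact: 10.0.1.0/24 -> 192.168.7.0/24 turns 10.0.1.42 into 192.168.7.42, and
the reverse mapping is exact, which is what makes it a static 1:1 NAT.  The
ipaddress module does the mask arithmetic the kernel does with netmasks.
"""
import ipaddress


def netmap(addr, from_net, to_net):
    """Move addr from from_net into to_net, preserving its host bits."""
    src = ipaddress.ip_network(from_net)
    dst = ipaddress.ip_network(to_net)
    ip = ipaddress.ip_address(addr)
    if src.prefixlen != dst.prefixlen or src.version != dst.version:
        raise ValueError("NETMAP needs two prefixes of the same length")
    if ip not in src:
        raise ValueError(f"{ip} is outside {src}")
    host_part = int(ip) & int(src.hostmask)          # host bits stay as they are
    return str(ipaddress.ip_address(int(dst.network_address) | host_part))


def translate(packet, prerouting, postrouting):
    """Apply nat-table NETMAP rules to a new connection's (src, dst):
    PREROUTING rules rewrite the destination, POSTROUTING rules the source.
    Rules are (match_net, to_net) pairs; the first matching rule wins, and
    conntrack would undo the change for the reply direction."""
    src, dst = packet
    for match_net, to_net in prerouting:
        if ipaddress.ip_address(dst) in ipaddress.ip_network(match_net):
            dst = netmap(dst, match_net, to_net)
            break
    for match_net, to_net in postrouting:
        if ipaddress.ip_address(src) in ipaddress.ip_network(match_net):
            src = netmap(src, match_net, to_net)
            break
    return src, dst
```

The second pair of assertions in the usage models a branch router that presents its overlapping 10.0.0.0/24 as 172.16.1.0/24 to the rest of the VPN, which is the conflicting-address case NETMAP exists for.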
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_NAT
	depends on NETFILTER_ADVANCED
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
# <expr> '&&' <expr> (6)
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
	depends on NF_NAT && NF_CT_PROTO_GRE

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP
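The "whichever is weaker" rule the comment above quotes from kconfig-language.txt, as an added Python evaluator (not part of Kconfig's own tooling) that evaluates this file's `depends on` and `default NF_NAT && NF_CONNTRACK_FTP` expressions against a constructed symbol assignment; the `||`, `!` and `=` operators follow the same document's definitions and are included for completeness.

```python
"""Kconfig tristate evaluator (added example, not the kernel's own kconfig code).

Values form the lattice n < m < y; as the comment above quotes, '&&' is
min(), and kconfig-language.txt defines '||' as max(), '!x' as y - x and
'A=B' as y or n.  Hence `default NF_NAT && NF_CONNTRACK_FTP` follows the
weaker side: a module on either side makes the NAT helper default to m.
"""
import re

RANK = {"n": 0, "m": 1, "y": 2}
LEVEL = "nmy"


def evaluate(expr, config):
    """Return 'n', 'm' or 'y' for expr under config = {symbol: value}.
    Unset symbols are 'n', exactly as in Kconfig; n, m and y are literals."""
    toks = re.findall(r"&&|\|\||[!()=]|\w+", expr)
    pos = 0

    def value(name):
        return config.get(name, name if name in RANK else "n")

    def atom():
        nonlocal pos
        tok = toks[pos]
        pos += 1
        if tok == "(":
            inner = or_expr()
            pos += 1                          # consume ')'
            return inner
        if tok == "!":
            return 2 - atom()                 # !y = n, !m = m, !n = y
        if pos < len(toks) and toks[pos] == "=":
            rhs = toks[pos + 1]
            pos += 2
            return 2 if value(tok) == value(rhs) else 0
        return RANK[value(tok)]

    def and_expr():
        nonlocal pos
        result = atom()
        while pos < len(toks) and toks[pos] == "&&":
            pos += 1
            result = min(result, atom())      # (6): min(expr, expr)
        return result

    def or_expr():
        nonlocal pos
        result = and_expr()
        while pos < len(toks) and toks[pos] == "||":
            pos += 1
            result = max(result, and_expr())  # max(expr, expr)
        return result

    return LEVEL[or_expr()]
```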
# mangle + specific targets
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.