# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# connection tracking, helpers and protocols
config IP_NF_CONNTRACK
	tristate "Connection tracking (required for masq/NAT)"
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT). It can also be used to
	  enhance packet filtering (see `Connection state match support'

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the

config IP_NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on IP_NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config IP_NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

config IP_NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  With this option enabled, the connection tracking code will
	  be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_IRC
	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_TFTP
	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_AMANDA
	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.
config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP_NF_IPTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP_NF_IPTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PKTTYPE
	tristate "Packet type match support"
	depends on IP_NF_IPTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP_NF_IPTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH_ESP
	tristate "AH/ESP match support"
	depends on IP_NF_IPTABLES
	help
	  These two match extensions (`ah' and `esp') allow you to match a
	  range of SPIs inside AH or ESP headers of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_LENGTH
	tristate "LENGTH match support"
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TCPMSS
	tristate "tcpmss match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_HELPER
	tristate "Helper match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, i.e. ip_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_MATCH_STATE
	tristate "Connection state match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_CONNTRACK
	tristate "Connection tracking match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_REALM
	tristate 'realm match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_SCTP
	tristate 'SCTP protocol match support'
	depends on IP_NF_IPTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_DCCP
	tristate 'DCCP protocol match support'
	depends on IP_NF_IPTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_COMMENT
	tristate 'comment match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_CONNMARK
	tristate 'Connection mark match support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  ipt_connmark.o. If unsure, say `N'.

config IP_NF_MATCH_CONNBYTES
	tristate 'Connection byte/packet counter match support'
	depends on IP_NF_CT_ACCT && IP_NF_IPTABLES
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_HASHLIMIT
	tristate 'hashlimit match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a new iptables `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  ip addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination IP' or `500pps from any given source IP' with a single

config IP_NF_MATCH_STRING
	tristate 'string match support'
	depends on IP_NF_IPTABLES
	select TEXTSEARCH_KMP
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  pattern matchings in packets.

	  To compile it as a module, choose M here. If unsure, say N.
# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target,
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large

	  1) Web browsers connect, then hang with no data received.
	  2) Small mail works fine, but large emails hang.
	  3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.
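A filter-table ruleset for a small gateway, added here as an example (it is not code from the kernel tree), that exercises the conntrack state, helper, limit, recent, hashlimit and pkttype matches and the LOG and REJECT targets described above. The interface names and the SSH port are assumptions.

```shell
#!/bin/sh
# Added example: filter table for a gateway with one WAN and one LAN
# interface. Interface names are assumptions; override them via the
# environment.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}

filter_rules() {
	# Emits the table in iptables-restore format so it is loaded
	# atomically: either every rule below is active or none is.
	cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:LOGDROP - [0:0]
:SYNCHECK - [0:0]
# LOG is rate limited (limit match) so a packet flood cannot fill syslog.
-A LOGDROP -m limit --limit 5/min --limit-burst 10 -j LOG --log-prefix "fw-drop: "
-A LOGDROP -j DROP
# Per-source SYN budget: hashlimit keeps one token bucket per source address,
# so a single host exhausting its budget does not affect the others.
-A SYNCHECK -m hashlimit --hashlimit 20/sec --hashlimit-burst 40 --hashlimit-mode srcip --hashlimit-name syn -j RETURN
-A SYNCHECK -j LOGDROP
# Local input: packets of tracked connections first, then explicit services.
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state INVALID -j DROP
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN -p tcp --syn -j SYNCHECK
# SSH: the recent match blocks a source after 4 new connections in 60 s.
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --update --seconds 60 --hitcount 4 -j LOGDROP
-A INPUT -p tcp --dport 22 -m state --state NEW -m recent --name ssh --set -j ACCEPT
# REJECT ident with a TCP reset so remote mail servers do not stall on it.
-A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset
# Broadcasts are noise on a gateway: drop them without logging.
-A INPUT -m pkttype --pkt-type broadcast -j DROP
-A INPUT -j LOGDROP
# Forwarding: RELATED is accepted only for ICMP errors and for the data
# connections expected by the FTP helper, not for every helper that is loaded.
-A FORWARD -m state --state INVALID -j DROP
-A FORWARD -m state --state ESTABLISHED -j ACCEPT
-A FORWARD -p icmp -m state --state RELATED -j ACCEPT
-A FORWARD -m state --state RELATED -m helper --helper ftp -j ACCEPT
-A FORWARD -i $LAN -o $WAN -m state --state NEW -j ACCEPT
-A FORWARD -j LOGDROP
COMMIT
EOF
}

rule_count() {
	# Number of -A rules the generator emits (used as a quick self-check).
	filter_rules | grep -c '^-A '
}

apply_filter_rules() {
	# Replaces the live filter table; needs root and the modules above.
	filter_rules | iptables-restore
}
```

Every module the rules touch (ipt_state, ipt_helper, ipt_limit, ipt_recent, ipt_hashlimit, ipt_pkttype, ipt_LOG, ipt_REJECT) must be built or loadable, or iptables-restore rejects the whole table.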
# NAT + specific targets
config IP_NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_NEEDED
	bool
	depends on IP_NF_NAT != n
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on IP_NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on IP_NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on IP_NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	depends on IP_NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m
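Because the helper NAT entries above take their value from whichever of their conntrack and NAT prerequisites is weaker, a built kernel can quietly lack an option a ruleset relies on. The script below is an added example (not part of the kernel tree) that audits a kernel .config against the `depends on` relations this file declares; the sample .config it embeds is constructed for the example.

```shell
#!/bin/sh
# Added example: check a kernel .config for the netfilter options a
# stateful filtering/NAT gateway needs, following the `depends on` lines
# of net/ipv4/netfilter/Kconfig.

kconfig_value() {
	# $1 = path to a .config, $2 = symbol without the CONFIG_ prefix.
	# Prints y, m or n; an absent symbol and "# CONFIG_X is not set" are n.
	v=$(sed -n "s/^CONFIG_$2=\([ym]\).*/\1/p" "$1")
	printf '%s\n' "${v:-n}"
}

kconfig_require() {
	# $1 = .config path, $2 = symbol that must be y or m, $3.. = symbols
	# it depends on. Returns 0 when all are enabled, otherwise reports
	# and returns 1. A =y symbol under a =m dependency is deliberately not
	# flagged: a bool such as IP_NF_CT_ACCT is =y even when IP_NF_CONNTRACK=m.
	cfg=$1; sym=$2; shift 2
	if [ "$(kconfig_value "$cfg" "$sym")" = n ]; then
		echo "MISSING: CONFIG_$sym is not enabled (depends on: $*)"
		return 1
	fi
	rc=0
	for dep in "$@"; do
		if [ "$(kconfig_value "$cfg" "$dep")" = n ]; then
			echo "BROKEN: CONFIG_$sym is enabled but CONFIG_$dep is not"
			rc=1
		fi
	done
	return $rc
}

audit_firewall_config() {
	# $1 = .config path. Each line below: a symbol, then the dependencies
	# the Kconfig declares for it. Returns the number of failed checks.
	cfg=$1; failed=0
	while read -r sym deps; do
		kconfig_require "$cfg" "$sym" $deps || failed=$((failed + 1))
	done <<EOF
IP_NF_CONNTRACK
IP_NF_IPTABLES
IP_NF_FILTER IP_NF_IPTABLES
IP_NF_MATCH_STATE IP_NF_CONNTRACK IP_NF_IPTABLES
IP_NF_MATCH_CONNBYTES IP_NF_CT_ACCT IP_NF_IPTABLES
IP_NF_TARGET_REJECT IP_NF_FILTER
IP_NF_TARGET_LOG IP_NF_IPTABLES
IP_NF_NAT IP_NF_IPTABLES IP_NF_CONNTRACK
IP_NF_NAT_FTP IP_NF_NAT IP_NF_FTP
EOF
	return $failed
}

write_sample_config() {
	# Constructed .config fragment (not a real kernel's): conntrack is built
	# in, FTP is tracked but its NAT helper is off, and connbytes is enabled
	# without the flow accounting it depends on. Prints the file path.
	f=$(mktemp "${TMPDIR:-/tmp}/nf-config.XXXXXX")
	cat >"$f" <<'EOF'
CONFIG_IP_NF_CONNTRACK=y
# CONFIG_IP_NF_CT_ACCT is not set
CONFIG_IP_NF_CONNTRACK_MARK=y
CONFIG_IP_NF_FTP=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_MATCH_STATE=m
CONFIG_IP_NF_MATCH_CONNBYTES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_NAT=m
# CONFIG_IP_NF_NAT_FTP is not set
EOF
	printf '%s\n' "$f"
}
```

Point audit_firewall_config at /boot/config-$(uname -r), or at /proc/config.gz decompressed with zcat, and its exit status is the number of failed checks.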
# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_DSCP
	tristate "DSCP target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `DSCP' target, which allows you to alter
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLASSIFY
	tristate "CLASSIFY target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CONNMARK
	tristate 'CONNMARK target support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value. Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  ipt_CONNMARK.o. If unsure, say `N'.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_TARGET_NOTRACK
	tristate 'NOTRACK target support'
	depends on IP_NF_RAW
	depends on IP_NF_CONNTRACK
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.
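The nat, mangle and raw tables for the same kind of gateway, as an added example that is not code from the kernel tree, combining the MASQUERADE, REDIRECT, TCPMSS, MARK/CONNMARK and NOTRACK targets described above. The interface names, LAN prefix, proxy port and resolver address are assumptions.

```shell
#!/bin/sh
# Added example: nat, mangle and raw tables for a gateway. All addresses,
# ports and interface names are assumptions; override them via the environment.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}
PROXY_PORT=${PROXY_PORT:-3128}
RESOLVER=${RESOLVER:-192.168.1.1}

nat_mangle_raw_rules() {
	# Emits three tables in iptables-restore format; each is replaced
	# atomically when loaded.
	cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Transparent proxy: REDIRECT maps LAN web traffic onto the local proxy port.
-A PREROUTING -i $LAN -s $LAN_NET -p tcp --dport 80 -j REDIRECT --to-ports $PROXY_PORT
# Dynamic uplink address: MASQUERADE, whose connections are lost when $WAN
# goes down. With a static address, SNAT --to-source keeps them across flaps.
-A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Clamp the MSS of forwarded SYNs so hosts behind the gateway survive a path
# that blackholes ICMP Fragmentation Needed.
-A FORWARD -o $WAN -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# Classify once per connection: restore the connection mark, and run the
# MARK rules only for packets that do not carry one yet.
-A PREROUTING -j CONNMARK --restore-mark
-A PREROUTING -m mark ! --mark 0 -j RETURN
-A PREROUTING -i $LAN -p tcp --dport 22 -j MARK --set-mark 1
-A PREROUTING -j CONNMARK --save-mark
COMMIT
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# NOTRACK keeps high-volume resolver traffic out of the conntrack table.
# Such packets match none of NEW/ESTABLISHED/RELATED and get no helper, so
# the filter table has to accept them explicitly.
-A PREROUTING -i $LAN -p udp -d $RESOLVER --dport 53 -j NOTRACK
-A OUTPUT -p udp -s $RESOLVER --sport 53 -j NOTRACK
COMMIT
EOF
}

table_names() {
	# Lists the tables the generator emits, in order (used as a self-check).
	nat_mangle_raw_rules | sed -n 's/^\*//p'
}

apply_nat_mangle_raw_rules() {
	# Replaces only the nat, mangle and raw tables; needs root and
	# IP_NF_NAT, IP_NF_MANGLE and IP_NF_RAW with the targets used above.
	nat_mangle_raw_rules | iptables-restore
}
```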
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

config IP_NF_CONNTRACK_NETLINK
	tristate 'Connection tracking netlink interface'
	depends on IP_NF_CONNTRACK && NETFILTER_NETLINK
	help
	  This option enables support for a netlink-based userspace interface