#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

config NF_TABLES_IPV4
	tristate "IPv4 nf_tables support"

config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4
	tristate "nf_tables IPv4 reject support"

config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	depends on NF_NAT_IPV4 && NFT_NAT
	tristate "IPv4 nf_tables nat chain support"

config NF_TABLES_ARP
	tristate "ARP nf_tables support"

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage during
	  SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.
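An added example, not part of the kernel's Kconfig, showing how the SYNPROXY target above is wired up in userspace together with the `raw' table described further down (IP_NF_RAW), following the rule shape documented in iptables-extensions(8). The interface eth0 and port 80 are assumed values; by default the script only prints the commands.

```shell
#!/bin/sh
# Added example (not part of the kernel Kconfig): the iptables rule set that
# puts IP_NF_TARGET_SYNPROXY to work, in the shape documented in
# iptables-extensions(8). Interface eth0 and port 80 below are assumed values.
# By default the commands are only printed; set SYNPROXY_APPLY=1 to run them.

# Sysctls the proxy relies on: syncookies must be on, and conntrack must not
# pick up mid-stream connections (tcp_loose), or the INVALID check below
# would never fire.
synproxy_sysctls() {
    printf '%s\n' \
        'sysctl -w net.ipv4.tcp_syncookies=1' \
        'sysctl -w net.netfilter.nf_conntrack_tcp_loose=0'
}

# Emit the three rules for one interface and TCP port:
#  1. raw/PREROUTING: leave incoming SYNs untracked, so a SYN flood never
#     allocates conntrack entries (the reason IP_NF_RAW is needed).
#  2. INPUT: hand untracked SYNs and INVALID ACKs to SYNPROXY, which answers
#     with a syncookie and only opens the real connection to the server
#     once the client completes the handshake.
#  3. INPUT: drop whatever is still INVALID (spoofed or out-of-window ACKs).
synproxy_rules() {
    ifc="$1"; port="$2"
    printf '%s\n' \
        "iptables -t raw -A PREROUTING -i $ifc -p tcp -m tcp --syn --dport $port -j CT --notrack" \
        "iptables -A INPUT -i $ifc -p tcp -m tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460" \
        "iptables -A INPUT -i $ifc -p tcp -m tcp --dport $port -m conntrack --ctstate INVALID -j DROP"
}

# Print, or with SYNPROXY_APPLY=1 execute, the full set for one interface/port.
main() {
    ifc="${1:-eth0}"; port="${2:-80}"
    { synproxy_sysctls; synproxy_rules "$ifc" "$port"; } | while IFS= read -r cmd; do
        if [ "${SYNPROXY_APPLY:-0}" = 1 ]; then
            $cmd    # word-splitting is intended: run the generated command
        else
            echo "$cmd"
        fi
    done
}

main "$@"
```

Applying the rules needs root and a kernel built with IP_NF_TARGET_SYNPROXY, IP_NF_RAW and connection tracking enabled.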
config IP_NF_TARGET_ULOG
	tristate "ULOG target support (obsolete)"
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target,
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match the IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

endif # IP_NF_IPTABLES

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu