# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support for layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and

config NFT_REJECT_IPV4

	tristate "IPv4 nf_tables packet duplication support"
	help
	  This module enables IPv4 packet duplication support for nf_tables.

endif # NF_TABLES_IPV4

	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

	tristate "Netfilter IPv4 packet duplication to alternate destination"
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.
config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_PROTO_GRE
	depends on NF_CT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.
# `filter', generic and specific targets

	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than the packet being silently dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.
# NAT + specific targets: nf_conntrack

	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.
# mangle + specific targets

	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.
# raw + specific targets

	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

endif # IP_NF_IPTABLES

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES
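Added example, not part of the kernel's Kconfig or its build tooling: a minimal parser for the `depends on` / `select` lines in this file that reports what enabling one option (such as IP_NF_TARGET_SYNPROXY or IP_NF_TARGET_CLUSTERIP) force-selects and which dependencies `select` will not satisfy for you. The embedded fragment is constructed from three entries of this file.

```python
import re

# Constructed Kconfig fragment: three entries copied from the file above (help text omitted).
KCONFIG = """\
config NF_CONNTRACK_IPV4
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n

config IP_NF_TARGET_SYNPROXY
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY

config IP_NF_TARGET_CLUSTERIP
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
"""

def parse_kconfig(text):
    # Map each symbol to its 'depends on' expressions and 'select' targets;
    # tristate/default/help lines carry no graph edges and are skipped.
    entries, cur = {}, None
    for line in text.splitlines():
        tok = line.split(None, 2)
        if tok and tok[0] == "config":
            cur = tok[1]
            entries[cur] = {"depends": [], "select": []}
        elif cur and len(tok) == 3 and tok[0] == "depends":  # depends on EXPR
            entries[cur]["depends"].append(tok[2].strip())
        elif cur and len(tok) >= 2 and tok[0] == "select":   # select SYM [if EXPR]
            entries[cur]["select"].append(tok[1])
    return entries

def enable(symbol, entries):
    # Walk the select graph from `symbol`. Returns (selected, required): symbols
    # Kconfig forces on, and depends-on symbols it will NOT set for you, because
    # select ignores the selected symbol's own "depends on" (they must be met by hand).
    selected, required, todo = set(), set(), [symbol]
    while todo:
        sym = todo.pop()
        if sym in selected:
            continue
        selected.add(sym)
        info = entries.get(sym, {"depends": [], "select": []})
        for expr in info["depends"]:
            required.update(re.findall(r"\b[A-Z][A-Z0-9_]*\b", expr))
        todo.extend(info["select"])
    selected.discard(symbol)
    return selected, required - selected - {symbol}
```

Running `enable("IP_NF_TARGET_CLUSTERIP", parse_kconfig(KCONFIG))` reports NF_CONNTRACK_MARK as selected and IP_NF_MANGLE, NF_CONNTRACK_IPV4 and NETFILTER_ADVANCED as dependencies you still have to enable yourself.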