2 # IP netfilter configuration
5 menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
12 config NF_CONNTRACK_IPV4
13 tristate "IPv4 connection tracking support (required for NAT)"
14 depends on NF_CONNTRACK
15 default m if NETFILTER_ADVANCED=n
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are related
22 This is IPv4 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is experimental scheme
24 which generalize ip_conntrack to support other layer 3 protocols.
26 To compile it as a module, choose M here. If unsure, say N.
28 config NF_CONNTRACK_PROC_COMPAT
29 bool "proc/sysctl compatibility with old connection tracking"
30 depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
33 This option enables /proc and sysctl compatibility with the old
34 layer 3 dependent connection tracking. This is needed to keep
35 old programs that have not been adapted to the new names working.
41 tristate "IPv4 nf_tables support"
43 This option enables the IPv4 support for nf_tables.
45 config NFT_CHAIN_ROUTE_IPV4
46 depends on NF_TABLES_IPV4
47 tristate "IPv4 nf_tables route chain support"
49 This option enables the "route" chain for IPv4 in nf_tables. This
50 chain type is used to force packet re-routing after mangling header
51 fields such as the source, destination, type of service and
54 config NFT_CHAIN_NAT_IPV4
55 depends on NF_TABLES_IPV4
56 depends on NF_NAT_IPV4 && NFT_NAT
57 tristate "IPv4 nf_tables nat chain support"
59 This option enables the "nat" chain for IPv4 in nf_tables. This
60 chain type is used to perform Network Address Translation (NAT)
61 packet transformations such as the source, destination address and
62 source and destination ports.
64 config NFT_REJECT_IPV4
65 depends on NF_TABLES_IPV4
71 tristate "ARP nf_tables support"
73 This option enables the ARP support for nf_tables.
76 tristate "IP tables support (required for filtering/masq/NAT)"
77 default m if NETFILTER_ADVANCED=n
78 select NETFILTER_XTABLES
80 iptables is a general, extensible packet identification framework.
81 The packet filtering and full NAT (masquerading, port forwarding,
82 etc) subsystems now use this: say `Y' or `M' here if you want to use
85 To compile it as a module, choose M here. If unsure, say N.
91 tristate '"ah" match support'
92 depends on NETFILTER_ADVANCED
94 This match extension allows you to match a range of SPIs
95 inside AH header of IPSec packets.
97 To compile it as a module, choose M here. If unsure, say N.
99 config IP_NF_MATCH_ECN
100 tristate '"ecn" match support'
101 depends on NETFILTER_ADVANCED
102 select NETFILTER_XT_MATCH_ECN
104 This is a backwards-compat option for the user's convenience
105 (e.g. when running oldconfig). It selects
106 CONFIG_NETFILTER_XT_MATCH_ECN.
108 config IP_NF_MATCH_RPFILTER
109 tristate '"rpfilter" reverse path filter match support'
110 depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
112 This option allows you to match packets whose replies would
113 go out via the interface the packet came in.
115 To compile it as a module, choose M here. If unsure, say N.
116 The module will be called ipt_rpfilter.
118 config IP_NF_MATCH_TTL
119 tristate '"ttl" match support'
120 depends on NETFILTER_ADVANCED
121 select NETFILTER_XT_MATCH_HL
123 This is a backwards-compat option for the user's convenience
124 (e.g. when running oldconfig). It selects
125 CONFIG_NETFILTER_XT_MATCH_HL.
127 # `filter', generic and specific targets
129 tristate "Packet filtering"
130 default m if NETFILTER_ADVANCED=n
132 Packet filtering defines a table `filter', which has a series of
133 rules for simple packet filtering at local input, forwarding and
134 local output. See the man page for iptables(8).
136 To compile it as a module, choose M here. If unsure, say N.
138 config IP_NF_TARGET_REJECT
139 tristate "REJECT target support"
140 depends on IP_NF_FILTER
141 default m if NETFILTER_ADVANCED=n
143 The REJECT target allows a filtering rule to specify that an ICMP
144 error should be issued in response to an incoming packet, rather
145 than silently being dropped.
147 To compile it as a module, choose M here. If unsure, say N.
149 config IP_NF_TARGET_SYNPROXY
150 tristate "SYNPROXY target support"
151 depends on NF_CONNTRACK && NETFILTER_ADVANCED
152 select NETFILTER_SYNPROXY
155 The SYNPROXY target allows you to intercept TCP connections and
156 establish them using syncookies before they are passed on to the
157 server. This allows to avoid conntrack and server resource usage
158 during SYN-flood attacks.
160 To compile it as a module, choose M here. If unsure, say N.
162 # NAT + specific targets: nf_conntrack
165 depends on NF_CONNTRACK_IPV4
166 default m if NETFILTER_ADVANCED=n
169 The IPv4 NAT option allows masquerading, port forwarding and other
170 forms of full Network Address Port Translation. It is controlled by
171 the `nat' table in iptables: see the man page for iptables(8).
173 To compile it as a module, choose M here. If unsure, say N.
177 config IP_NF_TARGET_MASQUERADE
178 tristate "MASQUERADE target support"
179 default m if NETFILTER_ADVANCED=n
181 Masquerading is a special case of NAT: all outgoing connections are
182 changed to seem to come from a particular interface's address, and
183 if the interface goes down, those connections are lost. This is
184 only useful for dialup accounts with dynamic IP address (ie. your IP
185 address will be different on next dialup).
187 To compile it as a module, choose M here. If unsure, say N.
189 config IP_NF_TARGET_NETMAP
190 tristate "NETMAP target support"
191 depends on NETFILTER_ADVANCED
192 select NETFILTER_XT_TARGET_NETMAP
194 This is a backwards-compat option for the user's convenience
195 (e.g. when running oldconfig). It selects
196 CONFIG_NETFILTER_XT_TARGET_NETMAP.
198 config IP_NF_TARGET_REDIRECT
199 tristate "REDIRECT target support"
200 depends on NETFILTER_ADVANCED
201 select NETFILTER_XT_TARGET_REDIRECT
203 This is a backwards-compat option for the user's convenience
204 (e.g. when running oldconfig). It selects
205 CONFIG_NETFILTER_XT_TARGET_REDIRECT.
209 config NF_NAT_SNMP_BASIC
210 tristate "Basic SNMP-ALG support"
211 depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
212 depends on NETFILTER_ADVANCED
213 default NF_NAT && NF_CONNTRACK_SNMP
216 This module implements an Application Layer Gateway (ALG) for
217 SNMP payloads. In conjunction with NAT, it allows a network
218 management system to access multiple private networks with
219 conflicting addresses. It works by modifying IP addresses
220 inside SNMP payloads to match IP-layer NAT mapping.
222 This is the "basic" form of SNMP-ALG, as described in RFC 2962
224 To compile it as a module, choose M here. If unsure, say N.
226 # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
227 # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
228 # From kconfig-language.txt:
230 # <expr> '&&' <expr> (6)
232 # (6) Returns the result of min(/expr/, /expr/).
234 config NF_NAT_PROTO_GRE
236 depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE
240 depends on NF_CONNTRACK && NF_NAT_IPV4
241 default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
242 select NF_NAT_PROTO_GRE
246 depends on NF_CONNTRACK && NF_NAT_IPV4
247 default NF_NAT_IPV4 && NF_CONNTRACK_H323
249 # mangle + specific targets
251 tristate "Packet mangling"
252 default m if NETFILTER_ADVANCED=n
254 This option adds a `mangle' table to iptables: see the man page for
255 iptables(8). This table is used for various packet alterations
256 which can effect how the packet is routed.
258 To compile it as a module, choose M here. If unsure, say N.
260 config IP_NF_TARGET_CLUSTERIP
261 tristate "CLUSTERIP target support"
262 depends on IP_NF_MANGLE
263 depends on NF_CONNTRACK_IPV4
264 depends on NETFILTER_ADVANCED
265 select NF_CONNTRACK_MARK
267 The CLUSTERIP target allows you to build load-balancing clusters of
268 network servers without having a dedicated load-balancing
269 router/server/switch.
271 To compile it as a module, choose M here. If unsure, say N.
273 config IP_NF_TARGET_ECN
274 tristate "ECN target support"
275 depends on IP_NF_MANGLE
276 depends on NETFILTER_ADVANCED
278 This option adds a `ECN' target, which can be used in the iptables mangle
281 You can use this target to remove the ECN bits from the IPv4 header of
282 an IP packet. This is particularly useful, if you need to work around
283 existing ECN blackholes on the internet, but don't want to disable
284 ECN support in general.
286 To compile it as a module, choose M here. If unsure, say N.
288 config IP_NF_TARGET_TTL
289 tristate '"TTL" target support'
290 depends on NETFILTER_ADVANCED && IP_NF_MANGLE
291 select NETFILTER_XT_TARGET_HL
293 This is a backwards-compatible option for the user's convenience
294 (e.g. when running oldconfig). It selects
295 CONFIG_NETFILTER_XT_TARGET_HL.
297 # raw + specific targets
299 tristate 'raw table support (required for NOTRACK/TRACE)'
301 This option adds a `raw' table to iptables. This table is the very
302 first in the netfilter framework and hooks in at the PREROUTING
305 If you want to compile it as a module, say M here and read
306 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
308 # security table for MAC policy
309 config IP_NF_SECURITY
310 tristate "Security table"
312 depends on NETFILTER_ADVANCED
314 This option adds a `security' table to iptables, for use
315 with Mandatory Access Control (MAC) policy.
319 endif # IP_NF_IPTABLES
322 config IP_NF_ARPTABLES
323 tristate "ARP tables support"
324 select NETFILTER_XTABLES
325 depends on NETFILTER_ADVANCED
327 arptables is a general, extensible packet identification framework.
328 The ARP packet filtering and mangling (manipulation)subsystems
329 use this: say Y or M here if you want to use either of those.
331 To compile it as a module, choose M here. If unsure, say N.
335 config IP_NF_ARPFILTER
336 tristate "ARP packet filtering"
338 ARP packet filtering defines a table `filter', which has a series of
339 rules for simple ARP packet filtering at local input and
340 local output. On a bridge, you can also specify filtering rules
341 for forwarded ARP packets. See the man page for arptables(8).
343 To compile it as a module, choose M here. If unsure, say N.
345 config IP_NF_ARP_MANGLE
346 tristate "ARP payload mangling"
348 Allows altering the ARP packet payload: source and destination
349 hardware and network addresses.
351 endif # IP_NF_ARPTABLES