2 # IP netfilter configuration
5 menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
12 config NF_CONNTRACK_IPV4
13 tristate "IPv4 connection tracking support (required for NAT)"
14 depends on NF_CONNTRACK
15 default m if NETFILTER_ADVANCED=n
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are related
22 This is IPv4 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is experimental scheme
24 which generalize ip_conntrack to support other layer 3 protocols.
26 To compile it as a module, choose M here. If unsure, say N.
28 config NF_CONNTRACK_PROC_COMPAT
29 bool "proc/sysctl compatibility with old connection tracking"
30 depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
33 This option enables /proc and sysctl compatibility with the old
34 layer 3 dependent connection tracking. This is needed to keep
35 old programs that have not been adapted to the new names working.
40 tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
41 depends on NETFILTER_ADVANCED
43 Netfilter has the ability to queue packets to user space: the
44 netlink device can be used to access them using this driver.
46 This option enables the old IPv4-only "ip_queue" implementation
47 which has been obsoleted by the new "nfnetlink_queue" code (see
48 CONFIG_NETFILTER_NETLINK_QUEUE).
50 To compile it as a module, choose M here. If unsure, say N.
53 tristate "IP tables support (required for filtering/masq/NAT)"
54 default m if NETFILTER_ADVANCED=n
55 select NETFILTER_XTABLES
57 iptables is a general, extensible packet identification framework.
58 The packet filtering and full NAT (masquerading, port forwarding,
59 etc) subsystems now use this: say `Y' or `M' here if you want to use
62 To compile it as a module, choose M here. If unsure, say N.
68 tristate '"ah" match support'
69 depends on NETFILTER_ADVANCED
71 This match extension allows you to match a range of SPIs
72 inside AH header of IPSec packets.
74 To compile it as a module, choose M here. If unsure, say N.
76 config IP_NF_MATCH_ECN
77 tristate '"ecn" match support'
78 depends on NETFILTER_ADVANCED
79 select NETFILTER_XT_MATCH_ECN
81 This is a backwards-compat option for the user's convenience
82 (e.g. when running oldconfig). It selects
83 CONFIG_NETFILTER_XT_MATCH_ECN.
85 config IP_NF_MATCH_RPFILTER
86 tristate '"rpfilter" reverse path filter match support'
87 depends on NETFILTER_ADVANCED
89 This option allows you to match packets whose replies would
90 go out via the interface the packet came in.
92 To compile it as a module, choose M here. If unsure, say N.
93 The module will be called ipt_rpfilter.
95 config IP_NF_MATCH_TTL
96 tristate '"ttl" match support'
97 depends on NETFILTER_ADVANCED
98 select NETFILTER_XT_MATCH_HL
100 This is a backwards-compat option for the user's convenience
101 (e.g. when running oldconfig). It selects
102 CONFIG_NETFILTER_XT_MATCH_HL.
104 # `filter', generic and specific targets
106 tristate "Packet filtering"
107 default m if NETFILTER_ADVANCED=n
109 Packet filtering defines a table `filter', which has a series of
110 rules for simple packet filtering at local input, forwarding and
111 local output. See the man page for iptables(8).
113 To compile it as a module, choose M here. If unsure, say N.
115 config IP_NF_TARGET_REJECT
116 tristate "REJECT target support"
117 depends on IP_NF_FILTER
118 default m if NETFILTER_ADVANCED=n
120 The REJECT target allows a filtering rule to specify that an ICMP
121 error should be issued in response to an incoming packet, rather
122 than silently being dropped.
124 To compile it as a module, choose M here. If unsure, say N.
126 config IP_NF_TARGET_ULOG
127 tristate "ULOG target support"
128 default m if NETFILTER_ADVANCED=n
131 This option enables the old IPv4-only "ipt_ULOG" implementation
132 which has been obsoleted by the new "nfnetlink_log" code (see
133 CONFIG_NETFILTER_NETLINK_LOG).
135 This option adds a `ULOG' target, which allows you to create rules in
136 any iptables table. The packet is passed to a userspace logging
137 daemon using netlink multicast sockets; unlike the LOG target
138 which can only be viewed through syslog.
140 The appropriate userspace logging daemon (ulogd) may be obtained from
141 <http://www.netfilter.org/projects/ulogd/index.html>
143 To compile it as a module, choose M here. If unsure, say N.
145 # NAT + specific targets: nf_conntrack
148 depends on NF_CONNTRACK_IPV4
149 default m if NETFILTER_ADVANCED=n
152 The IPv4 NAT option allows masquerading, port forwarding and other
153 forms of full Network Address Port Translation. It is controlled by
154 the `nat' table in iptables: see the man page for iptables(8).
156 To compile it as a module, choose M here. If unsure, say N.
160 config IP_NF_TARGET_MASQUERADE
161 tristate "MASQUERADE target support"
162 default m if NETFILTER_ADVANCED=n
164 Masquerading is a special case of NAT: all outgoing connections are
165 changed to seem to come from a particular interface's address, and
166 if the interface goes down, those connections are lost. This is
167 only useful for dialup accounts with dynamic IP address (ie. your IP
168 address will be different on next dialup).
170 To compile it as a module, choose M here. If unsure, say N.
172 config IP_NF_TARGET_NETMAP
173 tristate "NETMAP target support"
174 depends on NETFILTER_ADVANCED
176 NETMAP is an implementation of static 1:1 NAT mapping of network
177 addresses. It maps the network address part, while keeping the host
180 To compile it as a module, choose M here. If unsure, say N.
182 config IP_NF_TARGET_REDIRECT
183 tristate "REDIRECT target support"
184 depends on NETFILTER_ADVANCED
186 REDIRECT is a special case of NAT: all incoming connections are
187 mapped onto the incoming interface's address, causing the packets to
188 come to the local machine instead of passing through. This is
189 useful for transparent proxies.
191 To compile it as a module, choose M here. If unsure, say N.
195 config NF_NAT_SNMP_BASIC
196 tristate "Basic SNMP-ALG support"
197 depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
198 depends on NETFILTER_ADVANCED
199 default NF_NAT && NF_CONNTRACK_SNMP
202 This module implements an Application Layer Gateway (ALG) for
203 SNMP payloads. In conjunction with NAT, it allows a network
204 management system to access multiple private networks with
205 conflicting addresses. It works by modifying IP addresses
206 inside SNMP payloads to match IP-layer NAT mapping.
208 This is the "basic" form of SNMP-ALG, as described in RFC 2962
210 To compile it as a module, choose M here. If unsure, say N.
212 # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
213 # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
214 # From kconfig-language.txt:
216 # <expr> '&&' <expr> (6)
218 # (6) Returns the result of min(/expr/, /expr/).
220 config NF_NAT_PROTO_GRE
222 depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE
226 depends on NF_CONNTRACK && NF_NAT_IPV4
227 default NF_NAT_IPV4 && NF_CONNTRACK_IRC
231 depends on NF_CONNTRACK && NF_NAT_IPV4
232 default NF_NAT_IPV4 && NF_CONNTRACK_TFTP
236 depends on NF_CONNTRACK && NF_NAT_IPV4
237 default NF_NAT_IPV4 && NF_CONNTRACK_AMANDA
241 depends on NF_CONNTRACK && NF_NAT_IPV4
242 default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
243 select NF_NAT_PROTO_GRE
247 depends on NF_CONNTRACK && NF_NAT_IPV4
248 default NF_NAT_IPV4 && NF_CONNTRACK_H323
252 depends on NF_CONNTRACK && NF_NAT_IPV4
253 default NF_NAT_IPV4 && NF_CONNTRACK_SIP
255 # mangle + specific targets
257 tristate "Packet mangling"
258 default m if NETFILTER_ADVANCED=n
260 This option adds a `mangle' table to iptables: see the man page for
261 iptables(8). This table is used for various packet alterations
262 which can effect how the packet is routed.
264 To compile it as a module, choose M here. If unsure, say N.
266 config IP_NF_TARGET_CLUSTERIP
267 tristate "CLUSTERIP target support (EXPERIMENTAL)"
268 depends on IP_NF_MANGLE && EXPERIMENTAL
269 depends on NF_CONNTRACK_IPV4
270 depends on NETFILTER_ADVANCED
271 select NF_CONNTRACK_MARK
273 The CLUSTERIP target allows you to build load-balancing clusters of
274 network servers without having a dedicated load-balancing
275 router/server/switch.
277 To compile it as a module, choose M here. If unsure, say N.
279 config IP_NF_TARGET_ECN
280 tristate "ECN target support"
281 depends on IP_NF_MANGLE
282 depends on NETFILTER_ADVANCED
284 This option adds a `ECN' target, which can be used in the iptables mangle
287 You can use this target to remove the ECN bits from the IPv4 header of
288 an IP packet. This is particularly useful, if you need to work around
289 existing ECN blackholes on the internet, but don't want to disable
290 ECN support in general.
292 To compile it as a module, choose M here. If unsure, say N.
294 config IP_NF_TARGET_TTL
295 tristate '"TTL" target support'
296 depends on NETFILTER_ADVANCED && IP_NF_MANGLE
297 select NETFILTER_XT_TARGET_HL
299 This is a backwards-compatible option for the user's convenience
300 (e.g. when running oldconfig). It selects
301 CONFIG_NETFILTER_XT_TARGET_HL.
303 # raw + specific targets
305 tristate 'raw table support (required for NOTRACK/TRACE)'
307 This option adds a `raw' table to iptables. This table is the very
308 first in the netfilter framework and hooks in at the PREROUTING
311 If you want to compile it as a module, say M here and read
312 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
314 # security table for MAC policy
315 config IP_NF_SECURITY
316 tristate "Security table"
318 depends on NETFILTER_ADVANCED
320 This option adds a `security' table to iptables, for use
321 with Mandatory Access Control (MAC) policy.
325 endif # IP_NF_IPTABLES
328 config IP_NF_ARPTABLES
329 tristate "ARP tables support"
330 select NETFILTER_XTABLES
331 depends on NETFILTER_ADVANCED
333 arptables is a general, extensible packet identification framework.
334 The ARP packet filtering and mangling (manipulation)subsystems
335 use this: say Y or M here if you want to use either of those.
337 To compile it as a module, choose M here. If unsure, say N.
341 config IP_NF_ARPFILTER
342 tristate "ARP packet filtering"
344 ARP packet filtering defines a table `filter', which has a series of
345 rules for simple ARP packet filtering at local input and
346 local output. On a bridge, you can also specify filtering rules
347 for forwarded ARP packets. See the man page for arptables(8).
349 To compile it as a module, choose M here. If unsure, say N.
351 config IP_NF_ARP_MANGLE
352 tristate "ARP payload mangling"
354 Allows altering the ARP packet payload: source and destination
355 hardware and network addresses.
357 endif # IP_NF_ARPTABLES