2 # IP netfilter configuration
5 menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
8 config NF_CONNTRACK_IPV4
9 tristate "IPv4 support for new connection tracking (EXPERIMENTAL)"
10 depends on EXPERIMENTAL && NF_CONNTRACK
12 Connection tracking keeps a record of what packets have passed
13 through your machine, in order to figure out how they are related
16 This is IPv4 support on Layer 3 independent connection tracking.
17 Layer 3 independent connection tracking is experimental scheme
18 which generalize ip_conntrack to support other layer 3 protocols.
20 To compile it as a module, choose M here. If unsure, say N.
22 # connection tracking, helpers and protocols
23 config IP_NF_CONNTRACK
24 tristate "Connection tracking (required for masq/NAT)"
26 Connection tracking keeps a record of what packets have passed
27 through your machine, in order to figure out how they are related
30 This is required to do Masquerading or other kinds of Network
31 Address Translation (except for Fast NAT). It can also be used to
32 enhance packet filtering (see `Connection state match support'
35 To compile it as a module, choose M here. If unsure, say N.
38 bool "Connection tracking flow accounting"
39 depends on IP_NF_CONNTRACK
41 If this option is enabled, the connection tracking code will
42 keep per-flow packet and byte counters.
44 Those counters can be used for flow-based accounting or the
49 config IP_NF_CONNTRACK_MARK
50 bool 'Connection mark tracking support'
51 depends on IP_NF_CONNTRACK
53 This option enables support for connection marks, used by the
54 `CONNMARK' target and `connmark' match. Similar to the mark value
55 of packets, but this mark value is kept in the conntrack session
56 instead of the individual packets.
58 config IP_NF_CONNTRACK_EVENTS
59 bool "Connection tracking events (EXPERIMENTAL)"
60 depends on EXPERIMENTAL && IP_NF_CONNTRACK
62 If this option is enabled, the connection tracking code will
63 provide a notifier chain that can be used by other kernel code
64 to get notified about changes in the connection tracking state.
68 config IP_NF_CONNTRACK_NETLINK
69 tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
70 depends on EXPERIMENTAL && IP_NF_CONNTRACK && NETFILTER_NETLINK
71 depends on IP_NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
72 depends on IP_NF_NAT=n || IP_NF_NAT
74 This option enables support for a netlink-based userspace interface
77 config IP_NF_CT_PROTO_SCTP
78 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
79 depends on IP_NF_CONNTRACK && EXPERIMENTAL
81 With this option enabled, the connection tracking code will
82 be able to do state tracking on SCTP connections.
84 If you want to compile it as a module, say M here and read
85 <file:Documentation/modules.txt>. If unsure, say `N'.
88 tristate "FTP protocol support"
89 depends on IP_NF_CONNTRACK
91 Tracking FTP connections is problematic: special helpers are
92 required for tracking them, and doing masquerading and other forms
93 of Network Address Translation on them.
95 To compile it as a module, choose M here. If unsure, say Y.
98 tristate "IRC protocol support"
99 depends on IP_NF_CONNTRACK
101 There is a commonly-used extension to IRC called
102 Direct Client-to-Client Protocol (DCC). This enables users to send
103 files to each other, and also chat to each other without the need
104 of a server. DCC Sending is used anywhere you send files over IRC,
105 and DCC Chat is most commonly used by Eggdrop bots. If you are
106 using NAT, this extension will enable you to send files and initiate
107 chats. Note that you do NOT need this extension to get files or
108 have others initiate chats, or everything else in IRC.
110 To compile it as a module, choose M here. If unsure, say Y.
112 config IP_NF_NETBIOS_NS
113 tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
114 depends on IP_NF_CONNTRACK && EXPERIMENTAL
116 NetBIOS name service requests are sent as broadcast messages from an
117 unprivileged port and responded to with unicast messages to the
118 same port. This make them hard to firewall properly because connection
119 tracking doesn't deal with broadcasts. This helper tracks locally
120 originating NetBIOS name service requests and the corresponding
121 responses. It relies on correct IP address configuration, specifically
122 netmask and broadcast address. When properly configured, the output
123 of "ip address show" should look similar to this:
125 $ ip -4 address show eth0
126 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
127 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
129 To compile it as a module, choose M here. If unsure, say N.
132 tristate "TFTP protocol support"
133 depends on IP_NF_CONNTRACK
135 TFTP connection tracking helper, this is required depending
136 on how restrictive your ruleset is.
137 If you are using a tftp client behind -j SNAT or -j MASQUERADING
140 To compile it as a module, choose M here. If unsure, say Y.
143 tristate "Amanda backup protocol support"
144 depends on IP_NF_CONNTRACK
146 select TEXTSEARCH_KMP
148 If you are running the Amanda backup package <http://www.amanda.org/>
149 on this machine or machines that will be MASQUERADED through this
150 machine, then you may want to enable this feature. This allows the
151 connection tracking and natting code to allow the sub-channels that
152 Amanda requires for communication of the backup data, messages and
155 To compile it as a module, choose M here. If unsure, say Y.
158 tristate 'PPTP protocol support'
159 depends on IP_NF_CONNTRACK
161 This module adds support for PPTP (Point to Point Tunnelling
162 Protocol, RFC2637) connection tracking and NAT.
164 If you are running PPTP sessions over a stateful firewall or NAT
165 box, you may want to enable this feature.
167 Please note that not all PPTP modes of operation are supported yet.
168 For more info, read top of the file
169 net/ipv4/netfilter/ip_conntrack_pptp.c
171 If you want to compile it as a module, say M here and read
172 Documentation/modules.txt. If unsure, say `N'.
175 tristate 'H.323 protocol support (EXPERIMENTAL)'
176 depends on IP_NF_CONNTRACK && EXPERIMENTAL
178 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
179 important VoIP protocols, it is widely used by voice hardware and
180 software including voice gateways, IP phones, Netmeeting, OpenPhone,
183 With this module you can support H.323 on a connection tracking/NAT
186 This module supports RAS, Fast Start, H.245 Tunnelling, Call
187 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
188 whiteboard, file transfer, etc. For more information, please
189 visit http://nath323.sourceforge.net/.
191 If you want to compile it as a module, say 'M' here and read
192 Documentation/modules.txt. If unsure, say 'N'.
195 tristate "SIP protocol support (EXPERIMENTAL)"
196 depends on IP_NF_CONNTRACK && EXPERIMENTAL
198 SIP is an application-layer control protocol that can establish,
199 modify, and terminate multimedia sessions (conferences) such as
200 Internet telephony calls. With the ip_conntrack_sip and
201 the ip_nat_sip modules you can support the protocol on a connection
202 tracking/NATing firewall.
204 To compile it as a module, choose M here. If unsure, say Y.
207 tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
209 Netfilter has the ability to queue packets to user space: the
210 netlink device can be used to access them using this driver.
212 This option enables the old IPv4-only "ip_queue" implementation
213 which has been obsoleted by the new "nfnetlink_queue" code (see
214 CONFIG_NETFILTER_NETLINK_QUEUE).
216 To compile it as a module, choose M here. If unsure, say N.
218 config IP_NF_IPTABLES
219 tristate "IP tables support (required for filtering/masq/NAT)"
220 depends on NETFILTER_XTABLES
222 iptables is a general, extensible packet identification framework.
223 The packet filtering and full NAT (masquerading, port forwarding,
224 etc) subsystems now use this: say `Y' or `M' here if you want to use
227 To compile it as a module, choose M here. If unsure, say N.
230 config IP_NF_MATCH_IPRANGE
231 tristate "IP range match support"
232 depends on IP_NF_IPTABLES
234 This option makes possible to match IP addresses against IP address
237 To compile it as a module, choose M here. If unsure, say N.
239 config IP_NF_MATCH_TOS
240 tristate "TOS match support"
241 depends on IP_NF_IPTABLES
243 TOS matching allows you to match packets based on the Type Of
244 Service fields of the IP packet.
246 To compile it as a module, choose M here. If unsure, say N.
248 config IP_NF_MATCH_RECENT
249 tristate "recent match support"
250 depends on IP_NF_IPTABLES
252 This match is used for creating one or many lists of recently
253 used addresses and then matching against that/those list(s).
255 Short options are available by using 'iptables -m recent -h'
256 Official Website: <http://snowman.net/projects/ipt_recent/>
258 To compile it as a module, choose M here. If unsure, say N.
260 config IP_NF_MATCH_ECN
261 tristate "ECN match support"
262 depends on IP_NF_IPTABLES
264 This option adds a `ECN' match, which allows you to match against
265 the IPv4 and TCP header ECN fields.
267 To compile it as a module, choose M here. If unsure, say N.
269 config IP_NF_MATCH_DSCP
270 tristate "DSCP match support"
271 depends on IP_NF_IPTABLES
273 This option adds a `DSCP' match, which allows you to match against
274 the IPv4 header DSCP field (DSCP codepoint).
276 The DSCP codepoint can have any value between 0x0 and 0x4f.
278 To compile it as a module, choose M here. If unsure, say N.
280 config IP_NF_MATCH_AH
281 tristate "AH match support"
282 depends on IP_NF_IPTABLES
284 This match extension allows you to match a range of SPIs
285 inside AH header of IPSec packets.
287 To compile it as a module, choose M here. If unsure, say N.
289 config IP_NF_MATCH_TTL
290 tristate "TTL match support"
291 depends on IP_NF_IPTABLES
293 This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
294 to match packets by their TTL value.
296 To compile it as a module, choose M here. If unsure, say N.
298 config IP_NF_MATCH_OWNER
299 tristate "Owner match support"
300 depends on IP_NF_IPTABLES
302 Packet owner matching allows you to match locally-generated packets
303 based on who created them: the user, group, process or session.
305 To compile it as a module, choose M here. If unsure, say N.
307 config IP_NF_MATCH_ADDRTYPE
308 tristate 'address type match support'
309 depends on IP_NF_IPTABLES
311 This option allows you to match what routing thinks of an address,
312 eg. UNICAST, LOCAL, BROADCAST, ...
314 If you want to compile it as a module, say M here and read
315 <file:Documentation/modules.txt>. If unsure, say `N'.
317 config IP_NF_MATCH_HASHLIMIT
318 tristate 'hashlimit match support'
319 depends on IP_NF_IPTABLES
321 This option adds a new iptables `hashlimit' match.
323 As opposed to `limit', this match dynamically crates a hash table
324 of limit buckets, based on your selection of source/destination
325 ip addresses and/or ports.
327 It enables you to express policies like `10kpps for any given
328 destination IP' or `500pps from any given source IP' with a single
331 # `filter', generic and specific targets
333 tristate "Packet filtering"
334 depends on IP_NF_IPTABLES
336 Packet filtering defines a table `filter', which has a series of
337 rules for simple packet filtering at local input, forwarding and
338 local output. See the man page for iptables(8).
340 To compile it as a module, choose M here. If unsure, say N.
342 config IP_NF_TARGET_REJECT
343 tristate "REJECT target support"
344 depends on IP_NF_FILTER
346 The REJECT target allows a filtering rule to specify that an ICMP
347 error should be issued in response to an incoming packet, rather
348 than silently being dropped.
350 To compile it as a module, choose M here. If unsure, say N.
352 config IP_NF_TARGET_LOG
353 tristate "LOG target support"
354 depends on IP_NF_IPTABLES
356 This option adds a `LOG' target, which allows you to create rules in
357 any iptables table which records the packet header to the syslog.
359 To compile it as a module, choose M here. If unsure, say N.
361 config IP_NF_TARGET_ULOG
362 tristate "ULOG target support"
363 depends on IP_NF_IPTABLES
366 This option enables the old IPv4-only "ipt_ULOG" implementation
367 which has been obsoleted by the new "nfnetlink_log" code (see
368 CONFIG_NETFILTER_NETLINK_LOG).
370 This option adds a `ULOG' target, which allows you to create rules in
371 any iptables table. The packet is passed to a userspace logging
372 daemon using netlink multicast sockets; unlike the LOG target
373 which can only be viewed through syslog.
375 The apropriate userspace logging daemon (ulogd) may be obtained from
376 <http://www.gnumonks.org/projects/ulogd/>
378 To compile it as a module, choose M here. If unsure, say N.
380 config IP_NF_TARGET_TCPMSS
381 tristate "TCPMSS target support"
382 depends on IP_NF_IPTABLES
384 This option adds a `TCPMSS' target, which allows you to alter the
385 MSS value of TCP SYN packets, to control the maximum size for that
386 connection (usually limiting it to your outgoing interface's MTU
389 This is used to overcome criminally braindead ISPs or servers which
390 block ICMP Fragmentation Needed packets. The symptoms of this
391 problem are that everything works fine from your Linux
392 firewall/router, but machines behind it can never exchange large
394 1) Web browsers connect, then hang with no data received.
395 2) Small mail works fine, but large emails hang.
396 3) ssh works fine, but scp hangs after initial handshaking.
398 Workaround: activate this option and add a rule to your firewall
401 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
402 -j TCPMSS --clamp-mss-to-pmtu
404 To compile it as a module, choose M here. If unsure, say N.
406 # NAT + specific targets
409 depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
411 The Full NAT option allows masquerading, port forwarding and other
412 forms of full Network Address Port Translation. It is controlled by
413 the `nat' table in iptables: see the man page for iptables(8).
415 To compile it as a module, choose M here. If unsure, say N.
417 config IP_NF_NAT_NEEDED
419 depends on IP_NF_NAT != n
422 config IP_NF_TARGET_MASQUERADE
423 tristate "MASQUERADE target support"
426 Masquerading is a special case of NAT: all outgoing connections are
427 changed to seem to come from a particular interface's address, and
428 if the interface goes down, those connections are lost. This is
429 only useful for dialup accounts with dynamic IP address (ie. your IP
430 address will be different on next dialup).
432 To compile it as a module, choose M here. If unsure, say N.
434 config IP_NF_TARGET_REDIRECT
435 tristate "REDIRECT target support"
438 REDIRECT is a special case of NAT: all incoming connections are
439 mapped onto the incoming interface's address, causing the packets to
440 come to the local machine instead of passing through. This is
441 useful for transparent proxies.
443 To compile it as a module, choose M here. If unsure, say N.
445 config IP_NF_TARGET_NETMAP
446 tristate "NETMAP target support"
449 NETMAP is an implementation of static 1:1 NAT mapping of network
450 addresses. It maps the network address part, while keeping the host
451 address part intact. It is similar to Fast NAT, except that
452 Netfilter's connection tracking doesn't work well with Fast NAT.
454 To compile it as a module, choose M here. If unsure, say N.
456 config IP_NF_TARGET_SAME
457 tristate "SAME target support"
460 This option adds a `SAME' target, which works like the standard SNAT
461 target, but attempts to give clients the same IP for all connections.
463 To compile it as a module, choose M here. If unsure, say N.
465 config IP_NF_NAT_SNMP_BASIC
466 tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
467 depends on EXPERIMENTAL && IP_NF_NAT
470 This module implements an Application Layer Gateway (ALG) for
471 SNMP payloads. In conjunction with NAT, it allows a network
472 management system to access multiple private networks with
473 conflicting addresses. It works by modifying IP addresses
474 inside SNMP payloads to match IP-layer NAT mapping.
476 This is the "basic" form of SNMP-ALG, as described in RFC 2962
478 To compile it as a module, choose M here. If unsure, say N.
482 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
483 default IP_NF_NAT if IP_NF_IRC=y
484 default m if IP_NF_IRC=m
486 # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
487 # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
490 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
491 default IP_NF_NAT if IP_NF_FTP=y
492 default m if IP_NF_FTP=m
494 config IP_NF_NAT_TFTP
496 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
497 default IP_NF_NAT if IP_NF_TFTP=y
498 default m if IP_NF_TFTP=m
500 config IP_NF_NAT_AMANDA
502 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
503 default IP_NF_NAT if IP_NF_AMANDA=y
504 default m if IP_NF_AMANDA=m
506 config IP_NF_NAT_PPTP
508 depends on IP_NF_NAT!=n && IP_NF_PPTP!=n
509 default IP_NF_NAT if IP_NF_PPTP=y
510 default m if IP_NF_PPTP=m
512 config IP_NF_NAT_H323
514 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
515 default IP_NF_NAT if IP_NF_H323=y
516 default m if IP_NF_H323=m
520 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
521 default IP_NF_NAT if IP_NF_SIP=y
522 default m if IP_NF_SIP=m
524 # mangle + specific targets
526 tristate "Packet mangling"
527 depends on IP_NF_IPTABLES
529 This option adds a `mangle' table to iptables: see the man page for
530 iptables(8). This table is used for various packet alterations
531 which can effect how the packet is routed.
533 To compile it as a module, choose M here. If unsure, say N.
535 config IP_NF_TARGET_TOS
536 tristate "TOS target support"
537 depends on IP_NF_MANGLE
539 This option adds a `TOS' target, which allows you to create rules in
540 the `mangle' table which alter the Type Of Service field of an IP
541 packet prior to routing.
543 To compile it as a module, choose M here. If unsure, say N.
545 config IP_NF_TARGET_ECN
546 tristate "ECN target support"
547 depends on IP_NF_MANGLE
549 This option adds a `ECN' target, which can be used in the iptables mangle
552 You can use this target to remove the ECN bits from the IPv4 header of
553 an IP packet. This is particularly useful, if you need to work around
554 existing ECN blackholes on the internet, but don't want to disable
555 ECN support in general.
557 To compile it as a module, choose M here. If unsure, say N.
559 config IP_NF_TARGET_DSCP
560 tristate "DSCP target support"
561 depends on IP_NF_MANGLE
563 This option adds a `DSCP' match, which allows you to match against
564 the IPv4 header DSCP field (DSCP codepoint).
566 The DSCP codepoint can have any value between 0x0 and 0x4f.
568 To compile it as a module, choose M here. If unsure, say N.
570 config IP_NF_TARGET_TTL
571 tristate 'TTL target support'
572 depends on IP_NF_MANGLE
574 This option adds a `TTL' target, which enables the user to modify
575 the TTL value of the IP header.
577 While it is safe to decrement/lower the TTL, this target also enables
578 functionality to increment and set the TTL value of the IP header to
579 arbitrary values. This is EXTREMELY DANGEROUS since you can easily
580 create immortal packets that loop forever on the network.
582 To compile it as a module, choose M here. If unsure, say N.
584 config IP_NF_TARGET_CLUSTERIP
585 tristate "CLUSTERIP target support (EXPERIMENTAL)"
586 depends on IP_NF_MANGLE && EXPERIMENTAL
587 depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4)
589 The CLUSTERIP target allows you to build load-balancing clusters of
590 network servers without having a dedicated load-balancing
591 router/server/switch.
593 To compile it as a module, choose M here. If unsure, say N.
595 # raw + specific targets
597 tristate 'raw table support (required for NOTRACK/TRACE)'
598 depends on IP_NF_IPTABLES
600 This option adds a `raw' table to iptables. This table is the very
601 first in the netfilter framework and hooks in at the PREROUTING
604 If you want to compile it as a module, say M here and read
605 <file:Documentation/modules.txt>. If unsure, say `N'.
608 config IP_NF_ARPTABLES
609 tristate "ARP tables support"
610 depends on NETFILTER_XTABLES
612 arptables is a general, extensible packet identification framework.
613 The ARP packet filtering and mangling (manipulation)subsystems
614 use this: say Y or M here if you want to use either of those.
616 To compile it as a module, choose M here. If unsure, say N.
618 config IP_NF_ARPFILTER
619 tristate "ARP packet filtering"
620 depends on IP_NF_ARPTABLES
622 ARP packet filtering defines a table `filter', which has a series of
623 rules for simple ARP packet filtering at local input and
624 local output. On a bridge, you can also specify filtering rules
625 for forwarded ARP packets. See the man page for arptables(8).
627 To compile it as a module, choose M here. If unsure, say N.
629 config IP_NF_ARP_MANGLE
630 tristate "ARP payload mangling"
631 depends on IP_NF_ARPTABLES
633 Allows altering the ARP packet payload: source and destination
634 hardware and network addresses.