# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

	tristate "IPv4 socket lookup support"
	help
	  This option enables the IPv4 socket lookup infrastructure. This
	  is required by the {ip,nf}tables socket match.

	tristate "IPv4 tproxy support"

	bool "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and

config NFT_REJECT_IPV4

	tristate "IPv4 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This module enables IPv4 packet duplication support for nf_tables.

	tristate "nf_tables fib / ip route lookup support"
	help
	  This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV4

	bool "ARP nf_tables support"
	select NETFILTER_FAMILY_ARP
	help
	  This option enables the ARP support for nf_tables.

config NF_FLOW_TABLE_IPV4
	tristate "Netfilter flow table IPv4 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv4 support.

	  To compile it as a module, choose M here.

	tristate "Netfilter IPv4 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_MASQUERADE
	help
	  This is the expression that provides IPv4 masquerading support for

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.
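Added example, not kernel code and not the nf_nat_snmp_basic implementation: a minimal "basic" SNMP ALG in C. It walks a BER-encoded SNMP message, descends into constructed elements (the message SEQUENCE, the PDU, the varbind list) and rewrites every IpAddress value equal to the pre-NAT address into the post-NAT address, which is what the module above has to do for the agent-addr field and IpAddress varbinds once IP-layer SNAT has changed the outer header. The SNMPv1 trap bytes, the addresses 10.0.0.5 and 203.0.113.7 and all function names are constructed for this example.

```c
/* Added example, not kernel code: a minimal SNMP "basic ALG" walk.
 * Rewrites every BER IpAddress equal to `from` into `to`, the way
 * nf_nat_snmp_basic fixes agent-addr and IpAddress varbinds after NAT.
 * The sample trap and the addresses below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define BER_CONSTRUCTED 0x20   /* tag bit 6: SEQUENCE, PDU, varbind list */
#define BER_IPADDRESS   0x40   /* [APPLICATION 0] primitive: SNMP IpAddress */

/* Decode a BER length at *pp (short form, or long form of 1-2 bytes).
 * Advances *pp past the length octets; returns -1 if malformed/truncated. */
static int ber_len(uint8_t **pp, const uint8_t *end, size_t *len)
{
    uint8_t *p = *pp;
    if (p >= end)
        return -1;
    if (*p < 0x80) {
        *len = *p++;
    } else {
        unsigned n = *p++ & 0x7f;
        if (n == 0 || n > 2 || (size_t)(end - p) < n)
            return -1;
        *len = 0;
        while (n--)
            *len = (*len << 8) | *p++;
    }
    if ((size_t)(end - p) < *len)     /* value must fit in the message */
        return -1;
    *pp = p;
    return 0;
}

/* Walk TLVs in [p, end), descending into constructed ones.
 * Returns the number of addresses rewritten, or -1 on malformed input. */
static int snmp_walk(uint8_t *p, uint8_t *end,
                     const uint8_t from[4], const uint8_t to[4])
{
    int count = 0;
    while (p < end) {
        uint8_t tag = *p++;
        size_t len;
        if (ber_len(&p, end, &len))
            return -1;
        if (tag & BER_CONSTRUCTED) {
            int r = snmp_walk(p, p + len, from, to);
            if (r < 0)
                return -1;
            count += r;
        } else if (tag == BER_IPADDRESS && len == 4 && memcmp(p, from, 4) == 0) {
            memcpy(p, to, 4);          /* same length: no TLV re-encoding needed */
            count++;
        }
        p += len;
    }
    return count;
}

/* Entry point: translate addresses inside one SNMP message in place. */
int snmp_alg_rewrite(uint8_t *msg, size_t msg_len,
                     const uint8_t from[4], const uint8_t to[4])
{
    return snmp_walk(msg, msg + msg_len, from, to);
}

/* Constructed SNMPv1 Trap from agent 10.0.0.5 with one IpAddress varbind. */
static const uint8_t sample_trap[] = {
    0x30, 0x37,                                   /* Message SEQUENCE (55) */
      0x02, 0x01, 0x00,                           /* version 0 = SNMPv1 */
      0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c',   /* community */
      0xA4, 0x2A,                                 /* [4] Trap-PDU (42) */
        0x06, 0x05, 0x2B, 0x06, 0x01, 0x04, 0x01, /* enterprise 1.3.6.1.4.1 */
        0x40, 0x04, 0x0A, 0x00, 0x00, 0x05,       /* agent-addr 10.0.0.5 */
        0x02, 0x01, 0x06,                         /* generic-trap */
        0x02, 0x01, 0x01,                         /* specific-trap */
        0x43, 0x01, 0x00,                         /* TimeTicks */
        0x30, 0x12,                               /* varbind list */
          0x30, 0x10,                             /* varbind */
            0x06, 0x08, 0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00,
            0x40, 0x04, 0x0A, 0x00, 0x00, 0x05,   /* value: IpAddress 10.0.0.5 */
};

/* Apply the mapping a SNAT 10.0.0.5 -> 203.0.113.7 would need. Copies the
 * sample into `out` and returns the rewrite count (-1 if `out` is too small). */
int demo_snmp_alg(uint8_t *out, size_t out_size)
{
    static const uint8_t priv[4] = { 10, 0, 0, 5 };
    static const uint8_t pub[4]  = { 203, 0, 113, 7 };
    if (out_size < sizeof sample_trap)
        return -1;
    memcpy(out, sample_trap, sizeof sample_trap);
    return snmp_alg_rewrite(out, sizeof sample_trap, priv, pub);
}

int main(void)
{
    uint8_t buf[sizeof sample_trap];
    printf("rewrote %d IpAddress values\n", demo_snmp_alg(buf, sizeof buf));
    return 0;
}
```

Because IPv4 addresses are a fixed four bytes, the rewrite never changes any TLV length, which is what keeps the "basic" ALG simple; the kernel module additionally repairs the UDP checksum over the modified payload, which this example leaves out. Any length that runs past the end of the datagram is rejected rather than trusted, the check a payload parser sitting in the forwarding path must make before touching memory.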
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP

	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.
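Added example, not kernel code: the lookup behind both the nf_tables fib expression listed earlier and the rpfilter match above, in C against a constructed five-route FIB. `fib_lookup` is a longest-prefix match whose result also carries the route type (local, unicast, blackhole) that the fib expression can query; `rpfilter_pass` applies the reverse-path test to the packet's source address in strict mode, in loose mode (any route back is enough, like rpfilter's `--loose`) and with `--accept-local` semantics. Routes, interface indexes and all names are assumptions for this example.

```c
/* Added example, not kernel code: a toy FIB with longest-prefix lookup and
 * the reverse-path test that the nft fib expression and ipt_rpfilter
 * implement. Routes, interface indexes and names are constructed. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

enum rt_type { RT_UNICAST, RT_LOCAL, RT_BLACKHOLE };

struct route {
    uint32_t prefix;     /* IPv4 address as a host-order integer */
    uint8_t  plen;       /* prefix length */
    enum rt_type type;
    int      oif;        /* output interface index; -1 for blackhole */
};

/* Constructed FIB: eth0 = 0 (uplink), eth1 = 1 (LAN), lo = 99. */
static const struct route sample_fib[] = {
    { 0x0A000000u,  8, RT_UNICAST,    1 },   /* 10.0.0.0/8 via eth1 */
    { 0xC0000200u, 24, RT_UNICAST,    0 },   /* 192.0.2.0/24 on eth0 */
    { 0xC0000201u, 32, RT_LOCAL,     99 },   /* 192.0.2.1: our own address */
    { 0xC6336400u, 24, RT_BLACKHOLE, -1 },   /* 198.51.100.0/24 blackholed */
    { 0x00000000u,  0, RT_UNICAST,    0 },   /* default route via eth0 */
};
#define SAMPLE_FIB_N ((int)(sizeof sample_fib / sizeof sample_fib[0]))

static uint32_t plen_mask(uint8_t plen)
{
    return plen ? 0xffffffffu << (32 - plen) : 0u;
}

/* Longest-prefix match. Returns the index of the best route or -1. */
int fib_lookup(const struct route *fib, int n, uint32_t addr)
{
    int best = -1;
    for (int i = 0; i < n; i++) {
        uint32_t m = plen_mask(fib[i].plen);
        if ((addr & m) == (fib[i].prefix & m) &&
            (best < 0 || fib[i].plen > fib[best].plen))
            best = i;
    }
    return best;
}

/* Route type for addr, as "fib ... type" reports it; -1 if unroutable. */
int fib_route_type(const struct route *fib, int n, uint32_t addr)
{
    int r = fib_lookup(fib, n, addr);
    return r < 0 ? -1 : (int)fib[r].type;
}

/* Reverse path filter: would a reply to saddr leave through iif?
 * strict: the route's output interface must be iif.
 * loose (--loose): any usable route back to saddr is enough.
 * accept_local (--accept-local): allow packets claiming one of our own
 * addresses, which strict mode otherwise treats as spoofed. */
bool rpfilter_pass(const struct route *fib, int n, uint32_t saddr, int iif,
                   bool loose, bool accept_local)
{
    int r = fib_lookup(fib, n, saddr);
    if (r < 0)
        return false;                        /* no route back at all */
    switch (fib[r].type) {
    case RT_BLACKHOLE:
        return false;                        /* replies would be discarded */
    case RT_LOCAL:
        return accept_local;                 /* source claims to be us */
    case RT_UNICAST:
        return loose || fib[r].oif == iif;
    }
    return false;
}

int main(void)
{
    /* 10.1.2.3 arriving on eth0 instead of eth1: strict fails, loose passes */
    printf("strict=%d loose=%d\n",
           rpfilter_pass(sample_fib, SAMPLE_FIB_N, 0x0A010203u, 0, false, false),
           rpfilter_pass(sample_fib, SAMPLE_FIB_N, 0x0A010203u, 0, true, false));
    return 0;
}
```

The same test as a rule, as an illustration rather than anything from this file: `iptables -t raw -A PREROUTING -m rpfilter --invert -j DROP` (the match must live in raw or mangle, hence the `depends on IP_NF_MANGLE || IP_NF_RAW` above), or with nf_tables `fib saddr . iif oif missing drop` in a prerouting chain. Strict mode breaks asymmetric routing, which is why the loose variant exists; the blackhole and local cases show why a reverse-path check is about more than "does a route exist".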
config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.
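Added example, not kernel code: the syncookie arithmetic that lets SYNPROXY answer a SYN without allocating any state. The server's initial sequence number encodes a coarse timestamp counter and an index into a small MSS table under keyed hashes of the 4-tuple, so the handshake can be validated from the client's final ACK alone; only then is a conntrack entry created and the connection replayed to the real server. The layout mirrors the kernel's net/ipv4/syncookies.c, but the keyed hash below is a toy mixer standing in for the kernel's SipHash (it is not secure), and the keys, addresses and function names are constructed for this example.

```c
/* Added example, not kernel code: syncookie encode/decode as SYNPROXY uses it.
 * Layout follows net/ipv4/syncookies.c: cookie = H1(tuple) + client_isn +
 * (count << 24) + ((H2(tuple, count) + mss_index) & 0xffffff).
 * cookie_hash() is a toy keyed mixer standing in for the kernel's SipHash. */
#include <stdint.h>
#include <stdio.h>

#define COOKIEBITS 24
#define COOKIEMASK ((1u << COOKIEBITS) - 1)
#define MAX_SYNCOOKIE_AGE 2          /* counter ticks (minutes) a cookie stays valid */

struct cookie_keys { uint32_t k1, k2; };     /* constructed per-boot secrets */

/* MSS values encodable in the 2-bit index (same table as the kernel). */
static const uint16_t msstab[] = { 536, 1300, 1440, 1460 };

static uint32_t mix32(uint32_t h)
{
    h ^= h >> 16; h *= 0x85ebca6bu;
    h ^= h >> 13; h *= 0xc2b2ae35u;
    h ^= h >> 16;
    return h;
}

/* NOT cryptographically secure: placeholder for the kernel's keyed SipHash. */
static uint32_t cookie_hash(uint32_t saddr, uint32_t daddr, uint16_t sport,
                            uint16_t dport, uint32_t count, uint32_t key)
{
    uint32_t h = mix32(key ^ saddr);
    h = mix32(h ^ daddr);
    h = mix32(h ^ ((uint32_t)sport << 16 | dport));
    return mix32(h ^ count);
}

/* Largest table MSS not exceeding the client's advertised MSS; returns the index. */
int cookie_mss_index(uint16_t mss)
{
    int i = 3;
    while (i > 0 && msstab[i] > mss)
        i--;
    return i;
}

/* Server ISN to put in the SYN-ACK; `count` is the current minute counter. */
uint32_t syn_cookie_make(const struct cookie_keys *k, uint32_t saddr, uint32_t daddr,
                         uint16_t sport, uint16_t dport, uint32_t client_isn,
                         uint32_t count, int mss_index)
{
    return cookie_hash(saddr, daddr, sport, dport, 0, k->k1) + client_isn +
           (count << COOKIEBITS) +
           ((cookie_hash(saddr, daddr, sport, dport, count, k->k2) +
             (uint32_t)mss_index) & COOKIEMASK);
}

/* Validate cookie (= ACK-1 of the client's final ACK) against the 4-tuple and
 * client_isn (= that ACK's SEQ-1). Returns the MSS index, or -1 if stale/forged. */
int syn_cookie_check(const struct cookie_keys *k, uint32_t saddr, uint32_t daddr,
                     uint16_t sport, uint16_t dport, uint32_t client_isn,
                     uint32_t cookie, uint32_t count)
{
    uint32_t c = cookie - client_isn - cookie_hash(saddr, daddr, sport, dport, 0, k->k1);
    uint32_t diff = (count - (c >> COOKIEBITS)) & 0xff;   /* age in counter ticks */
    if (diff >= MAX_SYNCOOKIE_AGE)
        return -1;
    uint32_t then = count - diff;                         /* counter when issued */
    uint32_t idx = (c - (then << COOKIEBITS) -
                    cookie_hash(saddr, daddr, sport, dport, then, k->k2)) & COOKIEMASK;
    return idx < 4 ? (int)idx : -1;                       /* garbage decodes fail here */
}

int main(void)
{
    struct cookie_keys k = { 0x01234567u, 0x89abcdefu };     /* constructed */
    uint32_t saddr = 0xC0000201u, daddr = 0xC6336401u, isn = 0x11223344u;
    int mss = cookie_mss_index(1400);
    uint32_t c = syn_cookie_make(&k, saddr, daddr, 40000, 443, isn, 100, mss);
    printf("mss index %d, cookie %08x, check now=%d, check +2min=%d\n", mss, (unsigned)c,
           syn_cookie_check(&k, saddr, daddr, 40000, 443, isn, c, 100),
           syn_cookie_check(&k, saddr, daddr, 40000, 443, isn, c, 102));
    return 0;
}
```

Everything the proxy needs to finish the handshake is recovered from the cookie itself, which is why a flood of SYNs costs it nothing beyond hashing; the price is that only a handful of MSS values survive the round trip and other SYN options are lost unless carried in TCP timestamps. A forged ACK fails either on the age window or, with overwhelming probability, on the low 24 bits not decoding to a valid index.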
# NAT + specific targets: nf_conntrack
	tristate "iptables NAT support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your IP
	  address will be different on the next dialup).

	  To compile it as a module, choose M here. If unsure, say N.
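Added example, not kernel code and not nf_nat's implementation: the mapping state that the nf_tables nat chain and the MASQUERADE target rely on, in C over a constructed conntrack-style table of original/reply tuples. Outgoing flows get their source rewritten to the interface address, keeping the original source port when it is free and allocating another when two LAN hosts collide; replies are matched on the reverse tuple and their destination restored; flushing the table models why every translated connection dies when the masqueraded interface goes down. Addresses, the port range and all names are assumptions for this example.

```c
/* Added example, not kernel code: a masquerade mapping table in the style of
 * conntrack's original/reply tuples. Addresses, the 1024+ port range and all
 * names are constructed for this example. */
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

struct tuple {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
    uint8_t  proto;
};

/* orig: the flow as the LAN host sent it; reply: packets coming back from the
 * remote host, as seen on the wire (dst = masquerade address and port). */
struct nat_entry { bool used; struct tuple orig, reply; };

#define NAT_MAX 64
struct nat_table { struct nat_entry e[NAT_MAX]; uint32_t masq_addr; };

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport && a->proto == b->proto;
}

/* Would masq_addr:port toward this flow's remote endpoint clash with a live mapping? */
static bool port_in_use(const struct nat_table *t, uint16_t port, const struct tuple *orig)
{
    for (int i = 0; i < NAT_MAX; i++) {
        const struct tuple *r = &t->e[i].reply;
        if (t->e[i].used && r->dport == port && r->saddr == orig->daddr &&
            r->sport == orig->dport && r->proto == orig->proto)
            return true;
    }
    return false;
}

/* POSTROUTING: rewrite the packet's source to masq_addr:port, creating the
 * mapping on first sight. Returns the entry index, -1 if table/ports exhausted. */
int nat_masquerade_out(struct nat_table *t, struct tuple *pkt)
{
    int i, free_slot = -1;
    for (i = 0; i < NAT_MAX; i++) {
        if (!t->e[i].used) {
            if (free_slot < 0)
                free_slot = i;
            continue;
        }
        if (tuple_eq(&t->e[i].orig, pkt))
            break;                                    /* known flow */
    }
    if (i == NAT_MAX) {                               /* new flow */
        if (free_slot < 0)
            return -1;
        uint16_t port = pkt->sport;                   /* keep it if free... */
        if (port_in_use(t, port, pkt)) {              /* ...else allocate */
            for (port = 1024; port != 0 && port_in_use(t, port, pkt); port++)
                ;
            if (port == 0)
                return -1;
        }
        i = free_slot;
        t->e[i].used = true;
        t->e[i].orig = *pkt;
        t->e[i].reply = (struct tuple){ .saddr = pkt->daddr, .daddr = t->masq_addr,
                                        .sport = pkt->dport, .dport = port,
                                        .proto = pkt->proto };
    }
    pkt->saddr = t->e[i].reply.daddr;
    pkt->sport = t->e[i].reply.dport;
    return i;
}

/* PREROUTING for a reply: restore the private destination. -1 if no mapping,
 * in which case the packet is for the router itself, not for a LAN host. */
int nat_masquerade_in(const struct nat_table *t, struct tuple *pkt)
{
    for (int i = 0; i < NAT_MAX; i++) {
        if (t->e[i].used && tuple_eq(&t->e[i].reply, pkt)) {
            pkt->daddr = t->e[i].orig.saddr;
            pkt->dport = t->e[i].orig.sport;
            return i;
        }
    }
    return -1;
}

/* Interface down or address changed: masquerade mappings are dropped,
 * so every translated connection is lost. Returns how many. */
int nat_masquerade_flush(struct nat_table *t)
{
    int n = 0;
    for (int i = 0; i < NAT_MAX; i++)
        if (t->e[i].used) {
            t->e[i].used = false;
            n++;
        }
    return n;
}

int main(void)
{
    struct nat_table t = { .masq_addr = 0xCB00710Au };            /* 203.0.113.10 */
    struct tuple a = { 0x0A000005u, 0xC6336401u, 50000, 443, 6 }; /* 10.0.0.5 -> 198.51.100.1:443 */
    struct tuple b = { 0x0A000006u, 0xC6336401u, 50000, 443, 6 }; /* 10.0.0.6, same source port */
    nat_masquerade_out(&t, &a);
    nat_masquerade_out(&t, &b);
    printf("a -> %u, b -> %u (collision resolved)\n", a.sport, b.sport);
    return 0;
}
```

Only the outer headers are touched: an address carried inside a payload, such as the agent-addr of the SNMP traps handled by the SNMP-ALG entry earlier in this file, is invisible to this mapping and needs a protocol-specific helper. Unsolicited inbound packets that match no reply tuple are not forwarded to any LAN host, which is the incidental firewalling effect of masquerading; it is not a substitute for filter rules.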
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

# mangle + specific targets
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	select NETFILTER_FAMILY_ARP
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.
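Added example, not kernel code: what the ECN target's `--ecn-ip-ect 0` operation does to the IPv4 header, in C on a constructed 20-byte header. It clears the two ECN bits of the TOS byte and repairs the header checksum incrementally (RFC 1624) rather than recomputing it, the way a mangle-table target has to keep the packet valid without rescanning it. The header bytes and function names are constructed for this example; the TCP ECE/CWR variant (`--ecn-tcp-remove`) is not shown.

```c
/* Added example, not kernel code: clear IPv4 ECN bits the way the ECN target
 * does for --ecn-ip-ect 0, fixing the header checksum incrementally (RFC 1624).
 * The sample header and function names are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define IPTOS_ECN_MASK 0x03      /* ECT(1), ECT(0), CE live in the low TOS bits */

/* Internet checksum over `len` bytes. A header whose checksum field is correct
 * folds to 0xffff, so this returns 0 for a valid header. */
uint16_t ip_checksum(const uint8_t *hdr, size_t len)
{
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)hdr[i] << 8 | hdr[i + 1];
    if (len & 1)
        sum += (uint32_t)hdr[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), for one 16-bit word changed m -> m'. */
void csum_replace2(uint16_t *csum, uint16_t from, uint16_t to)
{
    uint32_t sum = (uint16_t)~*csum;
    sum += (uint16_t)~from;
    sum += to;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    *csum = (uint16_t)~sum;
}

/* Clear the ECN field. Returns 1 if the header was changed, 0 if nothing to do,
 * -1 if this is not a plausible IPv4 header. */
int ecn_ip_clear(uint8_t *iph, size_t len)
{
    if (len < 20 || (iph[0] >> 4) != 4)
        return -1;
    uint8_t tos = iph[1];
    if (!(tos & IPTOS_ECN_MASK))
        return 0;
    uint8_t  ntos = (uint8_t)(tos & ~IPTOS_ECN_MASK);
    uint16_t oldw = (uint16_t)(iph[0] << 8 | tos);     /* word 0: ver/ihl + tos */
    uint16_t neww = (uint16_t)(iph[0] << 8 | ntos);
    uint16_t csum = (uint16_t)(iph[10] << 8 | iph[11]);
    csum_replace2(&csum, oldw, neww);
    iph[1]  = ntos;
    iph[10] = (uint8_t)(csum >> 8);
    iph[11] = (uint8_t)(csum & 0xff);
    return 1;
}

/* Constructed IPv4/TCP header 192.0.2.1 -> 198.51.100.1 with TOS = CE (0x03),
 * checksum filled in. */
void build_sample_header(uint8_t h[20])
{
    static const uint8_t tmpl[20] = {
        0x45, 0x03, 0x00, 0x34, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
        192, 0, 2, 1,  198, 51, 100, 1
    };
    memcpy(h, tmpl, 20);
    uint16_t c = ip_checksum(h, 20);      /* field is zero in the template */
    h[10] = (uint8_t)(c >> 8);
    h[11] = (uint8_t)(c & 0xff);
}

int main(void)
{
    uint8_t h[20];
    build_sample_header(h);
    int changed = ecn_ip_clear(h, 20);
    printf("changed=%d tos=0x%02x checksum valid=%d\n",
           changed, h[1], ip_checksum(h, 20) == 0);
    return 0;
}
```

The matching rule, as an illustration only: `iptables -t mangle -A POSTROUTING -d 198.51.100.0/24 -j ECN --ecn-ip-ect 0`, scoped to the destinations known to blackhole ECN-marked traffic so the rest of the internet keeps the benefit. Clearing the bits silently also discards any congestion signal (CE) the path had set, which is the trade-off the help text alludes to.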
config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

endif # IP_NF_IPTABLES

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	select NETFILTER_FAMILY_ARP
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES