# IP netfilter configuration
menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is the IPv4 support for layer 3 independent connection tracking,
	  an experimental scheme which generalizes ip_conntrack to support
	  other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	depends on NF_NAT_IPV4 && NFT_NAT
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4

	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_PROTO_GRE
	depends on NF_CT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage during
	  SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.
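The `depends on` and `select` clauses in entries such as IP_NF_TARGET_SYNPROXY and IP_NF_MATCH_RPFILTER above, and the backwards-compat entries like IP_NF_MATCH_ECN that exist only to `select` an xtables module, decide what a given .config can actually build. The following is an added example, not kernel code or the kconfig tool: a small evaluator for Kconfig dependency expressions with `select` semantics. The clauses in ENTRIES are copied from this file; the .config values it is fed are constructed.

```python
import re

# Clauses below are copied from four entries of this Kconfig; the evaluator and
# checker around them are an added example, not the kernel's kconfig tool.
ENTRIES = {
    "NF_CONNTRACK_IPV4": {"depends": ["NF_CONNTRACK"], "select": []},
    "IP_NF_TARGET_SYNPROXY": {"depends": ["NF_CONNTRACK && NETFILTER_ADVANCED"],
                              "select": ["NETFILTER_SYNPROXY"]},
    "IP_NF_MATCH_RPFILTER": {"depends": ["NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)"],
                             "select": []},
    "IP_NF_MATCH_ECN": {"depends": ["NETFILTER_ADVANCED"], "select": ["NETFILTER_XT_MATCH_ECN"]},
}
TOK = re.compile(r"\(|\)|&&|\|\||!|\w+=[ynm]|\w+")
PREC = {"||": 0, "&&": 1}           # && binds tighter than ||
ORDER = {"n": 0, "m": 1, "y": 2}    # tristate ordering used by 'select'

def evaluate(expr, cfg):
    """Precedence-climbing evaluation of a Kconfig expression: !, &&, ||, ( ), SYM=val."""
    toks = TOK.findall(expr)
    def atom():
        t = toks.pop(0)
        if t == "(":
            v = binop(0); toks.pop(0); return v              # second pop eats ')'
        if t == "!":
            return not atom()
        sym, _, val = t.partition("=")                       # unset symbols read as 'n'
        return cfg.get(sym, "n") == val if val else cfg.get(sym, "n") != "n"
    def binop(prec):
        v = atom()
        while toks and toks[0] in PREC and PREC[toks[0]] >= prec:
            op = toks.pop(0); r = binop(PREC[op] + 1)
            v = (v and r) if op == "&&" else (v or r)
        return v
    return binop(0)

def unmet(entries, cfg):
    """Symbols enabled (y/m) in cfg whose 'depends on' clauses fail, with the failing clauses."""
    return {sym: [d for d in e["depends"] if not evaluate(d, cfg)]
            for sym, e in entries.items()
            if cfg.get(sym, "n") != "n" and not all(evaluate(d, cfg) for d in e["depends"])}

def apply_selects(entries, cfg):
    """Mirror kconfig 'select': each selected symbol is raised to at least the selector's value."""
    out = dict(cfg)
    for sym, e in entries.items():
        for target in e["select"]:
            if ORDER[out.get(sym, "n")] > ORDER[out.get(target, "n")]:
                out[target] = out[sym]
    return out
```

With NETFILTER_ADVANCED=n the SYNPROXY, rpfilter and ecn entries all report an unmet dependency, which is why they are invisible in menuconfig until that option is enabled.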
# NAT + specific targets: nf_conntrack
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_MASQUERADE_IPV4

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on the next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

# mangle + specific targets
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

endif # IP_NF_IPTABLES

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES