# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.
	tristate "IPv4 nf_tables support"
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and

config NFT_REJECT_IPV4

endif # NF_TABLES_IPV4

	tristate "ARP nf_tables support"
	  This option enables the ARP support for nf_tables.

	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_MASQUERADE_IPV4
	  This is the expression that provides IPv4 masquerading support for

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_REDIRECT
	  This is the expression that provides IPv4 redirect support for

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_PROTO_GRE
	depends on NF_CT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323
config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.
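The reverse-path check that the rpfilter help text describes, as an added example that is not kernel code: a constructed routing table, a longest-prefix lookup, and a strict check that the reply to a packet's source address would leave through the interface the packet arrived on, plus a loose variant that accepts any route back. The table, interface names, addresses and sample packets are all made up for the illustration.

```python
"""Reverse-path filtering as described for the rpfilter match above.
Added illustration, not the kernel's ipt_rpfilter; the routing table,
interface names and sample packets are constructed for this example."""
import ipaddress

# Constructed routing table: (destination prefix, output interface).
# The most specific matching prefix wins, as in a real FIB lookup.
ROUTES = [
    ("0.0.0.0/0", "eth0"),      # default route towards the upstream
    ("10.0.0.0/8", "eth1"),     # internal networks
    ("10.0.5.0/24", "eth2"),    # one internal subnet on its own port
]


def route_lookup(dst):
    """Return the output interface for dst by longest-prefix match,
    or None if no route covers it."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in ROUTES:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpfilter(src, in_iface, loose=False):
    """Strict reverse-path check: the interface a reply to src would use
    must be the interface the packet arrived on. With loose=True any
    route back to src is accepted, which asymmetric-routing setups need
    but which no longer catches a source spoofed from the wrong port."""
    out_iface = route_lookup(src)
    if out_iface is None:
        return False            # unroutable source: a reply could not go anywhere
    return True if loose else out_iface == in_iface


# Constructed sample packets: (source address, ingress interface).
SAMPLE_PACKETS = [
    ("203.0.113.9", "eth0"),    # ordinary internet host arriving from upstream
    ("10.0.1.20", "eth1"),      # internal host on the internal port
    ("10.0.5.7", "eth2"),       # host on the 10.0.5.0/24 port
    ("10.0.5.7", "eth0"),       # internal address arriving from upstream: spoofed
    ("10.0.5.7", "eth1"),       # right supernet, wrong port: fails strict, passes loose
]


def filter_packets(packets, loose=False):
    """Return the (src, iface) pairs the strict or loose check rejects."""
    return [pkt for pkt in packets if not rpfilter(pkt[0], pkt[1], loose)]


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt, "strict:", rpfilter(*pkt), "loose:", rpfilter(*pkt, loose=True))
```

The strict form is the one worth enabling on a border interface: a packet claiming an internal source but arriving from the upstream port has no consistent reverse path and is rejected without any per-flow state.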
config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than the packet being silently dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage during
	  SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.
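Why a syncookie-based proxy needs no state per half-open connection, as an added example that is not the kernel's syncookie or SYNPROXY code: the proxy answers a SYN with a sequence number that is a keyed hash of the connection identity plus a time counter and an encoded MSS, stores nothing, and only when the final ACK echoes a valid cookie does it open the connection to the real server. The cookie layout (8-bit counter, 2-bit MSS index, 22-bit MAC), the key and the packets are constructed for this illustration and are simpler than the real scheme.

```python
"""A stateless SYN-cookie handshake of the kind the SYNPROXY help text
refers to. Added illustration with a simplified cookie layout; it is not
the kernel's syncookie code, and the key and packets are constructed."""
import hashlib
import hmac

KEY = b"constructed-demo-key"        # a real implementation uses a random, rotated key
MSS_TABLE = [536, 1220, 1440, 1460]  # MSS values encodable in the 2-bit field


def _mac(src, dst, sport, dport, client_seq, counter):
    """22-bit keyed hash over the connection identity and the time counter."""
    msg = f"{src}:{sport}>{dst}:{dport}|{client_seq}|{counter}".encode()
    digest = hmac.new(KEY, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x3FFFFF


def make_cookie(src, dst, sport, dport, client_seq, mss, counter):
    """Build the SYN-ACK sequence number: 8-bit counter | 2-bit MSS index |
    22-bit MAC. Nothing has to be stored for the half-open connection."""
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    mac = _mac(src, dst, sport, dport, client_seq, counter)
    return ((counter & 0xFF) << 24) | (mss_idx << 22) | mac


def check_cookie(src, dst, sport, dport, client_seq, cookie, now, window=2):
    """Validate the cookie echoed in the final ACK (its ack number minus one).
    Returns the negotiated MSS, or None if the cookie is forged or stale."""
    counter = cookie >> 24
    if (now - counter) & 0xFF > window:
        return None                              # too old: outside the accept window
    if (cookie & 0x3FFFFF) != _mac(src, dst, sport, dport, client_seq, counter):
        return None                              # MAC mismatch: not issued by us
    return MSS_TABLE[(cookie >> 22) & 0x3]


def answer_syn(syn, now):
    """Proxy step 1: the sequence number to put in the SYN-ACK. The SYN is a
    constructed dict with src, dst, sport, dport, seq and mss; no state is kept."""
    return make_cookie(syn["src"], syn["dst"], syn["sport"], syn["dport"],
                       syn["seq"], syn["mss"], now)


def accept_ack(ack, now):
    """Proxy step 2: the final ACK carries the client's seq+1 and our cookie+1.
    Only a valid cookie leads to a connection towards the real server."""
    return check_cookie(ack["src"], ack["dst"], ack["sport"], ack["dport"],
                        ack["seq"] - 1, ack["ack"] - 1, now)


if __name__ == "__main__":
    syn = {"src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40001,
           "dport": 80, "seq": 1000, "mss": 1452}
    cookie = answer_syn(syn, now=5)
    ack = dict(syn, seq=1001, ack=cookie + 1)
    print("valid ACK ->", accept_ack(ack, now=5))
    print("stale ACK ->", accept_ack(ack, now=9))
```

A flood of SYNs therefore costs the proxy one hash per packet and no memory; only clients that complete the handshake consume a conntrack entry and a server-side socket.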
# NAT + specific targets: nf_conntrack
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XT_NAT
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your IP
	  address will be different on the next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.
# mangle + specific targets
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

endif # IP_NF_IPTABLES
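As an added example that is not part of the kernel build system, a small resolver for the `depends on` / `select` relations transcribed from this fragment. It shows the Kconfig rule that matters when reading the options above: a `select` pulls a symbol such as NF_REJECT_IPV4 or NETFILTER_XTABLES in automatically, while an option like IP_NF_MATCH_RPFILTER stays unusable until NETFILTER_ADVANCED and one of IP_NF_MANGLE or IP_NF_RAW are enabled. Tristates are reduced to on/off, `default` lines are ignored, and the IP_NF_IPTABLES term on the iptables sub-options is inferred from the `endif # IP_NF_IPTABLES` that closes their block.

```python
"""Resolve 'depends on' and 'select' relations for a subset of the symbols
in this Kconfig fragment. Added helper, not kernel tooling: tristates are
reduced to on/off, 'default' lines are ignored, and the rules are the
documented Kconfig ones: 'select' switches a symbol on regardless of its
own dependencies, while an enabled symbol only makes sense if its
'depends on' expression is satisfied."""
import re

# Transcribed from the fragment: symbol -> (depends-on expression, selects).
# The IP_NF_IPTABLES term on the iptables sub-options is inferred from the
# enclosing block that 'endif # IP_NF_IPTABLES' closes.
KCONFIG = {
    "NF_CONNTRACK_IPV4": ("NF_CONNTRACK", []),
    "NF_CONNTRACK_PROC_COMPAT": ("NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4", []),
    "IP_NF_IPTABLES": ("INET && NETFILTER", ["NETFILTER_XTABLES"]),
    "IP_NF_FILTER": ("IP_NF_IPTABLES", []),
    "IP_NF_MANGLE": ("IP_NF_IPTABLES", []),
    "IP_NF_RAW": ("IP_NF_IPTABLES", []),
    "IP_NF_MATCH_RPFILTER": ("IP_NF_IPTABLES && NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)", []),
    "IP_NF_TARGET_REJECT": ("IP_NF_IPTABLES && IP_NF_FILTER", ["NF_REJECT_IPV4"]),
    "IP_NF_TARGET_SYNPROXY": ("IP_NF_IPTABLES && NF_CONNTRACK && NETFILTER_ADVANCED", ["NETFILTER_SYNPROXY"]),
    "IP_NF_TARGET_CLUSTERIP": ("IP_NF_IPTABLES && IP_NF_MANGLE && NF_CONNTRACK_IPV4 && NETFILTER_ADVANCED", ["NF_CONNTRACK_MARK"]),
    "IP_NF_ARPTABLES": ("NETFILTER_ADVANCED", ["NETFILTER_XTABLES"]),
}

_TOKEN = re.compile(r"&&|\|\||[()!]|[A-Za-z0-9_]+")


def evaluate(expr, enabled):
    """Evaluate a Kconfig boolean expression (&&, ||, !, parentheses and
    bare symbols) against the set of enabled symbols, by recursive descent."""
    tokens = _TOKEN.findall(expr)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        return tok

    def or_expr():                      # and_expr ('||' and_expr)*
        value = and_expr()
        while peek() == "||":
            take()
            value = and_expr() or value
        return value

    def and_expr():                     # factor ('&&' factor)*
        value = factor()
        while peek() == "&&":
            take()
            value = factor() and value
        return value

    def factor():                       # '!' factor | '(' or_expr ')' | SYMBOL
        tok = take()
        if tok == "!":
            return not factor()
        if tok == "(":
            value = or_expr()
            if take() != ")":
                raise ValueError("unbalanced parentheses in " + expr)
            return value
        return tok in enabled

    if not tokens:
        return True                     # no 'depends on' line: always visible
    result = or_expr()
    if peek() is not None:
        raise ValueError("trailing tokens in " + expr)
    return result


def closure(enabled):
    """All symbols that end up on after following 'select' transitively."""
    on = set(enabled)
    pending = list(on)
    while pending:
        for selected in KCONFIG.get(pending.pop(), ("", []))[1]:
            if selected not in on:
                on.add(selected)
                pending.append(selected)
    return on


def unmet(enabled):
    """Symbols that are on but whose 'depends on' is not satisfied, mapped
    to the failing expression. Selected symbols count as on, so a 'select'
    of something with unmet dependencies shows up here too."""
    on = closure(enabled)
    return {sym: KCONFIG[sym][0] for sym in sorted(on)
            if sym in KCONFIG and not evaluate(KCONFIG[sym][0], on)}


if __name__ == "__main__":
    chosen = {"INET", "NETFILTER", "NF_CONNTRACK", "IP_NF_IPTABLES",
              "IP_NF_FILTER", "IP_NF_TARGET_REJECT", "IP_NF_MATCH_RPFILTER"}
    print("on:", sorted(closure(chosen)))
    print("unmet:", unmet(chosen))
```

Run as-is it reports IP_NF_MATCH_RPFILTER as unmet, which is exactly the case where the option never appears in menuconfig until NETFILTER_ADVANCED is switched on; adding NETFILTER_ADVANCED and IP_NF_RAW to the chosen set clears it.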
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES