2 # IP netfilter configuration
5 menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
12 config NF_CONNTRACK_IPV4
13 tristate "IPv4 connection tracking support (required for NAT)"
14 depends on NF_CONNTRACK
15 default m if NETFILTER_ADVANCED=n
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are related
22 This is IPv4 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is experimental scheme
24 which generalize ip_conntrack to support other layer 3 protocols.
26 To compile it as a module, choose M here. If unsure, say N.
28 config NF_CONNTRACK_PROC_COMPAT
29 bool "proc/sysctl compatibility with old connection tracking"
30 depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
33 This option enables /proc and sysctl compatibility with the old
34 layer 3 dependent connection tracking. This is needed to keep
35 old programs that have not been adapted to the new names working.
40 tristate "IP tables support (required for filtering/masq/NAT)"
41 default m if NETFILTER_ADVANCED=n
42 select NETFILTER_XTABLES
44 iptables is a general, extensible packet identification framework.
45 The packet filtering and full NAT (masquerading, port forwarding,
46 etc) subsystems now use this: say `Y' or `M' here if you want to use
49 To compile it as a module, choose M here. If unsure, say N.
55 tristate '"ah" match support'
56 depends on NETFILTER_ADVANCED
58 This match extension allows you to match a range of SPIs
59 inside AH header of IPSec packets.
61 To compile it as a module, choose M here. If unsure, say N.
63 config IP_NF_MATCH_ECN
64 tristate '"ecn" match support'
65 depends on NETFILTER_ADVANCED
66 select NETFILTER_XT_MATCH_ECN
68 This is a backwards-compat option for the user's convenience
69 (e.g. when running oldconfig). It selects
70 CONFIG_NETFILTER_XT_MATCH_ECN.
72 config IP_NF_MATCH_RPFILTER
73 tristate '"rpfilter" reverse path filter match support'
74 depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
76 This option allows you to match packets whose replies would
77 go out via the interface the packet came in.
79 To compile it as a module, choose M here. If unsure, say N.
80 The module will be called ipt_rpfilter.
82 config IP_NF_MATCH_TTL
83 tristate '"ttl" match support'
84 depends on NETFILTER_ADVANCED
85 select NETFILTER_XT_MATCH_HL
87 This is a backwards-compat option for the user's convenience
88 (e.g. when running oldconfig). It selects
89 CONFIG_NETFILTER_XT_MATCH_HL.
91 # `filter', generic and specific targets
93 tristate "Packet filtering"
94 default m if NETFILTER_ADVANCED=n
96 Packet filtering defines a table `filter', which has a series of
97 rules for simple packet filtering at local input, forwarding and
98 local output. See the man page for iptables(8).
100 To compile it as a module, choose M here. If unsure, say N.
102 config IP_NF_TARGET_REJECT
103 tristate "REJECT target support"
104 depends on IP_NF_FILTER
105 default m if NETFILTER_ADVANCED=n
107 The REJECT target allows a filtering rule to specify that an ICMP
108 error should be issued in response to an incoming packet, rather
109 than silently being dropped.
111 To compile it as a module, choose M here. If unsure, say N.
113 config IP_NF_TARGET_REJECT_SKERR
114 bool "Force socket error when rejecting with icmp*"
115 depends on IP_NF_TARGET_REJECT
118 This option enables turning a "--reject-with icmp*" into a matching
120 The REJECT target normally allows sending an ICMP message. But it
121 leaves the local socket unaware of any ingress rejects.
125 config IP_NF_TARGET_ULOG
126 tristate "ULOG target support"
127 default m if NETFILTER_ADVANCED=n
130 This option enables the old IPv4-only "ipt_ULOG" implementation
131 which has been obsoleted by the new "nfnetlink_log" code (see
132 CONFIG_NETFILTER_NETLINK_LOG).
134 This option adds a `ULOG' target, which allows you to create rules in
135 any iptables table. The packet is passed to a userspace logging
136 daemon using netlink multicast sockets; unlike the LOG target
137 which can only be viewed through syslog.
139 The appropriate userspace logging daemon (ulogd) may be obtained from
140 <http://www.netfilter.org/projects/ulogd/index.html>
142 To compile it as a module, choose M here. If unsure, say N.
144 # NAT + specific targets: nf_conntrack
147 depends on NF_CONNTRACK_IPV4
148 default m if NETFILTER_ADVANCED=n
151 The IPv4 NAT option allows masquerading, port forwarding and other
152 forms of full Network Address Port Translation. It is controlled by
153 the `nat' table in iptables: see the man page for iptables(8).
155 To compile it as a module, choose M here. If unsure, say N.
159 config IP_NF_TARGET_MASQUERADE
160 tristate "MASQUERADE target support"
161 default m if NETFILTER_ADVANCED=n
163 Masquerading is a special case of NAT: all outgoing connections are
164 changed to seem to come from a particular interface's address, and
165 if the interface goes down, those connections are lost. This is
166 only useful for dialup accounts with dynamic IP address (ie. your IP
167 address will be different on next dialup).
169 To compile it as a module, choose M here. If unsure, say N.
171 config IP_NF_TARGET_NETMAP
172 tristate "NETMAP target support"
173 depends on NETFILTER_ADVANCED
174 select NETFILTER_XT_TARGET_NETMAP
176 This is a backwards-compat option for the user's convenience
177 (e.g. when running oldconfig). It selects
178 CONFIG_NETFILTER_XT_TARGET_NETMAP.
180 config IP_NF_TARGET_REDIRECT
181 tristate "REDIRECT target support"
182 depends on NETFILTER_ADVANCED
183 select NETFILTER_XT_TARGET_REDIRECT
185 This is a backwards-compat option for the user's convenience
186 (e.g. when running oldconfig). It selects
187 CONFIG_NETFILTER_XT_TARGET_REDIRECT.
191 config NF_NAT_SNMP_BASIC
192 tristate "Basic SNMP-ALG support"
193 depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
194 depends on NETFILTER_ADVANCED
195 default NF_NAT && NF_CONNTRACK_SNMP
198 This module implements an Application Layer Gateway (ALG) for
199 SNMP payloads. In conjunction with NAT, it allows a network
200 management system to access multiple private networks with
201 conflicting addresses. It works by modifying IP addresses
202 inside SNMP payloads to match IP-layer NAT mapping.
204 This is the "basic" form of SNMP-ALG, as described in RFC 2962
206 To compile it as a module, choose M here. If unsure, say N.
208 # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
209 # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
210 # From kconfig-language.txt:
212 # <expr> '&&' <expr> (6)
214 # (6) Returns the result of min(/expr/, /expr/).
216 config NF_NAT_PROTO_GRE
218 depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE
222 depends on NF_CONNTRACK && NF_NAT_IPV4
223 default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
224 select NF_NAT_PROTO_GRE
228 depends on NF_CONNTRACK && NF_NAT_IPV4
229 default NF_NAT_IPV4 && NF_CONNTRACK_H323
231 # mangle + specific targets
233 tristate "Packet mangling"
234 default m if NETFILTER_ADVANCED=n
236 This option adds a `mangle' table to iptables: see the man page for
237 iptables(8). This table is used for various packet alterations
238 which can effect how the packet is routed.
240 To compile it as a module, choose M here. If unsure, say N.
242 config IP_NF_TARGET_CLUSTERIP
243 tristate "CLUSTERIP target support"
244 depends on IP_NF_MANGLE
245 depends on NF_CONNTRACK_IPV4
246 depends on NETFILTER_ADVANCED
247 select NF_CONNTRACK_MARK
249 The CLUSTERIP target allows you to build load-balancing clusters of
250 network servers without having a dedicated load-balancing
251 router/server/switch.
253 To compile it as a module, choose M here. If unsure, say N.
255 config IP_NF_TARGET_ECN
256 tristate "ECN target support"
257 depends on IP_NF_MANGLE
258 depends on NETFILTER_ADVANCED
260 This option adds a `ECN' target, which can be used in the iptables mangle
263 You can use this target to remove the ECN bits from the IPv4 header of
264 an IP packet. This is particularly useful, if you need to work around
265 existing ECN blackholes on the internet, but don't want to disable
266 ECN support in general.
268 To compile it as a module, choose M here. If unsure, say N.
270 config IP_NF_TARGET_TTL
271 tristate '"TTL" target support'
272 depends on NETFILTER_ADVANCED && IP_NF_MANGLE
273 select NETFILTER_XT_TARGET_HL
275 This is a backwards-compatible option for the user's convenience
276 (e.g. when running oldconfig). It selects
277 CONFIG_NETFILTER_XT_TARGET_HL.
279 # raw + specific targets
281 tristate 'raw table support (required for NOTRACK/TRACE)'
283 This option adds a `raw' table to iptables. This table is the very
284 first in the netfilter framework and hooks in at the PREROUTING
287 If you want to compile it as a module, say M here and read
288 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
290 # security table for MAC policy
291 config IP_NF_SECURITY
292 tristate "Security table"
294 depends on NETFILTER_ADVANCED
296 This option adds a `security' table to iptables, for use
297 with Mandatory Access Control (MAC) policy.
301 endif # IP_NF_IPTABLES
304 config IP_NF_ARPTABLES
305 tristate "ARP tables support"
306 select NETFILTER_XTABLES
307 depends on NETFILTER_ADVANCED
309 arptables is a general, extensible packet identification framework.
310 The ARP packet filtering and mangling (manipulation)subsystems
311 use this: say Y or M here if you want to use either of those.
313 To compile it as a module, choose M here. If unsure, say N.
317 config IP_NF_ARPFILTER
318 tristate "ARP packet filtering"
320 ARP packet filtering defines a table `filter', which has a series of
321 rules for simple ARP packet filtering at local input and
322 local output. On a bridge, you can also specify filtering rules
323 for forwarded ARP packets. See the man page for arptables(8).
325 To compile it as a module, choose M here. If unsure, say N.
327 config IP_NF_ARP_MANGLE
328 tristate "ARP payload mangling"
330 Allows altering the ARP packet payload: source and destination
331 hardware and network addresses.
333 endif # IP_NF_ARPTABLES