# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.
config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n

config NF_TABLES_IPV4
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.
config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n
config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4

	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.
config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.
config NF_NAT_PROTO_GRE
	depends on NF_CT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323
config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.
# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.
# NAT + specific targets: nf_conntrack
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.
# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.
# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

endif # IP_NF_IPTABLES
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
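The `depends on` and `select` lines above decide whether a hardening option such as the rpfilter match (needs IP_NF_MANGLE or IP_NF_RAW) or the SYNPROXY target (pulls in NETFILTER_SYNPROXY) can actually be switched on in a kernel build. As an added example, not part of the kernel's Kconfig, the Python script below parses a constructed excerpt of those lines and reports which dependencies a given set of enabled symbols leaves unmet; it assumes expressions use only `&&`, `||`, `!` and parentheses.

```python
import re
# Constructed excerpt: dependency lines of three options from the Kconfig above.
KCONFIG = """
config IP_NF_MATCH_RPFILTER
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
config IP_NF_TARGET_SYNPROXY
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
config IP_NF_TARGET_CLUSTERIP
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	select NF_CONNTRACK_MARK
"""

def parse_kconfig(text):
    """Map each symbol to its 'depends on' expressions and 'select' targets."""
    opts, cur = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("config "):
            cur = line.split()[1]
            opts[cur] = {"depends": [], "select": []}
        elif cur and line.startswith("depends on "):
            opts[cur]["depends"].append(line[len("depends on "):])
        elif cur and line.startswith("select "):
            opts[cur]["select"].append(line.split()[1])
    return opts

def eval_expr(expr, enabled):
    """Evaluate a Kconfig boolean expression (&&, ||, !, parentheses; no
    '=value' comparisons) against the set of enabled symbols."""
    toks = re.findall(r"\(|\)|&&|\|\||!|\w+", expr)
    def primary():
        t = toks.pop(0)
        if t == "(":
            v = disj(); toks.pop(0); return v        # drop the closing ")"
        return not primary() if t == "!" else t in enabled
    def chain(lower, op, combine):                   # left-assoc binary op
        v = lower()
        while toks and toks[0] == op:
            toks.pop(0); v = combine(v, lower())     # always consume tokens
        return v
    conj = lambda: chain(primary, "&&", lambda a, b: a and b)
    disj = lambda: chain(conj, "||", lambda a, b: a or b)   # binds loosest
    return disj()

def check_option(opts, sym, enabled):
    """Return (unmet, selected): 'depends on' clauses the config leaves
    unsatisfied, and symbols kconfig would turn on via 'select' unasked."""
    unmet = [d for d in opts[sym]["depends"] if not eval_expr(d, enabled)]
    return unmet, opts[sym]["select"]
```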