Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | # |
2 | # IP netfilter configuration | |
3 | # | |
4 | ||
5 | menu "IP: Netfilter Configuration" | |
6 | depends on INET && NETFILTER | |
7 | ||
8 | # connection tracking, helpers and protocols | |
9 | config IP_NF_CONNTRACK | |
10 | tristate "Connection tracking (required for masq/NAT)" | |
11 | ---help--- | |
12 | Connection tracking keeps a record of what packets have passed | |
13 | through your machine, in order to figure out how they are related | |
14 | into connections. | |
15 | ||
16 | This is required to do Masquerading or other kinds of Network | |
17 | Address Translation (except for Fast NAT). It can also be used to | |
18 | enhance packet filtering (see `Connection state match support' | |
19 | below). | |
20 | ||
21 | To compile it as a module, choose M here. If unsure, say N. | |
22 | ||
23 | config IP_NF_CT_ACCT | |
24 | bool "Connection tracking flow accounting" | |
25 | depends on IP_NF_CONNTRACK | |
26 | help | |
27 | If this option is enabled, the connection tracking code will | |
28 | keep per-flow packet and byte counters. | |
29 | ||
30 | Those counters can be used for flow-based accounting or the | |
31 | `connbytes' match. | |
32 | ||
33 | If unsure, say `N'. | |
34 | ||
35 | config IP_NF_CONNTRACK_MARK | |
36 | bool 'Connection mark tracking support' | |
37 | help | |
38 | This option enables support for connection marks, used by the | |
39 | `CONNMARK' target and `connmark' match. Similar to the mark value | |
40 | of packets, but this mark value is kept in the conntrack session | |
41 | instead of the individual packets. | |
42 | ||
ac3247ba HW |
43 | config IP_NF_CONNTRACK_EVENTS |
44 | bool "Connection tracking events" | |
45 | depends on IP_NF_CONNTRACK | |
46 | help | |
47 | If this option is enabled, the connection tracking code will | |
48 | provide a notifier chain that can be used by other kernel code | |
49 | to get notified about changes in the connection tracking state. | |
50 | ||
51 | If unsure, say `N'. | |
52 | ||
1da177e4 LT |
53 | config IP_NF_CT_PROTO_SCTP |
54 | tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)' | |
55 | depends on IP_NF_CONNTRACK && EXPERIMENTAL | |
56 | help | |
57 | With this option enabled, the connection tracking code will | |
58 | be able to do state tracking on SCTP connections. | |
59 | ||
60 | If you want to compile it as a module, say M here and read | |
61 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
62 | ||
63 | config IP_NF_FTP | |
64 | tristate "FTP protocol support" | |
65 | depends on IP_NF_CONNTRACK | |
66 | help | |
67 | Tracking FTP connections is problematic: special helpers are | |
68 | required for tracking them, and doing masquerading and other forms | |
69 | of Network Address Translation on them. | |
70 | ||
71 | To compile it as a module, choose M here. If unsure, say Y. | |
72 | ||
73 | config IP_NF_IRC | |
74 | tristate "IRC protocol support" | |
75 | depends on IP_NF_CONNTRACK | |
76 | ---help--- | |
77 | There is a commonly-used extension to IRC called | |
78 | Direct Client-to-Client Protocol (DCC). This enables users to send | |
79 | files to each other, and also chat to each other without the need | |
80 | of a server. DCC Sending is used anywhere you send files over IRC, | |
81 | and DCC Chat is most commonly used by Eggdrop bots. If you are | |
82 | using NAT, this extension will enable you to send files and initiate | |
83 | chats. Note that you do NOT need this extension to get files or | |
84 | have others initiate chats, or everything else in IRC. | |
85 | ||
86 | To compile it as a module, choose M here. If unsure, say Y. | |
87 | ||
88 | config IP_NF_TFTP | |
89 | tristate "TFTP protocol support" | |
90 | depends on IP_NF_CONNTRACK | |
91 | help | |
92 | TFTP connection tracking helper; whether you need it depends | |
93 | on how restrictive your ruleset is. | |
94 | If you are using a tftp client behind -j SNAT or -j MASQUERADE | |
95 | you will need this. | |
96 | ||
97 | To compile it as a module, choose M here. If unsure, say Y. | |
98 | ||
99 | config IP_NF_AMANDA | |
100 | tristate "Amanda backup protocol support" | |
101 | depends on IP_NF_CONNTRACK | |
102 | help | |
103 | If you are running the Amanda backup package <http://www.amanda.org/> | |
104 | on this machine or machines that will be MASQUERADED through this | |
105 | machine, then you may want to enable this feature. This allows the | |
106 | connection tracking and natting code to allow the sub-channels that | |
107 | Amanda requires for communication of the backup data, messages and | |
108 | index. | |
109 | ||
110 | To compile it as a module, choose M here. If unsure, say Y. | |
111 | ||
112 | config IP_NF_QUEUE | |
7af4cc3f | 113 | tristate "IP Userspace queueing via NETLINK (OBSOLETE)" |
1da177e4 LT |
114 | help |
115 | Netfilter has the ability to queue packets to user space: the | |
116 | netlink device can be used to access them using this driver. | |
117 | ||
7af4cc3f HW |
118 | This option enables the old IPv4-only "ip_queue" implementation |
119 | which has been obsoleted by the new "nfnetlink_queue" code (see | |
120 | CONFIG_NETFILTER_NETLINK_QUEUE). | |
121 | ||
1da177e4 LT |
122 | To compile it as a module, choose M here. If unsure, say N. |
123 | ||
124 | config IP_NF_IPTABLES | |
125 | tristate "IP tables support (required for filtering/masq/NAT)" | |
126 | help | |
127 | iptables is a general, extensible packet identification framework. | |
128 | The packet filtering and full NAT (masquerading, port forwarding, | |
129 | etc) subsystems now use this: say `Y' or `M' here if you want to use | |
130 | either of those. | |
131 | ||
132 | To compile it as a module, choose M here. If unsure, say N. | |
133 | ||
134 | # The matches. | |
135 | config IP_NF_MATCH_LIMIT | |
136 | tristate "limit match support" | |
137 | depends on IP_NF_IPTABLES | |
138 | help | |
139 | limit matching allows you to control the rate at which a rule can be | |
140 | matched: mainly useful in combination with the LOG target ("LOG | |
141 | target support", below) and to avoid some Denial of Service attacks. | |
142 | ||
143 | To compile it as a module, choose M here. If unsure, say N. | |
144 | ||
145 | config IP_NF_MATCH_IPRANGE | |
146 | tristate "IP range match support" | |
147 | depends on IP_NF_IPTABLES | |
148 | help | |
149 | This option makes possible to match IP addresses against IP address | |
150 | ranges. | |
151 | ||
152 | To compile it as a module, choose M here. If unsure, say N. | |
153 | ||
154 | config IP_NF_MATCH_MAC | |
155 | tristate "MAC address match support" | |
156 | depends on IP_NF_IPTABLES | |
157 | help | |
158 | MAC matching allows you to match packets based on the source | |
159 | Ethernet address of the packet. | |
160 | ||
161 | To compile it as a module, choose M here. If unsure, say N. | |
162 | ||
163 | config IP_NF_MATCH_PKTTYPE | |
164 | tristate "Packet type match support" | |
165 | depends on IP_NF_IPTABLES | |
166 | help | |
167 | Packet type matching allows you to match a packet by | |
168 | its "class", e.g. BROADCAST, MULTICAST, ... | |
169 | ||
170 | Typical usage: | |
171 | iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG | |
172 | ||
173 | To compile it as a module, choose M here. If unsure, say N. | |
174 | ||
175 | config IP_NF_MATCH_MARK | |
176 | tristate "netfilter MARK match support" | |
177 | depends on IP_NF_IPTABLES | |
178 | help | |
179 | Netfilter mark matching allows you to match packets based on the | |
180 | `nfmark' value in the packet. This can be set by the MARK target | |
181 | (see below). | |
182 | ||
183 | To compile it as a module, choose M here. If unsure, say N. | |
184 | ||
185 | config IP_NF_MATCH_MULTIPORT | |
186 | tristate "Multiple port match support" | |
187 | depends on IP_NF_IPTABLES | |
188 | help | |
189 | Multiport matching allows you to match TCP or UDP packets based on | |
190 | a series of source or destination ports: normally a rule can only | |
191 | match a single range of ports. | |
192 | ||
193 | To compile it as a module, choose M here. If unsure, say N. | |
194 | ||
195 | config IP_NF_MATCH_TOS | |
196 | tristate "TOS match support" | |
197 | depends on IP_NF_IPTABLES | |
198 | help | |
199 | TOS matching allows you to match packets based on the Type Of | |
200 | Service fields of the IP packet. | |
201 | ||
202 | To compile it as a module, choose M here. If unsure, say N. | |
203 | ||
204 | config IP_NF_MATCH_RECENT | |
205 | tristate "recent match support" | |
206 | depends on IP_NF_IPTABLES | |
207 | help | |
208 | This match is used for creating one or many lists of recently | |
209 | used addresses and then matching against that/those list(s). | |
210 | ||
211 | Short options are available by using 'iptables -m recent -h' | |
212 | Official Website: <http://snowman.net/projects/ipt_recent/> | |
213 | ||
214 | To compile it as a module, choose M here. If unsure, say N. | |
215 | ||
216 | config IP_NF_MATCH_ECN | |
217 | tristate "ECN match support" | |
218 | depends on IP_NF_IPTABLES | |
219 | help | |
220 | This option adds a `ECN' match, which allows you to match against | |
221 | the IPv4 and TCP header ECN fields. | |
222 | ||
223 | To compile it as a module, choose M here. If unsure, say N. | |
224 | ||
225 | config IP_NF_MATCH_DSCP | |
226 | tristate "DSCP match support" | |
227 | depends on IP_NF_IPTABLES | |
228 | help | |
229 | This option adds a `DSCP' match, which allows you to match against | |
230 | the IPv4 header DSCP field (DSCP codepoint). | |
231 | ||
232 | The DSCP codepoint can have any value between 0x0 and 0x3f. | |
233 | ||
234 | To compile it as a module, choose M here. If unsure, say N. | |
235 | ||
236 | config IP_NF_MATCH_AH_ESP | |
237 | tristate "AH/ESP match support" | |
238 | depends on IP_NF_IPTABLES | |
239 | help | |
240 | These two match extensions (`ah' and `esp') allow you to match a | |
241 | range of SPIs inside AH or ESP headers of IPSec packets. | |
242 | ||
243 | To compile it as a module, choose M here. If unsure, say N. | |
244 | ||
245 | config IP_NF_MATCH_LENGTH | |
246 | tristate "LENGTH match support" | |
247 | depends on IP_NF_IPTABLES | |
248 | help | |
249 | This option allows you to match the length of a packet against a | |
250 | specific value or range of values. | |
251 | ||
252 | To compile it as a module, choose M here. If unsure, say N. | |
253 | ||
254 | config IP_NF_MATCH_TTL | |
255 | tristate "TTL match support" | |
256 | depends on IP_NF_IPTABLES | |
257 | help | |
258 | This adds the `ttl' match, which enables the user | |
259 | to match packets by their TTL value. | |
260 | ||
261 | To compile it as a module, choose M here. If unsure, say N. | |
262 | ||
263 | config IP_NF_MATCH_TCPMSS | |
264 | tristate "tcpmss match support" | |
265 | depends on IP_NF_IPTABLES | |
266 | help | |
267 | This option adds a `tcpmss' match, which allows you to examine the | |
268 | MSS value of TCP SYN packets, which control the maximum packet size | |
269 | for that connection. | |
270 | ||
271 | To compile it as a module, choose M here. If unsure, say N. | |
272 | ||
273 | config IP_NF_MATCH_HELPER | |
274 | tristate "Helper match support" | |
275 | depends on IP_NF_CONNTRACK && IP_NF_IPTABLES | |
276 | help | |
277 | Helper matching allows you to match packets in dynamic connections | |
278 | tracked by a conntrack-helper, e.g. ip_conntrack_ftp. | |
279 | ||
280 | To compile it as a module, choose M here. If unsure, say Y. | |
281 | ||
282 | config IP_NF_MATCH_STATE | |
283 | tristate "Connection state match support" | |
284 | depends on IP_NF_CONNTRACK && IP_NF_IPTABLES | |
285 | help | |
286 | Connection state matching allows you to match packets based on their | |
287 | relationship to a tracked connection (i.e. previous packets). This | |
288 | is a powerful tool for packet classification. | |
289 | ||
290 | To compile it as a module, choose M here. If unsure, say N. | |
291 | ||
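The conntrack, FTP helper, helper-match and state-match options above describe one mechanism: a table of tracked connections that labels every packet NEW, ESTABLISHED, RELATED or INVALID, plus protocol helpers that pre-announce ("expect") the extra connections a protocol such as FTP opens. The following added example is not kernel code and is not part of this file; it models that mechanism in Python so that the state each packet receives under a typical `--state ESTABLISHED,RELATED` policy can be seen. The addresses, ports and the PORT commands are constructed, and the strict-address check in the helper mirrors the helper's default behaviour of ignoring a PORT command that names a host other than the one sending it.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Toy connection tracker (added example, not the kernel's ip_conntrack): no
# timeouts, no TCP window checks, no NAT. The packet trace is constructed.

@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False    # TCP SYN without ACK, i.e. a connection opener
    payload: bytes = b""

PORT_CMD = re.compile(rb"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
INSIDE = ipaddress.ip_network("10.0.0.0/8")

def key(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)

@dataclass
class Conntrack:
    table: set = field(default_factory=set)         # original-direction 5-tuples
    helpers: dict = field(default_factory=dict)     # 5-tuple -> helper name
    expectations: set = field(default_factory=set)  # (proto, src, dst, dport)

    def lookup(self, p):
        """State the `state' match would see for p, plus the table key."""
        k = key(p)
        reply = (p.proto, p.dst, p.dport, p.src, p.sport)
        if k in self.table:
            return "ESTABLISHED", k
        if reply in self.table:
            return "ESTABLISHED", reply
        if p.proto == "tcp" and not p.syn:
            return "INVALID", None   # mid-stream segment, nothing tracked
        if (p.proto, p.src, p.dst, p.dport) in self.expectations:
            return "RELATED", k      # announced earlier by a helper
        return "NEW", k

    def confirm(self, p, state, entry):
        """Record an accepted packet's connection, then run its helper."""
        if state in ("NEW", "RELATED"):
            self.table.add(entry)
            self.expectations.discard((p.proto, p.src, p.dst, p.dport))
            if p.proto == "tcp" and p.dport == 21:
                self.helpers[entry] = "ftp"   # as ip_conntrack_ftp does
        if self.helpers.get(entry) == "ftp":
            self._ftp_helper(entry, p)

    def _ftp_helper(self, entry, p):
        m = PORT_CMD.search(p.payload)
        if not m:
            return
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        advertised = f"{a}.{b}.{c}.{d}"
        # Strict mode: only expect a data connection back to the host that
        # sent the command. Trusting any address would let a client open
        # the firewall to third parties.
        if advertised != p.src:
            return
        server_ip = entry[3]
        self.expectations.add(("tcp", server_ip, advertised, p1 * 256 + p2))

def firewall(packets):
    """FORWARD policy: ESTABLISHED,RELATED -> ACCEPT; NEW from 10.0.0.0/8
    -> ACCEPT; everything else -> DROP. Returns (state, verdict) per packet."""
    ct = Conntrack()
    out = []
    for p in packets:
        state, entry = ct.lookup(p)
        if state in ("ESTABLISHED", "RELATED"):
            verdict = "ACCEPT"
        elif state == "NEW" and ipaddress.ip_address(p.src) in INSIDE:
            verdict = "ACCEPT"
        else:
            verdict = "DROP"
        if verdict == "ACCEPT":
            ct.confirm(p, state, entry)  # only accepted packets create entries
        out.append((state, verdict))
    return out

CLIENT, SERVER, OUTSIDER = "10.0.0.5", "203.0.113.9", "198.51.100.7"
SAMPLE = [
    Packet("tcp", CLIENT, 40000, SERVER, 21, syn=True),
    Packet("tcp", SERVER, 21, CLIENT, 40000),
    Packet("tcp", CLIENT, 40000, SERVER, 21, payload=b"PORT 10,0,0,5,156,65\r\n"),
    Packet("tcp", SERVER, 20, CLIENT, 40001, syn=True),    # the announced data connection
    Packet("tcp", CLIENT, 40000, SERVER, 21, payload=b"PORT 10,0,0,9,0,80\r\n"),
    Packet("tcp", SERVER, 20, "10.0.0.9", 80, syn=True),   # third party: no expectation
    Packet("tcp", OUTSIDER, 1234, CLIENT, 22),             # stray ACK, nothing tracked
    Packet("tcp", OUTSIDER, 1234, CLIENT, 22, syn=True),   # unsolicited inbound SYN
]
```

firewall(SAMPLE) labels the server's data connection back to the client RELATED and accepts it even though it is an inbound SYN, while the command naming 10.0.0.9 creates no expectation, so the matching SYN is a plain NEW from outside and is dropped. That check is the security-relevant part of a helper: one that trusted any advertised address would let anyone able to reach the FTP server through the firewall open inbound connections to arbitrary internal hosts.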
292 | config IP_NF_MATCH_CONNTRACK | |
293 | tristate "Connection tracking match support" | |
294 | depends on IP_NF_CONNTRACK && IP_NF_IPTABLES | |
295 | help | |
296 | This is a general conntrack match module, a superset of the state match. | |
297 | ||
298 | It allows matching on additional conntrack information, which is | |
299 | useful in complex configurations, such as NAT gateways with multiple | |
300 | internet links or tunnels. | |
301 | ||
302 | To compile it as a module, choose M here. If unsure, say N. | |
303 | ||
304 | config IP_NF_MATCH_OWNER | |
305 | tristate "Owner match support" | |
306 | depends on IP_NF_IPTABLES | |
307 | help | |
308 | Packet owner matching allows you to match locally-generated packets | |
309 | based on who created them: the user, group, process or session. | |
310 | ||
311 | To compile it as a module, choose M here. If unsure, say N. | |
312 | ||
313 | config IP_NF_MATCH_PHYSDEV | |
314 | tristate "Physdev match support" | |
315 | depends on IP_NF_IPTABLES && BRIDGE_NETFILTER | |
316 | help | |
317 | Physdev packet matching matches against the physical bridge ports | |
318 | the IP packet arrived on or will leave by. | |
319 | ||
320 | To compile it as a module, choose M here. If unsure, say N. | |
321 | ||
322 | config IP_NF_MATCH_ADDRTYPE | |
323 | tristate 'address type match support' | |
324 | depends on IP_NF_IPTABLES | |
325 | help | |
326 | This option allows you to match what routing thinks of an address, | |
327 | e.g. UNICAST, LOCAL, BROADCAST, ... | |
328 | ||
329 | If you want to compile it as a module, say M here and read | |
330 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
331 | ||
332 | config IP_NF_MATCH_REALM | |
333 | tristate 'realm match support' | |
334 | depends on IP_NF_IPTABLES | |
335 | select NET_CLS_ROUTE | |
336 | help | |
337 | This option adds a `realm' match, which allows you to use the realm | |
338 | key from the routing subsystem inside iptables. | |
339 | ||
340 | This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option | |
341 | in tc world. | |
342 | ||
343 | If you want to compile it as a module, say M here and read | |
344 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
345 | ||
346 | config IP_NF_MATCH_SCTP | |
347 | tristate 'SCTP protocol match support' | |
348 | depends on IP_NF_IPTABLES | |
349 | help | |
350 | With this option enabled, you will be able to use the iptables | |
351 | `sctp' match in order to match on SCTP source/destination ports | |
352 | and SCTP chunk types. | |
353 | ||
354 | If you want to compile it as a module, say M here and read | |
355 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
356 | ||
1d3de414 HW |
357 | config IP_NF_MATCH_DCCP |
358 | tristate 'DCCP protocol match support' | |
359 | depends on IP_NF_IPTABLES | |
360 | help | |
361 | With this option enabled, you will be able to use the iptables | |
362 | `dccp' match in order to match on DCCP source/destination ports | |
363 | and DCCP flags. | |
364 | ||
365 | If you want to compile it as a module, say M here and read | |
366 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
367 | ||
1da177e4 LT |
368 | config IP_NF_MATCH_COMMENT |
369 | tristate 'comment match support' | |
370 | depends on IP_NF_IPTABLES | |
371 | help | |
372 | This option adds a `comment' dummy-match, which allows you to put | |
373 | comments in your iptables ruleset. | |
374 | ||
375 | If you want to compile it as a module, say M here and read | |
376 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
377 | ||
378 | config IP_NF_MATCH_CONNMARK | |
379 | tristate 'Connection mark match support' | |
380 | depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES | |
381 | help | |
382 | This option adds a `connmark' match, which allows you to match the | |
383 | connection mark value previously set for the session by `CONNMARK'. | |
384 | ||
385 | If you want to compile it as a module, say M here and read | |
386 | <file:Documentation/modules.txt>. The module will be called | |
387 | ipt_connmark.o. If unsure, say `N'. | |
388 | ||
9d810fd2 HW |
389 | config IP_NF_MATCH_CONNBYTES |
390 | tristate 'Connection byte/packet counter match support' | |
391 | depends on IP_NF_CT_ACCT && IP_NF_IPTABLES | |
392 | help | |
393 | This option adds a `connbytes' match, which allows you to match the | |
394 | number of bytes and/or packets for each direction within a connection. | |
395 | ||
396 | If you want to compile it as a module, say M here and read | |
397 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
398 | ||
1da177e4 LT |
399 | config IP_NF_MATCH_HASHLIMIT |
400 | tristate 'hashlimit match support' | |
401 | depends on IP_NF_IPTABLES | |
402 | help | |
403 | This option adds a new iptables `hashlimit' match. | |
404 | ||
405 | As opposed to `limit', this match dynamically creates a hash table | |
406 | of limit buckets, based on your selection of source/destination | |
407 | ip addresses and/or ports. | |
408 | ||
409 | It enables you to express policies like `10kpps for any given | |
410 | destination IP' or `500pps from any given source IP' with a single | |
411 | IPtables rule. | |
412 | ||
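Both `limit' and `hashlimit' implement a token bucket: a bucket holds up to `burst' credits, refills at the configured rate, and a packet matches only while a credit is available; `hashlimit' simply keeps one such bucket per key (source address, destination address, ports or a combination). The example below is added here for illustration and is not the kernel's ipt_limit/ipt_hashlimit code; it models a rule such as `-p tcp --syn -m hashlimit --hashlimit 2/sec --hashlimit-burst 5 --hashlimit-mode srcip --hashlimit-name synlimit -j ACCEPT` followed by a DROP, over a constructed packet trace.

```python
from collections import defaultdict

# Token-bucket rate limiting as done by the `limit' match, keyed per source
# address as `hashlimit --hashlimit-mode srcip' does. Added illustration,
# not the kernel's ipt_limit/ipt_hashlimit code (which counts in jiffies
# and expires idle buckets); the packet trace is constructed.

class TokenBucket:
    def __init__(self, rate_per_sec, burst):
        self.cost = 1.0 / rate_per_sec   # seconds of credit one packet costs
        self.cap = burst * self.cost     # never accumulate more than a burst
        self.credit = self.cap           # a fresh bucket starts full
        self.last = None

    def take(self, now):
        """Return True if a packet at time `now` is within the limit."""
        if self.last is not None:
            self.credit = min(self.cap, self.credit + (now - self.last))
        self.last = now
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False

class HashLimit:
    """One bucket per key, created on first sight (no expiry here)."""
    def __init__(self, rate_per_sec, burst):
        self.buckets = defaultdict(lambda: TokenBucket(rate_per_sec, burst))

    def match(self, key, now):
        return self.buckets[key].take(now)

def apply_limit(trace, rate_per_sec, burst):
    """trace: [(time_s, src_ip)] -> [(time_s, src_ip, matched)]."""
    hl = HashLimit(rate_per_sec, burst)
    return [(t, src, hl.match(src, t)) for t, src in trace]

def summarize(results):
    """Per source: (packets within the limit, packets over it)."""
    counts = defaultdict(lambda: [0, 0])
    for _, src, matched in results:
        counts[src][0 if matched else 1] += 1
    return {src: tuple(c) for src, c in counts.items()}

# Constructed trace: 198.51.100.7 sends ten SYNs at once and three more a
# second later; 203.0.113.4 sends a single one in between.
TRACE = ([(0.0, "198.51.100.7")] * 10 + [(0.2, "203.0.113.4")]
         + [(1.0, "198.51.100.7")] * 3)
```

With a rate of 2/sec and a burst of 5, summarize(apply_limit(TRACE, 2, 5)) shows the flooding source getting its first five SYNs through, then two more after a second of refill, while the single SYN from the other address is unaffected because it has its own bucket. Note what per-key state implies: every new source address starts with a full burst, so a flood spread across many addresses is bounded only by the hash table's size and expiry settings, not by the per-source rate; size those (`--hashlimit-htable-max`, `--hashlimit-htable-expire`) deliberately when the match is used as DoS protection.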
7567662b PNA |
413 | config IP_NF_MATCH_STRING |
414 | tristate 'string match support' | |
415 | depends on IP_NF_IPTABLES | |
416 | select TEXTSEARCH | |
417 | select TEXTSEARCH_KMP | |
29cb9f9c | 418 | select TEXTSEARCH_BM |
7567662b PNA |
419 | select TEXTSEARCH_FSM |
420 | help | |
421 | This option adds a `string' match, which allows you to look for | |
422 | pattern matchings in packets. | |
423 | ||
424 | To compile it as a module, choose M here. If unsure, say N. | |
425 | ||
1da177e4 LT |
426 | # `filter', generic and specific targets |
427 | config IP_NF_FILTER | |
428 | tristate "Packet filtering" | |
429 | depends on IP_NF_IPTABLES | |
430 | help | |
431 | Packet filtering defines a table `filter', which has a series of | |
432 | rules for simple packet filtering at local input, forwarding and | |
433 | local output. See the man page for iptables(8). | |
434 | ||
435 | To compile it as a module, choose M here. If unsure, say N. | |
436 | ||
437 | config IP_NF_TARGET_REJECT | |
438 | tristate "REJECT target support" | |
439 | depends on IP_NF_FILTER | |
440 | help | |
441 | The REJECT target allows a filtering rule to specify that an ICMP | |
442 | error should be issued in response to an incoming packet, rather | |
443 | than silently being dropped. | |
444 | ||
445 | To compile it as a module, choose M here. If unsure, say N. | |
446 | ||
447 | config IP_NF_TARGET_LOG | |
448 | tristate "LOG target support" | |
449 | depends on IP_NF_IPTABLES | |
450 | help | |
451 | This option adds a `LOG' target, which allows you to create rules in | |
452 | any iptables table which records the packet header to the syslog. | |
453 | ||
454 | To compile it as a module, choose M here. If unsure, say N. | |
455 | ||
456 | config IP_NF_TARGET_ULOG | |
457 | tristate "ULOG target support" | |
458 | depends on IP_NF_IPTABLES | |
459 | ---help--- | |
460 | This option adds a `ULOG' target, which allows you to create rules in | |
461 | any iptables table. The packet is passed to a userspace logging | |
462 | daemon using netlink multicast sockets; unlike the LOG target | |
463 | which can only be viewed through syslog. | |
464 | ||
465 | The appropriate userspace logging daemon (ulogd) may be obtained from | |
466 | <http://www.gnumonks.org/projects/ulogd/> | |
467 | ||
468 | To compile it as a module, choose M here. If unsure, say N. | |
469 | ||
470 | config IP_NF_TARGET_TCPMSS | |
471 | tristate "TCPMSS target support" | |
472 | depends on IP_NF_IPTABLES | |
473 | ---help--- | |
474 | This option adds a `TCPMSS' target, which allows you to alter the | |
475 | MSS value of TCP SYN packets, to control the maximum size for that | |
476 | connection (usually limiting it to your outgoing interface's MTU | |
477 | minus 40). | |
478 | ||
479 | This is used to overcome criminally braindead ISPs or servers which | |
480 | block ICMP Fragmentation Needed packets. The symptoms of this | |
481 | problem are that everything works fine from your Linux | |
482 | firewall/router, but machines behind it can never exchange large | |
483 | packets: | |
484 | 1) Web browsers connect, then hang with no data received. | |
485 | 2) Small mail works fine, but large emails hang. | |
486 | 3) ssh works fine, but scp hangs after initial handshaking. | |
487 | ||
488 | Workaround: activate this option and add a rule to your firewall | |
489 | configuration like: | |
490 | ||
491 | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ | |
492 | -j TCPMSS --clamp-mss-to-pmtu | |
493 | ||
494 | To compile it as a module, choose M here. If unsure, say N. | |
495 | ||
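What the rule above does to a SYN is mechanical: find the MSS option, lower it to the outgoing MTU minus 40 (20 bytes of IPv4 header plus 20 of TCP header) if it is larger, and recompute the TCP checksum. The following added Python example is not the kernel's ipt_TCPMSS code and is not part of this file; it performs exactly that on a constructed SYN so the effect can be checked offline, and it also shows why the rule is restricted with `--tcp-flags SYN,RST SYN`: the MSS option is only meaningful on SYNs, so the clamp is skipped for anything else. The `out_mtu` argument stands in for the route's path MTU, which the real target reads from the packet's route.

```python
import struct
from socket import inet_aton

# Added example of what `TCPMSS --clamp-mss-to-pmtu' does to a SYN: rewrite
# the MSS option to (outgoing MTU - 40) and fix the TCP checksum. Not the
# kernel's ipt_TCPMSS code; the SYN below is constructed.

def _csum(data):
    """RFC 1071 one's-complement checksum."""
    if len(data) % 2:
        data += b"\0"
    s = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF

def tcp_checksum(ip, tcp):
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return _csum(pseudo + tcp[:16] + b"\0\0" + tcp[18:])

def build_syn(src, dst, sport, dport, mss, flags=0x02):
    """Constructed IPv4/TCP segment carrying a single MSS option."""
    opts = struct.pack("!BBH", 2, 4, mss)              # kind 2 = MSS, length 4
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, doff << 4,
                      flags, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234,
                     0x4000, 64, 6, 0, inet_aton(src), inet_aton(dst))
    ip = ip[:10] + struct.pack("!H", _csum(ip)) + ip[12:]
    tcp = tcp[:16] + struct.pack("!H", tcp_checksum(ip, tcp)) + tcp[18:]
    return ip + tcp

def _split(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    return pkt[:ihl], pkt[ihl:]

def _mss_offset(tcp):
    """Offset within the TCP segment of the 2-byte MSS value, or None."""
    end = (tcp[12] >> 4) * 4
    i = 20
    while i < end:
        kind = tcp[i]
        if kind == 0:                                  # end of option list
            return None
        if kind == 1:                                  # NOP padding
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2:
            return None                                # truncated/malformed
        if kind == 2 and tcp[i + 1] == 4:
            return i + 2
        i += tcp[i + 1]
    return None

def get_mss(pkt):
    _, tcp = _split(pkt)
    off = _mss_offset(tcp)
    return None if off is None else int.from_bytes(tcp[off:off + 2], "big")

def clamp_mss(pkt, out_mtu):
    """What `-p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu`
    does to a packet leaving a link whose MTU is out_mtu."""
    ip, tcp = _split(pkt)
    if tcp[13] & 0x06 != 0x02:                         # needs SYN set, RST clear
        return pkt
    limit = out_mtu - 40                               # IPv4 (20) + TCP (20) headers
    off = _mss_offset(tcp)
    if off is None or int.from_bytes(tcp[off:off + 2], "big") <= limit:
        return pkt                                     # never raise an MSS
    new = bytearray(tcp)
    new[off:off + 2] = limit.to_bytes(2, "big")
    new[16:18] = tcp_checksum(ip, bytes(new)).to_bytes(2, "big")
    return ip + bytes(new)

def tcp_checksum_ok(pkt):
    """True if the segment's checksum verifies (sum over data folds to zero)."""
    ip, tcp = _split(pkt)
    return _csum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp) == 0
```

A SYN built with an MSS of 1460 and clamped for an outgoing MTU of 1492 (a PPPoE link) comes back advertising 1452 with a valid checksum; a SYN whose MSS already fits is returned unchanged, as the target does, since raising the MSS would reintroduce the black hole the rule works around.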
496 | # NAT + specific targets | |
497 | config IP_NF_NAT | |
498 | tristate "Full NAT" | |
499 | depends on IP_NF_IPTABLES && IP_NF_CONNTRACK | |
500 | help | |
501 | The Full NAT option allows masquerading, port forwarding and other | |
502 | forms of full Network Address Port Translation. It is controlled by | |
503 | the `nat' table in iptables: see the man page for iptables(8). | |
504 | ||
505 | To compile it as a module, choose M here. If unsure, say N. | |
506 | ||
507 | config IP_NF_NAT_NEEDED | |
508 | bool | |
509 | depends on IP_NF_NAT != n | |
510 | default y | |
511 | ||
512 | config IP_NF_TARGET_MASQUERADE | |
513 | tristate "MASQUERADE target support" | |
514 | depends on IP_NF_NAT | |
515 | help | |
516 | Masquerading is a special case of NAT: all outgoing connections are | |
517 | changed to seem to come from a particular interface's address, and | |
518 | if the interface goes down, those connections are lost. This is | |
519 | only useful for dialup accounts with dynamic IP address (i.e. your IP | |
520 | address will be different on next dialup). | |
521 | ||
522 | To compile it as a module, choose M here. If unsure, say N. | |
523 | ||
524 | config IP_NF_TARGET_REDIRECT | |
525 | tristate "REDIRECT target support" | |
526 | depends on IP_NF_NAT | |
527 | help | |
528 | REDIRECT is a special case of NAT: all incoming connections are | |
529 | mapped onto the incoming interface's address, causing the packets to | |
530 | come to the local machine instead of passing through. This is | |
531 | useful for transparent proxies. | |
532 | ||
533 | To compile it as a module, choose M here. If unsure, say N. | |
534 | ||
535 | config IP_NF_TARGET_NETMAP | |
536 | tristate "NETMAP target support" | |
537 | depends on IP_NF_NAT | |
538 | help | |
539 | NETMAP is an implementation of static 1:1 NAT mapping of network | |
540 | addresses. It maps the network address part, while keeping the host | |
541 | address part intact. It is similar to Fast NAT, except that | |
542 | Netfilter's connection tracking doesn't work well with Fast NAT. | |
543 | ||
544 | To compile it as a module, choose M here. If unsure, say N. | |
545 | ||
546 | config IP_NF_TARGET_SAME | |
547 | tristate "SAME target support" | |
548 | depends on IP_NF_NAT | |
549 | help | |
550 | This option adds a `SAME' target, which works like the standard SNAT | |
551 | target, but attempts to give clients the same IP for all connections. | |
552 | ||
553 | To compile it as a module, choose M here. If unsure, say N. | |
554 | ||
555 | config IP_NF_NAT_SNMP_BASIC | |
556 | tristate "Basic SNMP-ALG support (EXPERIMENTAL)" | |
557 | depends on EXPERIMENTAL && IP_NF_NAT | |
558 | ---help--- | |
559 | ||
560 | This module implements an Application Layer Gateway (ALG) for | |
561 | SNMP payloads. In conjunction with NAT, it allows a network | |
562 | management system to access multiple private networks with | |
563 | conflicting addresses. It works by modifying IP addresses | |
564 | inside SNMP payloads to match IP-layer NAT mapping. | |
565 | ||
566 | This is the "basic" form of SNMP-ALG, as described in RFC 2962 | |
567 | ||
568 | To compile it as a module, choose M here. If unsure, say N. | |
569 | ||
570 | config IP_NF_NAT_IRC | |
571 | tristate | |
572 | depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n | |
573 | default IP_NF_NAT if IP_NF_IRC=y | |
574 | default m if IP_NF_IRC=m | |
575 | ||
576 | # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), | |
577 | # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh. | |
578 | config IP_NF_NAT_FTP | |
579 | tristate | |
580 | depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n | |
581 | default IP_NF_NAT if IP_NF_FTP=y | |
582 | default m if IP_NF_FTP=m | |
583 | ||
584 | config IP_NF_NAT_TFTP | |
585 | tristate | |
586 | depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n | |
587 | default IP_NF_NAT if IP_NF_TFTP=y | |
588 | default m if IP_NF_TFTP=m | |
589 | ||
590 | config IP_NF_NAT_AMANDA | |
591 | tristate | |
592 | depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n | |
593 | default IP_NF_NAT if IP_NF_AMANDA=y | |
594 | default m if IP_NF_AMANDA=m | |
595 | ||
596 | # mangle + specific targets | |
597 | config IP_NF_MANGLE | |
598 | tristate "Packet mangling" | |
599 | depends on IP_NF_IPTABLES | |
600 | help | |
601 | This option adds a `mangle' table to iptables: see the man page for | |
602 | iptables(8). This table is used for various packet alterations | |
603 | which can affect how the packet is routed. | |
604 | ||
605 | To compile it as a module, choose M here. If unsure, say N. | |
606 | ||
607 | config IP_NF_TARGET_TOS | |
608 | tristate "TOS target support" | |
609 | depends on IP_NF_MANGLE | |
610 | help | |
611 | This option adds a `TOS' target, which allows you to create rules in | |
612 | the `mangle' table which alter the Type Of Service field of an IP | |
613 | packet prior to routing. | |
614 | ||
615 | To compile it as a module, choose M here. If unsure, say N. | |
616 | ||
617 | config IP_NF_TARGET_ECN | |
618 | tristate "ECN target support" | |
619 | depends on IP_NF_MANGLE | |
620 | ---help--- | |
621 | This option adds a `ECN' target, which can be used in the iptables mangle | |
622 | table. | |
623 | ||
624 | You can use this target to remove the ECN bits from the IPv4 header of | |
625 | an IP packet. This is particularly useful, if you need to work around | |
626 | existing ECN blackholes on the internet, but don't want to disable | |
627 | ECN support in general. | |
628 | ||
629 | To compile it as a module, choose M here. If unsure, say N. | |
630 | ||
631 | config IP_NF_TARGET_DSCP | |
632 | tristate "DSCP target support" | |
633 | depends on IP_NF_MANGLE | |
634 | help | |
635 | This option adds a `DSCP' target, which allows you to alter the | |
636 | IPv4 header DSCP field (DSCP codepoint). | |
637 | ||
638 | The DSCP codepoint can have any value between 0x0 and 0x3f. | |
639 | ||
640 | To compile it as a module, choose M here. If unsure, say N. | |
641 | ||
642 | config IP_NF_TARGET_MARK | |
643 | tristate "MARK target support" | |
644 | depends on IP_NF_MANGLE | |
645 | help | |
646 | This option adds a `MARK' target, which allows you to create rules | |
647 | in the `mangle' table which alter the netfilter mark (nfmark) field | |
648 | associated with the packet prior to routing. This can change | |
649 | the routing method (see `Use netfilter MARK value as routing | |
650 | key') and can also be used by other subsystems to change their | |
651 | behavior. | |
652 | ||
653 | To compile it as a module, choose M here. If unsure, say N. | |
654 | ||
655 | config IP_NF_TARGET_CLASSIFY | |
656 | tristate "CLASSIFY target support" | |
657 | depends on IP_NF_MANGLE | |
658 | help | |
659 | This option adds a `CLASSIFY' target, which enables the user to set | |
660 | the priority of a packet. Some qdiscs can use this value for | |
661 | classification, among these are: | |
662 | ||
663 | atm, cbq, dsmark, pfifo_fast, htb, prio | |
664 | ||
665 | To compile it as a module, choose M here. If unsure, say N. | |
666 | ||
5f2c3b91 HW |
667 | config IP_NF_TARGET_TTL |
668 | tristate 'TTL target support' | |
669 | depends on IP_NF_MANGLE | |
670 | help | |
671 | This option adds a `TTL' target, which enables the user to modify | |
672 | the TTL value of the IP header. | |
673 | ||
674 | While it is safe to decrement/lower the TTL, this target also enables | |
675 | functionality to increment and set the TTL value of the IP header to | |
676 | arbitrary values. This is EXTREMELY DANGEROUS since you can easily | |
677 | create immortal packets that loop forever on the network. | |
678 | ||
679 | To compile it as a module, choose M here. If unsure, say N. | |
680 | ||
1da177e4 LT |
681 | config IP_NF_TARGET_CONNMARK |
682 | tristate 'CONNMARK target support' | |
683 | depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE | |
684 | help | |
685 | This option adds a `CONNMARK' target, which allows one to manipulate | |
686 | the connection mark value. Similar to the MARK target, but | |
687 | affects the connection mark value rather than the packet mark value. | |
688 | ||
689 | If you want to compile it as a module, say M here and read | |
690 | <file:Documentation/modules.txt>. The module will be called | |
691 | ipt_CONNMARK.o. If unsure, say `N'. | |
692 | ||
693 | config IP_NF_TARGET_CLUSTERIP | |
694 | tristate "CLUSTERIP target support (EXPERIMENTAL)" | |
695 | depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL | |
696 | help | |
697 | The CLUSTERIP target allows you to build load-balancing clusters of | |
698 | network servers without having a dedicated load-balancing | |
699 | router/server/switch. | |
700 | ||
701 | To compile it as a module, choose M here. If unsure, say N. | |
702 | ||
703 | # raw + specific targets | |
704 | config IP_NF_RAW | |
705 | tristate 'raw table support (required for NOTRACK/TRACE)' | |
706 | depends on IP_NF_IPTABLES | |
707 | help | |
708 | This option adds a `raw' table to iptables. This table is the very | |
709 | first in the netfilter framework and hooks in at the PREROUTING | |
710 | and OUTPUT chains. | |
711 | ||
712 | If you want to compile it as a module, say M here and read | |
713 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
714 | ||
715 | config IP_NF_TARGET_NOTRACK | |
716 | tristate 'NOTRACK target support' | |
717 | depends on IP_NF_RAW | |
718 | depends on IP_NF_CONNTRACK | |
719 | help | |
720 | The NOTRACK target allows a select rule to specify | |
721 | which packets *not* to enter the conntrack/NAT | |
722 | subsystem with all the consequences (no ICMP error tracking, | |
723 | no protocol helpers for the selected packets). | |
724 | ||
725 | If you want to compile it as a module, say M here and read | |
726 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
727 | ||
728 | ||
729 | # ARP tables | |
730 | config IP_NF_ARPTABLES | |
731 | tristate "ARP tables support" | |
732 | help | |
733 | arptables is a general, extensible packet identification framework. | |
734 | The ARP packet filtering and mangling (manipulation) subsystems | |
735 | use this: say Y or M here if you want to use either of those. | |
736 | ||
737 | To compile it as a module, choose M here. If unsure, say N. | |
738 | ||
739 | config IP_NF_ARPFILTER | |
740 | tristate "ARP packet filtering" | |
741 | depends on IP_NF_ARPTABLES | |
742 | help | |
743 | ARP packet filtering defines a table `filter', which has a series of | |
744 | rules for simple ARP packet filtering at local input and | |
745 | local output. On a bridge, you can also specify filtering rules | |
746 | for forwarded ARP packets. See the man page for arptables(8). | |
747 | ||
748 | To compile it as a module, choose M here. If unsure, say N. | |
749 | ||
750 | config IP_NF_ARP_MANGLE | |
751 | tristate "ARP payload mangling" | |
752 | depends on IP_NF_ARPTABLES | |
753 | help | |
754 | Allows altering the ARP packet payload: source and destination | |
755 | hardware and network addresses. | |
756 | ||
080774a2 HW |
757 | config IP_NF_CONNTRACK_NETLINK |
758 | tristate 'Connection tracking netlink interface' | |
759 | depends on IP_NF_CONNTRACK && NETFILTER_NETLINK | |
760 | help | |
761 | This option enables support for a netlink-based userspace interface | |
762 | ||
1da177e4 LT |
763 | endmenu |
764 |