# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.
config NF_TABLES_IPV4
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and

config NFT_REJECT_IPV4

endif # NF_TABLES_IPV4

	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

	tristate "Netfilter IPv4 packet duplication to alternate destination"
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.
config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).
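Connection tracking (NF_CONNTRACK_IPV4 above) is what makes the NAT, masquerade and redirect options here possible: every tracked flow stores the tuple seen in the original direction and the tuple expected in the reply direction, and a NAT mapping is visible as a difference between the two. The following is an added example, not kernel code and not part of this Kconfig, that parses constructed entries in the layout of /proc/net/nf_conntrack and classifies each flow as source NAT (the masquerade flavour), destination NAT (port forwarding) or untranslated; the addresses, ports and states in SAMPLE are made up. It serves both the connection-tracking description and the NAT descriptions above.

```python
"""Classify NAT'd flows from nf_conntrack-style entries.

Added example, not part of the kernel tree. The entries below are
constructed, following the layout of /proc/net/nf_conntrack: the
original-direction tuple comes first, the reply-direction tuple second.
NAT shows up as a mismatch between the two.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: a masqueraded (SNAT) web flow, an inbound port
# forward (DNAT) to an internal host, and a plain DNS query with no NAT.
SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.50 sport=51234 dport=443 src=203.0.113.50 dst=198.51.100.7 sport=443 dport=51234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 119 SYN_SENT src=198.51.100.200 dst=198.51.100.7 sport=40000 dport=80 [UNREPLIED] src=192.168.1.20 dst=198.51.100.200 sport=8080 dport=40000 mark=0 zone=0 use=1
ipv4     2 udp      17 29 src=192.168.1.10 dst=192.168.1.1 sport=53222 dport=53 src=192.168.1.1 dst=192.168.1.10 sport=53 dport=53222 mark=0 zone=0 use=1
"""


@dataclass(frozen=True)
class Tuple4:
    src: str
    dst: str
    sport: Optional[int]   # None for protocols without ports (e.g. ICMP)
    dport: Optional[int]


@dataclass(frozen=True)
class Flow:
    proto: str
    state: Optional[str]   # TCP state word; UDP entries carry none
    original: Tuple4
    reply: Tuple4


def parse_entry(line: str) -> Flow:
    """Parse one nf_conntrack line into its original and reply tuples."""
    fields = line.split()
    proto = fields[2]
    # The TCP state word sits right after the timeout; UDP entries have none.
    state = fields[5] if fields[5].isupper() and "=" not in fields[5] else None
    found = {}
    for key, val in re.findall(r"\b(src|dst|sport|dport)=(\S+)", line):
        found.setdefault(key, []).append(val)   # first hit: original, second: reply

    def tup(i: int) -> Tuple4:
        ports = [int(found[k][i]) if k in found else None for k in ("sport", "dport")]
        return Tuple4(found["src"][i], found["dst"][i], ports[0], ports[1])

    return Flow(proto, state, tup(0), tup(1))


def nat_kind(flow: Flow) -> str:
    """SNAT rewrites the source the peer sees; DNAT rewrites the destination."""
    o, r = flow.original, flow.reply
    snat = (o.src, o.sport) != (r.dst, r.dport)
    dnat = (o.dst, o.dport) != (r.src, r.sport)
    return {(True, True): "snat+dnat", (True, False): "snat",
            (False, True): "dnat", (False, False): "none"}[(snat, dnat)]


def summarize(text: str) -> dict:
    """Count flows per NAT kind over a whole conntrack dump."""
    counts: dict = {}
    for line in text.splitlines():
        if line.strip():
            kind = nat_kind(parse_entry(line))
            counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE.splitlines():
        f = parse_entry(line)
        print(f"{f.proto:4} {f.original.src}:{f.original.sport} -> "
              f"{f.original.dst}:{f.original.dport}  nat={nat_kind(f)}")
    print(summarize(SAMPLE))
```

The first entry is the masquerade case: the reply is addressed to the external address 198.51.100.7, not to the internal 192.168.1.10 that opened the connection. The second is a port forward: the reply originates from 192.168.1.20:8080 although the client sent to 198.51.100.7:80. Running the same classification over a live dump is a quick way to confirm that a NAT rule actually applies to the flows you expect.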
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_PROTO_GRE
	depends on NF_CT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323
config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.
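The rpfilter test is a routing lookup on the packet's source address: find the route the reply would take and compare its egress interface with the interface the packet arrived on. The following is an added example, not kernel code, that performs that check over a constructed routing table using the same longest-prefix-match rule the kernel FIB applies; the prefixes, interface names and packets are all made up. The `loose` flag mirrors the match's looser mode, where any route to the source is enough.

```python
"""Strict reverse-path check, the test the rpfilter match performs.

Added example, not kernel code. The routing table is constructed; the
lookup is a longest-prefix match (as the kernel FIB does), and a packet
passes when the route back to its source address leaves via the
interface the packet arrived on. Interface names are made up.
"""
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]

# Constructed table: (destination prefix, outgoing interface).
ROUTES = [
    ("0.0.0.0/0", "wan0"),            # default route
    ("192.168.1.0/24", "lan0"),
    ("192.168.1.128/25", "dmz0"),     # more specific than the /24 above
    ("10.8.0.0/16", "vpn0"),
]


def build_table(routes) -> List[Route]:
    """Sort most-specific first so the first hit is the longest prefix match."""
    table = [(ipaddress.ip_network(p), dev) for p, dev in routes]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)


def lookup(table: List[Route], addr: str) -> Optional[str]:
    """Return the egress interface for addr, or None if it is unroutable."""
    ip = ipaddress.ip_address(addr)
    for net, dev in table:
        if ip in net:
            return dev
    return None


def rpfilter_match(table, src: str, in_dev: str, loose: bool = False) -> bool:
    """True when the packet passes the reverse path check.

    strict (default): the reply route must use the ingress interface.
    loose: any route to src is enough.
    """
    egress = lookup(table, src)
    if egress is None:
        return False                  # no way back at all: always fails
    return True if loose else egress == in_dev


def spoofed(table, packets):
    """Return the (src, in_dev) pairs that the strict check rejects."""
    return [(src, dev) for src, dev in packets if not rpfilter_match(table, src, dev)]


if __name__ == "__main__":
    t = build_table(ROUTES)
    # Constructed packets: (source address, interface it arrived on).
    pkts = [("203.0.113.9", "wan0"), ("10.8.1.5", "wan0"),
            ("192.168.1.5", "lan0"), ("192.168.1.200", "lan0")]
    for src, dev in pkts:
        verdict = "pass" if rpfilter_match(t, src, dev) else "FAIL"
        print(f"{src:15} in {dev}: reply via {lookup(t, src)} -> {verdict}")
```

Two of the constructed packets fail: 10.8.1.5 arriving on wan0, because the reply would go out via vpn0, and 192.168.1.200 arriving on lan0, because the /25 route is more specific than the /24 and sends the reply via dmz0. That second case is why the lookup has to be longest-prefix: a check that stopped at the first matching prefix would wave the packet through. In a ruleset the match is normally used inverted in the raw or mangle table so that packets failing the check are dropped before they reach connection tracking, which is why the option depends on IP_NF_MANGLE || IP_NF_RAW.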
config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.
# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than the packet silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.
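The options above combine three Kconfig mechanisms: `depends on` (the symbol is only offered when the expression holds), `select` (turning the symbol on forces the selected symbol on, whether or not its own dependencies are met) and `default m if NETFILTER_ADVANCED=n` (the value taken when the user leaves the symbol alone). When reviewing a hardened kernel build it helps to see which symbols a choice drags in and which dependencies it leaves unmet. The following is an added example, not the kernel's own kconfig tooling, that parses a constructed subset of these entries (SNIPPET) and resolves them: the `if IP_NF_IPTABLES` block is written as an explicit `depends on`, and NETFILTER_ADVANCED and NF_CONNTRACK, which are defined elsewhere in the tree, are passed in as base values. It goes beyond the page in handling parenthesised and negated expressions as well.

```python
"""Resolve a netfilter Kconfig fragment: select, depends on and default.
Added example, not the kernel's kconfig tooling. SNIPPET is a constructed
subset of this file; NETFILTER_ADVANCED and NF_CONNTRACK are supplied as
base values because they are defined elsewhere in the tree.
"""
import re

SNIPPET = """\
config IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
config IP_NF_FILTER
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
config IP_NF_TARGET_REJECT
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
config IP_NF_TARGET_SYNPROXY
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
config IP_NF_MATCH_RPFILTER
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
"""

TRI = {"n": 0, "m": 1, "y": 2}      # tristate values, ordered n < m < y
TOKEN = re.compile(r"\s*(&&|\|\||!=|=|!|\(|\)|\w+)")

def parse_kconfig(text):
    """Collect the depends/select/default lines of each config symbol."""
    entries, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"config\s+(\w+)$", line)
        if m:
            cur = entries.setdefault(m.group(1), {"depends": [], "select": [], "default": []})
        elif cur is not None and line:
            key, _, rest = line.partition(" ")
            if key == "depends":                        # depends on EXPR
                cur["depends"].append(rest.split(None, 1)[1])
            elif key in ("select", "default"):          # select SYM [if EXPR]
                val, _, cond = rest.partition(" if ")
                cur[key].append((val.strip(), cond.strip() or None))
    return entries

def evaluate(expr, values):
    """Kconfig tristate logic: && is min, || is max, ! swaps y and n."""
    toks = TOKEN.findall(expr.strip()) + [None]        # None marks the end of input

    def val(t):                                        # y/m/n literal or a symbol; unknown is n
        return TRI[t] if t in TRI else values.get(t, 0)

    def atom():
        t = toks.pop(0)
        if t == "(":
            v = or_expr()
            toks.pop(0)                                # the closing paren
            return v
        if t == "!":
            return 2 - atom()
        v = val(t)
        if toks[0] in ("=", "!="):
            op = toks.pop(0)
            return 2 if (v == val(toks.pop(0))) == (op == "=") else 0
        return v

    def and_expr():
        v = atom()
        while toks[0] == "&&":
            toks.pop(0)
            v = min(v, atom())
        return v

    def or_expr():
        v = and_expr()
        while toks[0] == "||":
            toks.pop(0)
            v = max(v, and_expr())
        return v

    return or_expr()

def resolve(entries, chosen, base=None):
    """Apply the choices, propagate select to a fixed point, list unmet depends."""
    values = {s: TRI[v] for s, v in {**(base or {}), **chosen}.items()}
    changed = True
    while changed:
        changed = False
        for sym, val in list(values.items()):
            for target, cond in entries.get(sym, {}).get("select", []):
                if val and (cond is None or evaluate(cond, values)) and values.get(target, 0) < val:
                    values[target] = val                # select raises target to at least val
                    changed = True
    # select ignores the target's own depends, so every enabled symbol is checked
    unmet = [(sym, dep) for sym, val in values.items() if val
             for dep in entries.get(sym, {}).get("depends", []) if not evaluate(dep, values)]
    return values, unmet

def default_value(entries, sym, values):
    """Value taken when the user leaves the symbol alone: first default whose condition holds."""
    for val, cond in entries.get(sym, {}).get("default", []):
        if cond is None or evaluate(cond, values):
            return evaluate(val, values)               # a default may be y/m/n or an expression
    return 0
```

Calling `resolve(parse_kconfig(SNIPPET), {"IP_NF_TARGET_REJECT": "m"}, base={"NETFILTER_ADVANCED": "y"})` turns NF_REJECT_IPV4 on as a module through the select, but reports IP_NF_TARGET_REJECT's dependency on IP_NF_FILTER as unmet, which is the same situation the real tool reports as "unmet direct dependencies". `default_value` shows the other half of the page's pattern: with NETFILTER_ADVANCED=n, IP_NF_FILTER defaults to m, and with NETFILTER_ADVANCED=y it has no default and stays off until chosen.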
# NAT + specific targets: nf_conntrack
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your IP
	  address will be different on the next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.
# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.
# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

endif # IP_NF_IPTABLES

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES