# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv4 support for Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and

config NFT_REJECT_IPV4

endif # NF_TABLES_IPV4

	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_PROTO_GRE
	depends on NF_CT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.
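The reverse-path test that the rpfilter help text describes, reduced to its routing-table logic, as an added illustration (this is not the ipt_rpfilter module's code): a packet passes only when a reply to its source address would leave through the interface it arrived on. The routing table, interface names and sample packets below are constructed; the `loose` parameter mirrors the match's `--loose` option, under which any route back to the source is enough.

```python
import ipaddress

# Constructed routing table: (destination prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "eth0"),        # default route: the uplink
    ("10.0.0.0/8", "eth1"),       # internal networks
    ("192.168.1.0/24", "eth2"),   # DMZ
]


def route_lookup(ip, routes=ROUTES):
    """Longest-prefix match; returns the egress interface, or None if unroutable."""
    addr = ipaddress.ip_address(ip)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def rpfilter_match(src, in_iface, loose=False, routes=ROUTES):
    """Reverse-path test for a packet from `src` received on `in_iface`.

    Strict mode (the default): the route back to `src` must point at the
    very interface the packet arrived on.  Loose mode: any route to `src`
    is enough, which tolerates asymmetric routing but lets more spoofed
    traffic through.  Unroutable sources fail in both modes.
    """
    egress = route_lookup(src, routes)
    if egress is None:
        return False
    return True if loose else egress == in_iface


def verdicts(packets, loose=False, routes=ROUTES):
    """Apply the test to (src, in_iface) pairs; returns 'ACCEPT'/'DROP' per packet."""
    return ["ACCEPT" if rpfilter_match(s, i, loose, routes) else "DROP"
            for s, i in packets]


# Constructed sample traffic: the third packet claims an internal source
# but arrives on the uplink, which is what strict reverse-path filtering
# exists to catch.
SAMPLE = [
    ("10.1.2.3", "eth1"),
    ("203.0.113.9", "eth0"),
    ("10.1.2.3", "eth0"),
    ("192.168.1.5", "eth2"),
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, verdicts(SAMPLE)):
        print(pkt, verdict)
```

Strict mode is the safer default on a border router; loose mode is the trade-off to reach for only when return traffic legitimately leaves through a different interface than it arrived on.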
config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.
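Several of the entries above are backwards-compat options whose only effect is a `select`, and many carry `default m if NETFILTER_ADVANCED=n`. The following added example (not part of the kernel's own Kconfig tooling in scripts/kconfig) resolves a constructed fragment built from options on this page under a deliberately small model of the semantics: a symbol can never be set higher than what it `depends on`, a `select` forces its target on regardless of the target's own dependencies, and the first `default` whose condition holds supplies the value. Only `&&`, `||`, `!`, parentheses and `=y/m/n` comparisons are handled.

```python
import re

ORD = {"n": 0, "m": 1, "y": 2}   # tristate values, ordered

# Constructed fragment modelled on the options above (leading whitespace is ignored).
FRAGMENT = """
config NETFILTER_ADVANCED
    bool "Advanced netfilter configuration"
    default y
config NF_CONNTRACK
    tristate "Netfilter connection tracking support"
config NF_CONNTRACK_IPV4
    depends on NF_CONNTRACK
    default m if NETFILTER_ADVANCED=n
config NETFILTER_XT_MATCH_ECN
    tristate '"ecn" match support'
config IP_NF_MATCH_ECN
    depends on NETFILTER_ADVANCED
    select NETFILTER_XT_MATCH_ECN
config IP_NF_FILTER
    default m if NETFILTER_ADVANCED=n
config NF_REJECT_IPV4
    default m if NETFILTER_ADVANCED=n
config IP_NF_TARGET_REJECT
    depends on IP_NF_FILTER
    select NF_REJECT_IPV4
    default m if NETFILTER_ADVANCED=n
"""


def parse(text):
    """Collect depends/select/default per symbol; prompts and help text are skipped."""
    syms, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("config "):
            cur = syms.setdefault(line.split()[1], {"depends": [], "select": [], "default": []})
        elif line.startswith("depends on "):
            cur["depends"].append(line[len("depends on "):])
        elif line.startswith("select "):
            cur["select"].append(line.split()[1])
        elif line.startswith("default "):
            m = re.fullmatch(r"default\s+(.+?)(?:\s+if\s+(.+))?", line)
            cur["default"].append((m.group(1), m.group(2) or "y"))
    return syms


def evaluate(expr, values):
    """Evaluate a Kconfig expression to 0/1/2 (n/m/y) against the current values."""
    toks, pos = re.findall(r"\(|\)|&&|\|\||!|=|\w+", expr), 0

    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]

    def val(t):                        # constant n/m/y or a symbol's current value
        return ORD[t] if t in ORD else ORD[values.get(t, "n")]

    def atom():
        t = take()
        if t == "(":
            v = or_expr(); take(); return v
        if t == "!":
            return 2 - atom()
        v = val(t)
        if pos < len(toks) and toks[pos] == "=":
            take(); return 2 if v == val(take()) else 0
        return v

    def and_expr():
        v = atom()
        while pos < len(toks) and toks[pos] == "&&":
            take(); v = min(v, atom())
        return v

    def or_expr():
        v = and_expr()
        while pos < len(toks) and toks[pos] == "||":
            take(); v = max(v, and_expr())
        return v

    return or_expr()


def resolve(syms, chosen):
    """Iterate to a fixpoint; `chosen` maps symbols to the user's y/m/n answers."""
    values = {s: "n" for s in syms}
    for _ in range(len(syms) + 1):
        new = {}
        for name, spec in syms.items():
            v = ORD[chosen[name]] if name in chosen else next(
                (evaluate(d, values) for d, cond in spec["default"] if evaluate(cond, values)), 0)
            # A symbol is capped by everything it depends on (y on m gives m).
            new[name] = min([v] + [evaluate(d, values) for d in spec["depends"]])
        for name, spec in syms.items():       # select: force the target on
            for target in spec["select"]:
                if target in new:
                    new[target] = max(new[target], new[name])
        new = {k: "nmy"[v] for k, v in new.items()}
        if new == values:
            return values
        values = new
    return values


if __name__ == "__main__":
    print(resolve(parse(FRAGMENT), {"NETFILTER_ADVANCED": "n", "NF_CONNTRACK": "m"}))
```

The model reproduces the well-known Kconfig pitfall that a `select` does not check its target's `depends on`, which is why the kernel's own documentation reserves `select` for symbols without dependencies; run `resolve` with `IP_NF_FILTER` set to `m` and `IP_NF_TARGET_REJECT` answered `y` to see the REJECT target capped at `m` and `NF_REJECT_IPV4` pulled in alongside it.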
# `filter', generic and specific targets

	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows you to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.
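How SYNPROXY keeps state off the box until a client proves it completed the handshake, shown with a stateless SYN-cookie check in an added example (this illustrates the idea and is not the kernel's implementation: Linux derives its cookies differently, and the MSS table, secret, clock and addresses here are constructed). A SYN is answered with a SYN-ACK whose sequence number is an HMAC over the flow's addresses, ports and a coarse time counter; only an ACK that echoes that number creates a connection-tracking entry, so a flood of SYNs from spoofed sources allocates nothing.

```python
import hashlib
import hmac
import time

# Constructed MSS table: the cookie reserves a 3-bit index into it.
MSS_TABLE = [536, 1300, 1440, 1460]


class SynProxy:
    def __init__(self, secret, clock=None):
        self.secret = secret
        # Coarse counter (advances every 64 s) so cookies expire; injectable for tests.
        self.clock = clock or (lambda: int(time.time()) // 64)
        self.established = {}   # conntrack entries, created only after a valid ACK

    def _cookie(self, src, sport, dst, dport, count, mss_idx):
        """32-bit ISN: 24 bits of HMAC | 5 bits of counter | 3 bits of MSS index."""
        msg = f"{src}:{sport}>{dst}:{dport}@{count}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (int.from_bytes(mac[:3], "big") << 8) | ((count & 0x1F) << 3) | mss_idx

    def on_syn(self, src, sport, dst, dport, mss):
        """Answer a SYN: return the SYN-ACK sequence number.  No state is stored."""
        mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
        return self._cookie(src, sport, dst, dport, self.clock(), mss_idx)

    def on_ack(self, src, sport, dst, dport, ack):
        """Validate the client's final ACK; only then create the conntrack entry."""
        isn = (ack - 1) & 0xFFFFFFFF
        mss_idx, count_bits = isn & 0x7, (isn >> 3) & 0x1F
        if mss_idx >= len(MSS_TABLE):
            return False
        now = self.clock()
        for count in (now, now - 1):          # accept the current and previous window
            if (count & 0x1F) != count_bits:
                continue
            expected = self._cookie(src, sport, dst, dport, count, mss_idx)
            if hmac.compare_digest(expected.to_bytes(4, "big"), isn.to_bytes(4, "big")):
                self.established[(src, sport, dst, dport)] = MSS_TABLE[mss_idx]
                return True
        return False


def simulate(proxy, n_spoofed=1000):
    """Constructed scenario: one real handshake amid many SYNs from spoofed sources."""
    server = ("203.0.113.7", 80)
    for i in range(n_spoofed):                     # SYN flood: nothing is allocated
        proxy.on_syn(f"10.{(i >> 8) & 255}.{i & 255}.1", 1234, *server, 1460)
    isn = proxy.on_syn("198.51.100.9", 51000, *server, 1460)
    good = proxy.on_ack("198.51.100.9", 51000, *server, isn + 1)
    bogus = proxy.on_ack("198.51.100.9", 51000, *server, 0x12345678)
    return good, bogus, len(proxy.established)


if __name__ == "__main__":
    print(simulate(SynProxy(b"constructed-secret")))   # (True, False, 1)
```

The cost of this design is the usual one for syncookies: the SYN-ACK can carry only what fits in the 32-bit sequence number, so the MSS is rounded down to a table entry and other options are lost, which is why the kernel only engages the proxy path on the flows you direct to it.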
# NAT + specific targets: nf_conntrack

	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.
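Network Address Port Translation and its masquerade special case, as described in the IPv4 NAT and MASQUERADE help texts above, in an added simulation (not the kernel's nf_nat code; the addresses, ports and the port-selection rule are constructed simplifications): outgoing flows get the egress interface's address and keep their source port when it is free, replies are translated back through the same table, and losing the interface drops every mapping, which is why the text says those connections are lost.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class Masquerade:
    """Source NAPT bound to one interface address, as the MASQUERADE target is."""

    def __init__(self, iface_addr, port_range=(1024, 65535)):
        self.addr = iface_addr
        self.lo, self.hi = port_range
        self.forward = {}   # (orig src, sport, dst, dport) -> translated source port
        self.reverse = {}   # (translated port, dst, dport) -> (orig src, sport)

    def _pick_port(self, wanted, dst, dport):
        """Keep the original port if it is free for this destination, else walk on."""
        port = wanted if self.lo <= wanted <= self.hi else self.lo
        for _ in range(self.hi - self.lo + 1):
            if (port, dst, dport) not in self.reverse:
                return port
            port = self.lo if port == self.hi else port + 1
        raise RuntimeError("NAT port range exhausted")

    def outbound(self, p):
        """Translate a packet leaving through the masqueraded interface."""
        key = (p.src, p.sport, p.dst, p.dport)
        if key not in self.forward:                       # new flow: create the mapping
            port = self._pick_port(p.sport, p.dst, p.dport)
            self.forward[key] = port
            self.reverse[(port, p.dst, p.dport)] = (p.src, p.sport)
        return replace(p, src=self.addr, sport=self.forward[key])

    def inbound(self, p):
        """Reverse-translate a reply; None means no conntrack entry, so it is dropped."""
        if p.dst != self.addr:
            return None
        orig = self.reverse.get((p.dport, p.src, p.sport))
        if orig is None:
            return None
        return replace(p, dst=orig[0], dport=orig[1])

    def interface_down(self):
        """Address gone: every mapping tied to it is lost, replies no longer match."""
        self.forward.clear()
        self.reverse.clear()


def demo():
    """Constructed scenario: two internal hosts share a source port, then the link drops."""
    nat = Masquerade("203.0.113.7")
    a = nat.outbound(Packet("10.0.0.5", 40000, "198.51.100.1", 443))
    b = nat.outbound(Packet("10.0.0.6", 40000, "198.51.100.1", 443))  # port collision
    reply_b = nat.inbound(Packet("198.51.100.1", 443, "203.0.113.7", b.sport))
    nat.interface_down()
    after_down = nat.inbound(Packet("198.51.100.1", 443, "203.0.113.7", b.sport))
    return a, b, reply_b, after_down


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Because only reply packets that match an existing mapping are forwarded inward, the table doubles as the implicit inbound filter of a NAT gateway; it is also why an address change on the masqueraded interface severs established sessions rather than migrating them.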
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

# mangle + specific targets

	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets

	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

endif # IP_NF_IPTABLES

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES