# # IP netfilter configuration # menu "IP: Netfilter Configuration" depends on INET && NETFILTER config NF_DEFRAG_IPV4 tristate default n config NF_CONNTRACK_IPV4 tristate "IPv4 connection tracking support (required for NAT)" depends on NF_CONNTRACK default m if NETFILTER_ADVANCED=n select NF_DEFRAG_IPV4 ---help--- Connection tracking keeps a record of what packets have passed through your machine, in order to figure out how they are related into connections. This is IPv4 support on Layer 3 independent connection tracking. Layer 3 independent connection tracking is experimental scheme which generalize ip_conntrack to support other layer 3 protocols. To compile it as a module, choose M here. If unsure, say N. config NF_CONNTRACK_PROC_COMPAT bool "proc/sysctl compatibility with old connection tracking" depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4 default y help This option enables /proc and sysctl compatibility with the old layer 3 dependent connection tracking. This is needed to keep old programs that have not been adapted to the new names working. If unsure, say Y. config IP_NF_QUEUE tristate "IP Userspace queueing via NETLINK (OBSOLETE)" depends on NETFILTER_ADVANCED help Netfilter has the ability to queue packets to user space: the netlink device can be used to access them using this driver. This option enables the old IPv4-only "ip_queue" implementation which has been obsoleted by the new "nfnetlink_queue" code (see CONFIG_NETFILTER_NETLINK_QUEUE). To compile it as a module, choose M here. If unsure, say N. config IP_NF_IPTABLES tristate "IP tables support (required for filtering/masq/NAT)" default m if NETFILTER_ADVANCED=n select NETFILTER_XTABLES help iptables is a general, extensible packet identification framework. The packet filtering and full NAT (masquerading, port forwarding, etc) subsystems now use this: say `Y' or `M' here if you want to use either of those. To compile it as a module, choose M here. If unsure, say N. if IP_NF_IPTABLES # The matches. config IP_NF_MATCH_AH tristate '"ah" match support' depends on NETFILTER_ADVANCED help This match extension allows you to match a range of SPIs inside AH header of IPSec packets. To compile it as a module, choose M here. If unsure, say N. config IP_NF_MATCH_ECN tristate '"ecn" match support' depends on NETFILTER_ADVANCED select NETFILTER_XT_MATCH_ECN ---help--- This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_MATCH_ECN. config IP_NF_MATCH_RPFILTER tristate '"rpfilter" reverse path filter match support' depends on NETFILTER_ADVANCED ---help--- This option allows you to match packets whose replies would go out via the interface the packet came in. To compile it as a module, choose M here. If unsure, say N. The module will be called ipt_rpfilter. config IP_NF_MATCH_TTL tristate '"ttl" match support' depends on NETFILTER_ADVANCED select NETFILTER_XT_MATCH_HL ---help--- This is a backwards-compat option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_MATCH_HL. # `filter', generic and specific targets config IP_NF_FILTER tristate "Packet filtering" default m if NETFILTER_ADVANCED=n help Packet filtering defines a table `filter', which has a series of rules for simple packet filtering at local input, forwarding and local output. See the man page for iptables(8). To compile it as a module, choose M here. If unsure, say N. config IP_NF_TARGET_REJECT tristate "REJECT target support" depends on IP_NF_FILTER default m if NETFILTER_ADVANCED=n help The REJECT target allows a filtering rule to specify that an ICMP error should be issued in response to an incoming packet, rather than silently being dropped. To compile it as a module, choose M here. If unsure, say N. config IP_NF_TARGET_REJECT_SKERR bool "Force socket error when rejecting with icmp*" depends on IP_NF_TARGET_REJECT default n help This option enables turning a "--reject-with icmp*" into a matching socket error also. The REJECT target normally allows sending an ICMP message. But it leaves the local socket unaware of any ingress rejects. If unsure, say N. config IP_NF_TARGET_LOG tristate "LOG target support" default m if NETFILTER_ADVANCED=n help This option adds a `LOG' target, which allows you to create rules in any iptables table which records the packet header to the syslog. To compile it as a module, choose M here. If unsure, say N. config IP_NF_TARGET_ULOG tristate "ULOG target support" default m if NETFILTER_ADVANCED=n ---help--- This option enables the old IPv4-only "ipt_ULOG" implementation which has been obsoleted by the new "nfnetlink_log" code (see CONFIG_NETFILTER_NETLINK_LOG). This option adds a `ULOG' target, which allows you to create rules in any iptables table. The packet is passed to a userspace logging daemon using netlink multicast sockets; unlike the LOG target which can only be viewed through syslog. The appropriate userspace logging daemon (ulogd) may be obtained from <http://www.netfilter.org/projects/ulogd/index.html> To compile it as a module, choose M here. If unsure, say N. # NAT + specific targets: nf_conntrack config NF_NAT tristate "Full NAT" depends on NF_CONNTRACK_IPV4 default m if NETFILTER_ADVANCED=n help The Full NAT option allows masquerading, port forwarding and other forms of full Network Address Port Translation. It is controlled by the `nat' table in iptables: see the man page for iptables(8). To compile it as a module, choose M here. If unsure, say N. config NF_NAT_NEEDED bool depends on NF_NAT default y config IP_NF_TARGET_MASQUERADE tristate "MASQUERADE target support" depends on NF_NAT default m if NETFILTER_ADVANCED=n help Masquerading is a special case of NAT: all outgoing connections are changed to seem to come from a particular interface's address, and if the interface goes down, those connections are lost. This is only useful for dialup accounts with dynamic IP address (ie. your IP address will be different on next dialup). To compile it as a module, choose M here. If unsure, say N. config IP_NF_TARGET_NETMAP tristate "NETMAP target support" depends on NF_NAT depends on NETFILTER_ADVANCED help NETMAP is an implementation of static 1:1 NAT mapping of network addresses. It maps the network address part, while keeping the host address part intact. To compile it as a module, choose M here. If unsure, say N. config IP_NF_TARGET_REDIRECT tristate "REDIRECT target support" depends on NF_NAT depends on NETFILTER_ADVANCED help REDIRECT is a special case of NAT: all incoming connections are mapped onto the incoming interface's address, causing the packets to come to the local machine instead of passing through. This is useful for transparent proxies. To compile it as a module, choose M here. If unsure, say N. config NF_NAT_SNMP_BASIC tristate "Basic SNMP-ALG support" depends on NF_CONNTRACK_SNMP && NF_NAT depends on NETFILTER_ADVANCED default NF_NAT && NF_CONNTRACK_SNMP ---help--- This module implements an Application Layer Gateway (ALG) for SNMP payloads. In conjunction with NAT, it allows a network management system to access multiple private networks with conflicting addresses. It works by modifying IP addresses inside SNMP payloads to match IP-layer NAT mapping. This is the "basic" form of SNMP-ALG, as described in RFC 2962 To compile it as a module, choose M here. If unsure, say N. # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. # From kconfig-language.txt: # # <expr> '&&' <expr> (6) # # (6) Returns the result of min(/expr/, /expr/). config NF_NAT_PROTO_DCCP tristate depends on NF_NAT && NF_CT_PROTO_DCCP default NF_NAT && NF_CT_PROTO_DCCP config NF_NAT_PROTO_GRE tristate depends on NF_NAT && NF_CT_PROTO_GRE config NF_NAT_PROTO_UDPLITE tristate depends on NF_NAT && NF_CT_PROTO_UDPLITE default NF_NAT && NF_CT_PROTO_UDPLITE config NF_NAT_PROTO_SCTP tristate default NF_NAT && NF_CT_PROTO_SCTP depends on NF_NAT && NF_CT_PROTO_SCTP select LIBCRC32C config NF_NAT_FTP tristate depends on NF_CONNTRACK && NF_NAT default NF_NAT && NF_CONNTRACK_FTP config NF_NAT_IRC tristate depends on NF_CONNTRACK && NF_NAT default NF_NAT && NF_CONNTRACK_IRC config NF_NAT_TFTP tristate depends on NF_CONNTRACK && NF_NAT default NF_NAT && NF_CONNTRACK_TFTP config NF_NAT_AMANDA tristate depends on NF_CONNTRACK && NF_NAT default NF_NAT && NF_CONNTRACK_AMANDA config NF_NAT_PPTP tristate depends on NF_CONNTRACK && NF_NAT default NF_NAT && NF_CONNTRACK_PPTP select NF_NAT_PROTO_GRE config NF_NAT_H323 tristate depends on NF_CONNTRACK && NF_NAT default NF_NAT && NF_CONNTRACK_H323 config NF_NAT_SIP tristate depends on NF_CONNTRACK && NF_NAT default NF_NAT && NF_CONNTRACK_SIP # mangle + specific targets config IP_NF_MANGLE tristate "Packet mangling" default m if NETFILTER_ADVANCED=n help This option adds a `mangle' table to iptables: see the man page for iptables(8). This table is used for various packet alterations which can effect how the packet is routed. To compile it as a module, choose M here. If unsure, say N. config IP_NF_TARGET_CLUSTERIP tristate "CLUSTERIP target support (EXPERIMENTAL)" depends on IP_NF_MANGLE && EXPERIMENTAL depends on NF_CONNTRACK_IPV4 depends on NETFILTER_ADVANCED select NF_CONNTRACK_MARK help The CLUSTERIP target allows you to build load-balancing clusters of network servers without having a dedicated load-balancing router/server/switch. To compile it as a module, choose M here. If unsure, say N. config IP_NF_TARGET_ECN tristate "ECN target support" depends on IP_NF_MANGLE depends on NETFILTER_ADVANCED ---help--- This option adds a `ECN' target, which can be used in the iptables mangle table. You can use this target to remove the ECN bits from the IPv4 header of an IP packet. This is particularly useful, if you need to work around existing ECN blackholes on the internet, but don't want to disable ECN support in general. To compile it as a module, choose M here. If unsure, say N. config IP_NF_TARGET_TTL tristate '"TTL" target support' depends on NETFILTER_ADVANCED && IP_NF_MANGLE select NETFILTER_XT_TARGET_HL ---help--- This is a backwards-compatible option for the user's convenience (e.g. when running oldconfig). It selects CONFIG_NETFILTER_XT_TARGET_HL. # raw + specific targets config IP_NF_RAW tristate 'raw table support (required for NOTRACK/TRACE)' help This option adds a `raw' table to iptables. This table is the very first in the netfilter framework and hooks in at the PREROUTING and OUTPUT chains. If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. # security table for MAC policy config IP_NF_SECURITY tristate "Security table" depends on SECURITY depends on NETFILTER_ADVANCED help This option adds a `security' table to iptables, for use with Mandatory Access Control (MAC) policy. If unsure, say N. endif # IP_NF_IPTABLES # ARP tables config IP_NF_ARPTABLES tristate "ARP tables support" select NETFILTER_XTABLES depends on NETFILTER_ADVANCED help arptables is a general, extensible packet identification framework. The ARP packet filtering and mangling (manipulation)subsystems use this: say Y or M here if you want to use either of those. To compile it as a module, choose M here. If unsure, say N. if IP_NF_ARPTABLES config IP_NF_ARPFILTER tristate "ARP packet filtering" help ARP packet filtering defines a table `filter', which has a series of rules for simple ARP packet filtering at local input and local output. On a bridge, you can also specify filtering rules for forwarded ARP packets. See the man page for arptables(8). To compile it as a module, choose M here. If unsure, say N. config IP_NF_ARP_MANGLE tristate "ARP payload mangling" help Allows altering the ARP packet payload: source and destination hardware and network addresses. endif # IP_NF_ARPTABLES endmenu