2 # IP netfilter configuration
5 menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
13 tristate "IPv4 socket lookup support"
15 This option enables the IPv4 socket lookup infrastructure. This is
16 is required by the {ip,nf}tables socket match.
19 tristate "IPv4 tproxy support"
24 bool "IPv4 nf_tables support"
26 This option enables the IPv4 support for nf_tables.
30 config NFT_CHAIN_ROUTE_IPV4
31 tristate "IPv4 nf_tables route chain support"
33 This option enables the "route" chain for IPv4 in nf_tables. This
34 chain type is used to force packet re-routing after mangling header
35 fields such as the source, destination, type of service and
38 config NFT_REJECT_IPV4
44 tristate "IPv4 nf_tables packet duplication support"
45 depends on !NF_CONNTRACK || NF_CONNTRACK
48 This module enables IPv4 packet duplication support for nf_tables.
52 tristate "nf_tables fib / ip route lookup support"
54 This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
55 It also allows query of the FIB for the route type, e.g. local, unicast,
56 multicast or blackhole.
58 endif # NF_TABLES_IPV4
61 bool "ARP nf_tables support"
62 select NETFILTER_FAMILY_ARP
64 This option enables the ARP support for nf_tables.
68 config NF_FLOW_TABLE_IPV4
69 tristate "Netfilter flow table IPv4 module"
70 depends on NF_FLOW_TABLE
72 This option adds the flow table IPv4 support.
74 To compile it as a module, choose M here.
77 tristate "Netfilter IPv4 packet duplication to alternate destination"
78 depends on !NF_CONNTRACK || NF_CONNTRACK
80 This option enables the nf_dup_ipv4 core, which duplicates an IPv4
81 packet to be rerouted to another destination.
84 tristate "ARP packet logging"
85 default m if NETFILTER_ADVANCED=n
89 tristate "IPv4 packet logging"
90 default m if NETFILTER_ADVANCED=n
94 tristate "IPv4 packet rejection"
95 default m if NETFILTER_ADVANCED=n
98 config NF_NAT_SNMP_BASIC
99 tristate "Basic SNMP-ALG support"
100 depends on NF_CONNTRACK_SNMP
101 depends on NETFILTER_ADVANCED
102 default NF_NAT && NF_CONNTRACK_SNMP
106 This module implements an Application Layer Gateway (ALG) for
107 SNMP payloads. In conjunction with NAT, it allows a network
108 management system to access multiple private networks with
109 conflicting addresses. It works by modifying IP addresses
110 inside SNMP payloads to match IP-layer NAT mapping.
112 This is the "basic" form of SNMP-ALG, as described in RFC 2962
114 To compile it as a module, choose M here. If unsure, say N.
118 depends on NF_CONNTRACK
119 default NF_CONNTRACK_PPTP
123 depends on NF_CONNTRACK
124 default NF_CONNTRACK_H323
128 config IP_NF_IPTABLES
129 tristate "IP tables support (required for filtering/masq/NAT)"
130 default m if NETFILTER_ADVANCED=n
131 select NETFILTER_XTABLES
133 iptables is a general, extensible packet identification framework.
134 The packet filtering and full NAT (masquerading, port forwarding,
135 etc) subsystems now use this: say `Y' or `M' here if you want to use
138 To compile it as a module, choose M here. If unsure, say N.
143 config IP_NF_MATCH_AH
144 tristate '"ah" match support'
145 depends on NETFILTER_ADVANCED
147 This match extension allows you to match a range of SPIs
148 inside AH header of IPSec packets.
150 To compile it as a module, choose M here. If unsure, say N.
152 config IP_NF_MATCH_ECN
153 tristate '"ecn" match support'
154 depends on NETFILTER_ADVANCED
155 select NETFILTER_XT_MATCH_ECN
157 This is a backwards-compat option for the user's convenience
158 (e.g. when running oldconfig). It selects
159 CONFIG_NETFILTER_XT_MATCH_ECN.
161 config IP_NF_MATCH_RPFILTER
162 tristate '"rpfilter" reverse path filter match support'
163 depends on NETFILTER_ADVANCED
164 depends on IP_NF_MANGLE || IP_NF_RAW
166 This option allows you to match packets whose replies would
167 go out via the interface the packet came in.
169 To compile it as a module, choose M here. If unsure, say N.
170 The module will be called ipt_rpfilter.
172 config IP_NF_MATCH_TTL
173 tristate '"ttl" match support'
174 depends on NETFILTER_ADVANCED
175 select NETFILTER_XT_MATCH_HL
177 This is a backwards-compat option for the user's convenience
178 (e.g. when running oldconfig). It selects
179 CONFIG_NETFILTER_XT_MATCH_HL.
181 # `filter', generic and specific targets
183 tristate "Packet filtering"
184 default m if NETFILTER_ADVANCED=n
186 Packet filtering defines a table `filter', which has a series of
187 rules for simple packet filtering at local input, forwarding and
188 local output. See the man page for iptables(8).
190 To compile it as a module, choose M here. If unsure, say N.
192 config IP_NF_TARGET_REJECT
193 tristate "REJECT target support"
194 depends on IP_NF_FILTER
195 select NF_REJECT_IPV4
196 default m if NETFILTER_ADVANCED=n
198 The REJECT target allows a filtering rule to specify that an ICMP
199 error should be issued in response to an incoming packet, rather
200 than silently being dropped.
202 To compile it as a module, choose M here. If unsure, say N.
204 config IP_NF_TARGET_SYNPROXY
205 tristate "SYNPROXY target support"
206 depends on NF_CONNTRACK && NETFILTER_ADVANCED
207 select NETFILTER_SYNPROXY
210 The SYNPROXY target allows you to intercept TCP connections and
211 establish them using syncookies before they are passed on to the
212 server. This allows to avoid conntrack and server resource usage
213 during SYN-flood attacks.
215 To compile it as a module, choose M here. If unsure, say N.
217 # NAT + specific targets: nf_conntrack
219 tristate "iptables NAT support"
220 depends on NF_CONNTRACK
221 default m if NETFILTER_ADVANCED=n
223 select NETFILTER_XT_NAT
225 This enables the `nat' table in iptables. This allows masquerading,
226 port forwarding and other forms of full Network Address Port
229 To compile it as a module, choose M here. If unsure, say N.
233 config IP_NF_TARGET_MASQUERADE
234 tristate "MASQUERADE target support"
235 select NF_NAT_MASQUERADE
236 default m if NETFILTER_ADVANCED=n
238 Masquerading is a special case of NAT: all outgoing connections are
239 changed to seem to come from a particular interface's address, and
240 if the interface goes down, those connections are lost. This is
241 only useful for dialup accounts with dynamic IP address (ie. your IP
242 address will be different on next dialup).
244 To compile it as a module, choose M here. If unsure, say N.
246 config IP_NF_TARGET_NETMAP
247 tristate "NETMAP target support"
248 depends on NETFILTER_ADVANCED
249 select NETFILTER_XT_TARGET_NETMAP
251 This is a backwards-compat option for the user's convenience
252 (e.g. when running oldconfig). It selects
253 CONFIG_NETFILTER_XT_TARGET_NETMAP.
255 config IP_NF_TARGET_REDIRECT
256 tristate "REDIRECT target support"
257 depends on NETFILTER_ADVANCED
258 select NETFILTER_XT_TARGET_REDIRECT
260 This is a backwards-compat option for the user's convenience
261 (e.g. when running oldconfig). It selects
262 CONFIG_NETFILTER_XT_TARGET_REDIRECT.
266 # mangle + specific targets
268 tristate "Packet mangling"
269 default m if NETFILTER_ADVANCED=n
271 This option adds a `mangle' table to iptables: see the man page for
272 iptables(8). This table is used for various packet alterations
273 which can effect how the packet is routed.
275 To compile it as a module, choose M here. If unsure, say N.
277 config IP_NF_TARGET_CLUSTERIP
278 tristate "CLUSTERIP target support"
279 depends on IP_NF_MANGLE
280 depends on NF_CONNTRACK
281 depends on NETFILTER_ADVANCED
282 select NF_CONNTRACK_MARK
283 select NETFILTER_FAMILY_ARP
285 The CLUSTERIP target allows you to build load-balancing clusters of
286 network servers without having a dedicated load-balancing
287 router/server/switch.
289 To compile it as a module, choose M here. If unsure, say N.
291 config IP_NF_TARGET_ECN
292 tristate "ECN target support"
293 depends on IP_NF_MANGLE
294 depends on NETFILTER_ADVANCED
296 This option adds a `ECN' target, which can be used in the iptables mangle
299 You can use this target to remove the ECN bits from the IPv4 header of
300 an IP packet. This is particularly useful, if you need to work around
301 existing ECN blackholes on the internet, but don't want to disable
302 ECN support in general.
304 To compile it as a module, choose M here. If unsure, say N.
306 config IP_NF_TARGET_TTL
307 tristate '"TTL" target support'
308 depends on NETFILTER_ADVANCED && IP_NF_MANGLE
309 select NETFILTER_XT_TARGET_HL
311 This is a backwards-compatible option for the user's convenience
312 (e.g. when running oldconfig). It selects
313 CONFIG_NETFILTER_XT_TARGET_HL.
315 # raw + specific targets
317 tristate 'raw table support (required for NOTRACK/TRACE)'
319 This option adds a `raw' table to iptables. This table is the very
320 first in the netfilter framework and hooks in at the PREROUTING
323 If you want to compile it as a module, say M here and read
324 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
326 # security table for MAC policy
327 config IP_NF_SECURITY
328 tristate "Security table"
330 depends on NETFILTER_ADVANCED
332 This option adds a `security' table to iptables, for use
333 with Mandatory Access Control (MAC) policy.
337 endif # IP_NF_IPTABLES
340 config IP_NF_ARPTABLES
341 tristate "ARP tables support"
342 select NETFILTER_XTABLES
343 select NETFILTER_FAMILY_ARP
344 depends on NETFILTER_ADVANCED
346 arptables is a general, extensible packet identification framework.
347 The ARP packet filtering and mangling (manipulation)subsystems
348 use this: say Y or M here if you want to use either of those.
350 To compile it as a module, choose M here. If unsure, say N.
354 config IP_NF_ARPFILTER
355 tristate "ARP packet filtering"
357 ARP packet filtering defines a table `filter', which has a series of
358 rules for simple ARP packet filtering at local input and
359 local output. On a bridge, you can also specify filtering rules
360 for forwarded ARP packets. See the man page for arptables(8).
362 To compile it as a module, choose M here. If unsure, say N.
364 config IP_NF_ARP_MANGLE
365 tristate "ARP payload mangling"
367 Allows altering the ARP packet payload: source and destination
368 hardware and network addresses.
370 endif # IP_NF_ARPTABLES