2 # IP netfilter configuration
5 menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
8 # connection tracking, helpers and protocols
10 tristate "Connection tracking (required for masq/NAT)"
12 Connection tracking keeps a record of what packets have passed
13 through your machine, in order to figure out how they are related
16 This is required to do Masquerading or other kinds of Network
17 Address Translation (except for Fast NAT). It can also be used to
18 enhance packet filtering (see `Connection state match support'
21 To compile it as a module, choose M here. If unsure, say N.
24 bool "Connection tracking flow accounting"
25 depends on IP_NF_CONNTRACK
27 If this option is enabled, the connection tracking code will
28 keep per-flow packet and byte counters.
30 Those counters can be used for flow-based accounting or the
35 config IP_NF_CONNTRACK_MARK
36 bool 'Connection mark tracking support'
38 This option enables support for connection marks, used by the
39 `CONNMARK' target and `connmark' match. Similar to the mark value
40 of packets, but this mark value is kept in the conntrack session
41 instead of the individual packets.
43 config IP_NF_CT_PROTO_SCTP
44 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
45 depends on IP_NF_CONNTRACK && EXPERIMENTAL
47 With this option enabled, the connection tracking code will
48 be able to do state tracking on SCTP connections.
50 If you want to compile it as a module, say M here and read
51 Documentation/modules.txt. If unsure, say `N'.
54 tristate "FTP protocol support"
55 depends on IP_NF_CONNTRACK
57 Tracking FTP connections is problematic: special helpers are
58 required for tracking them, and doing masquerading and other forms
59 of Network Address Translation on them.
61 To compile it as a module, choose M here. If unsure, say Y.
64 tristate "IRC protocol support"
65 depends on IP_NF_CONNTRACK
67 There is a commonly-used extension to IRC called
68 Direct Client-to-Client Protocol (DCC). This enables users to send
69 files to each other, and also chat to each other without the need
70 of a server. DCC Sending is used anywhere you send files over IRC,
71 and DCC Chat is most commonly used by Eggdrop bots. If you are
72 using NAT, this extension will enable you to send files and initiate
73 chats. Note that you do NOT need this extension to get files or
74 have others initiate chats, or everything else in IRC.
76 To compile it as a module, choose M here. If unsure, say Y.
79 tristate "TFTP protocol support"
80 depends on IP_NF_CONNTRACK
82 TFTP connection tracking helper, this is required depending
83 on how restrictive your ruleset is.
84 If you are using a tftp client behind -j SNAT or -j MASQUERADING
87 To compile it as a module, choose M here. If unsure, say Y.
90 tristate "Amanda backup protocol support"
91 depends on IP_NF_CONNTRACK
93 If you are running the Amanda backup package <http://www.amanda.org/>
94 on this machine or machines that will be MASQUERADED through this
95 machine, then you may want to enable this feature. This allows the
96 connection tracking and natting code to allow the sub-channels that
97 Amanda requires for communication of the backup data, messages and
100 To compile it as a module, choose M here. If unsure, say Y.
103 tristate "Userspace queueing via NETLINK"
105 Netfilter has the ability to queue packets to user space: the
106 netlink device can be used to access them using this driver.
108 To compile it as a module, choose M here. If unsure, say N.
110 config IP_NF_IPTABLES
111 tristate "IP tables support (required for filtering/masq/NAT)"
113 iptables is a general, extensible packet identification framework.
114 The packet filtering and full NAT (masquerading, port forwarding,
115 etc) subsystems now use this: say `Y' or `M' here if you want to use
118 To compile it as a module, choose M here. If unsure, say N.
121 config IP_NF_MATCH_LIMIT
122 tristate "limit match support"
123 depends on IP_NF_IPTABLES
125 limit matching allows you to control the rate at which a rule can be
126 matched: mainly useful in combination with the LOG target ("LOG
127 target support", below) and to avoid some Denial of Service attacks.
129 To compile it as a module, choose M here. If unsure, say N.
131 config IP_NF_MATCH_IPRANGE
132 tristate "IP range match support"
133 depends on IP_NF_IPTABLES
135 This option makes possible to match IP addresses against IP address
138 To compile it as a module, choose M here. If unsure, say N.
140 config IP_NF_MATCH_MAC
141 tristate "MAC address match support"
142 depends on IP_NF_IPTABLES
144 MAC matching allows you to match packets based on the source
145 Ethernet address of the packet.
147 To compile it as a module, choose M here. If unsure, say N.
149 config IP_NF_MATCH_PKTTYPE
150 tristate "Packet type match support"
151 depends on IP_NF_IPTABLES
153 Packet type matching allows you to match a packet by
154 its "class", eg. BROADCAST, MULTICAST, ...
157 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
159 To compile it as a module, choose M here. If unsure, say N.
161 config IP_NF_MATCH_MARK
162 tristate "netfilter MARK match support"
163 depends on IP_NF_IPTABLES
165 Netfilter mark matching allows you to match packets based on the
166 `nfmark' value in the packet. This can be set by the MARK target
169 To compile it as a module, choose M here. If unsure, say N.
171 config IP_NF_MATCH_MULTIPORT
172 tristate "Multiple port match support"
173 depends on IP_NF_IPTABLES
175 Multiport matching allows you to match TCP or UDP packets based on
176 a series of source or destination ports: normally a rule can only
177 match a single range of ports.
179 To compile it as a module, choose M here. If unsure, say N.
181 config IP_NF_MATCH_TOS
182 tristate "TOS match support"
183 depends on IP_NF_IPTABLES
185 TOS matching allows you to match packets based on the Type Of
186 Service fields of the IP packet.
188 To compile it as a module, choose M here. If unsure, say N.
190 config IP_NF_MATCH_RECENT
191 tristate "recent match support"
192 depends on IP_NF_IPTABLES
194 This match is used for creating one or many lists of recently
195 used addresses and then matching against that/those list(s).
197 Short options are available by using 'iptables -m recent -h'
198 Official Website: <http://snowman.net/projects/ipt_recent/>
200 To compile it as a module, choose M here. If unsure, say N.
202 config IP_NF_MATCH_ECN
203 tristate "ECN match support"
204 depends on IP_NF_IPTABLES
206 This option adds a `ECN' match, which allows you to match against
207 the IPv4 and TCP header ECN fields.
209 To compile it as a module, choose M here. If unsure, say N.
211 config IP_NF_MATCH_DSCP
212 tristate "DSCP match support"
213 depends on IP_NF_IPTABLES
215 This option adds a `DSCP' match, which allows you to match against
216 the IPv4 header DSCP field (DSCP codepoint).
218 The DSCP codepoint can have any value between 0x0 and 0x4f.
220 To compile it as a module, choose M here. If unsure, say N.
222 config IP_NF_MATCH_AH_ESP
223 tristate "AH/ESP match support"
224 depends on IP_NF_IPTABLES
226 These two match extensions (`ah' and `esp') allow you to match a
227 range of SPIs inside AH or ESP headers of IPSec packets.
229 To compile it as a module, choose M here. If unsure, say N.
231 config IP_NF_MATCH_LENGTH
232 tristate "LENGTH match support"
233 depends on IP_NF_IPTABLES
235 This option allows you to match the length of a packet against a
236 specific value or range of values.
238 To compile it as a module, choose M here. If unsure, say N.
240 config IP_NF_MATCH_TTL
241 tristate "TTL match support"
242 depends on IP_NF_IPTABLES
244 This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
245 to match packets by their TTL value.
247 To compile it as a module, choose M here. If unsure, say N.
249 config IP_NF_MATCH_TCPMSS
250 tristate "tcpmss match support"
251 depends on IP_NF_IPTABLES
253 This option adds a `tcpmss' match, which allows you to examine the
254 MSS value of TCP SYN packets, which control the maximum packet size
257 To compile it as a module, choose M here. If unsure, say N.
259 config IP_NF_MATCH_HELPER
260 tristate "Helper match support"
261 depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
263 Helper matching allows you to match packets in dynamic connections
264 tracked by a conntrack-helper, ie. ip_conntrack_ftp
266 To compile it as a module, choose M here. If unsure, say Y.
268 config IP_NF_MATCH_STATE
269 tristate "Connection state match support"
270 depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
272 Connection state matching allows you to match packets based on their
273 relationship to a tracked connection (ie. previous packets). This
274 is a powerful tool for packet classification.
276 To compile it as a module, choose M here. If unsure, say N.
278 config IP_NF_MATCH_CONNTRACK
279 tristate "Connection tracking match support"
280 depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
282 This is a general conntrack match module, a superset of the state match.
284 It allows matching on additional conntrack information, which is
285 useful in complex configurations, such as NAT gateways with multiple
286 internet links or tunnels.
288 To compile it as a module, choose M here. If unsure, say N.
290 config IP_NF_MATCH_OWNER
291 tristate "Owner match support"
292 depends on IP_NF_IPTABLES
294 Packet owner matching allows you to match locally-generated packets
295 based on who created them: the user, group, process or session.
297 To compile it as a module, choose M here. If unsure, say N.
299 config IP_NF_MATCH_PHYSDEV
300 tristate "Physdev match support"
301 depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
303 Physdev packet matching matches against the physical bridge ports
304 the IP packet arrived on or will leave by.
306 To compile it as a module, choose M here. If unsure, say N.
308 config IP_NF_MATCH_ADDRTYPE
309 tristate 'address type match support'
310 depends on IP_NF_IPTABLES
312 This option allows you to match what routing thinks of an address,
313 eg. UNICAST, LOCAL, BROADCAST, ...
315 If you want to compile it as a module, say M here and read
316 Documentation/modules.txt. If unsure, say `N'.
318 config IP_NF_MATCH_REALM
319 tristate 'realm match support'
320 depends on IP_NF_IPTABLES
323 This option adds a `realm' match, which allows you to use the realm
324 key from the routing subsytem inside iptables.
326 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
329 If you want to compile it as a module, say M here and read
330 Documentation/modules.txt. If unsure, say `N'.
332 config IP_NF_MATCH_SCTP
333 tristate 'SCTP protocol match support'
334 depends on IP_NF_IPTABLES
336 With this option enabled, you will be able to use the iptables
337 `sctp' match in order to match on SCTP source/destination ports
338 and SCTP chunk types.
340 If you want to compile it as a module, say M here and read
341 Documentation/modules.txt. If unsure, say `N'.
343 config IP_NF_MATCH_COMMENT
344 tristate 'comment match support'
345 depends on IP_NF_IPTABLES
347 This option adds a `comment' dummy-match, which allows you to put
348 comments in your iptables ruleset.
350 If you want to compile it as a module, say M here and read
351 Documentation/modules.txt. If unsure, say `N'.
353 config IP_NF_MATCH_CONNMARK
354 tristate 'Connection mark match support'
355 depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES
357 This option adds a `connmark' match, which allows you to match the
358 connection mark value previously set for the session by `CONNMARK'.
360 If you want to compile it as a module, say M here and read
361 Documentation/modules.txt. The module will be called
362 ipt_connmark.o. If unsure, say `N'.
364 config IP_NF_MATCH_HASHLIMIT
365 tristate 'hashlimit match support'
366 depends on IP_NF_IPTABLES
368 This option adds a new iptables `hashlimit' match.
370 As opposed to `limit', this match dynamically crates a hash table
371 of limit buckets, based on your selection of source/destination
372 ip addresses and/or ports.
374 It enables you to express policies like `10kpps for any given
375 destination IP' or `500pps from any given source IP' with a single
378 # `filter', generic and specific targets
380 tristate "Packet filtering"
381 depends on IP_NF_IPTABLES
383 Packet filtering defines a table `filter', which has a series of
384 rules for simple packet filtering at local input, forwarding and
385 local output. See the man page for iptables(8).
387 To compile it as a module, choose M here. If unsure, say N.
389 config IP_NF_TARGET_REJECT
390 tristate "REJECT target support"
391 depends on IP_NF_FILTER
393 The REJECT target allows a filtering rule to specify that an ICMP
394 error should be issued in response to an incoming packet, rather
395 than silently being dropped.
397 To compile it as a module, choose M here. If unsure, say N.
399 config IP_NF_TARGET_LOG
400 tristate "LOG target support"
401 depends on IP_NF_IPTABLES
403 This option adds a `LOG' target, which allows you to create rules in
404 any iptables table which records the packet header to the syslog.
406 To compile it as a module, choose M here. If unsure, say N.
408 config IP_NF_TARGET_ULOG
409 tristate "ULOG target support"
410 depends on IP_NF_IPTABLES
412 This option adds a `ULOG' target, which allows you to create rules in
413 any iptables table. The packet is passed to a userspace logging
414 daemon using netlink multicast sockets; unlike the LOG target
415 which can only be viewed through syslog.
417 The apropriate userspace logging daemon (ulogd) may be obtained from
418 <http://www.gnumonks.org/projects/ulogd/>
420 To compile it as a module, choose M here. If unsure, say N.
422 config IP_NF_TARGET_TCPMSS
423 tristate "TCPMSS target support"
424 depends on IP_NF_IPTABLES
426 This option adds a `TCPMSS' target, which allows you to alter the
427 MSS value of TCP SYN packets, to control the maximum size for that
428 connection (usually limiting it to your outgoing interface's MTU
431 This is used to overcome criminally braindead ISPs or servers which
432 block ICMP Fragmentation Needed packets. The symptoms of this
433 problem are that everything works fine from your Linux
434 firewall/router, but machines behind it can never exchange large
436 1) Web browsers connect, then hang with no data received.
437 2) Small mail works fine, but large emails hang.
438 3) ssh works fine, but scp hangs after initial handshaking.
440 Workaround: activate this option and add a rule to your firewall
443 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
444 -j TCPMSS --clamp-mss-to-pmtu
446 To compile it as a module, choose M here. If unsure, say N.
448 # NAT + specific targets
451 depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
453 The Full NAT option allows masquerading, port forwarding and other
454 forms of full Network Address Port Translation. It is controlled by
455 the `nat' table in iptables: see the man page for iptables(8).
457 To compile it as a module, choose M here. If unsure, say N.
459 config IP_NF_NAT_NEEDED
461 depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y && (IP_NF_COMPAT_IPCHAINS!=y && IP_NF_COMPAT_IPFWADM || IP_NF_COMPAT_IPCHAINS) || IP_NF_IPTABLES && IP_NF_CONNTRACK && IP_NF_NAT
464 config IP_NF_TARGET_MASQUERADE
465 tristate "MASQUERADE target support"
468 Masquerading is a special case of NAT: all outgoing connections are
469 changed to seem to come from a particular interface's address, and
470 if the interface goes down, those connections are lost. This is
471 only useful for dialup accounts with dynamic IP address (ie. your IP
472 address will be different on next dialup).
474 To compile it as a module, choose M here. If unsure, say N.
476 config IP_NF_TARGET_REDIRECT
477 tristate "REDIRECT target support"
480 REDIRECT is a special case of NAT: all incoming connections are
481 mapped onto the incoming interface's address, causing the packets to
482 come to the local machine instead of passing through. This is
483 useful for transparent proxies.
485 To compile it as a module, choose M here. If unsure, say N.
487 config IP_NF_TARGET_NETMAP
488 tristate "NETMAP target support"
491 NETMAP is an implementation of static 1:1 NAT mapping of network
492 addresses. It maps the network address part, while keeping the host
493 address part intact. It is similar to Fast NAT, except that
494 Netfilter's connection tracking doesn't work well with Fast NAT.
496 To compile it as a module, choose M here. If unsure, say N.
498 config IP_NF_TARGET_SAME
499 tristate "SAME target support"
502 This option adds a `SAME' target, which works like the standard SNAT
503 target, but attempts to give clients the same IP for all connections.
505 To compile it as a module, choose M here. If unsure, say N.
507 config IP_NF_NAT_LOCAL
508 bool "NAT of local connections (READ HELP)"
511 This option enables support for NAT of locally originated connections.
512 Enable this if you need to use destination NAT on connections
513 originating from local processes on the nat box itself.
515 Please note that you will need a recent version (>= 1.2.6a)
516 of the iptables userspace program in order to use this feature.
517 See <http://www.iptables.org/> for download instructions.
521 config IP_NF_NAT_SNMP_BASIC
522 tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
523 depends on EXPERIMENTAL && IP_NF_NAT
526 This module implements an Application Layer Gateway (ALG) for
527 SNMP payloads. In conjunction with NAT, it allows a network
528 management system to access multiple private networks with
529 conflicting addresses. It works by modifying IP addresses
530 inside SNMP payloads to match IP-layer NAT mapping.
532 This is the "basic" form of SNMP-ALG, as described in RFC 2962
534 To compile it as a module, choose M here. If unsure, say N.
538 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
539 default IP_NF_NAT if IP_NF_IRC=y
540 default m if IP_NF_IRC=m
542 # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
543 # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
546 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
547 default IP_NF_NAT if IP_NF_FTP=y
548 default m if IP_NF_FTP=m
550 config IP_NF_NAT_TFTP
552 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
553 default IP_NF_NAT if IP_NF_TFTP=y
554 default m if IP_NF_TFTP=m
556 config IP_NF_NAT_AMANDA
558 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
559 default IP_NF_NAT if IP_NF_AMANDA=y
560 default m if IP_NF_AMANDA=m
562 # mangle + specific targets
564 tristate "Packet mangling"
565 depends on IP_NF_IPTABLES
567 This option adds a `mangle' table to iptables: see the man page for
568 iptables(8). This table is used for various packet alterations
569 which can effect how the packet is routed.
571 To compile it as a module, choose M here. If unsure, say N.
573 config IP_NF_TARGET_TOS
574 tristate "TOS target support"
575 depends on IP_NF_MANGLE
577 This option adds a `TOS' target, which allows you to create rules in
578 the `mangle' table which alter the Type Of Service field of an IP
579 packet prior to routing.
581 To compile it as a module, choose M here. If unsure, say N.
583 config IP_NF_TARGET_ECN
584 tristate "ECN target support"
585 depends on IP_NF_MANGLE
587 This option adds a `ECN' target, which can be used in the iptables mangle
590 You can use this target to remove the ECN bits from the IPv4 header of
591 an IP packet. This is particularly useful, if you need to work around
592 existing ECN blackholes on the internet, but don't want to disable
593 ECN support in general.
595 To compile it as a module, choose M here. If unsure, say N.
597 config IP_NF_TARGET_DSCP
598 tristate "DSCP target support"
599 depends on IP_NF_MANGLE
601 This option adds a `DSCP' match, which allows you to match against
602 the IPv4 header DSCP field (DSCP codepoint).
604 The DSCP codepoint can have any value between 0x0 and 0x4f.
606 To compile it as a module, choose M here. If unsure, say N.
608 config IP_NF_TARGET_MARK
609 tristate "MARK target support"
610 depends on IP_NF_MANGLE
612 This option adds a `MARK' target, which allows you to create rules
613 in the `mangle' table which alter the netfilter mark (nfmark) field
614 associated with the packet prior to routing. This can change
615 the routing method (see `Use netfilter MARK value as routing
616 key') and can also be used by other subsystems to change their
619 To compile it as a module, choose M here. If unsure, say N.
621 config IP_NF_TARGET_CLASSIFY
622 tristate "CLASSIFY target support"
623 depends on IP_NF_MANGLE
625 This option adds a `CLASSIFY' target, which enables the user to set
626 the priority of a packet. Some qdiscs can use this value for
627 classification, among these are:
629 atm, cbq, dsmark, pfifo_fast, htb, prio
631 To compile it as a module, choose M here. If unsure, say N.
633 config IP_NF_TARGET_CONNMARK
634 tristate 'CONNMARK target support'
635 depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE
637 This option adds a `CONNMARK' target, which allows one to manipulate
638 the connection mark value. Similar to the MARK target, but
639 affects the connection mark value rather than the packet mark value.
641 If you want to compile it as a module, say M here and read
642 Documentation/modules.txt. The module will be called
643 ipt_CONNMARK.o. If unsure, say `N'.
645 config IP_NF_TARGET_CLUSTERIP
646 tristate "CLUSTERIP target support (EXPERIMENTAL)"
647 depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL
649 The CLUSTERIP target allows you to build load-balancing clusters of
650 network servers without having a dedicated load-balancing
651 router/server/switch.
653 To compile it as a module, choose M here. If unsure, say N.
655 # raw + specific targets
657 tristate 'raw table support (required for NOTRACK/TRACE)'
658 depends on IP_NF_IPTABLES
660 This option adds a `raw' table to iptables. This table is the very
661 first in the netfilter framework and hooks in at the PREROUTING
664 If you want to compile it as a module, say M here and read
665 <file:Documentation/modules.txt>. If unsure, say `N'.
668 config IP_NF_TARGET_NOTRACK
669 tristate 'NOTRACK target support'
671 depends on IP_NF_CONNTRACK
673 The NOTRACK target allows a select rule to specify
674 which packets *not* to enter the conntrack/NAT
675 subsystem with all the consequences (no ICMP error tracking,
676 no protocol helpers for the selected packets).
678 If you want to compile it as a module, say M here and read
679 <file:Documentation/modules.txt>. If unsure, say `N'.
683 config IP_NF_ARPTABLES
684 tristate "ARP tables support"
686 arptables is a general, extensible packet identification framework.
687 The ARP packet filtering and mangling (manipulation)subsystems
688 use this: say Y or M here if you want to use either of those.
690 To compile it as a module, choose M here. If unsure, say N.
692 config IP_NF_ARPFILTER
693 tristate "ARP packet filtering"
694 depends on IP_NF_ARPTABLES
696 ARP packet filtering defines a table `filter', which has a series of
697 rules for simple ARP packet filtering at local input and
698 local output. On a bridge, you can also specify filtering rules
699 for forwarded ARP packets. See the man page for arptables(8).
701 To compile it as a module, choose M here. If unsure, say N.
703 config IP_NF_ARP_MANGLE
704 tristate "ARP payload mangling"
705 depends on IP_NF_ARPTABLES
707 Allows altering the ARP packet payload: source and destination
708 hardware and network addresses.
710 # Backwards compatibility modules: only if you don't build in the others.
711 config IP_NF_COMPAT_IPCHAINS
712 tristate "ipchains (2.2-style) support"
713 depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y
715 This option places ipchains (with masquerading and redirection
716 support) back into the kernel, using the new netfilter
717 infrastructure. It is not recommended for new installations (see
718 `Packet filtering'). With this enabled, you should be able to use
719 the ipchains tool exactly as in 2.2 kernels.
721 To compile it as a module, choose M here. If unsure, say N.
723 config IP_NF_COMPAT_IPFWADM
724 tristate "ipfwadm (2.0-style) support"
725 depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y && IP_NF_COMPAT_IPCHAINS!=y
727 This option places ipfwadm (with masquerading and redirection
728 support) back into the kernel, using the new netfilter
729 infrastructure. It is not recommended for new installations (see
730 `Packet filtering'). With this enabled, you should be able to use
731 the ipfwadm tool exactly as in 2.0 kernels.
733 To compile it as a module, choose M here. If unsure, say N.