# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config IP_NF_CONNTRACK
	tristate "Connection tracking (required for masq/NAT)"
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT). It can also be used to
	  enhance packet filtering (see `Connection state match support'

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_IRC
	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_TFTP
	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_AMANDA
	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_QUEUE
	tristate "Userspace queueing via NETLINK"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc.) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP_NF_IPTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.
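The limit match above is a token bucket with two knobs, `--limit RATE` and `--limit-burst N`. The following is an added model of that behaviour (not kernel code) run over a constructed burst of events, so you can see which packets a rate-limited LOG rule would still log and which a flood would have suppressed; the timestamps and the 3/min, burst 5 parameters are assumed for the demonstration.

```python
from dataclasses import dataclass, field
from fractions import Fraction


@dataclass
class LimitMatch:
    """Token bucket: starts with `burst` tokens, refills at `rate` tokens per
    second, never holds more than `burst`; each accepted packet spends one."""
    rate: Fraction
    burst: int
    tokens: Fraction = field(init=False)
    last_ts: Fraction = field(init=False, default=Fraction(0))

    def __post_init__(self):
        self.tokens = Fraction(self.burst)

    def match(self, ts) -> bool:
        ts = Fraction(ts)                       # exact arithmetic, no float drift
        elapsed = max(Fraction(0), ts - self.last_ts)
        self.tokens = min(Fraction(self.burst), self.tokens + elapsed * self.rate)
        self.last_ts = ts
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def parse_rate(spec: str) -> Fraction:
    """Turn an iptables rate such as '3/min' or '10/sec' into tokens per second."""
    count, _, unit = spec.partition("/")
    seconds = {"sec": 1, "second": 1, "min": 60, "minute": 60,
               "hour": 3600, "day": 86400}[unit]
    return Fraction(int(count), seconds)


def rate_limit_events(timestamps, limit="3/min", burst=5):
    """One bool per event: True where a `-m limit` rule would still match."""
    m = LimitMatch(parse_rate(limit), burst)
    return [m.match(t) for t in timestamps]


# Constructed sample: six packets in the same second, then a slow trickle.
SAMPLE_TIMESTAMPS = [0, 0, 0, 0, 0, 0, 10, 20, 40, 60]

if __name__ == "__main__":
    for t, hit in zip(SAMPLE_TIMESTAMPS, rate_limit_events(SAMPLE_TIMESTAMPS)):
        print(f"t={t:>3}s  {'logged' if hit else 'suppressed by -m limit'}")
```

With 3/min and a burst of 5, the flood at t=0 spends the whole bucket, and afterwards only one packet every 20 seconds gets through, which is what keeps syslog from being flooded during a DoS.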
config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP_NF_IPTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PKTTYPE
	tristate "Packet type match support"
	depends on IP_NF_IPTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	    iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP_NF_IPTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH_ESP
	tristate "AH/ESP match support"
	depends on IP_NF_IPTABLES
	help
	  These two match extensions (`ah' and `esp') allow you to match a
	  range of SPIs inside AH or ESP headers of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_LENGTH
	tristate "LENGTH match support"
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TCPMSS
	tristate "tcpmss match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_HELPER
	tristate "Helper match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_MATCH_STATE
	tristate "Connection state match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_CONNTRACK
	tristate "Connection tracking match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_NEEDED
	bool
	depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y && (IP_NF_COMPAT_IPCHAINS!=y && IP_NF_COMPAT_IPFWADM || IP_NF_COMPAT_IPCHAINS) || IP_NF_IPTABLES && IP_NF_CONNTRACK && IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_LOCAL
	bool "NAT of local connections (READ HELP)"
	help
	  This option enables support for NAT of locally originated connections.
	  Enable this if you need to use destination NAT on connections
	  originating from local processes on the nat box itself.

	  Please note that you will need a recent version (>= 1.2.6a)
	  of the iptables userspace program in order to use this feature.
	  See <http://www.iptables.org/> for download instructions.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m

config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_DSCP
	tristate "DSCP target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `DSCP' target, which allows you to alter the
	  IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLASSIFY
	tristate "CLASSIFY target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	    atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target,
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large

	  1) Web browsers connect, then hang with no data received.
	  2) Small mail works fine, but large emails hang.
	  3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall

	    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	             -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.
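What the TCPMSS rule above actually does to a forwarded SYN, as an added example that is not kernel code: a constructed IPv4 SYN carrying an MSS option is parsed, the MSS is lowered to the path MTU minus 40 bytes (20-byte IPv4 header plus 20-byte TCP header) when it is larger, and the TCP checksum is recomputed so the rewritten segment is still valid. The addresses, ports and the 1400-byte path MTU are assumed values for the demonstration.

```python
import struct


def inet_checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> int:
    """Checksum over the IPv4 pseudo-header (proto 6) plus the TCP segment as given."""
    return inet_checksum(src + dst + struct.pack("!BBH", 0, 6, len(tcp)) + tcp)


def with_tcp_checksum(src: bytes, dst: bytes, tcp: bytes) -> bytes:
    """Return `tcp` with its checksum field (offset 16) recomputed."""
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    return zeroed[:16] + struct.pack("!H", tcp_checksum(src, dst, zeroed)) + zeroed[18:]


def build_syn(src: bytes, dst: bytes, mss: int) -> bytes:
    """Constructed sample: IPv4 header (IP checksum left 0; TCPMSS never touches it)
    followed by a TCP SYN carrying a single MSS option (kind 2, length 4)."""
    opts = struct.pack("!BBH", 2, 4, mss)
    doff = (20 + len(opts)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, doff << 4, 0x02, 65535, 0, 0) + opts
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0, src, dst)
    return ip + with_tcp_checksum(src, dst, tcp)


def find_mss(tcp: bytes):
    """Walk the TCP options; return the offset of the MSS value, or None."""
    doff, i = (tcp[12] >> 4) * 4, 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                        # end of option list
            return None
        if kind == 1:                        # NOP is a single byte
            i += 1
            continue
        if kind == 2 and tcp[i + 1] == 4:
            return i + 2
        i += tcp[i + 1]                      # skip any other option by its length
    return None


def mss_of(pkt: bytes):
    ihl = (pkt[0] & 0x0F) * 4
    off = find_mss(pkt[ihl:])
    return None if off is None else struct.unpack_from("!H", pkt, ihl + off)[0]


def clamp_mss_to_pmtu(pkt: bytes, pmtu: int) -> bytes:
    """Mirror of --clamp-mss-to-pmtu: lower a SYN's MSS to pmtu - 40 (IPv4 + TCP headers)."""
    ihl = (pkt[0] & 0x0F) * 4
    tcp = bytearray(pkt[ihl:])
    if pkt[9] != 6 or not tcp[13] & 0x02:    # not TCP, or SYN flag not set
        return pkt
    off = find_mss(bytes(tcp))
    if off is None or struct.unpack_from("!H", tcp, off)[0] <= pmtu - 40:
        return pkt
    struct.pack_into("!H", tcp, off, pmtu - 40)
    return pkt[:ihl] + with_tcp_checksum(pkt[12:16], pkt[16:20], bytes(tcp))
```

A SYN advertising MSS 1460 behind a 1400-byte path comes out with MSS 1360, so the peer never sends a segment that would need the blocked ICMP Fragmentation Needed message; a SYN already below the limit passes through untouched.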
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

# Backwards compatibility modules: only if you don't build in the others.
config IP_NF_COMPAT_IPCHAINS
	tristate "ipchains (2.2-style) support"
	depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y
	help
	  This option places ipchains (with masquerading and redirection
	  support) back into the kernel, using the new netfilter
	  infrastructure. It is not recommended for new installations (see
	  `Packet filtering'). With this enabled, you should be able to use
	  the ipchains tool exactly as in 2.2 kernels.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_COMPAT_IPFWADM
	tristate "ipfwadm (2.0-style) support"
	depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y && IP_NF_COMPAT_IPCHAINS!=y
	help
	  This option places ipfwadm (with masquerading and redirection
	  support) back into the kernel, using the new netfilter
	  infrastructure. It is not recommended for new installations (see
	  `Packet filtering'). With this enabled, you should be able to use
	  the ipfwadm tool exactly as in 2.0 kernels.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NOTRACK
	tristate 'NOTRACK target support'
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

endmenu