#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# connection tracking, helpers and protocols
config IP_NF_CONNTRACK
	tristate "Connection tracking (required for masq/NAT)"
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT).  It can also be used to
	  enhance packet filtering (see `Connection state match support').

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the

config IP_NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  With this option enabled, the connection tracking code will
	  be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt.  If unsure, say `N'.

config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic, because the endpoint of
	  each data connection is negotiated inside the control-channel
	  payload (PORT command / PASV reply): special helpers are required
	  for tracking them, and for doing masquerading and other forms of
	  Network Address Translation on them.

	  To compile it as a module, choose M here.  If unsure, say Y.
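The following is an added example, not kernel code and not part of this Kconfig: a user-space model of the two jobs the FTP helper has to do on the control channel (register an expectation so the data connection is classified RELATED, and rewrite the address carried in a PORT command when the client sits behind SNAT/MASQUERADE). The FTP lines, addresses and ports are constructed; the dictionary layout of the expectation is this example's own, not the kernel's structure.

```python
# Added example (not kernel code): what ip_conntrack_ftp / ip_nat_ftp must do
# with the FTP control channel.  Sample lines and addresses are constructed.
import re
from typing import Optional, Tuple

# "h1,h2,h3,h4,p1,p2" as used by the PORT command and the 227 (PASV) reply
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line: str) -> Optional[Tuple[str, int]]:
    """Return (ip, port) announced in a PORT command or 227 reply, or None if
    the line carries no endpoint or an octet/port byte is out of range."""
    m = _HOSTPORT.search(line)
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = ".".join(str(f) for f in fields[:4])
    return ip, (fields[4] << 8) | fields[5]


def expectation(line: str, client_ip: str, server_ip: str) -> Optional[dict]:
    """The 'expectation' the conntrack helper registers so that the upcoming
    data connection is classified RELATED instead of NEW (or INVALID)."""
    ep = parse_hostport(line)
    if ep is None:
        return None
    ip, port = ep
    if line.startswith("PORT "):
        # active mode: the server connects back to the endpoint the client named
        return {"proto": "tcp", "src": server_ip, "dst": ip, "dport": port}
    if line.startswith("227 "):
        # passive mode: the client connects to the endpoint the server named
        return {"proto": "tcp", "src": client_ip, "dst": ip, "dport": port}
    return None


def nat_rewrite_port(line: str, public_ip: str, public_port: int) -> str:
    """The NAT half of the helper: a PORT command sent from behind SNAT or
    MASQUERADE names a private address the server cannot reach, so the payload
    itself is rewritten to the mapped public endpoint.  (If the rewritten text
    changes length the helper must also adjust TCP sequence numbers; omitted.)"""
    if not line.startswith("PORT "):
        return line
    fields = public_ip.split(".") + [str(public_port >> 8), str(public_port & 0xFF)]
    return _HOSTPORT.sub(",".join(fields), line, count=1)
```

The same pattern (parse an address announced in the payload, expect the resulting flow, rewrite the payload under NAT) is what the IRC, TFTP and Amanda helpers below implement for their own protocols.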
config IP_NF_IRC
	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or for everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_TFTP
	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper.  A TFTP server answers from a
	  newly chosen UDP source port, so without a helper the reply flow
	  does not match the client's request; whether you need it depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_AMANDA
	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or on machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and NAT code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_QUEUE
	tristate "Userspace queueing via NETLINK"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP_NF_IPTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.
	  Note that the limit is one token bucket per rule, shared by every
	  packet the rule sees; it is not a per-source-address limit.

	  To compile it as a module, choose M here.  If unsure, say N.
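An added example, not kernel code and not the ipt_limit implementation: a token bucket with the `--limit RATE --limit-burst BURST` semantics, driven by explicit millisecond timestamps so the outcome is reproducible. The rate strings follow the iptables syntax; the integer credit bookkeeping is this example's simplification.

```python
# Added example (not kernel code): the token bucket behind `-m limit`.
_UNIT_MS = {
    "second": 1_000, "sec": 1_000, "s": 1_000,
    "minute": 60_000, "min": 60_000, "m": 60_000,
    "hour": 3_600_000, "h": 3_600_000,
    "day": 86_400_000, "d": 86_400_000,
}


def parse_rate(spec: str) -> int:
    """'5/min' -> milliseconds of credit one packet costs (12000).  A bare
    number means per second, as with iptables."""
    num, _, unit = spec.partition("/")
    return _UNIT_MS[unit or "second"] // int(num)


class LimitMatch:
    """`-m limit --limit RATE --limit-burst BURST`: the bucket starts full
    (BURST tokens), every matching packet spends one token, and tokens
    come back at RATE.  A packet arriving with an empty bucket does not
    match, so a following LOG target never sees it."""

    def __init__(self, rate: str, burst: int = 5):
        self.cost = parse_rate(rate)      # credit one packet costs
        self.cap = burst * self.cost      # credit never exceeds the burst
        self.credit = self.cap
        self.last_ms = None

    def match(self, now_ms: int) -> bool:
        if self.last_ms is not None:
            self.credit = min(self.cap, self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def simulate(rate: str, burst: int, arrivals_ms):
    """Feed constructed arrival times through one rule; returns which packets
    matched (for `-m limit ... -j LOG`, which packets reach syslog)."""
    lm = LimitMatch(rate, burst)
    return [lm.match(t) for t in arrivals_ms]
```

With `--limit 5/min --limit-burst 5` a burst of ten SYNs one second apart produces five log lines, then one more every twelve seconds for as long as the flood continues. The flip side of a shared bucket is worth remembering: if limit is used on an ACCEPT rule rather than a LOG rule, an attacker who keeps the bucket empty starves legitimate traffic as well.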
config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP_NF_IPTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.  It only makes sense for packets
	  that arrived on an Ethernet-like device, in the PREROUTING, INPUT
	  and FORWARD chains; remember that a source MAC is trivially forged
	  by anyone on the same segment, so it is not an authentication.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_PKTTYPE
	tristate "Packet type match support"
	depends on IP_NF_IPTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP_NF_IPTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet.  This can be set by the MARK target

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service field of the IP header.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or more lists of recently
	  seen source addresses and then matching against that list (or
	  those lists), e.g. to throttle repeated connection attempts from
	  one address.

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here.  If unsure, say N.
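An added example, not kernel code and not the ipt_recent implementation: a model of one `--name` list with the `--set`, `--rcheck` and `--update` operations and their `--seconds`/`--hitcount` qualifiers, used to emulate the common two-rule SSH throttle. Addresses and timestamps are constructed; the bounded per-address history is this example's assumption.

```python
# Added example (not kernel code): one `-m recent --name X` list and the
# classic SSH brute-force throttle built on it.
from collections import deque


class RecentList:
    MAX_STAMPS = 20   # assumption: bounded per-address hit history, as ipt_recent keeps

    def __init__(self):
        self._table = {}

    def set(self, addr: str, now: float) -> bool:
        """--set: add the address (or another hit for it) with the current time."""
        self._table.setdefault(addr, deque(maxlen=self.MAX_STAMPS)).append(now)
        return True

    def _hits(self, addr: str, now: float, seconds):
        stamps = self._table.get(addr)
        if stamps is None:
            return None
        if seconds is None:
            return len(stamps)
        return sum(1 for s in stamps if now - s <= seconds)

    def rcheck(self, addr: str, now: float, seconds=None, hitcount=1) -> bool:
        """--rcheck [--seconds S] [--hitcount N]: match if the address is listed
        with at least N hits inside the last S seconds."""
        hits = self._hits(addr, now, seconds)
        return hits is not None and hits >= hitcount

    def update(self, addr: str, now: float, seconds=None, hitcount=1) -> bool:
        """--update: like --rcheck, but a successful match also records a new hit,
        so an attacker who keeps trying keeps the block alive."""
        matched = self.rcheck(addr, now, seconds, hitcount)
        if matched:
            self._table[addr].append(now)
        return matched


def ssh_chain(events, seconds=60, hitcount=4):
    """Verdicts for NEW SSH connections from (addr, time) events, emulating
      -A INPUT -p tcp --dport 22 -m state --state NEW \
          -m recent --name SSH --update --seconds 60 --hitcount 4 -j DROP
      -A INPUT -p tcp --dport 22 -m state --state NEW \
          -m recent --name SSH --set -j ACCEPT"""
    ssh = RecentList()
    verdicts = []
    for addr, now in events:
        if ssh.update(addr, now, seconds, hitcount):
            verdicts.append("DROP")
        else:
            ssh.set(addr, now)
            verdicts.append("ACCEPT")
    return verdicts
```

Four new connections per source per minute get through; the fifth and later are dropped, and because the DROP rule uses `--update`, continued attempts extend the block until the source has been quiet for the full window.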
config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint is the upper six bits of the former TOS byte,
	  so it can have any value between 0x0 and 0x3f.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_AH_ESP
	tristate "AH/ESP match support"
	depends on IP_NF_IPTABLES
	help
	  These two match extensions (`ah' and `esp') allow you to match a
	  range of SPIs inside AH or ESP headers of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_LENGTH
	tristate "LENGTH match support"
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TCPMSS
	tristate "tcpmss match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which controls the maximum packet size

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_HELPER
	tristate "Helper match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack helper, e.g. ip_conntrack_ftp.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_MATCH_STATE
	tristate "Connection state match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets): NEW,
	  ESTABLISHED, RELATED or INVALID.  This is a powerful tool for packet
	  classification, since it lets a rule decide on the history of a flow
	  rather than only on flag bits the sender controls.

	  To compile it as a module, choose M here.  If unsure, say N.
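An added example, not kernel code and not ip_conntrack's data structures: a minimal model of the flow table that `Connection tracking` maintains and of how `-m state` classifies packets against it (this also illustrates the conntrack option above), compared with the stateless "accept anything that is not a SYN" rule people used before conntrack existed. Addresses, ports and the packet sequence are constructed; the model has no timeouts, no TCP window validation and no RELATED flows.

```python
# Added example (not kernel code): conntrack states vs. a stateless filter.
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # subset of "SAFR": SYN, ACK, FIN, RST


def is_syn_only(p: Pkt) -> bool:
    """What iptables `--syn` means: SYN set, ACK and RST clear."""
    return "S" in p.flags and "A" not in p.flags and "R" not in p.flags


class ConnTrack:
    """Flow table keyed by the unordered pair of endpoints.  Simplified: no
    timeouts, no TCP window/sequence checks, no RELATED (helper) flows."""

    def __init__(self):
        self.table = {}

    @staticmethod
    def _key(p: Pkt):
        return frozenset([(p.src, p.sport), (p.dst, p.dport)])

    def classify(self, p: Pkt) -> str:
        e = self.table.get(self._key(p))
        if e is not None:
            if (p.src, p.sport) != e["orig_src"]:
                e["seen_reply"] = True        # first packet back confirms the flow
            return "ESTABLISHED" if e["seen_reply"] else "NEW"
        if is_syn_only(p):
            self.table[self._key(p)] = {"orig_src": (p.src, p.sport), "seen_reply": False}
            return "NEW"
        return "INVALID"                      # e.g. a bare ACK with no tracked flow


def stateful_input(state: str, p: Pkt, open_ports) -> str:
    """  -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
         -A INPUT -p tcp -m state --state NEW --dport <open> -j ACCEPT
         -A INPUT -j DROP"""
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"
    if state == "NEW" and p.dport in open_ports:
        return "ACCEPT"
    return "DROP"


def stateless_input(p: Pkt, open_ports) -> str:
    """The pre-conntrack approximation:  -A INPUT -p tcp ! --syn -j ACCEPT
    followed by per-port SYN rules.  Every non-SYN segment is let through."""
    if not is_syn_only(p):
        return "ACCEPT"
    return "ACCEPT" if p.dport in open_ports else "DROP"


def compare(packets, firewall_ip: str, open_ports=(22,)):
    """Run a packet sequence through both filters.  Packets the firewall itself
    sends (src == firewall_ip) only update conntrack; they are OUTPUT, not INPUT."""
    ct = ConnTrack()
    verdicts = []
    for p in packets:
        state = ct.classify(p)
        if p.src == firewall_ip:
            verdicts.append(("OUTPUT", "OUTPUT"))
            continue
        verdicts.append((stateful_input(state, p, open_ports), stateless_input(p, open_ports)))
    return verdicts
```

The interesting row is the bare ACK to a closed port: conntrack has no flow for it, so the stateful filter classifies it INVALID and drops it, while the stateless filter accepts it and answers with a RST, which is exactly what an ACK scan relies on to map firewall rules.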
config IP_NF_MATCH_CONNTRACK
	tristate "Connection tracking match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.
	  It therefore only works in the OUTPUT chain.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt.  If unsure, say `N'.

config IP_NF_MATCH_REALM
	tristate 'realm match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt.  If unsure, say `N'.

config IP_NF_MATCH_SCTP
	tristate 'SCTP protocol match support'
	depends on IP_NF_IPTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt.  If unsure, say `N'.

config IP_NF_MATCH_COMMENT
	tristate 'comment match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt.  If unsure, say `N'.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error (or, for TCP with `--reject-with tcp-reset', a TCP RST)
	  should be issued in response to an incoming packet, rather than
	  the packet silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which record the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table.  The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target,
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU

	  This is used to overcome ISPs or servers which block ICMP
	  Fragmentation Needed packets and thereby break Path MTU discovery.
	  The symptoms of this problem are that everything works fine from
	  your Linux firewall/router, but machines behind it can never
	  exchange large
	  1) Web browsers connect, then hang with no data received.
	  2) Small mail works fine, but large emails hang.
	  3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
		   -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.
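An added example, not kernel code: the packet-level operation behind the `tcpmss' match above (read the MSS option from a SYN) and the TCPMSS target (rewrite it, fixing the TCP checksum with the RFC 1624 incremental update, as the kernel does rather than recomputing over the payload). The SYN segment and addresses are constructed; `--clamp-mss-to-pmtu` derives the limit from the outgoing interface MTU minus 40, while this example takes the limit as an explicit argument, as `--set-mss` does.

```python
# Added example (not kernel code): read and clamp the TCP MSS option of a SYN.
import struct


def ones_complement_sum(data: bytes) -> int:
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s


def tcp_checksum(src_ip: bytes, dst_ip: bytes, seg: bytes) -> int:
    """Full TCP checksum over pseudo-header + segment (checksum field zeroed)."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(seg))
    return (~ones_complement_sum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])) & 0xFFFF


def checksum_ok(src_ip: bytes, dst_ip: bytes, seg: bytes) -> bool:
    return struct.unpack("!H", seg[16:18])[0] == tcp_checksum(src_ip, dst_ip, seg)


def tcp_options(seg: bytes):
    """Yield (kind, offset, data) for each option; stops at EOL or a malformed length."""
    doff = (seg[12] >> 4) * 4
    i = 20
    while i < doff:
        kind = seg[i]
        if kind == 0:                       # EOL
            break
        if kind == 1:                       # NOP
            i += 1
            continue
        ln = seg[i + 1]
        if ln < 2 or i + ln > doff:         # malformed option: do not trust it
            break
        yield kind, i, seg[i + 2:i + ln]
        i += ln


def get_mss(seg: bytes):
    """What `-m tcpmss` examines: the MSS option (kind 2), or None if absent."""
    for kind, _, data in tcp_options(seg):
        if kind == 2 and len(data) == 2:
            return struct.unpack("!H", data)[0]
    return None


def csum_update16(old_csum: int, old_val: int, new_val: int) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m') for a 16-bit field replacement."""
    s = (~old_csum & 0xFFFF) + (~old_val & 0xFFFF) + new_val
    s = (s & 0xFFFF) + (s >> 16)
    s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def clamp_mss(seg: bytes, max_mss: int) -> bytes:
    """TCPMSS-style rewrite: only SYN segments, only when the advertised MSS is
    above max_mss.  Returns the segment, rewritten with a corrected checksum."""
    if not seg[13] & 0x02:                  # SYN flag clear: leave it alone
        return seg
    for kind, off, data in tcp_options(seg):
        if kind == 2 and len(data) == 2:
            mss = struct.unpack("!H", data)[0]
            if mss <= max_mss:
                return seg
            old_csum = struct.unpack("!H", seg[16:18])[0]
            out = bytearray(seg)
            out[off + 2:off + 4] = struct.pack("!H", max_mss)
            out[16:18] = struct.pack("!H", csum_update16(old_csum, mss, max_mss))
            return bytes(out)
    return seg


def build_syn(src_ip: bytes, dst_ip: bytes, sport: int, dport: int, mss: int) -> bytes:
    """Constructed SYN: 20-byte header + MSS, NOP, NOP, SACK-permitted (doff = 7)."""
    opts = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + b"\x04\x02"
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 7 << 4, 0x02, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(src_ip, dst_ip, seg)) + seg[18:]
```

Note that a SYN without an MSS option is left untouched here; the real target adds one in that case, which also changes the header length and the checksum of more than one field.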
# NAT + specific targets
config IP_NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_NEEDED
	bool
	depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y && (IP_NF_COMPAT_IPCHAINS!=y && IP_NF_COMPAT_IPFWADM || IP_NF_COMPAT_IPCHAINS) || IP_NF_IPTABLES && IP_NF_CONNTRACK && IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on IP_NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with a dynamic IP address (ie. your IP
	  address will be different on the next dialup); with a static address
	  use the SNAT target instead.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on IP_NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through.  This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on IP_NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses.  It maps the network address part, while keeping the host
	  address part intact.  It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	depends on IP_NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_LOCAL
	bool "NAT of local connections (READ HELP)"
	depends on IP_NF_NAT
	help
	  This option enables support for NAT of locally originated connections.
	  Enable this if you need to use destination NAT on connections
	  originating from local processes on the nat box itself.

	  Please note that you will need a recent version (>= 1.2.6a)
	  of the iptables userspace program in order to use this feature.
	  See <http://www.iptables.org/> for download instructions.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match the IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.  Argh.
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_DSCP
	tristate "DSCP target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `DSCP' target, which allows you to create rules
	  in the `mangle' table which alter the IPv4 header DSCP field (DSCP
	  codepoint) of a packet.

	  The DSCP codepoint is the upper six bits of the former TOS byte,
	  so it can have any value between 0x0 and 0x3f.

	  To compile it as a module, choose M here.  If unsure, say N.
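An added example, not kernel code: the IPv4 header operations behind the ECN and DSCP matches earlier in this file and the ECN and DSCP targets above. It decodes the two fields that share the former TOS byte, rewrites them the way the targets do (the IPv4 header checksum must be recomputed after any change), and shows why 0x3f is the largest valid DSCP. The header bytes and addresses are constructed.

```python
# Added example (not kernel code): DSCP/ECN bits of the IPv4 TOS byte, read and rewritten.
import struct


def ip_header_checksum(hdr: bytes) -> int:
    """IPv4 header checksum: ones' complement of the ones' complement sum of the
    header with the checksum field (bytes 10-11) taken as zero."""
    zeroed = hdr[:10] + b"\x00\x00" + hdr[12:]
    s = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def checksum_ok(hdr: bytes) -> bool:
    return struct.unpack("!H", hdr[10:12])[0] == ip_header_checksum(hdr)


def dscp_of(hdr: bytes) -> int:
    """What `-m dscp` compares: the upper 6 bits of byte 1."""
    return hdr[1] >> 2


def ecn_of(hdr: bytes) -> int:
    """What `-m ecn --ecn-ip-ect` compares: the lower 2 bits of byte 1
    (0 Not-ECT, 1 ECT(1), 2 ECT(0), 3 CE)."""
    return hdr[1] & 0x03


def valid_dscp(dscp: int) -> bool:
    return 0 <= dscp <= 0x3F


def _with_tos(hdr: bytes, tos: int) -> bytes:
    out = bytearray(hdr)
    out[1] = tos
    out[10:12] = struct.pack("!H", ip_header_checksum(bytes(out)))
    return bytes(out)


def set_dscp(hdr: bytes, dscp: int) -> bytes:
    """DSCP target: replace the codepoint, keep the ECN bits, fix the checksum."""
    if not valid_dscp(dscp):
        raise ValueError("DSCP is a 6-bit field: 0x00..0x3f")
    return _with_tos(hdr, (dscp << 2) | (hdr[1] & 0x03))


def clear_ip_ecn(hdr: bytes) -> bytes:
    """ECN target, IPv4 side: set the ECN codepoint to Not-ECT, keep the DSCP."""
    return _with_tos(hdr, hdr[1] & 0xFC)


def tcp_ecn_flags(seg: bytes) -> dict:
    """What `-m ecn --ecn-tcp-ece / --ecn-tcp-cwr` look at in the TCP header."""
    return {"ece": bool(seg[13] & 0x40), "cwr": bool(seg[13] & 0x80)}


def build_ipv4_header(src_ip: bytes, dst_ip: bytes, tos: int, proto: int = 6,
                      total_len: int = 40, ttl: int = 64) -> bytes:
    """Constructed 20-byte IPv4 header (IHL 5, no fragmentation) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, total_len, 0x1234, 0x4000,
                      ttl, proto, 0, src_ip, dst_ip)
    return hdr[:10] + struct.pack("!H", ip_header_checksum(hdr)) + hdr[12:]
```

A DSCP of 0x4f would need seven bits and can never appear in a header; the userspace tool rejects it, and the check above mirrors that.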
config IP_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing.  This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLASSIFY
	tristate "CLASSIFY target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet.  Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables.  This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_TARGET_NOTRACK
	tristate 'NOTRACK target support'
	depends on IP_NF_RAW
	depends on IP_NF_CONNTRACK
	help
	  The NOTRACK target allows a rule to select which packets are
	  *not* to enter the conntrack/NAT subsystem, with all the
	  consequences (no ICMP error tracking, no protocol helpers and
	  no NAT for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets.  See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

# Backwards compatibility modules: only if you don't build in the others.
config IP_NF_COMPAT_IPCHAINS
	tristate "ipchains (2.2-style) support"
	depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y
	help
	  This option places ipchains (with masquerading and redirection
	  support) back into the kernel, using the new netfilter
	  infrastructure.  It is not recommended for new installations (see
	  `Packet filtering').  With this enabled, you should be able to use
	  the ipchains tool exactly as in 2.2 kernels.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_COMPAT_IPFWADM
	tristate "ipfwadm (2.0-style) support"
	depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y && IP_NF_COMPAT_IPCHAINS!=y
	help
	  This option places ipfwadm (with masquerading and redirection
	  support) back into the kernel, using the new netfilter
	  infrastructure.  It is not recommended for new installations (see
	  `Packet filtering').  With this enabled, you should be able to use
	  the ipfwadm tool exactly as in 2.0 kernels.

	  To compile it as a module, choose M here.  If unsure, say N.

endmenu