# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

	tristate "Connection tracking (required for masq/NAT)"
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT). It can also be used to
	  enhance packet filtering (see `Connection state match support'

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here. If unsure, say Y.

	tristate "H323 protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking H323 connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here. If unsure, say Y.

	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	help
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say Y.

	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE

	  To compile it as a module, choose M here. If unsure, say Y.

	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and

	  To compile it as a module, choose M here. If unsure, say Y.

# CONFIG_MIPS_BRCM Begin Broadcom changed code.
	tristate "DirectX8 protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Microsoft DirectX support.

	  To compile it as a module, choose M here. If unsure, say Y.

	tristate "Windows MMS protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Microsoft Windows Media Player support.

	  To compile it as a module, choose M here. If unsure, say Y.

	tristate "Port Triggering support"
	depends on IP_NF_CONNTRACK
	help
	  Port Triggering support

	  To compile it as a module, choose M here. If unsure, say Y.

	tristate "IPSec support"
	depends on IP_NF_CONNTRACK
	help
	  To compile it as a module, choose M here. If unsure, say Y.
# CONFIG_MIPS_BRCM End Broadcom changed code.

	tristate "RTSP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Support the RTSP protocol. This allows UDP transports to be set up
	  properly, including RTP and RDT.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `Y'.

	tristate "Userspace queueing via NETLINK"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TECOM_TRAFFIC
	tristate "Traffic(budget) control support"
	help
	  Support the budget controlling. This allows the user to configure complicated

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

# The simple matches.
config IP_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP_NF_IPTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.
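The help text above says the limit match bounds how often a rule fires, which is what keeps a LOG rule from flooding syslog under a packet flood. The following is an added example, not kernel or netfilter code: a pure-Python model of the credit scheme behind `-m limit --limit 3/min --limit-burst 5`, run over a constructed sequence of packet timestamps so the burst-then-trickle behaviour is visible. The real ipt_limit keeps its credit in jiffies; this model keeps it in milliseconds so every value is an exact integer.

```python
# Added example (not part of the kernel Kconfig or netfilter source): a
# pure-Python model of the `limit' match's credit scheme, used to see how
# many packets a rule such as
#   iptables -A INPUT -p tcp --syn -m limit --limit 3/min --limit-burst 5 -j LOG
# would actually match.  The real ipt_limit counts credit in jiffies; this
# model counts milliseconds, so all arithmetic stays in integers.

UNIT_MS = {"second": 1000, "sec": 1000, "minute": 60000, "min": 60000,
           "hour": 3600000, "day": 86400000}


def parse_rate(spec):
    """Turn an iptables rate like '3/min' into (count, period_ms)."""
    count, unit = spec.split("/", 1)
    return int(count), UNIT_MS[unit.lower()]


class LimitMatch:
    """Token bucket with the same observable behaviour as `-m limit'.

    cost       : milliseconds of credit consumed by one matched packet
    credit_cap : maximum credit that can be saved up (the burst)
    """

    def __init__(self, rate="3/hour", burst=5):
        count, period_ms = parse_rate(rate)
        self.cost = period_ms // count
        self.credit_cap = self.cost * burst
        self.credit = self.credit_cap      # the rule starts with a full burst
        self.last_ms = None

    def check(self, now_ms):
        """Return True if a packet seen at now_ms matches the rule."""
        if self.last_ms is not None:
            self.credit = min(self.credit_cap,
                              self.credit + (now_ms - self.last_ms))
        self.last_ms = now_ms
        if self.credit >= self.cost:
            self.credit -= self.cost
            return True
        return False


def matched_indices(timestamps_ms, rate, burst):
    """Indices of the packets in timestamps_ms that a limit rule lets through."""
    m = LimitMatch(rate, burst)
    return [i for i, t in enumerate(timestamps_ms) if m.check(t)]


# Constructed traffic: ten SYNs in the first ten seconds (one per second),
# then one every thirty seconds.
SAMPLE_MS = [i * 1000 for i in range(10)] + [30000, 60000, 90000, 120000]

if __name__ == "__main__":
    hits = matched_indices(SAMPLE_MS, "3/min", 5)
    print(f"{len(hits)} of {len(SAMPLE_MS)} packets would be logged: {hits}")
```

With the sample traffic the first five packets spend the burst, the next five are not matched at all, and afterwards one packet per twenty seconds earns enough credit to match again, so a LOG rule guarded this way writes at most the configured rate no matter how fast packets arrive.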
config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP_NF_IPTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PKTTYPE
	tristate "Packet type match support"
	depends on IP_NF_IPTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", e.g. BROADCAST, MULTICAST, ...

	    iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP_NF_IPTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH_ESP
	tristate "AH/ESP match support"
	depends on IP_NF_IPTABLES
	help
	  These two match extensions (`ah' and `esp') allow you to match a
	  range of SPIs inside AH or ESP headers of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_LENGTH
	tristate "LENGTH match support"
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TCPMSS
	tristate "tcpmss match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_HELPER
	tristate "Helper match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, i.e. ip_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_MATCH_STATE
	tristate "Connection state match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (i.e. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.
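The helper match and the state match above both rely on the labels conntrack attaches to packets (NEW, ESTABLISHED, RELATED, INVALID). The following added example, which is not kernel code, models that labelling in a few dozen lines of Python and runs a constructed stateful INPUT ruleset over sample packets: an SSH handshake, a SYN to an unlisted port, a mid-stream ACK with no tracked flow, an ICMP error quoting the SSH connection, and a data connection that is dropped as NEW but accepted as RELATED once a helper (in the spirit of ip_conntrack_ftp) has registered an expectation for it. Assumptions: only TCP and ICMP errors are modelled, there are no timeouts or sequence checks, and a TCP packet without SYN that matches nothing is INVALID (loose TCP pickup off).

```python
# Added example (not kernel code): a small model of how conntrack labels a
# packet NEW / ESTABLISHED / RELATED / INVALID and how a `-m state' ruleset
# then acts on that label.  Simplifications: only TCP and ICMP errors are
# modelled, there are no timeouts or sequence-number checks, and a TCP
# packet without SYN that matches no tracked flow is treated as INVALID
# (i.e. loose TCP pickup is assumed to be off).
from collections import namedtuple

# quoted: for an ICMP error, the 5-tuple of the packet quoted in its payload
Packet = namedtuple("Packet", "proto src sport dst dport flags quoted",
                    defaults=(None,))


def _tuple(p):
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def _invert(t):
    proto, src, sport, dst, dport = t
    return (proto, dst, dport, src, sport)


class ConnTracker:
    def __init__(self):
        # original-direction 5-tuple -> state of the flow as seen from that
        # direction: "new", "related" (created by an expectation) or
        # "established" (a reply has been seen)
        self.flows = {}
        # (proto, dst, dport) tuples a helper told us to expect, the way
        # ip_conntrack_ftp does after parsing a PASV reply
        self.expectations = set()

    def expect(self, proto, dst, dport):
        self.expectations.add((proto, dst, dport))

    def classify(self, p):
        if p.proto == "icmp-error":
            # RELATED only if the quoted packet belongs to a tracked flow
            if p.quoted in self.flows or _invert(p.quoted) in self.flows:
                return "RELATED"
            return "INVALID"
        fwd = _tuple(p)
        rev = _invert(fwd)
        if fwd in self.flows:                       # original direction
            return self.flows[fwd].upper()
        if rev in self.flows:                       # reply direction
            self.flows[rev] = "established"
            return "ESTABLISHED"
        if p.proto == "tcp" and p.flags != "SYN":   # mid-stream, no entry
            return "INVALID"
        if (p.proto, p.dst, p.dport) in self.expectations:
            self.expectations.discard((p.proto, p.dst, p.dport))
            self.flows[fwd] = "related"
            return "RELATED"
        self.flows[fwd] = "new"
        return "NEW"


def verdict(tracker, p):
    """Constructed INPUT chain:
         -m state --state ESTABLISHED,RELATED -j ACCEPT
         -m state --state NEW -p tcp --dport 22 -j ACCEPT
         -j DROP
    """
    state = tracker.classify(p)
    if state in ("ESTABLISHED", "RELATED"):
        return state, "ACCEPT"
    if state == "NEW" and p.proto == "tcp" and p.dport == 22:
        return state, "ACCEPT"
    return state, "DROP"


def run(tracker, packets):
    return [verdict(tracker, p) for p in packets]


# Constructed traffic towards a host 192.0.2.1 that runs an SSH server.
SSH_FLOW = ("tcp", "10.0.0.5", 40000, "192.0.2.1", 22)
SAMPLE = [
    Packet("tcp", "10.0.0.5", 40000, "192.0.2.1", 22, "SYN"),      # NEW, ssh
    Packet("tcp", "192.0.2.1", 22, "10.0.0.5", 40000, "SYN-ACK"),  # reply
    Packet("tcp", "10.0.0.5", 40000, "192.0.2.1", 22, "ACK"),      # established
    Packet("tcp", "10.0.0.9", 50000, "192.0.2.1", 80, "SYN"),      # NEW, not ssh
    Packet("tcp", "10.0.0.9", 50001, "192.0.2.1", 80, "ACK"),      # no entry
    Packet("icmp-error", "198.51.100.7", 0, "192.0.2.1", 0, "",
           quoted=_invert(SSH_FLOW)),                               # about ssh
]


def ftp_data_scenario():
    """Why the helper matters: the same SYN is dropped as NEW but accepted
    as RELATED once a helper has registered an expectation for it."""
    t = ConnTracker()
    before = verdict(t, Packet("tcp", "10.0.0.5", 40010, "192.0.2.1", 50123, "SYN"))
    t.expect("tcp", "192.0.2.1", 50123)   # helper saw "227 Entering Passive Mode"
    after = verdict(t, Packet("tcp", "10.0.0.5", 40011, "192.0.2.1", 50123, "SYN"))
    return before, after


if __name__ == "__main__":
    for p, (state, action) in zip(SAMPLE, run(ConnTracker(), SAMPLE)):
        print(f"{p.proto:10} {p.src}:{p.sport} -> {p.dst}:{p.dport} {state:12} {action}")
    print(ftp_data_scenario())
```

The ICMP case shows why conntrack looks inside error messages: an error quoting a tracked connection is RELATED and reaches the stack, while one quoting nothing we know about is INVALID and dropped. The FTP scenario shows the other side of the coin: a helper widens what the firewall accepts, so enabling a helper module is a policy decision, not just a compatibility one.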
config IP_NF_MATCH_CONNTRACK
	tristate "Connection tracking match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_NEEDED
	depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y && (IP_NF_COMPAT_IPCHAINS!=y && IP_NF_COMPAT_IPFWADM || IP_NF_COMPAT_IPCHAINS) || IP_NF_IPTABLES && IP_NF_CONNTRACK && IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_LOCAL
	bool "NAT of local connections (READ HELP)"
	help
	  This option enables support for NAT of locally originated connections.
	  Enable this if you need to use destination NAT on connections
	  originating from local processes on the nat box itself.

	  Please note that you will need a recent version (>= 1.2.6a)
	  of the iptables userspace program in order to use this feature.
	  See <http://www.iptables.org/> for download instructions.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_H323
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_H323=y
	default m if IP_NF_H323=m

config IP_NF_NAT_TFTP
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m

# CONFIG_MIPS_BRCM Begin Broadcom changed code.
config IP_NF_NAT_IPSEC
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IPSEC=y
	default m if IP_NF_IPSEC=m
# CONFIG_MIPS_BRCM End Broadcom changed code.

config IP_NF_NAT_RTSP
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_RTSP=y
	default m if IP_NF_RTSP=m

	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_DSCP
	tristate "DSCP target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `DSCP' target, which allows you to alter the
	  IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLASSIFY
	tristate "CLASSIFY target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	    atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.
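The LOG target writes the packet header to syslog as a line of `KEY=value` tokens (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=) with bare tokens such as DF or SYN for flags. The following is an added example, not kernel or netfilter code: a parser for those lines and a per-source summary that flags one address touching many destination ports. The log lines are constructed for the example; the `--log-prefix` value, hostname and addresses are invented.

```python
# Added example (not from the kernel or the netfilter project): a parser for
# the syslog lines that the LOG target writes, plus a per-source summary of
# the kind a defender would use to spot one address probing many ports.
# The log lines below are constructed for the example; the key=value layout
# (IN= OUT= MAC= SRC= DST= ... PROTO= SPT= DPT=) is the LOG target's own.
import re
from collections import defaultdict

# Everything after "kernel: " (and an optional timestamp) up to "IN=" is the
# rule's --log-prefix.
LOG_RE = re.compile(r"kernel: (?:\[\s*[\d.]+\] )?(?P<prefix>.*?)IN=(?P<rest>.*)$")


def parse_log_line(line):
    """Return the LOG fields as a dict, or None for a non-netfilter line.

    Bare tokens such as DF, SYN or ACK (flags without a value) are
    collected in the FLAGS list.  A key that appears twice (LEN= is written
    once for IP and once for UDP) keeps the last value."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    fields = {"PREFIX": m.group("prefix").strip(), "FLAGS": []}
    for token in ("IN=" + m.group("rest")).split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value           # OUT= gives an empty string
        else:
            fields["FLAGS"].append(token)
    return fields


def summarise(lines, scan_threshold=3):
    """Count LOG hits per source and list the distinct destination ports
    each source touched; sources touching >= scan_threshold ports are
    reported separately."""
    hits = defaultdict(int)
    ports = defaultdict(set)
    for line in lines:
        f = parse_log_line(line)
        if f is None or "SRC" not in f:
            continue
        hits[f["SRC"]] += 1
        if "DPT" in f:
            ports[f["SRC"]].add(int(f["DPT"]))
    scanners = sorted(src for src, p in ports.items() if len(p) >= scan_threshold)
    return dict(hits), {src: sorted(p) for src, p in ports.items()}, scanners


# Constructed sample: what a rule like
#   iptables -A INPUT -m limit --limit 5/min -j LOG --log-prefix "IPT-INPUT-DROP: "
# might leave in /var/log/messages.
MAC = "00:11:22:33:44:55:66:77:88:99:aa:bb:08:00"
SAMPLE_LOG = [
    f"Mar  3 10:15:02 gw kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC={MAC} SRC=198.51.100.23 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43122 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0",
    f"Mar  3 10:15:02 gw kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC={MAC} SRC=198.51.100.23 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43123 DPT=23 WINDOW=5840 RES=0x00 SYN URGP=0",
    f"Mar  3 10:15:03 gw kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC={MAC} SRC=198.51.100.23 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43124 DPT=445 WINDOW=5840 RES=0x00 SYN URGP=0",
    f"Mar  3 10:15:03 gw kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC={MAC} SRC=198.51.100.23 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=43125 DPT=3389 WINDOW=5840 RES=0x00 SYN URGP=0",
    "Mar  3 10:15:05 gw kernel: eth0: link up, 100Mbps, full-duplex",
    f"Mar  3 10:15:09 gw kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC={MAC} SRC=203.0.113.9 DST=192.0.2.1 LEN=60 TOS=0x00 PREC=0x00 TTL=61 ID=7 DF PROTO=TCP SPT=51000 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0",
    f"Mar  3 10:15:10 gw kernel: IPT-INPUT-DROP: IN=eth0 OUT= MAC={MAC} SRC=203.0.113.9 DST=192.0.2.1 LEN=71 TOS=0x00 PREC=0x00 TTL=61 ID=8 PROTO=UDP SPT=51001 DPT=53 LEN=51",
]

if __name__ == "__main__":
    hits, ports, scanners = summarise(SAMPLE_LOG)
    for src in hits:
        print(f"{src:16} hits={hits[src]} ports={ports[src]}")
    print("possible port scans from:", scanners)
```

Because the LOG target is normally paired with the limit match, the log is a sample of the dropped traffic rather than a complete record; counts from it are lower bounds, which is why the summary keys on distinct ports per source rather than on raw hit counts.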
config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large

	    1) Web browsers connect, then hang with no data received.
	    2) Small mail works fine, but large emails hang.
	    3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall

	    iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	             -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.
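The TCPMSS help above describes the clamp in terms of symptoms and the rule to add; the following added example, not kernel code, shows the byte-level rewrite that `--clamp-mss-to-pmtu` performs on a constructed TCP SYN header: walk the option list, find the MSS option (kind 2, length 4) and lower it to PMTU minus 40 bytes (20-byte IPv4 header plus 20-byte TCP header) when it is larger. Assumptions and simplifications: the TCP checksum is not recomputed (the kernel does, but that needs the IP pseudo-header), and a SYN without an MSS option is left unchanged (the kernel inserts one).

```python
# Added example (not kernel code): the option rewrite that
# `-j TCPMSS --clamp-mss-to-pmtu' performs, done on a constructed TCP SYN
# header so the MSS option encoding is visible.  The clamped value is
# pmtu - 40 (20-byte IPv4 header + 20-byte TCP header), as in the kernel.
# Left out: the TCP checksum update (the kernel recomputes it, but that
# needs the IP pseudo-header) and inserting an MSS option when the SYN has
# none (the kernel does that too; this model leaves such a SYN unchanged).
import struct

OPT_EOL, OPT_NOP, OPT_MSS, OPT_WSCALE = 0, 1, 2, 3
TCP_SYN = 0x02


def build_syn_header(sport, dport, mss, wscale=7):
    """Constructed 28-byte TCP SYN header: 20 fixed bytes + MSS, NOP, WSCALE."""
    options = (struct.pack("!BBH", OPT_MSS, 4, mss)
               + bytes([OPT_NOP])
               + struct.pack("!BBB", OPT_WSCALE, 3, wscale))
    data_offset = (20 + len(options)) // 4          # in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", sport, dport, 0, 0,
                        data_offset << 4, TCP_SYN, 65535, 0, 0)
    return fixed + options


def iter_options(tcp):
    """Yield (kind, offset, length) for each option; stop at EOL or at a
    malformed length rather than reading past the header."""
    end = (tcp[12] >> 4) * 4
    i = 20
    while i < end:
        kind = tcp[i]
        if kind == OPT_EOL:
            return
        if kind == OPT_NOP:
            yield kind, i, 1
            i += 1
            continue
        if i + 1 >= end or tcp[i + 1] < 2 or i + tcp[i + 1] > end:
            return
        yield kind, i, tcp[i + 1]
        i += tcp[i + 1]


def get_mss(tcp):
    """The advertised MSS, or None if the header carries no MSS option."""
    for kind, off, length in iter_options(tcp):
        if kind == OPT_MSS and length == 4:
            return struct.unpack_from("!H", tcp, off + 2)[0]
    return None


def clamp_mss(tcp, pmtu):
    """Return a copy of the header with MSS lowered to pmtu - 40 when it is
    larger; non-SYN packets and already-small MSS values pass unchanged."""
    if not tcp[13] & TCP_SYN:
        return bytes(tcp)
    new_mss = pmtu - 40
    out = bytearray(tcp)
    for kind, off, length in iter_options(out):
        if kind == OPT_MSS and length == 4:
            if struct.unpack_from("!H", out, off + 2)[0] > new_mss:
                struct.pack_into("!H", out, off + 2, new_mss)
            break
    return bytes(out)


if __name__ == "__main__":
    syn = build_syn_header(40000, 80, 1460)
    print("original MSS:", get_mss(syn))
    print("behind a 1492-byte PPPoE link:", get_mss(clamp_mss(syn, 1492)))
```

The rule in the help text matches `--tcp-flags SYN,RST SYN` for the same reason the code checks the SYN bit first: MSS is only negotiated in the SYN and SYN-ACK, so rewriting any other segment would be wasted work at best.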
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

# Backwards compatibility modules: only if you don't build in the others.
config IP_NF_COMPAT_IPCHAINS
	tristate "ipchains (2.2-style) support"
	depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y
	help
	  This option places ipchains (with masquerading and redirection
	  support) back into the kernel, using the new netfilter
	  infrastructure. It is not recommended for new installations (see
	  `Packet filtering'). With this enabled, you should be able to use
	  the ipchains tool exactly as in 2.2 kernels.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_COMPAT_IPFWADM
	tristate "ipfwadm (2.0-style) support"
	depends on IP_NF_CONNTRACK!=y && IP_NF_IPTABLES!=y && IP_NF_COMPAT_IPCHAINS!=y
	help
	  This option places ipfwadm (with masquerading and redirection
	  support) back into the kernel, using the new netfilter
	  infrastructure. It is not recommended for new installations (see
	  `Packet filtering'). With this enabled, you should be able to use
	  the ipfwadm tool exactly as in 2.0 kernels.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NOTRACK
	tristate 'NOTRACK target support'
	depends on IP_NF_CONNTRACK
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt. If unsure, say `N'.

config IP_NF_MATCH_REALM
	tristate 'realm match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt. If unsure, say `N'.

	tristate 'PPTP protocol support'
	help
	  This module adds support for PPTP (Point to Point Tunnelling Protocol,
	  RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT box,
	  you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  For more info, read the top of the file net/ipv4/netfilter/ip_conntrack_pptp.c

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt. If unsure, say `N'.

config IP_NF_NAT_PPTP
	depends on IP_NF_NAT!=n && IP_NF_PPTP!=n
	default IP_NF_NAT if IP_NF_PPTP=y
	default m if IP_NF_PPTP=m