Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
at v2.6.16-rc3 (610 lines, 21 kB)
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 support for new connection tracking (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

# connection tracking, helpers and protocols
config IP_NF_CONNTRACK
	tristate "Connection tracking (required for masq/NAT)"
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT). It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config IP_NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on IP_NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config IP_NF_CONNTRACK_EVENTS
	bool "Connection tracking events (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config IP_NF_CONNTRACK_NETLINK
	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
	depends on EXPERIMENTAL && IP_NF_CONNTRACK && NETFILTER_NETLINK
	depends on IP_NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
	help
	  This option enables support for a netlink-based userspace interface.


config IP_NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  With this option enabled, the connection tracking code will
	  be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_IRC
	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	---help---
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.
	  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_NETBIOS_NS
	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TFTP
	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper; whether it is required depends
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_AMANDA
	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_PPTP
	tristate 'PPTP protocol support'
	depends on IP_NF_CONNTRACK
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  For more info, read the top of the file
	  net/ipv4/netfilter/ip_conntrack_pptp.c

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt. If unsure, say `N'.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	depends on NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# The matches.
config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address
	  ranges.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service field of the IP packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x3f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH_ESP
	tristate "AH/ESP match support"
	depends on IP_NF_IPTABLES
	help
	  These two match extensions (`ah' and `esp') allow you to match a
	  range of SPIs inside AH or ESP headers of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ttl' match, which enables the user to match
	  packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_HASHLIMIT
	tristate 'hashlimit match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a new iptables `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  ip addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination IP' or `500pps from any given source IP' with a single
	  iptables rule.

config IP_NF_MATCH_POLICY
	tristate "IPsec policy match support"
	depends on IP_NF_IPTABLES && XFRM
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which record the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support (OBSOLETE)"
	depends on IP_NF_IPTABLES
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target,
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	        1) Web browsers connect, then hang with no data received.
	        2) Small mail works fine, but large emails hang.
	        3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets
config IP_NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_NEEDED
	bool
	depends on IP_NF_NAT != n
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on IP_NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on IP_NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on IP_NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	depends on IP_NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m

config IP_NF_NAT_PPTP
	tristate
	depends on IP_NF_NAT!=n && IP_NF_PPTP!=n
	default IP_NF_NAT if IP_NF_PPTP=y
	default m if IP_NF_PPTP=m

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_DSCP
	tristate "DSCP target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `DSCP' target, which allows you to alter the
	  IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x3f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4)
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	depends on NETFILTER_XTABLES
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endmenu
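The NAT helper stanzas above (IP_NF_NAT_FTP and its siblings) have no prompt: their value comes from the pair `default IP_NF_NAT if IP_NF_FTP=y` / `default m if IP_NF_FTP=m`, i.e. the weaker of the NAT and helper settings, and `depends on ... !=n` forces them to n when any prerequisite is off. The same three-valued logic decides which of the options in this file a given .config really yields. The resolver below is an added example, not kernel code: it parses the subset of Kconfig used here (`config`, `tristate`/`bool`, `depends on`, `default ... if`) and evaluates symbols with Kconfig's rules (n < m < y, `&&` is min, `||` is max, a bool cannot be m, a user choice is capped by its visibility). The Kconfig excerpt and the .config dictionaries are constructed; parenthesised expressions (as in IP_NF_TARGET_CLUSTERIP above) are not handled.

```python
"""Tristate resolver for the Kconfig subset used in the file above (an added
example, not kernel code). Kconfig logic: n < m < y, && is min, || is max."""
import re

TRI = {"n": 0, "m": 1, "y": 2}

# Constructed excerpt of the stanzas above (prompts shortened, help omitted).
KCONFIG_EXCERPT = """
config IP_NF_CONNTRACK
	tristate "Connection tracking"
config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
config IP_NF_IPTABLES
	tristate "IP tables support"
	depends on NETFILTER_XTABLES
config IP_NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
config IP_NF_NAT_NEEDED
	bool
	depends on IP_NF_NAT != n
	default y
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m
"""


def parse_kconfig(text):
    """name -> {type, prompt, depends: [expr], defaults: [(value, cond)]}."""
    syms, cur, in_help = {}, None, False
    for raw in text.splitlines():
        if in_help and (not raw.strip() or raw[0].isspace()):
            continue                          # help text ends at a column-0 line
        in_help, line = False, raw.strip()
        if line in ("help", "---help---"):
            in_help = True
        elif m := re.match(r"config\s+(\w+)$", line):
            cur = syms[m.group(1)] = {"type": "tristate", "prompt": False,
                                      "depends": [], "defaults": []}
        elif cur is None:
            continue
        elif m := re.match(r"(tristate|bool)(\s+[\"'].*)?$", line):
            cur["type"], cur["prompt"] = m.group(1), m.group(2) is not None
        elif m := re.match(r"depends on\s+(.+)$", line):
            cur["depends"].append(m.group(1))
        elif m := re.match(r"default\s+(\S+)(?:\s+if\s+(.+))?$", line):
            cur["defaults"].append((m.group(1), m.group(2)))
    return syms


class Resolver:
    def __init__(self, syms, dotconfig):
        self.syms, self.cfg, self.cache = syms, dotconfig, {}

    def value(self, name):
        if name not in self.cache:
            self.cache[name] = 0              # cycle guard, replaced below
            self.cache[name] = self._calc(name)
        return self.cache[name]

    def _calc(self, name):
        sym, user = self.syms.get(name), TRI[self.cfg.get(name, "n")]
        if sym is None:                       # defined elsewhere: trust .config
            return user
        vis = min((self.eval(d) for d in sym["depends"]), default=2)
        v = 0
        if sym["prompt"] and name in self.cfg:
            v = min(user, vis)                # user choice capped by visibility
        else:
            for val, cond in sym["defaults"]:
                c = min(self.eval(cond) if cond else 2, vis)
                if c:                         # first default whose condition != n
                    v = min(self.eval(val), c)
                    break
        return 2 if sym["type"] == "bool" and v == 1 else v   # bool has no m

    def eval(self, expr):
        """`&&` binds tighter than `||`; parentheses are not handled here."""
        return max(min(self.term(t) for t in clause.split("&&"))
                   for clause in expr.split("||"))

    def term(self, text):
        neg, a, op, b = re.match(r"\s*(!?)\s*(\w+)\s*(?:(!=|=)\s*(\w+))?\s*$",
                                 text).groups()
        v = TRI[a] if a in TRI else self.value(a)
        if op:                                # a comparison yields only y or n
            w = TRI[b] if b in TRI else self.value(b)
            v = 2 if (v == w) == (op == "=") else 0
        return 2 - v if neg else v            # !y = n, !m = m, !n = y


def resolve(dotconfig, names, kconfig=KCONFIG_EXCERPT):
    """{name: 'y'|'m'|'n'} given dotconfig = {symbol: 'y'|'m'|'n'}."""
    r = Resolver(parse_kconfig(kconfig), dotconfig)
    return {n: "nmy"[r.value(n)] for n in names}
```

With IP_NF_NAT=m and IP_NF_FTP=y the helper's NAT side resolves to m; with IP_NF_NAT=y and IP_NF_FTP=m it is again m (the second `default` fires); with IP_NF_NAT=n every default's condition collapses to n. The same `Resolver` can be pointed at the full file by passing its text as `kconfig`, since help blocks are skipped until the next column-0 line.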
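The IP_NF_TARGET_TCPMSS help above says the target rewrites the MSS of TCP SYN packets to the outgoing MTU minus 40 and gives the `--clamp-mss-to-pmtu` rule. As an added example (not the kernel's own ipt_TCPMSS code), the following shows the packet-level mechanics on a constructed IPv4 SYN: locate TCP option kind 2, clamp it, and patch the TCP checksum with the RFC 1624 incremental update so the segment still verifies. Addresses, ports and the 1492-byte path MTU are constructed values; a SYN that carries no MSS option is returned unchanged here (the kernel target inserts one in that case, which this example does not model).

```python
"""What the TCPMSS target does to a SYN, as an added example (not the kernel's
own ipt_TCPMSS code): find TCP option kind 2 (MSS), clamp it to PMTU - 40
(20-byte IPv4 header + 20-byte TCP header, the "minus 40" in the help text)
and repair the TCP checksum incrementally (RFC 1624). All input is constructed."""
import struct

MSS_KIND = 2
IPV4_TCP_OVERHEAD = 40                # IPv4 + TCP headers without options

def fold(s):
    """Fold carries until s fits in 16 bits (one's-complement addition)."""
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return s

def ones_sum(data):
    """One's-complement sum of big-endian 16-bit words; odd tail zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    return fold(sum(struct.unpack("!%dH" % (len(data) // 2), data)))

def pseudo_header(src, dst, tcp):
    return src + dst + struct.pack("!BBH", 0, 6, len(tcp))   # zero, proto 6, length

def tcp_checksum(src, dst, tcp):
    """Full checksum, computed with the checksum field taken as zero."""
    zeroed = tcp[:16] + b"\x00\x00" + tcp[18:]
    return 0xFFFF ^ ones_sum(pseudo_header(src, dst, tcp) + zeroed)

def checksum_valid(src, dst, tcp):
    """A correct segment (checksum field included) sums to -0, i.e. 0xFFFF."""
    return ones_sum(pseudo_header(src, dst, tcp) + tcp) == 0xFFFF

def checksum_adjust(hc, old, new):
    """RFC 1624 eq. 3, HC' = ~(~HC + ~m + m'), for one replaced 16-bit word."""
    return 0xFFFF ^ fold((0xFFFF ^ hc) + (0xFFFF ^ old) + new)

def find_mss(tcp):
    """Offset of the 2-byte MSS value inside the TCP options, or None."""
    doff, i = (tcp[12] >> 4) * 4, 20
    while i < doff:
        kind = tcp[i]
        if kind == 0:                     # end of option list
            return None
        if kind == 1:                     # NOP padding
            i += 1
            continue
        olen = tcp[i + 1] if i + 1 < doff else 0
        if olen < 2 or i + olen > doff:
            return None                   # malformed option list: touch nothing
        if kind == MSS_KIND and olen == 4:
            return i + 2
        i += olen
    return None

def mss_value(tcp):
    pos = find_mss(tcp)
    return None if pos is None else struct.unpack("!H", tcp[pos:pos + 2])[0]

def clamp_mss(tcp, src, dst, pmtu):
    """Segment with MSS clamped to pmtu - 40, or unchanged. Only SYNs without
    RST are eligible, matching the rule's --tcp-flags SYN,RST SYN."""
    flags = tcp[13]
    pos = find_mss(tcp) if (flags & 0x02) and not (flags & 0x04) else None
    if pos is None:                       # no MSS option: the kernel target
        return tcp                        # inserts one; not modelled here
    limit = pmtu - IPV4_TCP_OVERHEAD
    old = struct.unpack("!H", tcp[pos:pos + 2])[0]
    if old <= limit:
        return tcp
    out = bytearray(tcp)
    out[pos:pos + 2] = struct.pack("!H", limit)
    hc = struct.unpack("!H", tcp[16:18])[0]
    out[16:18] = struct.pack("!H", checksum_adjust(hc, old, limit))
    return bytes(out)

def build_syn(src, dst, mss, sport=40000, dport=80):
    """Constructed SYN: 20-byte header plus a 4-byte MSS option, checksum set."""
    opts = struct.pack("!BBH", MSS_KIND, 4, mss)
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0x12345678, 0,
                      (5 + len(opts) // 4) << 4, 0x02, 65535, 0, 0)
    seg = hdr + opts
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]

SRC, DST = bytes([10, 0, 0, 2]), bytes([203, 0, 113, 5])   # constructed addresses

if __name__ == "__main__":
    syn = build_syn(SRC, DST, 1460)
    clamped = clamp_mss(syn, SRC, DST, 1492)        # e.g. a PPPoE path MTU
    print(mss_value(syn), "->", mss_value(clamped), checksum_valid(SRC, DST, clamped))
```

The SYN/RST check mirrors the `--tcp-flags SYN,RST SYN` in the help text's rule, and the checksum is patched rather than recomputed because that is what a NAT-style rewrite in the forwarding path does; `checksum_valid` confirms the patched segment still sums to -0.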