Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | # |
2 | # IP netfilter configuration | |
3 | # | |
4 | ||
5 | menu "IP: Netfilter Configuration" | |
6 | depends on INET && NETFILTER | |
7 | ||
9fb9cbb1 YK |
8 | config NF_CONNTRACK_IPV4 |
9 | tristate "IPv4 support for new connection tracking (EXPERIMENTAL)" | |
10 | depends on EXPERIMENTAL && NF_CONNTRACK | |
11 | ---help--- | |
12 | Connection tracking keeps a record of what packets have passed | |
13 | through your machine, in order to figure out how they are grouped | |
14 | into connections. | |
15 | ||
16 | This is IPv4 support for Layer 3 independent connection tracking. | |
17 | Layer 3 independent connection tracking is an experimental scheme | |
18 | which generalizes ip_conntrack to support other layer 3 protocols. | |
19 | ||
20 | To compile it as a module, choose M here. If unsure, say N. | |
21 | ||
1da177e4 LT |
22 | # connection tracking, helpers and protocols |
23 | config IP_NF_CONNTRACK | |
24 | tristate "Connection tracking (required for masq/NAT)" | |
25 | ---help--- | |
26 | Connection tracking keeps a record of what packets have passed | |
27 | through your machine, in order to figure out how they are grouped | |
28 | into connections. | |
29 | ||
30 | This is required to do Masquerading or other kinds of Network | |
31 | Address Translation (except for Fast NAT). It can also be used to | |
32 | enhance packet filtering (see `Connection state match support' | |
33 | below). | |
34 | ||
35 | To compile it as a module, choose M here. If unsure, say N. | |
36 | ||
37 | config IP_NF_CT_ACCT | |
38 | bool "Connection tracking flow accounting" | |
39 | depends on IP_NF_CONNTRACK | |
40 | help | |
41 | If this option is enabled, the connection tracking code will | |
42 | keep per-flow packet and byte counters. | |
43 | ||
44 | Those counters can be used for flow-based accounting or the | |
45 | `connbytes' match. | |
46 | ||
47 | If unsure, say `N'. | |
48 | ||
49 | config IP_NF_CONNTRACK_MARK | |
50 | bool 'Connection mark tracking support' | |
31c913e7 | 51 | depends on IP_NF_CONNTRACK |
1da177e4 LT |
52 | help |
53 | This option enables support for connection marks, used by the | |
54 | `CONNMARK' target and `connmark' match. Similar to the mark value | |
55 | of packets, but this mark value is kept in the conntrack session | |
56 | instead of the individual packets. | |
57 | ||
ac3247ba HW |
58 | config IP_NF_CONNTRACK_EVENTS |
59 | bool "Connection tracking events" | |
60 | depends on IP_NF_CONNTRACK | |
61 | help | |
62 | If this option is enabled, the connection tracking code will | |
63 | provide a notifier chain that can be used by other kernel code | |
64 | to get notified about changes in the connection tracking state. | |
65 | ||
66 | If unsure, say `N'. | |
67 | ||
777ed97f HW |
68 | config IP_NF_CONNTRACK_NETLINK |
69 | tristate 'Connection tracking netlink interface' | |
70 | depends on IP_NF_CONNTRACK && NETFILTER_NETLINK | |
628f87f3 | 71 | depends on IP_NF_CONNTRACK!=y || NETFILTER_NETLINK!=m |
777ed97f HW |
72 | help |
73 | This option enables support for a netlink-based userspace interface. | |
74 | ||
75 | ||
1da177e4 LT |
76 | config IP_NF_CT_PROTO_SCTP |
77 | tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)' | |
78 | depends on IP_NF_CONNTRACK && EXPERIMENTAL | |
79 | help | |
80 | With this option enabled, the connection tracking code will | |
81 | be able to do state tracking on SCTP connections. | |
82 | ||
83 | If you want to compile it as a module, say M here and read | |
84 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
85 | ||
86 | config IP_NF_FTP | |
87 | tristate "FTP protocol support" | |
88 | depends on IP_NF_CONNTRACK | |
89 | help | |
90 | Tracking FTP connections is problematic: special helpers are | |
91 | required for tracking them, and doing masquerading and other forms | |
92 | of Network Address Translation on them. | |
93 | ||
94 | To compile it as a module, choose M here. If unsure, say Y. | |
95 | ||
96 | config IP_NF_IRC | |
97 | tristate "IRC protocol support" | |
98 | depends on IP_NF_CONNTRACK | |
99 | ---help--- | |
100 | There is a commonly-used extension to IRC called | |
101 | Direct Client-to-Client Protocol (DCC). This enables users to send | |
102 | files to each other, and also chat to each other without the need | |
103 | of a server. DCC Sending is used anywhere you send files over IRC, | |
104 | and DCC Chat is most commonly used by Eggdrop bots. If you are | |
105 | using NAT, this extension will enable you to send files and initiate | |
106 | chats. Note that you do NOT need this extension to get files or | |
107 | have others initiate chats, or everything else in IRC. | |
108 | ||
109 | To compile it as a module, choose M here. If unsure, say Y. | |
110 | ||
a2978aea PM |
111 | config IP_NF_NETBIOS_NS |
112 | tristate "NetBIOS name service protocol support (EXPERIMENTAL)" | |
113 | depends on IP_NF_CONNTRACK && EXPERIMENTAL | |
114 | help | |
115 | NetBIOS name service requests are sent as broadcast messages from an | |
116 | unprivileged port and responded to with unicast messages to the | |
117 | same port. This makes them hard to firewall properly because connection | |
118 | tracking doesn't deal with broadcasts. This helper tracks locally | |
119 | originating NetBIOS name service requests and the corresponding | |
120 | responses. It relies on correct IP address configuration, specifically | |
121 | netmask and broadcast address. When properly configured, the output | |
122 | of "ip address show" should look similar to this: | |
123 | ||
124 | $ ip -4 address show eth0 | |
125 | 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 | |
126 | inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 | |
127 | ||
128 | To compile it as a module, choose M here. If unsure, say N. | |
129 | ||
1da177e4 LT |
130 | config IP_NF_TFTP |
131 | tristate "TFTP protocol support" | |
132 | depends on IP_NF_CONNTRACK | |
133 | help | |
134 | This is the TFTP connection tracking helper; whether you need it | |
135 | depends on how restrictive your ruleset is. | |
136 | If you are using a tftp client behind -j SNAT or -j MASQUERADE | |
137 | you will need this. | |
138 | ||
139 | To compile it as a module, choose M here. If unsure, say Y. | |
140 | ||
141 | config IP_NF_AMANDA | |
142 | tristate "Amanda backup protocol support" | |
143 | depends on IP_NF_CONNTRACK | |
144 | help | |
145 | If you are running the Amanda backup package <http://www.amanda.org/> | |
146 | on this machine or machines that will be MASQUERADED through this | |
147 | machine, then you may want to enable this feature. This lets the | |
148 | connection tracking and NAT code allow the sub-channels that | |
149 | Amanda requires for communication of the backup data, messages and | |
150 | index. | |
151 | ||
152 | To compile it as a module, choose M here. If unsure, say Y. | |
153 | ||
926b50f9 HW |
154 | config IP_NF_PPTP |
155 | tristate 'PPTP protocol support' | |
85d9b05d | 156 | depends on IP_NF_CONNTRACK |
926b50f9 HW |
157 | help |
158 | This module adds support for PPTP (Point to Point Tunnelling | |
a5181ab0 | 159 | Protocol, RFC2637) connection tracking and NAT. |
926b50f9 HW |
160 | |
161 | If you are running PPTP sessions over a stateful firewall or NAT | |
162 | box, you may want to enable this feature. | |
163 | ||
164 | Please note that not all PPTP modes of operation are supported yet. | |
165 | For more info, read the top of the file | |
166 | net/ipv4/netfilter/ip_conntrack_pptp.c | |
167 | ||
168 | If you want to compile it as a module, say M here and read | |
169 | Documentation/modules.txt. If unsure, say `N'. | |
170 | ||
1da177e4 | 171 | config IP_NF_QUEUE |
7af4cc3f | 172 | tristate "IP Userspace queueing via NETLINK (OBSOLETE)" |
1da177e4 LT |
173 | help |
174 | Netfilter has the ability to queue packets to user space: the | |
175 | netlink device can be used to access them using this driver. | |
176 | ||
7af4cc3f HW |
177 | This option enables the old IPv4-only "ip_queue" implementation |
178 | which has been obsoleted by the new "nfnetlink_queue" code (see | |
179 | CONFIG_NETFILTER_NETLINK_QUEUE). | |
180 | ||
1da177e4 LT |
181 | To compile it as a module, choose M here. If unsure, say N. |
182 | ||
183 | config IP_NF_IPTABLES | |
184 | tristate "IP tables support (required for filtering/masq/NAT)" | |
185 | help | |
186 | iptables is a general, extensible packet identification framework. | |
187 | The packet filtering and full NAT (masquerading, port forwarding, | |
188 | etc) subsystems now use this: say `Y' or `M' here if you want to use | |
189 | either of those. | |
190 | ||
191 | To compile it as a module, choose M here. If unsure, say N. | |
192 | ||
193 | # The matches. | |
194 | config IP_NF_MATCH_LIMIT | |
195 | tristate "limit match support" | |
196 | depends on IP_NF_IPTABLES | |
197 | help | |
198 | limit matching allows you to control the rate at which a rule can be | |
199 | matched: mainly useful in combination with the LOG target ("LOG | |
200 | target support", below) and to avoid some Denial of Service attacks. | |
201 | ||
202 | To compile it as a module, choose M here. If unsure, say N. | |
203 | ||
204 | config IP_NF_MATCH_IPRANGE | |
205 | tristate "IP range match support" | |
206 | depends on IP_NF_IPTABLES | |
207 | help | |
208 | This option makes it possible to match IP addresses against IP address | |
209 | ranges. | |
210 | ||
211 | To compile it as a module, choose M here. If unsure, say N. | |
212 | ||
213 | config IP_NF_MATCH_MAC | |
214 | tristate "MAC address match support" | |
215 | depends on IP_NF_IPTABLES | |
216 | help | |
217 | MAC matching allows you to match packets based on the source | |
218 | Ethernet address of the packet. | |
219 | ||
220 | To compile it as a module, choose M here. If unsure, say N. | |
221 | ||
222 | config IP_NF_MATCH_PKTTYPE | |
223 | tristate "Packet type match support" | |
224 | depends on IP_NF_IPTABLES | |
225 | help | |
9fb9cbb1 YK |
226 | Packet type matching allows you to match a packet by |
227 | its "class", eg. BROADCAST, MULTICAST, ... | |
1da177e4 LT |
228 | |
229 | Typical usage: | |
230 | iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG | |
231 | ||
232 | To compile it as a module, choose M here. If unsure, say N. | |
233 | ||
234 | config IP_NF_MATCH_MARK | |
235 | tristate "netfilter MARK match support" | |
236 | depends on IP_NF_IPTABLES | |
237 | help | |
238 | Netfilter mark matching allows you to match packets based on the | |
239 | `nfmark' value in the packet. This can be set by the MARK target | |
240 | (see below). | |
241 | ||
242 | To compile it as a module, choose M here. If unsure, say N. | |
243 | ||
244 | config IP_NF_MATCH_MULTIPORT | |
245 | tristate "Multiple port match support" | |
246 | depends on IP_NF_IPTABLES | |
247 | help | |
248 | Multiport matching allows you to match TCP or UDP packets based on | |
249 | a series of source or destination ports: normally a rule can only | |
250 | match a single range of ports. | |
251 | ||
252 | To compile it as a module, choose M here. If unsure, say N. | |
253 | ||
254 | config IP_NF_MATCH_TOS | |
255 | tristate "TOS match support" | |
256 | depends on IP_NF_IPTABLES | |
257 | help | |
258 | TOS matching allows you to match packets based on the Type Of | |
259 | Service fields of the IP packet. | |
260 | ||
261 | To compile it as a module, choose M here. If unsure, say N. | |
262 | ||
263 | config IP_NF_MATCH_RECENT | |
264 | tristate "recent match support" | |
265 | depends on IP_NF_IPTABLES | |
266 | help | |
267 | This match is used for creating one or more lists of recently | |
268 | seen addresses and then matching against those lists. | |
269 | ||
270 | A summary of the options is available via 'iptables -m recent -h'. | |
271 | Official Website: <http://snowman.net/projects/ipt_recent/> | |
272 | ||
273 | To compile it as a module, choose M here. If unsure, say N. | |
274 | ||
275 | config IP_NF_MATCH_ECN | |
276 | tristate "ECN match support" | |
277 | depends on IP_NF_IPTABLES | |
278 | help | |
279 | This option adds an `ECN' match, which allows you to match against | |
280 | the IPv4 and TCP header ECN fields. | |
281 | ||
282 | To compile it as a module, choose M here. If unsure, say N. | |
283 | ||
284 | config IP_NF_MATCH_DSCP | |
285 | tristate "DSCP match support" | |
286 | depends on IP_NF_IPTABLES | |
287 | help | |
288 | This option adds a `DSCP' match, which allows you to match against | |
289 | the IPv4 header DSCP field (DSCP codepoint). | |
290 | ||
291 | The DSCP codepoint can have any value between 0x0 and 0x4f. | |
292 | ||
293 | To compile it as a module, choose M here. If unsure, say N. | |
294 | ||
295 | config IP_NF_MATCH_AH_ESP | |
296 | tristate "AH/ESP match support" | |
297 | depends on IP_NF_IPTABLES | |
298 | help | |
299 | These two match extensions (`ah' and `esp') allow you to match a | |
300 | range of SPIs inside AH or ESP headers of IPSec packets. | |
301 | ||
302 | To compile it as a module, choose M here. If unsure, say N. | |
303 | ||
304 | config IP_NF_MATCH_LENGTH | |
305 | tristate "LENGTH match support" | |
306 | depends on IP_NF_IPTABLES | |
307 | help | |
308 | This option allows you to match the length of a packet against a | |
309 | specific value or range of values. | |
310 | ||
311 | To compile it as a module, choose M here. If unsure, say N. | |
312 | ||
313 | config IP_NF_MATCH_TTL | |
314 | tristate "TTL match support" | |
315 | depends on IP_NF_IPTABLES | |
316 | help | |
317 | This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user | |
318 | to match packets by their TTL value. | |
319 | ||
320 | To compile it as a module, choose M here. If unsure, say N. | |
321 | ||
322 | config IP_NF_MATCH_TCPMSS | |
323 | tristate "tcpmss match support" | |
324 | depends on IP_NF_IPTABLES | |
325 | help | |
326 | This option adds a `tcpmss' match, which allows you to examine the | |
327 | MSS value of TCP SYN packets, which controls the maximum packet size | |
328 | for that connection. | |
329 | ||
330 | To compile it as a module, choose M here. If unsure, say N. | |
331 | ||
332 | config IP_NF_MATCH_HELPER | |
333 | tristate "Helper match support" | |
9fb9cbb1 YK |
334 | depends on IP_NF_IPTABLES |
335 | depends on IP_NF_CONNTRACK || NF_CONNTRACK_IPV4 | |
1da177e4 LT |
336 | help |
337 | Helper matching allows you to match packets in dynamic connections | |
338 | tracked by a conntrack-helper, e.g. ip_conntrack_ftp. | |
339 | ||
340 | To compile it as a module, choose M here. If unsure, say Y. | |
341 | ||
342 | config IP_NF_MATCH_STATE | |
343 | tristate "Connection state match support" | |
9fb9cbb1 YK |
344 | depends on IP_NF_IPTABLES |
345 | depends on IP_NF_CONNTRACK || NF_CONNTRACK_IPV4 | |
1da177e4 LT |
346 | help |
347 | Connection state matching allows you to match packets based on their | |
348 | relationship to a tracked connection (ie. previous packets). This | |
349 | is a powerful tool for packet classification. | |
350 | ||
351 | To compile it as a module, choose M here. If unsure, say N. | |
352 | ||
353 | config IP_NF_MATCH_CONNTRACK | |
354 | tristate "Connection tracking match support" | |
9fb9cbb1 YK |
355 | depends on IP_NF_IPTABLES |
356 | depends on IP_NF_CONNTRACK || NF_CONNTRACK_IPV4 | |
1da177e4 LT |
357 | help |
358 | This is a general conntrack match module, a superset of the state match. | |
359 | ||
360 | It allows matching on additional conntrack information, which is | |
361 | useful in complex configurations, such as NAT gateways with multiple | |
362 | internet links or tunnels. | |
363 | ||
364 | To compile it as a module, choose M here. If unsure, say N. | |
365 | ||
366 | config IP_NF_MATCH_OWNER | |
367 | tristate "Owner match support" | |
368 | depends on IP_NF_IPTABLES | |
369 | help | |
370 | Packet owner matching allows you to match locally-generated packets | |
371 | based on who created them: the user, group, process or session. | |
372 | ||
373 | To compile it as a module, choose M here. If unsure, say N. | |
374 | ||
375 | config IP_NF_MATCH_PHYSDEV | |
376 | tristate "Physdev match support" | |
377 | depends on IP_NF_IPTABLES && BRIDGE_NETFILTER | |
378 | help | |
379 | Physdev packet matching matches against the physical bridge ports | |
380 | the IP packet arrived on or will leave by. | |
381 | ||
382 | To compile it as a module, choose M here. If unsure, say N. | |
383 | ||
384 | config IP_NF_MATCH_ADDRTYPE | |
385 | tristate 'address type match support' | |
386 | depends on IP_NF_IPTABLES | |
387 | help | |
388 | This option allows you to match what routing thinks of an address, | |
389 | eg. UNICAST, LOCAL, BROADCAST, ... | |
390 | ||
391 | If you want to compile it as a module, say M here and read | |
392 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
393 | ||
394 | config IP_NF_MATCH_REALM | |
395 | tristate 'realm match support' | |
396 | depends on IP_NF_IPTABLES | |
397 | select NET_CLS_ROUTE | |
398 | help | |
399 | This option adds a `realm' match, which allows you to use the realm | |
400 | key from the routing subsystem inside iptables. | |
401 | ||
402 | This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option | |
403 | in tc world. | |
404 | ||
405 | If you want to compile it as a module, say M here and read | |
406 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
407 | ||
408 | config IP_NF_MATCH_SCTP | |
409 | tristate 'SCTP protocol match support' | |
410 | depends on IP_NF_IPTABLES | |
411 | help | |
412 | With this option enabled, you will be able to use the iptables | |
413 | `sctp' match in order to match on SCTP source/destination ports | |
414 | and SCTP chunk types. | |
415 | ||
416 | If you want to compile it as a module, say M here and read | |
417 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
418 | ||
1d3de414 HW |
419 | config IP_NF_MATCH_DCCP |
420 | tristate 'DCCP protocol match support' | |
421 | depends on IP_NF_IPTABLES | |
422 | help | |
423 | With this option enabled, you will be able to use the iptables | |
424 | `dccp' match in order to match on DCCP source/destination ports | |
425 | and DCCP flags. | |
426 | ||
427 | If you want to compile it as a module, say M here and read | |
428 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
429 | ||
1da177e4 LT |
430 | config IP_NF_MATCH_COMMENT |
431 | tristate 'comment match support' | |
432 | depends on IP_NF_IPTABLES | |
433 | help | |
434 | This option adds a `comment' dummy-match, which allows you to put | |
435 | comments in your iptables ruleset. | |
436 | ||
437 | If you want to compile it as a module, say M here and read | |
438 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
439 | ||
440 | config IP_NF_MATCH_CONNMARK | |
441 | tristate 'Connection mark match support' | |
9fb9cbb1 YK |
442 | depends on IP_NF_IPTABLES |
443 | depends on IP_NF_CONNTRACK_MARK || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4) | |
1da177e4 LT |
444 | help |
445 | This option adds a `connmark' match, which allows you to match the | |
446 | connection mark value previously set for the session by `CONNMARK'. | |
447 | ||
448 | If you want to compile it as a module, say M here and read | |
449 | <file:Documentation/modules.txt>. The module will be called | |
450 | ipt_connmark.o. If unsure, say `N'. | |
451 | ||
9d810fd2 HW |
452 | config IP_NF_MATCH_CONNBYTES |
453 | tristate 'Connection byte/packet counter match support' | |
9fb9cbb1 YK |
454 | depends on IP_NF_IPTABLES |
455 | depends on IP_NF_CT_ACCT || (NF_CT_ACCT && NF_CONNTRACK_IPV4) | |
9d810fd2 HW |
456 | help |
457 | This option adds a `connbytes' match, which allows you to match the | |
458 | number of bytes and/or packets for each direction within a connection. | |
459 | ||
460 | If you want to compile it as a module, say M here and read | |
461 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
462 | ||
1da177e4 LT |
463 | config IP_NF_MATCH_HASHLIMIT |
464 | tristate 'hashlimit match support' | |
465 | depends on IP_NF_IPTABLES | |
466 | help | |
467 | This option adds a new iptables `hashlimit' match. | |
468 | ||
469 | As opposed to `limit', this match dynamically creates a hash table | |
470 | of limit buckets, based on your selection of source/destination | |
471 | ip addresses and/or ports. | |
472 | ||
473 | It enables you to express policies like `10kpps for any given | |
474 | destination IP' or `500pps from any given source IP' with a single | |
475 | iptables rule. | |
476 | ||
7567662b PNA |
477 | config IP_NF_MATCH_STRING |
478 | tristate 'string match support' | |
479 | depends on IP_NF_IPTABLES | |
480 | select TEXTSEARCH | |
481 | select TEXTSEARCH_KMP | |
29cb9f9c | 482 | select TEXTSEARCH_BM |
7567662b PNA |
483 | select TEXTSEARCH_FSM |
484 | help | |
485 | This option adds a `string' match, which allows you to search | |
486 | packets for a given pattern. | |
487 | ||
488 | To compile it as a module, choose M here. If unsure, say N. | |
489 | ||
1da177e4 LT |
490 | # `filter', generic and specific targets |
491 | config IP_NF_FILTER | |
492 | tristate "Packet filtering" | |
493 | depends on IP_NF_IPTABLES | |
494 | help | |
495 | Packet filtering defines a table `filter', which has a series of | |
496 | rules for simple packet filtering at local input, forwarding and | |
497 | local output. See the man page for iptables(8). | |
498 | ||
499 | To compile it as a module, choose M here. If unsure, say N. | |
500 | ||
501 | config IP_NF_TARGET_REJECT | |
502 | tristate "REJECT target support" | |
503 | depends on IP_NF_FILTER | |
504 | help | |
505 | The REJECT target allows a filtering rule to specify that an ICMP | |
506 | error should be issued in response to an incoming packet, rather | |
507 | than silently being dropped. | |
508 | ||
509 | To compile it as a module, choose M here. If unsure, say N. | |
510 | ||
511 | config IP_NF_TARGET_LOG | |
512 | tristate "LOG target support" | |
513 | depends on IP_NF_IPTABLES | |
514 | help | |
515 | This option adds a `LOG' target, which allows you to create rules in | |
516 | any iptables table which records the packet header to the syslog. | |
517 | ||
518 | To compile it as a module, choose M here. If unsure, say N. | |
519 | ||
520 | config IP_NF_TARGET_ULOG | |
f40863ce | 521 | tristate "ULOG target support (OBSOLETE)" |
1da177e4 LT |
522 | depends on IP_NF_IPTABLES |
523 | ---help--- | |
f40863ce HW |
524 | |
525 | This option enables the old IPv4-only "ipt_ULOG" implementation | |
526 | which has been obsoleted by the new "nfnetlink_log" code (see | |
527 | CONFIG_NETFILTER_NETLINK_LOG). | |
528 | ||
1da177e4 LT |
529 | This option adds a `ULOG' target, which allows you to create rules in |
530 | any iptables table. The packet is passed to a userspace logging | |
531 | daemon using netlink multicast sockets, unlike the LOG target, | |
532 | whose output can only be viewed through syslog. | |
533 | ||
534 | The appropriate userspace logging daemon (ulogd) may be obtained from | |
535 | <http://www.gnumonks.org/projects/ulogd/> | |
536 | ||
537 | To compile it as a module, choose M here. If unsure, say N. | |
538 | ||
539 | config IP_NF_TARGET_TCPMSS | |
540 | tristate "TCPMSS target support" | |
541 | depends on IP_NF_IPTABLES | |
542 | ---help--- | |
543 | This option adds a `TCPMSS' target, which allows you to alter the | |
544 | MSS value of TCP SYN packets, to control the maximum size for that | |
545 | connection (usually limiting it to your outgoing interface's MTU | |
546 | minus 40). | |
547 | ||
548 | This is used to overcome criminally braindead ISPs or servers which | |
549 | block ICMP Fragmentation Needed packets. The symptoms of this | |
550 | problem are that everything works fine from your Linux | |
551 | firewall/router, but machines behind it can never exchange large | |
552 | packets: | |
553 | 1) Web browsers connect, then hang with no data received. | |
554 | 2) Small mail works fine, but large emails hang. | |
555 | 3) ssh works fine, but scp hangs after initial handshaking. | |
556 | ||
557 | Workaround: activate this option and add a rule to your firewall | |
558 | configuration like: | |
559 | ||
560 | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ | |
561 | -j TCPMSS --clamp-mss-to-pmtu | |
562 | ||
563 | To compile it as a module, choose M here. If unsure, say N. | |
d67b24c4 HW |
564 | |
565 | config IP_NF_TARGET_NFQUEUE | |
566 | tristate "NFQUEUE Target Support" | |
567 | depends on IP_NF_IPTABLES | |
568 | help | |
569 | This target replaces the old, obsolete QUEUE target. | |
570 | ||
571 | As opposed to QUEUE, it supports 65535 different queues, | |
572 | not just one. | |
573 | ||
574 | To compile it as a module, choose M here. If unsure, say N. | |
1da177e4 LT |
575 | |
576 | # NAT + specific targets | |
577 | config IP_NF_NAT | |
578 | tristate "Full NAT" | |
579 | depends on IP_NF_IPTABLES && IP_NF_CONNTRACK | |
580 | help | |
581 | The Full NAT option allows masquerading, port forwarding and other | |
582 | forms of full Network Address Port Translation. It is controlled by | |
583 | the `nat' table in iptables: see the man page for iptables(8). | |
584 | ||
585 | To compile it as a module, choose M here. If unsure, say N. | |
586 | ||
587 | config IP_NF_NAT_NEEDED | |
588 | bool | |
589 | depends on IP_NF_NAT != n | |
590 | default y | |
591 | ||
592 | config IP_NF_TARGET_MASQUERADE | |
593 | tristate "MASQUERADE target support" | |
594 | depends on IP_NF_NAT | |
595 | help | |
596 | Masquerading is a special case of NAT: all outgoing connections are | |
597 | changed to seem to come from a particular interface's address, and | |
598 | if the interface goes down, those connections are lost. This is | |
599 | only useful for dialup accounts with a dynamic IP address (ie. your IP | |
600 | address will be different on the next dialup). | |
601 | ||
602 | To compile it as a module, choose M here. If unsure, say N. | |
603 | ||
604 | config IP_NF_TARGET_REDIRECT | |
605 | tristate "REDIRECT target support" | |
606 | depends on IP_NF_NAT | |
607 | help | |
608 | REDIRECT is a special case of NAT: all incoming connections are | |
609 | mapped onto the incoming interface's address, causing the packets to | |
610 | come to the local machine instead of passing through. This is | |
611 | useful for transparent proxies. | |
612 | ||
613 | To compile it as a module, choose M here. If unsure, say N. | |
614 | ||
615 | config IP_NF_TARGET_NETMAP | |
616 | tristate "NETMAP target support" | |
617 | depends on IP_NF_NAT | |
618 | help | |
619 | NETMAP is an implementation of static 1:1 NAT mapping of network | |
620 | addresses. It maps the network address part, while keeping the host | |
621 | address part intact. It is similar to Fast NAT, except that | |
622 | Netfilter's connection tracking doesn't work well with Fast NAT. | |
623 | ||
624 | To compile it as a module, choose M here. If unsure, say N. | |
625 | ||
626 | config IP_NF_TARGET_SAME | |
627 | tristate "SAME target support" | |
628 | depends on IP_NF_NAT | |
629 | help | |
630 | This option adds a `SAME' target, which works like the standard SNAT | |
631 | target, but attempts to give clients the same IP for all connections. | |
632 | ||
633 | To compile it as a module, choose M here. If unsure, say N. | |
634 | ||
635 | config IP_NF_NAT_SNMP_BASIC | |
636 | tristate "Basic SNMP-ALG support (EXPERIMENTAL)" | |
637 | depends on EXPERIMENTAL && IP_NF_NAT | |
638 | ---help--- | |
639 | ||
640 | This module implements an Application Layer Gateway (ALG) for | |
641 | SNMP payloads. In conjunction with NAT, it allows a network | |
642 | management system to access multiple private networks with | |
643 | conflicting addresses. It works by modifying IP addresses | |
644 | inside SNMP payloads to match IP-layer NAT mapping. | |
645 | ||
646 | This is the "basic" form of SNMP-ALG, as described in RFC 2962. | |
647 | ||
648 | To compile it as a module, choose M here. If unsure, say N. | |
649 | ||
650 | config IP_NF_NAT_IRC | |
651 | tristate | |
652 | depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n | |
653 | default IP_NF_NAT if IP_NF_IRC=y | |
654 | default m if IP_NF_IRC=m | |
655 | ||
656 | # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), | |
657 | # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh. | |
658 | config IP_NF_NAT_FTP | |
659 | tristate | |
660 | depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n | |
661 | default IP_NF_NAT if IP_NF_FTP=y | |
662 | default m if IP_NF_FTP=m | |
663 | ||
664 | config IP_NF_NAT_TFTP | |
665 | tristate | |
666 | depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n | |
667 | default IP_NF_NAT if IP_NF_TFTP=y | |
668 | default m if IP_NF_TFTP=m | |
669 | ||
670 | config IP_NF_NAT_AMANDA | |
671 | tristate | |
672 | depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n | |
673 | default IP_NF_NAT if IP_NF_AMANDA=y | |
674 | default m if IP_NF_AMANDA=m | |
675 | ||
926b50f9 HW |
676 | config IP_NF_NAT_PPTP |
677 | tristate | |
678 | depends on IP_NF_NAT!=n && IP_NF_PPTP!=n | |
679 | default IP_NF_NAT if IP_NF_PPTP=y | |
680 | default m if IP_NF_PPTP=m | |
681 | ||
1da177e4 LT |
682 | # mangle + specific targets |
683 | config IP_NF_MANGLE | |
684 | tristate "Packet mangling" | |
685 | depends on IP_NF_IPTABLES | |
686 | help | |
687 | This option adds a `mangle' table to iptables: see the man page for | |
688 | iptables(8). This table is used for various packet alterations | |
689 | which can affect how the packet is routed. | |
690 | ||
691 | To compile it as a module, choose M here. If unsure, say N. | |
692 | ||
693 | config IP_NF_TARGET_TOS | |
694 | tristate "TOS target support" | |
695 | depends on IP_NF_MANGLE | |
696 | help | |
697 | This option adds a `TOS' target, which allows you to create rules in | |
698 | the `mangle' table which alter the Type Of Service field of an IP | |
699 | packet prior to routing. | |
700 | ||
701 | To compile it as a module, choose M here. If unsure, say N. | |
702 | ||
703 | config IP_NF_TARGET_ECN | |
704 | tristate "ECN target support" | |
705 | depends on IP_NF_MANGLE | |
706 | ---help--- | |
707 | This option adds an `ECN' target, which can be used in the iptables mangle | |
708 | table. | |
709 | ||
710 | You can use this target to remove the ECN bits from the IPv4 header of | |
711 | an IP packet. This is particularly useful if you need to work around | |
712 | existing ECN blackholes on the internet, but don't want to disable | |
713 | ECN support in general. | |
714 | ||
715 | To compile it as a module, choose M here. If unsure, say N. | |
716 | ||
717 | config IP_NF_TARGET_DSCP | |
718 | tristate "DSCP target support" | |
719 | depends on IP_NF_MANGLE | |
720 | help | |
721 | This option adds a `DSCP' target, which allows you to alter the | |
722 | IPv4 header DSCP field (DSCP codepoint). | |
723 | ||
724 | The DSCP codepoint can have any value between 0x0 and 0x4f. | |
725 | ||
726 | To compile it as a module, choose M here. If unsure, say N. | |
727 | ||
728 | config IP_NF_TARGET_MARK | |
729 | tristate "MARK target support" | |
730 | depends on IP_NF_MANGLE | |
731 | help | |
732 | This option adds a `MARK' target, which allows you to create rules | |
733 | in the `mangle' table which alter the netfilter mark (nfmark) field | |
734 | associated with the packet prior to routing. This can change | |
735 | the routing method (see `Use netfilter MARK value as routing | |
736 | key') and can also be used by other subsystems to change their | |
737 | behavior. | |
738 | ||
739 | To compile it as a module, choose M here. If unsure, say N. | |
740 | ||
741 | config IP_NF_TARGET_CLASSIFY | |
742 | tristate "CLASSIFY target support" | |
743 | depends on IP_NF_MANGLE | |
744 | help | |
745 | This option adds a `CLASSIFY' target, which enables the user to set | |
746 | the priority of a packet. Some qdiscs can use this value for | |
747 | classification, among these are: | |
748 | ||
749 | atm, cbq, dsmark, pfifo_fast, htb, prio | |
750 | ||
751 | To compile it as a module, choose M here. If unsure, say N. | |
752 | ||
5f2c3b91 HW |
753 | config IP_NF_TARGET_TTL |
754 | tristate 'TTL target support' | |
755 | depends on IP_NF_MANGLE | |
756 | help | |
757 | This option adds a `TTL' target, which enables the user to modify | |
758 | the TTL value of the IP header. | |
759 | ||
760 | While it is safe to decrement/lower the TTL, this target also enables | |
761 | functionality to increment and set the TTL value of the IP header to | |
762 | arbitrary values. This is EXTREMELY DANGEROUS since you can easily | |
763 | create immortal packets that loop forever on the network. | |
764 | ||
765 | To compile it as a module, choose M here. If unsure, say N. | |
766 | ||
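An added example, not part of the kernel's Kconfig or of the netfilter target modules described above: the IPv4 header edits that the ECN, DSCP and TTL mangle targets perform, written in C against a constructed 20-byte header. Each edit recomputes the header checksum (a mangled header with a stale checksum is discarded by the next hop); the DSCP setter rejects codepoints that do not fit the 6-bit field of RFC 2474, and the TTL helper only ever lowers the value, in line with the warning above. The names `sample_hdr`, `ecn_clear`, `dscp_set` and `ttl_decrement` are this example's own, not netfilter's.

```c
#include <stdint.h>
/* Byte offsets in a 20-byte IPv4 header without options. */
#define IP_TOS_OFF  1   /* DSCP in the upper 6 bits, ECN in the lower 2 */
#define IP_TTL_OFF  8
#define IP_CSUM_OFF 10
#define IP_HLEN     20
/* Constructed sample (not captured traffic): TOS 0x02 = ECT(0), TTL 64,
 * protocol TCP, checksum slot zeroed so ip_fix_checksum() fills it. */
uint8_t sample_hdr[IP_HLEN] = {
    0x45, 0x02, 0x00, 0x3c, 0x1c, 0x46, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0xac, 0x10, 0x0a, 0x63, 0xac, 0x10, 0x0a, 0x0c };
/* RFC 1071 one's-complement checksum over the header (even length);
 * a header whose stored checksum is correct yields 0. */
uint16_t ip_checksum(const uint8_t *hdr, int len) {
    uint32_t sum = 0;
    for (int i = 0; i + 1 < len; i += 2)
        sum += (uint32_t)((hdr[i] << 8) | hdr[i + 1]);
    while (sum >> 16) sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}
/* Any field mangle must be followed by a checksum rewrite, otherwise the
 * next hop discards the packet as corrupt. Returns the stored checksum. */
uint16_t ip_fix_checksum(uint8_t *hdr) {
    hdr[IP_CSUM_OFF] = hdr[IP_CSUM_OFF + 1] = 0;
    uint16_t c = ip_checksum(hdr, IP_HLEN);
    hdr[IP_CSUM_OFF] = (uint8_t)(c >> 8);
    hdr[IP_CSUM_OFF + 1] = (uint8_t)(c & 0xff);
    return c;
}
/* ECN target: clear ECT and CE, keep the DSCP codepoint; returns new TOS. */
int ecn_clear(uint8_t *hdr) {
    hdr[IP_TOS_OFF] &= 0xfc;
    ip_fix_checksum(hdr);
    return hdr[IP_TOS_OFF];
}
/* DSCP target: replace the 6-bit codepoint (RFC 2474), keep the ECN bits;
 * returns the new TOS byte, or -1 for a value that does not fit. */
int dscp_set(uint8_t *hdr, unsigned dscp) {
    if (dscp > 0x3f) return -1;
    hdr[IP_TOS_OFF] = (uint8_t)((dscp << 2) | (hdr[IP_TOS_OFF] & 0x03));
    ip_fix_checksum(hdr);
    return hdr[IP_TOS_OFF];
}
/* TTL target, safe direction only: lower, never raise, and refuse to emit
 * TTL 0 (-1: let the packet expire rather than forward it). */
int ttl_decrement(uint8_t *hdr) {
    if (hdr[IP_TTL_OFF] <= 1) return -1;
    hdr[IP_TTL_OFF]--;
    ip_fix_checksum(hdr);
    return hdr[IP_TTL_OFF];
}
```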
1da177e4 LT |
767 | config IP_NF_TARGET_CONNMARK |
768 | tristate 'CONNMARK target support' | |
9fb9cbb1 YK |
769 | depends on IP_NF_MANGLE |
770 | depends on IP_NF_CONNTRACK_MARK || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4) | |
1da177e4 LT |
771 | help |
772 | This option adds a `CONNMARK' target, which allows one to manipulate | |
773 | the connection mark value. Similar to the MARK target, but | |
774 | affects the connection mark value rather than the packet mark value. | |
775 | ||
776 | If you want to compile it as a module, say M here and read | |
777 | <file:Documentation/modules.txt>. The module will be called | |
778 | ipt_CONNMARK.o. If unsure, say `N'. | |
779 | ||
780 | config IP_NF_TARGET_CLUSTERIP | |
781 | tristate "CLUSTERIP target support (EXPERIMENTAL)" | |
9fb9cbb1 YK |
782 | depends on IP_NF_IPTABLES && EXPERIMENTAL |
783 | depends on IP_NF_CONNTRACK_MARK || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4) | |
1da177e4 LT |
784 | help |
785 | The CLUSTERIP target allows you to build load-balancing clusters of | |
786 | network servers without having a dedicated load-balancing | |
787 | router/server/switch. | |
788 | ||
789 | To compile it as a module, choose M here. If unsure, say N. | |
790 | ||
791 | # raw + specific targets | |
792 | config IP_NF_RAW | |
793 | tristate 'raw table support (required for NOTRACK/TRACE)' | |
794 | depends on IP_NF_IPTABLES | |
795 | help | |
796 | This option adds a `raw' table to iptables. This table is the very | |
797 | first in the netfilter framework and hooks in at the PREROUTING | |
798 | and OUTPUT chains. | |
799 | ||
800 | If you want to compile it as a module, say M here and read | |
801 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
802 | ||
803 | config IP_NF_TARGET_NOTRACK | |
804 | tristate 'NOTRACK target support' | |
805 | depends on IP_NF_RAW | |
9fb9cbb1 YK |
806 | depends on IP_NF_CONNTRACK || NF_CONNTRACK_IPV4 |
1da177e4 LT |
807 | help |
808 | The NOTRACK target allows a select rule to specify | |
809 | which packets *not* to enter the conntrack/NAT | |
810 | subsystem with all the consequences (no ICMP error tracking, | |
811 | no protocol helpers for the selected packets). | |
812 | ||
813 | If you want to compile it as a module, say M here and read | |
814 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
815 | ||
816 | ||
817 | # ARP tables | |
818 | config IP_NF_ARPTABLES | |
819 | tristate "ARP tables support" | |
820 | help | |
821 | arptables is a general, extensible packet identification framework. | |
822 | The ARP packet filtering and mangling (manipulation) subsystems | |
823 | use this: say Y or M here if you want to use either of those. | |
824 | ||
825 | To compile it as a module, choose M here. If unsure, say N. | |
826 | ||
827 | config IP_NF_ARPFILTER | |
828 | tristate "ARP packet filtering" | |
829 | depends on IP_NF_ARPTABLES | |
830 | help | |
831 | ARP packet filtering defines a table `filter', which has a series of | |
832 | rules for simple ARP packet filtering at local input and | |
833 | local output. On a bridge, you can also specify filtering rules | |
834 | for forwarded ARP packets. See the man page for arptables(8). | |
835 | ||
836 | To compile it as a module, choose M here. If unsure, say N. | |
837 | ||
838 | config IP_NF_ARP_MANGLE | |
839 | tristate "ARP payload mangling" | |
840 | depends on IP_NF_ARPTABLES | |
841 | help | |
842 | Allows altering the ARP packet payload: source and destination | |
843 | hardware and network addresses. | |
844 | ||
845 | endmenu | |
846 |