Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | # |
| 2 | # IP netfilter configuration |
| 3 | # |
| 4 | |
| 5 | menu "IP: Netfilter Configuration" |
| 6 | depends on INET && NETFILTER |
| 7 | |
| 8 | # connection tracking, helpers and protocols |
| 9 | config IP_NF_CONNTRACK |
| 10 | tristate "Connection tracking (required for masq/NAT)" |
| 11 | ---help--- |
| 12 | Connection tracking keeps a record of what packets have passed |
| 13 | through your machine, in order to figure out how they are related |
| 14 | into connections. |
| 15 | |
| 16 | This is required to do Masquerading or other kinds of Network |
| 17 | Address Translation (except for Fast NAT). It can also be used to |
| 18 | enhance packet filtering (see `Connection state match support' |
| 19 | below). |
| 20 | |
| 21 | To compile it as a module, choose M here. If unsure, say N. |
| 22 | |
| 23 | config IP_NF_CT_ACCT |
| 24 | bool "Connection tracking flow accounting" |
| 25 | depends on IP_NF_CONNTRACK |
| 26 | help |
| 27 | If this option is enabled, the connection tracking code will |
| 28 | keep per-flow packet and byte counters. |
| 29 | |
| 30 | Those counters can be used for flow-based accounting or the |
| 31 | `connbytes' match. |
| 32 | |
| 33 | If unsure, say `N'. |
| 34 | |
| 35 | config IP_NF_CONNTRACK_MARK |
| 36 | bool 'Connection mark tracking support' |
| 37 | help |
| 38 | This option enables support for connection marks, used by the |
| 39 | `CONNMARK' target and `connmark' match. Similar to the mark value |
| 40 | of packets, but this mark value is kept in the conntrack session |
| 41 | instead of the individual packets. |
| 42 | |
Harald Welte | ac3247b | 2005-08-09 19:28:03 -0700 | [diff] [blame] | 43 | config IP_NF_CONNTRACK_EVENTS |
| 44 | bool "Connection tracking events" |
| 45 | depends on IP_NF_CONNTRACK |
| 46 | help |
| 47 | If this option is enabled, the connection tracking code will |
| 48 | provide a notifier chain that can be used by other kernel code |
| 49 | to get notified about changes in the connection tracking state. |
| 50 | |
| 51 | IF unsure, say `N'. |
| 52 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 53 | config IP_NF_CT_PROTO_SCTP |
| 54 | tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)' |
| 55 | depends on IP_NF_CONNTRACK && EXPERIMENTAL |
| 56 | help |
| 57 | With this option enabled, the connection tracking code will |
| 58 | be able to do state tracking on SCTP connections. |
| 59 | |
| 60 | If you want to compile it as a module, say M here and read |
| 61 | <file:Documentation/modules.txt>. If unsure, say `N'. |
| 62 | |
| 63 | config IP_NF_FTP |
| 64 | tristate "FTP protocol support" |
| 65 | depends on IP_NF_CONNTRACK |
| 66 | help |
| 67 | Tracking FTP connections is problematic: special helpers are |
| 68 | required for tracking them, and doing masquerading and other forms |
| 69 | of Network Address Translation on them. |
| 70 | |
| 71 | To compile it as a module, choose M here. If unsure, say Y. |
| 72 | |
| 73 | config IP_NF_IRC |
| 74 | tristate "IRC protocol support" |
| 75 | depends on IP_NF_CONNTRACK |
| 76 | ---help--- |
| 77 | There is a commonly-used extension to IRC called |
| 78 | Direct Client-to-Client Protocol (DCC). This enables users to send |
| 79 | files to each other, and also chat to each other without the need |
| 80 | of a server. DCC Sending is used anywhere you send files over IRC, |
| 81 | and DCC Chat is most commonly used by Eggdrop bots. If you are |
| 82 | using NAT, this extension will enable you to send files and initiate |
| 83 | chats. Note that you do NOT need this extension to get files or |
| 84 | have others initiate chats, or everything else in IRC. |
| 85 | |
| 86 | To compile it as a module, choose M here. If unsure, say Y. |
| 87 | |
Patrick McHardy | a2978ae | 2005-09-06 15:08:51 -0700 | [diff] [blame^] | 88 | config IP_NF_NETBIOS_NS |
| 89 | tristate "NetBIOS name service protocol support (EXPERIMENTAL)" |
| 90 | depends on IP_NF_CONNTRACK && EXPERIMENTAL |
| 91 | help |
| 92 | NetBIOS name service requests are sent as broadcast messages from an |
| 93 | unprivileged port and responded to with unicast messages to the |
| 94 | same port. This make them hard to firewall properly because connection |
| 95 | tracking doesn't deal with broadcasts. This helper tracks locally |
| 96 | originating NetBIOS name service requests and the corresponding |
| 97 | responses. It relies on correct IP address configuration, specifically |
| 98 | netmask and broadcast address. When properly configured, the output |
| 99 | of "ip address show" should look similar to this: |
| 100 | |
| 101 | $ ip -4 address show eth0 |
| 102 | 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000 |
| 103 | inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0 |
| 104 | |
| 105 | To compile it as a module, choose M here. If unsure, say N. |
| 106 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 107 | config IP_NF_TFTP |
| 108 | tristate "TFTP protocol support" |
| 109 | depends on IP_NF_CONNTRACK |
| 110 | help |
| 111 | TFTP connection tracking helper, this is required depending |
| 112 | on how restrictive your ruleset is. |
| 113 | If you are using a tftp client behind -j SNAT or -j MASQUERADING |
| 114 | you will need this. |
| 115 | |
| 116 | To compile it as a module, choose M here. If unsure, say Y. |
| 117 | |
| 118 | config IP_NF_AMANDA |
| 119 | tristate "Amanda backup protocol support" |
| 120 | depends on IP_NF_CONNTRACK |
| 121 | help |
| 122 | If you are running the Amanda backup package <http://www.amanda.org/> |
| 123 | on this machine or machines that will be MASQUERADED through this |
| 124 | machine, then you may want to enable this feature. This allows the |
| 125 | connection tracking and natting code to allow the sub-channels that |
| 126 | Amanda requires for communication of the backup data, messages and |
| 127 | index. |
| 128 | |
| 129 | To compile it as a module, choose M here. If unsure, say Y. |
| 130 | |
| 131 | config IP_NF_QUEUE |
Harald Welte | 7af4cc3 | 2005-08-09 19:44:15 -0700 | [diff] [blame] | 132 | tristate "IP Userspace queueing via NETLINK (OBSOLETE)" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 133 | help |
| 134 | Netfilter has the ability to queue packets to user space: the |
| 135 | netlink device can be used to access them using this driver. |
| 136 | |
Harald Welte | 7af4cc3 | 2005-08-09 19:44:15 -0700 | [diff] [blame] | 137 | This option enables the old IPv4-only "ip_queue" implementation |
| 138 | which has been obsoleted by the new "nfnetlink_queue" code (see |
| 139 | CONFIG_NETFILTER_NETLINK_QUEUE). |
| 140 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 141 | To compile it as a module, choose M here. If unsure, say N. |
| 142 | |
| 143 | config IP_NF_IPTABLES |
| 144 | tristate "IP tables support (required for filtering/masq/NAT)" |
| 145 | help |
| 146 | iptables is a general, extensible packet identification framework. |
| 147 | The packet filtering and full NAT (masquerading, port forwarding, |
| 148 | etc) subsystems now use this: say `Y' or `M' here if you want to use |
| 149 | either of those. |
| 150 | |
| 151 | To compile it as a module, choose M here. If unsure, say N. |
| 152 | |
| 153 | # The matches. |
| 154 | config IP_NF_MATCH_LIMIT |
| 155 | tristate "limit match support" |
| 156 | depends on IP_NF_IPTABLES |
| 157 | help |
| 158 | limit matching allows you to control the rate at which a rule can be |
| 159 | matched: mainly useful in combination with the LOG target ("LOG |
| 160 | target support", below) and to avoid some Denial of Service attacks. |
| 161 | |
| 162 | To compile it as a module, choose M here. If unsure, say N. |
| 163 | |
| 164 | config IP_NF_MATCH_IPRANGE |
| 165 | tristate "IP range match support" |
| 166 | depends on IP_NF_IPTABLES |
| 167 | help |
| 168 | This option makes possible to match IP addresses against IP address |
| 169 | ranges. |
| 170 | |
| 171 | To compile it as a module, choose M here. If unsure, say N. |
| 172 | |
| 173 | config IP_NF_MATCH_MAC |
| 174 | tristate "MAC address match support" |
| 175 | depends on IP_NF_IPTABLES |
| 176 | help |
| 177 | MAC matching allows you to match packets based on the source |
| 178 | Ethernet address of the packet. |
| 179 | |
| 180 | To compile it as a module, choose M here. If unsure, say N. |
| 181 | |
| 182 | config IP_NF_MATCH_PKTTYPE |
| 183 | tristate "Packet type match support" |
| 184 | depends on IP_NF_IPTABLES |
| 185 | help |
| 186 | Packet type matching allows you to match a packet by |
| 187 | its "class", eg. BROADCAST, MULTICAST, ... |
| 188 | |
| 189 | Typical usage: |
| 190 | iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG |
| 191 | |
| 192 | To compile it as a module, choose M here. If unsure, say N. |
| 193 | |
| 194 | config IP_NF_MATCH_MARK |
| 195 | tristate "netfilter MARK match support" |
| 196 | depends on IP_NF_IPTABLES |
| 197 | help |
| 198 | Netfilter mark matching allows you to match packets based on the |
| 199 | `nfmark' value in the packet. This can be set by the MARK target |
| 200 | (see below). |
| 201 | |
| 202 | To compile it as a module, choose M here. If unsure, say N. |
| 203 | |
| 204 | config IP_NF_MATCH_MULTIPORT |
| 205 | tristate "Multiple port match support" |
| 206 | depends on IP_NF_IPTABLES |
| 207 | help |
| 208 | Multiport matching allows you to match TCP or UDP packets based on |
| 209 | a series of source or destination ports: normally a rule can only |
| 210 | match a single range of ports. |
| 211 | |
| 212 | To compile it as a module, choose M here. If unsure, say N. |
| 213 | |
| 214 | config IP_NF_MATCH_TOS |
| 215 | tristate "TOS match support" |
| 216 | depends on IP_NF_IPTABLES |
| 217 | help |
| 218 | TOS matching allows you to match packets based on the Type Of |
| 219 | Service fields of the IP packet. |
| 220 | |
| 221 | To compile it as a module, choose M here. If unsure, say N. |
| 222 | |
| 223 | config IP_NF_MATCH_RECENT |
| 224 | tristate "recent match support" |
| 225 | depends on IP_NF_IPTABLES |
| 226 | help |
| 227 | This match is used for creating one or many lists of recently |
| 228 | used addresses and then matching against that/those list(s). |
| 229 | |
| 230 | Short options are available by using 'iptables -m recent -h' |
| 231 | Official Website: <http://snowman.net/projects/ipt_recent/> |
| 232 | |
| 233 | To compile it as a module, choose M here. If unsure, say N. |
| 234 | |
| 235 | config IP_NF_MATCH_ECN |
| 236 | tristate "ECN match support" |
| 237 | depends on IP_NF_IPTABLES |
| 238 | help |
| 239 | This option adds a `ECN' match, which allows you to match against |
| 240 | the IPv4 and TCP header ECN fields. |
| 241 | |
| 242 | To compile it as a module, choose M here. If unsure, say N. |
| 243 | |
| 244 | config IP_NF_MATCH_DSCP |
| 245 | tristate "DSCP match support" |
| 246 | depends on IP_NF_IPTABLES |
| 247 | help |
| 248 | This option adds a `DSCP' match, which allows you to match against |
| 249 | the IPv4 header DSCP field (DSCP codepoint). |
| 250 | |
| 251 | The DSCP codepoint can have any value between 0x0 and 0x4f. |
| 252 | |
| 253 | To compile it as a module, choose M here. If unsure, say N. |
| 254 | |
| 255 | config IP_NF_MATCH_AH_ESP |
| 256 | tristate "AH/ESP match support" |
| 257 | depends on IP_NF_IPTABLES |
| 258 | help |
| 259 | These two match extensions (`ah' and `esp') allow you to match a |
| 260 | range of SPIs inside AH or ESP headers of IPSec packets. |
| 261 | |
| 262 | To compile it as a module, choose M here. If unsure, say N. |
| 263 | |
| 264 | config IP_NF_MATCH_LENGTH |
| 265 | tristate "LENGTH match support" |
| 266 | depends on IP_NF_IPTABLES |
| 267 | help |
| 268 | This option allows you to match the length of a packet against a |
| 269 | specific value or range of values. |
| 270 | |
| 271 | To compile it as a module, choose M here. If unsure, say N. |
| 272 | |
| 273 | config IP_NF_MATCH_TTL |
| 274 | tristate "TTL match support" |
| 275 | depends on IP_NF_IPTABLES |
| 276 | help |
| 277 | This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user |
| 278 | to match packets by their TTL value. |
| 279 | |
| 280 | To compile it as a module, choose M here. If unsure, say N. |
| 281 | |
| 282 | config IP_NF_MATCH_TCPMSS |
| 283 | tristate "tcpmss match support" |
| 284 | depends on IP_NF_IPTABLES |
| 285 | help |
| 286 | This option adds a `tcpmss' match, which allows you to examine the |
| 287 | MSS value of TCP SYN packets, which control the maximum packet size |
| 288 | for that connection. |
| 289 | |
| 290 | To compile it as a module, choose M here. If unsure, say N. |
| 291 | |
| 292 | config IP_NF_MATCH_HELPER |
| 293 | tristate "Helper match support" |
| 294 | depends on IP_NF_CONNTRACK && IP_NF_IPTABLES |
| 295 | help |
| 296 | Helper matching allows you to match packets in dynamic connections |
| 297 | tracked by a conntrack-helper, ie. ip_conntrack_ftp |
| 298 | |
| 299 | To compile it as a module, choose M here. If unsure, say Y. |
| 300 | |
| 301 | config IP_NF_MATCH_STATE |
| 302 | tristate "Connection state match support" |
| 303 | depends on IP_NF_CONNTRACK && IP_NF_IPTABLES |
| 304 | help |
| 305 | Connection state matching allows you to match packets based on their |
| 306 | relationship to a tracked connection (ie. previous packets). This |
| 307 | is a powerful tool for packet classification. |
| 308 | |
| 309 | To compile it as a module, choose M here. If unsure, say N. |
| 310 | |
| 311 | config IP_NF_MATCH_CONNTRACK |
| 312 | tristate "Connection tracking match support" |
| 313 | depends on IP_NF_CONNTRACK && IP_NF_IPTABLES |
| 314 | help |
| 315 | This is a general conntrack match module, a superset of the state match. |
| 316 | |
| 317 | It allows matching on additional conntrack information, which is |
| 318 | useful in complex configurations, such as NAT gateways with multiple |
| 319 | internet links or tunnels. |
| 320 | |
| 321 | To compile it as a module, choose M here. If unsure, say N. |
| 322 | |
| 323 | config IP_NF_MATCH_OWNER |
| 324 | tristate "Owner match support" |
| 325 | depends on IP_NF_IPTABLES |
| 326 | help |
| 327 | Packet owner matching allows you to match locally-generated packets |
| 328 | based on who created them: the user, group, process or session. |
| 329 | |
| 330 | To compile it as a module, choose M here. If unsure, say N. |
| 331 | |
| 332 | config IP_NF_MATCH_PHYSDEV |
| 333 | tristate "Physdev match support" |
| 334 | depends on IP_NF_IPTABLES && BRIDGE_NETFILTER |
| 335 | help |
| 336 | Physdev packet matching matches against the physical bridge ports |
| 337 | the IP packet arrived on or will leave by. |
| 338 | |
| 339 | To compile it as a module, choose M here. If unsure, say N. |
| 340 | |
| 341 | config IP_NF_MATCH_ADDRTYPE |
| 342 | tristate 'address type match support' |
| 343 | depends on IP_NF_IPTABLES |
| 344 | help |
| 345 | This option allows you to match what routing thinks of an address, |
| 346 | eg. UNICAST, LOCAL, BROADCAST, ... |
| 347 | |
| 348 | If you want to compile it as a module, say M here and read |
| 349 | <file:Documentation/modules.txt>. If unsure, say `N'. |
| 350 | |
| 351 | config IP_NF_MATCH_REALM |
| 352 | tristate 'realm match support' |
| 353 | depends on IP_NF_IPTABLES |
| 354 | select NET_CLS_ROUTE |
| 355 | help |
| 356 | This option adds a `realm' match, which allows you to use the realm |
| 357 | key from the routing subsystem inside iptables. |
| 358 | |
| 359 | This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option |
| 360 | in tc world. |
| 361 | |
| 362 | If you want to compile it as a module, say M here and read |
| 363 | <file:Documentation/modules.txt>. If unsure, say `N'. |
| 364 | |
| 365 | config IP_NF_MATCH_SCTP |
| 366 | tristate 'SCTP protocol match support' |
| 367 | depends on IP_NF_IPTABLES |
| 368 | help |
| 369 | With this option enabled, you will be able to use the iptables |
| 370 | `sctp' match in order to match on SCTP source/destination ports |
| 371 | and SCTP chunk types. |
| 372 | |
| 373 | If you want to compile it as a module, say M here and read |
| 374 | <file:Documentation/modules.txt>. If unsure, say `N'. |
| 375 | |
Harald Welte | 1d3de41 | 2005-08-09 20:26:55 -0700 | [diff] [blame] | 376 | config IP_NF_MATCH_DCCP |
| 377 | tristate 'DCCP protocol match support' |
| 378 | depends on IP_NF_IPTABLES |
| 379 | help |
| 380 | With this option enabled, you will be able to use the iptables |
| 381 | `dccp' match in order to match on DCCP source/destination ports |
| 382 | and DCCP flags. |
| 383 | |
| 384 | If you want to compile it as a module, say M here and read |
| 385 | <file:Documentation/modules.txt>. If unsure, say `N'. |
| 386 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 387 | config IP_NF_MATCH_COMMENT |
| 388 | tristate 'comment match support' |
| 389 | depends on IP_NF_IPTABLES |
| 390 | help |
| 391 | This option adds a `comment' dummy-match, which allows you to put |
| 392 | comments in your iptables ruleset. |
| 393 | |
| 394 | If you want to compile it as a module, say M here and read |
| 395 | <file:Documentation/modules.txt>. If unsure, say `N'. |
| 396 | |
| 397 | config IP_NF_MATCH_CONNMARK |
| 398 | tristate 'Connection mark match support' |
| 399 | depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES |
| 400 | help |
| 401 | This option adds a `connmark' match, which allows you to match the |
| 402 | connection mark value previously set for the session by `CONNMARK'. |
| 403 | |
| 404 | If you want to compile it as a module, say M here and read |
| 405 | <file:Documentation/modules.txt>. The module will be called |
| 406 | ipt_connmark.o. If unsure, say `N'. |
| 407 | |
Harald Welte | 9d810fd | 2005-08-13 13:56:26 -0700 | [diff] [blame] | 408 | config IP_NF_MATCH_CONNBYTES |
| 409 | tristate 'Connection byte/packet counter match support' |
| 410 | depends on IP_NF_CT_ACCT && IP_NF_IPTABLES |
| 411 | help |
| 412 | This option adds a `connbytes' match, which allows you to match the |
| 413 | number of bytes and/or packets for each direction within a connection. |
| 414 | |
| 415 | If you want to compile it as a module, say M here and read |
| 416 | <file:Documentation/modules.txt>. If unsure, say `N'. |
| 417 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 418 | config IP_NF_MATCH_HASHLIMIT |
| 419 | tristate 'hashlimit match support' |
| 420 | depends on IP_NF_IPTABLES |
| 421 | help |
| 422 | This option adds a new iptables `hashlimit' match. |
| 423 | |
| 424 | As opposed to `limit', this match dynamically crates a hash table |
| 425 | of limit buckets, based on your selection of source/destination |
| 426 | ip addresses and/or ports. |
| 427 | |
| 428 | It enables you to express policies like `10kpps for any given |
| 429 | destination IP' or `500pps from any given source IP' with a single |
| 430 | IPtables rule. |
| 431 | |
Pablo Neira Ayuso | 7567662 | 2005-08-21 23:30:34 -0700 | [diff] [blame] | 432 | config IP_NF_MATCH_STRING |
| 433 | tristate 'string match support' |
| 434 | depends on IP_NF_IPTABLES |
| 435 | select TEXTSEARCH |
| 436 | select TEXTSEARCH_KMP |
David S. Miller | 29cb9f9 | 2005-08-25 16:23:11 -0700 | [diff] [blame] | 437 | select TEXTSEARCH_BM |
Pablo Neira Ayuso | 7567662 | 2005-08-21 23:30:34 -0700 | [diff] [blame] | 438 | select TEXTSEARCH_FSM |
| 439 | help |
| 440 | This option adds a `string' match, which allows you to look for |
| 441 | pattern matchings in packets. |
| 442 | |
| 443 | To compile it as a module, choose M here. If unsure, say N. |
| 444 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 445 | # `filter', generic and specific targets |
| 446 | config IP_NF_FILTER |
| 447 | tristate "Packet filtering" |
| 448 | depends on IP_NF_IPTABLES |
| 449 | help |
| 450 | Packet filtering defines a table `filter', which has a series of |
| 451 | rules for simple packet filtering at local input, forwarding and |
| 452 | local output. See the man page for iptables(8). |
| 453 | |
| 454 | To compile it as a module, choose M here. If unsure, say N. |
| 455 | |
| 456 | config IP_NF_TARGET_REJECT |
| 457 | tristate "REJECT target support" |
| 458 | depends on IP_NF_FILTER |
| 459 | help |
| 460 | The REJECT target allows a filtering rule to specify that an ICMP |
| 461 | error should be issued in response to an incoming packet, rather |
| 462 | than silently being dropped. |
| 463 | |
| 464 | To compile it as a module, choose M here. If unsure, say N. |
| 465 | |
| 466 | config IP_NF_TARGET_LOG |
| 467 | tristate "LOG target support" |
| 468 | depends on IP_NF_IPTABLES |
| 469 | help |
| 470 | This option adds a `LOG' target, which allows you to create rules in |
| 471 | any iptables table which records the packet header to the syslog. |
| 472 | |
| 473 | To compile it as a module, choose M here. If unsure, say N. |
| 474 | |
| 475 | config IP_NF_TARGET_ULOG |
| 476 | tristate "ULOG target support" |
| 477 | depends on IP_NF_IPTABLES |
| 478 | ---help--- |
| 479 | This option adds a `ULOG' target, which allows you to create rules in |
| 480 | any iptables table. The packet is passed to a userspace logging |
| 481 | daemon using netlink multicast sockets; unlike the LOG target |
| 482 | which can only be viewed through syslog. |
| 483 | |
| 484 | The apropriate userspace logging daemon (ulogd) may be obtained from |
| 485 | <http://www.gnumonks.org/projects/ulogd/> |
| 486 | |
| 487 | To compile it as a module, choose M here. If unsure, say N. |
| 488 | |
| 489 | config IP_NF_TARGET_TCPMSS |
| 490 | tristate "TCPMSS target support" |
| 491 | depends on IP_NF_IPTABLES |
| 492 | ---help--- |
| 493 | This option adds a `TCPMSS' target, which allows you to alter the |
| 494 | MSS value of TCP SYN packets, to control the maximum size for that |
| 495 | connection (usually limiting it to your outgoing interface's MTU |
| 496 | minus 40). |
| 497 | |
| 498 | This is used to overcome criminally braindead ISPs or servers which |
| 499 | block ICMP Fragmentation Needed packets. The symptoms of this |
| 500 | problem are that everything works fine from your Linux |
| 501 | firewall/router, but machines behind it can never exchange large |
| 502 | packets: |
| 503 | 1) Web browsers connect, then hang with no data received. |
| 504 | 2) Small mail works fine, but large emails hang. |
| 505 | 3) ssh works fine, but scp hangs after initial handshaking. |
| 506 | |
| 507 | Workaround: activate this option and add a rule to your firewall |
| 508 | configuration like: |
| 509 | |
| 510 | iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \ |
| 511 | -j TCPMSS --clamp-mss-to-pmtu |
| 512 | |
| 513 | To compile it as a module, choose M here. If unsure, say N. |
| 514 | |
| 515 | # NAT + specific targets |
| 516 | config IP_NF_NAT |
| 517 | tristate "Full NAT" |
| 518 | depends on IP_NF_IPTABLES && IP_NF_CONNTRACK |
| 519 | help |
| 520 | The Full NAT option allows masquerading, port forwarding and other |
| 521 | forms of full Network Address Port Translation. It is controlled by |
| 522 | the `nat' table in iptables: see the man page for iptables(8). |
| 523 | |
| 524 | To compile it as a module, choose M here. If unsure, say N. |
| 525 | |
| 526 | config IP_NF_NAT_NEEDED |
| 527 | bool |
| 528 | depends on IP_NF_NAT != n |
| 529 | default y |
| 530 | |
| 531 | config IP_NF_TARGET_MASQUERADE |
| 532 | tristate "MASQUERADE target support" |
| 533 | depends on IP_NF_NAT |
| 534 | help |
| 535 | Masquerading is a special case of NAT: all outgoing connections are |
| 536 | changed to seem to come from a particular interface's address, and |
| 537 | if the interface goes down, those connections are lost. This is |
| 538 | only useful for dialup accounts with dynamic IP address (ie. your IP |
| 539 | address will be different on next dialup). |
| 540 | |
| 541 | To compile it as a module, choose M here. If unsure, say N. |
| 542 | |
| 543 | config IP_NF_TARGET_REDIRECT |
| 544 | tristate "REDIRECT target support" |
| 545 | depends on IP_NF_NAT |
| 546 | help |
| 547 | REDIRECT is a special case of NAT: all incoming connections are |
| 548 | mapped onto the incoming interface's address, causing the packets to |
| 549 | come to the local machine instead of passing through. This is |
| 550 | useful for transparent proxies. |
| 551 | |
| 552 | To compile it as a module, choose M here. If unsure, say N. |
| 553 | |
| 554 | config IP_NF_TARGET_NETMAP |
| 555 | tristate "NETMAP target support" |
| 556 | depends on IP_NF_NAT |
| 557 | help |
| 558 | NETMAP is an implementation of static 1:1 NAT mapping of network |
| 559 | addresses. It maps the network address part, while keeping the host |
| 560 | address part intact. It is similar to Fast NAT, except that |
| 561 | Netfilter's connection tracking doesn't work well with Fast NAT. |
| 562 | |
| 563 | To compile it as a module, choose M here. If unsure, say N. |
| 564 | |
| 565 | config IP_NF_TARGET_SAME |
| 566 | tristate "SAME target support" |
| 567 | depends on IP_NF_NAT |
| 568 | help |
| 569 | This option adds a `SAME' target, which works like the standard SNAT |
| 570 | target, but attempts to give clients the same IP for all connections. |
| 571 | |
| 572 | To compile it as a module, choose M here. If unsure, say N. |
| 573 | |
| 574 | config IP_NF_NAT_SNMP_BASIC |
| 575 | tristate "Basic SNMP-ALG support (EXPERIMENTAL)" |
| 576 | depends on EXPERIMENTAL && IP_NF_NAT |
| 577 | ---help--- |
| 578 | |
| 579 | This module implements an Application Layer Gateway (ALG) for |
| 580 | SNMP payloads. In conjunction with NAT, it allows a network |
| 581 | management system to access multiple private networks with |
| 582 | conflicting addresses. It works by modifying IP addresses |
| 583 | inside SNMP payloads to match IP-layer NAT mapping. |
| 584 | |
| 585 | This is the "basic" form of SNMP-ALG, as described in RFC 2962 |
| 586 | |
| 587 | To compile it as a module, choose M here. If unsure, say N. |
| 588 | |
| 589 | config IP_NF_NAT_IRC |
| 590 | tristate |
| 591 | depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n |
| 592 | default IP_NF_NAT if IP_NF_IRC=y |
| 593 | default m if IP_NF_IRC=m |
| 594 | |
| 595 | # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), |
| 596 | # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh. |
| 597 | config IP_NF_NAT_FTP |
| 598 | tristate |
| 599 | depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n |
| 600 | default IP_NF_NAT if IP_NF_FTP=y |
| 601 | default m if IP_NF_FTP=m |
| 602 | |
| 603 | config IP_NF_NAT_TFTP |
| 604 | tristate |
| 605 | depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n |
| 606 | default IP_NF_NAT if IP_NF_TFTP=y |
| 607 | default m if IP_NF_TFTP=m |
| 608 | |
| 609 | config IP_NF_NAT_AMANDA |
| 610 | tristate |
| 611 | depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n |
| 612 | default IP_NF_NAT if IP_NF_AMANDA=y |
| 613 | default m if IP_NF_AMANDA=m |
| 614 | |
| 615 | # mangle + specific targets |
| 616 | config IP_NF_MANGLE |
| 617 | tristate "Packet mangling" |
| 618 | depends on IP_NF_IPTABLES |
| 619 | help |
| 620 | This option adds a `mangle' table to iptables: see the man page for |
| 621 | iptables(8). This table is used for various packet alterations |
| 622 | which can effect how the packet is routed. |
| 623 | |
| 624 | To compile it as a module, choose M here. If unsure, say N. |
| 625 | |
| 626 | config IP_NF_TARGET_TOS |
| 627 | tristate "TOS target support" |
| 628 | depends on IP_NF_MANGLE |
| 629 | help |
| 630 | This option adds a `TOS' target, which allows you to create rules in |
| 631 | the `mangle' table which alter the Type Of Service field of an IP |
| 632 | packet prior to routing. |
| 633 | |
| 634 | To compile it as a module, choose M here. If unsure, say N. |
| 635 | |
| 636 | config IP_NF_TARGET_ECN |
| 637 | tristate "ECN target support" |
| 638 | depends on IP_NF_MANGLE |
| 639 | ---help--- |
| 640 | This option adds a `ECN' target, which can be used in the iptables mangle |
| 641 | table. |
| 642 | |
| 643 | You can use this target to remove the ECN bits from the IPv4 header of |
| 644 | an IP packet. This is particularly useful, if you need to work around |
| 645 | existing ECN blackholes on the internet, but don't want to disable |
| 646 | ECN support in general. |
| 647 | |
| 648 | To compile it as a module, choose M here. If unsure, say N. |
| 649 | |
| 650 | config IP_NF_TARGET_DSCP |
| 651 | tristate "DSCP target support" |
| 652 | depends on IP_NF_MANGLE |
| 653 | help |
| 654 | This option adds a `DSCP' match, which allows you to match against |
| 655 | the IPv4 header DSCP field (DSCP codepoint). |
| 656 | |
| 657 | The DSCP codepoint can have any value between 0x0 and 0x4f. |
| 658 | |
| 659 | To compile it as a module, choose M here. If unsure, say N. |
| 660 | |
| 661 | config IP_NF_TARGET_MARK |
| 662 | tristate "MARK target support" |
| 663 | depends on IP_NF_MANGLE |
| 664 | help |
| 665 | This option adds a `MARK' target, which allows you to create rules |
| 666 | in the `mangle' table which alter the netfilter mark (nfmark) field |
| 667 | associated with the packet prior to routing. This can change |
| 668 | the routing method (see `Use netfilter MARK value as routing |
| 669 | key') and can also be used by other subsystems to change their |
| 670 | behavior. |
| 671 | |
| 672 | To compile it as a module, choose M here. If unsure, say N. |
| 673 | |
| 674 | config IP_NF_TARGET_CLASSIFY |
| 675 | tristate "CLASSIFY target support" |
| 676 | depends on IP_NF_MANGLE |
| 677 | help |
| 678 | This option adds a `CLASSIFY' target, which enables the user to set |
| 679 | the priority of a packet. Some qdiscs can use this value for |
| 680 | classification, among these are: |
| 681 | |
| 682 | atm, cbq, dsmark, pfifo_fast, htb, prio |
| 683 | |
| 684 | To compile it as a module, choose M here. If unsure, say N. |
| 685 | |
Harald Welte | 5f2c3b9 | 2005-08-27 22:37:03 -0700 | [diff] [blame] | 686 | config IP_NF_TARGET_TTL |
| 687 | tristate 'TTL target support' |
| 688 | depends on IP_NF_MANGLE |
| 689 | help |
| 690 | This option adds a `TTL' target, which enables the user to modify |
| 691 | the TTL value of the IP header. |
| 692 | |
| 693 | While it is safe to decrement/lower the TTL, this target also enables |
| 694 | functionality to increment and set the TTL value of the IP header to |
| 695 | arbitrary values. This is EXTREMELY DANGEROUS since you can easily |
| 696 | create immortal packets that loop forever on the network. |
| 697 | |
| 698 | To compile it as a module, choose M here. If unsure, say N. |
| 699 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 700 | config IP_NF_TARGET_CONNMARK |
| 701 | tristate 'CONNMARK target support' |
| 702 | depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE |
| 703 | help |
| 704 | This option adds a `CONNMARK' target, which allows one to manipulate |
| 705 | the connection mark value. Similar to the MARK target, but |
| 706 | affects the connection mark value rather than the packet mark value. |
| 707 | |
| 708 | If you want to compile it as a module, say M here and read |
| 709 | <file:Documentation/modules.txt>. The module will be called |
| 710 | ipt_CONNMARK.o. If unsure, say `N'. |
| 711 | |
| 712 | config IP_NF_TARGET_CLUSTERIP |
| 713 | tristate "CLUSTERIP target support (EXPERIMENTAL)" |
| 714 | depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL |
| 715 | help |
| 716 | The CLUSTERIP target allows you to build load-balancing clusters of |
| 717 | network servers without having a dedicated load-balancing |
| 718 | router/server/switch. |
| 719 | |
| 720 | To compile it as a module, choose M here. If unsure, say N. |
| 721 | |
| 722 | # raw + specific targets |
| 723 | config IP_NF_RAW |
| 724 | tristate 'raw table support (required for NOTRACK/TRACE)' |
| 725 | depends on IP_NF_IPTABLES |
| 726 | help |
| 727 | This option adds a `raw' table to iptables. This table is the very |
| 728 | first in the netfilter framework and hooks in at the PREROUTING |
| 729 | and OUTPUT chains. |
| 730 | |
| 731 | If you want to compile it as a module, say M here and read |
| 732 | <file:Documentation/modules.txt>. If unsure, say `N'. |
| 733 | |
| 734 | config IP_NF_TARGET_NOTRACK |
| 735 | tristate 'NOTRACK target support' |
| 736 | depends on IP_NF_RAW |
| 737 | depends on IP_NF_CONNTRACK |
| 738 | help |
| 739 | The NOTRACK target allows a select rule to specify |
| 740 | which packets *not* to enter the conntrack/NAT |
| 741 | subsystem with all the consequences (no ICMP error tracking, |
| 742 | no protocol helpers for the selected packets). |
| 743 | |
| 744 | If you want to compile it as a module, say M here and read |
| 745 | <file:Documentation/modules.txt>. If unsure, say `N'. |
| 746 | |
| 747 | |
| 748 | # ARP tables |
| 749 | config IP_NF_ARPTABLES |
| 750 | tristate "ARP tables support" |
| 751 | help |
| 752 | arptables is a general, extensible packet identification framework. |
| 753 | The ARP packet filtering and mangling (manipulation)subsystems |
| 754 | use this: say Y or M here if you want to use either of those. |
| 755 | |
| 756 | To compile it as a module, choose M here. If unsure, say N. |
| 757 | |
| 758 | config IP_NF_ARPFILTER |
| 759 | tristate "ARP packet filtering" |
| 760 | depends on IP_NF_ARPTABLES |
| 761 | help |
| 762 | ARP packet filtering defines a table `filter', which has a series of |
| 763 | rules for simple ARP packet filtering at local input and |
| 764 | local output. On a bridge, you can also specify filtering rules |
| 765 | for forwarded ARP packets. See the man page for arptables(8). |
| 766 | |
| 767 | To compile it as a module, choose M here. If unsure, say N. |
| 768 | |
| 769 | config IP_NF_ARP_MANGLE |
| 770 | tristate "ARP payload mangling" |
| 771 | depends on IP_NF_ARPTABLES |
| 772 | help |
| 773 | Allows altering the ARP packet payload: source and destination |
| 774 | hardware and network addresses. |
| 775 | |
Harald Welte | 080774a | 2005-08-09 19:32:58 -0700 | [diff] [blame] | 776 | config IP_NF_CONNTRACK_NETLINK |
| 777 | tristate 'Connection tracking netlink interface' |
| 778 | depends on IP_NF_CONNTRACK && NETFILTER_NETLINK |
| 779 | help |
| 780 | This option enables support for a netlink-based userspace interface |
| 781 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 782 | endmenu |
| 783 | |