net/ipv4/netfilter/Kconfig v3.0-rc7


Menu: IP: Netfilter Configuration

NF_CONNTRACK_IPV4

IPv4 connection tracking support (required for NAT)

Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
into connections.

This is IPv4 support on Layer 3 independent connection tracking.
Layer 3 independent connection tracking is an experimental scheme
which generalizes ip_conntrack to support other layer 3 protocols.

To compile it as a module, choose M here.  If unsure, say N.

NF_CONNTRACK_PROC_COMPAT

proc/sysctl compatibility with old connection tracking

This option enables /proc and sysctl compatibility with the old
layer 3 dependent connection tracking. This is needed to keep
old programs that have not been adapted to the new names working.

If unsure, say Y.
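As an added illustration of what the connection tracking table described under NF_CONNTRACK_IPV4 actually records, and of the old layer 3 dependent /proc layout that NF_CONNTRACK_PROC_COMPAT keeps available, the following parser (example code written for this page, not kernel or netfilter project code) reads lines in the /proc/net/ip_conntrack format and reports, per entry, the original and reply tuples, the TCP state, flags such as ASSURED or UNREPLIED, and whether NAT rewrote the flow. The sample lines are constructed; the function names and the TUPLE_KEYS set are this example's own.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed lines in the old /proc/net/ip_conntrack layout (the layer 3
# dependent names that NF_CONNTRACK_PROC_COMPAT keeps available). Addresses,
# ports, timeouts and counters are made up for this example.
SAMPLE_IP_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.20 dst=203.0.113.5 sport=50212 dport=443 src=203.0.113.5 dst=198.51.100.1 sport=443 dport=50212 [ASSURED] mark=0 use=2
udp      17 29 src=192.168.1.20 dst=192.168.1.1 sport=41337 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=41337 mark=0 use=1
tcp      6 117 SYN_SENT src=192.168.1.21 dst=203.0.113.9 sport=40001 dport=22 [UNREPLIED] src=203.0.113.9 dst=198.51.100.1 sport=22 dport=40001 mark=0 use=1
icmp     1 29 src=192.168.1.20 dst=203.0.113.5 type=8 code=0 id=4711 src=203.0.113.5 dst=198.51.100.1 type=0 code=0 id=4711 mark=0 use=1
"""

# Keys that make up a flow tuple; everything else (mark=, use=, ...) is metadata.
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}


@dataclass
class ConntrackEntry:
    proto: str
    timeout: int
    state: Optional[str]                          # TCP state name, None for stateless protocols
    original: dict = field(default_factory=dict)  # tuple as seen on the first packet
    reply: dict = field(default_factory=dict)     # tuple expected on the reply path
    flags: set = field(default_factory=set)       # ASSURED, UNREPLIED, ...
    extra: dict = field(default_factory=dict)     # mark=, use=, packets=, bytes= ...


def parse_entry(line):
    tokens = line.split()
    proto, timeout = tokens[0], int(tokens[2])    # tokens[1] is the protocol number
    idx, state = 3, None
    # TCP entries carry a state word before the first tuple; UDP/ICMP do not.
    if idx < len(tokens) and "=" not in tokens[idx] and not tokens[idx].startswith("["):
        state = tokens[idx]
        idx += 1
    entry = ConntrackEntry(proto=proto, timeout=timeout, state=state)
    current = entry.original
    for tok in tokens[idx:]:
        if tok.startswith("[") and tok.endswith("]"):
            entry.flags.add(tok[1:-1])
            continue
        key, _, value = tok.partition("=")
        if key in TUPLE_KEYS:
            # Seeing a tuple key a second time means we crossed into the reply tuple.
            if key in current and current is entry.original:
                current = entry.reply
            current[key] = value
        else:
            entry.extra[key] = value
    return entry


def parse_ip_conntrack(text):
    return [parse_entry(l) for l in text.splitlines() if l.strip()]


def is_translated(entry):
    """True when NAT rewrote the flow: the reply tuple is not the mirror of the original."""
    o, r = entry.original, entry.reply
    return ((o.get("src"), o.get("dst")) != (r.get("dst"), r.get("src"))
            or (o.get("sport"), o.get("dport")) != (r.get("dport"), r.get("sport")))


def public_address(entry):
    """For a translated flow, the address the outside world sees (the reply destination)."""
    return entry.reply.get("dst") if is_translated(entry) else None


if __name__ == "__main__":
    for e in parse_ip_conntrack(SAMPLE_IP_CONNTRACK):
        nat = f" via {public_address(e)}" if is_translated(e) else ""
        print(f"{e.proto:5} {e.state or '-':12} {e.original.get('src')} -> "
              f"{e.original.get('dst')}{nat} {sorted(e.flags)}")
```

The reply tuple is what makes NAT possible: for a masqueraded flow the reply destination is the gateway's own address rather than the internal host, and the tracker uses that stored tuple to undo the translation on the way back. Entries still flagged UNREPLIED are connection attempts the other side never answered, which is a cheap signal to watch when reviewing a gateway's table.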

IP_NF_QUEUE

IP Userspace queueing via NETLINK (OBSOLETE)

Netfilter has the ability to queue packets to user space: the
netlink device can be used to access them using this driver.

This option enables the old IPv4-only "ip_queue" implementation
which has been obsoleted by the new "nfnetlink_queue" code (see
CONFIG_NETFILTER_NETLINK_QUEUE).

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_IPTABLES

IP tables support (required for filtering/masq/NAT)

iptables is a general, extensible packet identification framework.
The packet filtering and full NAT (masquerading, port forwarding,
etc) subsystems now use this: say `Y' or `M' here if you want to use
either of those.

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_MATCH_AH

"ah" match support

This match extension allows you to match a range of SPIs
inside AH header of IPSec packets.

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_MATCH_ECN

"ecn" match support

This option adds an `ECN' match, which allows you to match against
the IPv4 and TCP header ECN fields.

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_MATCH_TTL

"ttl" match support

This is a backwards-compat option for the user's convenience
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_MATCH_HL.

IP_NF_FILTER

Packet filtering

Packet filtering defines a table `filter', which has a series of
rules for simple packet filtering at local input, forwarding and
local output.  See the man page for iptables(8).

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_TARGET_REJECT

REJECT target support

The REJECT target allows a filtering rule to specify that an ICMP
error should be issued in response to an incoming packet, rather
than silently being dropped.

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_TARGET_LOG

LOG target support

This option adds a `LOG' target, which allows you to create rules in
any iptables table which records the packet header to the syslog.

To compile it as a module, choose M here.  If unsure, say N.
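To show what the syslog records produced by the LOG target look like on the receiving end, and how a defender turns them into something useful, here is an added example (written for this page, not part of the kernel or netfilter) that parses the key=value layout ipt_LOG writes and runs two small checks over the result: which sources are noisy and which services each source touched. The syslog lines, the "IPT-..." prefixes and all addresses are constructed, and the function names are this example's own.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed syslog excerpt in the layout ipt_LOG writes: the --log-prefix
# text, then IP header fields, then PROTO= and the transport fields. Hosts,
# times and prefixes are made up for this example.
SAMPLE_SYSLOG = """\
Jul 12 10:15:01 gw kernel: [ 1234.567890] IPT-IN-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=31337 DF PROTO=TCP SPT=40432 DPT=22 WINDOW=29200 RES=0x00 SYN URGP=0
Jul 12 10:15:02 gw kernel: [ 1235.001234] IPT-FWD-DROP: IN=eth0 OUT=eth1 SRC=198.51.100.77 DST=10.0.0.5 LEN=40 TOS=0x00 PREC=0x00 TTL=51 ID=4 PROTO=UDP SPT=53 DPT=1900 LEN=20
Jul 12 10:15:03 gw kernel: [ 1236.000001] IPT-IN-DROP: IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.77 DST=192.0.2.10 LEN=84 TOS=0x00 PREC=0x00 TTL=52 ID=2 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Jul 12 10:15:04 gw sshd[812]: Accepted publickey for ops from 192.0.2.44 port 50110 ssh2
"""

# kernel: [optional printk timestamp] <log-prefix> IN=...
_KERNEL_RE = re.compile(r"kernel:\s*(?:\[\s*\d+\.\d+\]\s*)?(?P<prefix>.*?)\s*(?P<body>IN=.*)$")


@dataclass
class LogRecord:
    prefix: str
    ip: dict = field(default_factory=dict)    # fields before PROTO= (IP header)
    l4: dict = field(default_factory=dict)    # PROTO= and everything after it
    flags: set = field(default_factory=set)   # bare tokens: DF, MF, SYN, ACK, ...


def parse_log_line(line):
    """Return a LogRecord for an ipt_LOG line, or None for unrelated syslog lines."""
    m = _KERNEL_RE.search(line)
    if not m:
        return None
    rec = LogRecord(prefix=m.group("prefix").rstrip(": ").strip())
    target = rec.ip
    for tok in m.group("body").split():
        key, sep, value = tok.partition("=")
        if not sep:
            rec.flags.add(tok)
            continue
        if key == "PROTO":
            # LEN= and ID= are repeated by UDP/ICMP; keeping the transport
            # fields in their own dict avoids clobbering the IP header values.
            target = rec.l4
        target[key] = value
    return rec


def parse_syslog(text):
    return [r for r in (parse_log_line(l) for l in text.splitlines()) if r is not None]


def noisy_sources(records, threshold):
    """Sources seen in at least `threshold` logged packets, busiest first."""
    counts = Counter(r.ip.get("SRC") for r in records)
    return [src for src, n in counts.most_common() if n >= threshold]


def targeted_services(records):
    """Map each SRC to the set of 'PROTO/port' (or 'ICMP/typeN') it touched."""
    out = defaultdict(set)
    for r in records:
        proto = r.l4.get("PROTO", "?")
        if proto == "ICMP":
            svc = f"ICMP/type{r.l4.get('TYPE', '?')}"
        else:
            svc = f"{proto}/{r.l4.get('DPT', '?')}"
        out[r.ip.get("SRC")].add(svc)
    return dict(out)


def is_new_tcp_attempt(rec):
    """TCP packet with SYN set and ACK clear: the first packet of a connection."""
    return rec.l4.get("PROTO") == "TCP" and "SYN" in rec.flags and "ACK" not in rec.flags


if __name__ == "__main__":
    recs = parse_syslog(SAMPLE_SYSLOG)
    print("noisy:", noisy_sources(recs, 3))
    print("services:", targeted_services(recs))
```

Splitting the record at PROTO= matters because ipt_LOG prints the IP header first and the transport header second, and both can carry a LEN= or ID= field; a flat dictionary would silently keep only the last one.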

IP_NF_TARGET_ULOG

ULOG target support

This option enables the old IPv4-only "ipt_ULOG" implementation
which has been obsoleted by the new "nfnetlink_log" code (see
CONFIG_NETFILTER_NETLINK_LOG).

This option adds a `ULOG' target, which allows you to create rules in
any iptables table. The packet is passed to a userspace logging
daemon using netlink multicast sockets, unlike the LOG target, whose
output can only be viewed through syslog.

The appropriate userspace logging daemon (ulogd) may be obtained from
<http://www.netfilter.org/projects/ulogd/index.html>

To compile it as a module, choose M here.  If unsure, say N.

NF_NAT

Full NAT

The Full NAT option allows masquerading, port forwarding and other
forms of full Network Address Port Translation.  It is controlled by
the `nat' table in iptables: see the man page for iptables(8).

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_TARGET_MASQUERADE

MASQUERADE target support

Masquerading is a special case of NAT: all outgoing connections are
changed to seem to come from a particular interface's address, and
if the interface goes down, those connections are lost.  This is
only useful for dialup accounts with dynamic IP address (i.e. your IP
address will be different on the next dialup).

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_TARGET_NETMAP

NETMAP target support

NETMAP is an implementation of static 1:1 NAT mapping of network
addresses. It maps the network address part, while keeping the host
address part intact.

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_TARGET_REDIRECT

REDIRECT target support

REDIRECT is a special case of NAT: all incoming connections are
mapped onto the incoming interface's address, causing the packets to
come to the local machine instead of passing through.  This is
useful for transparent proxies.

To compile it as a module, choose M here.  If unsure, say N.

NF_NAT_SNMP_BASIC

Basic SNMP-ALG support

This module implements an Application Layer Gateway (ALG) for
SNMP payloads.  In conjunction with NAT, it allows a network
management system to access multiple private networks with
conflicting addresses.  It works by modifying IP addresses
inside SNMP payloads to match IP-layer NAT mapping.

This is the "basic" form of SNMP-ALG, as described in RFC 2962.

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_MANGLE

Packet mangling

This option adds a `mangle' table to iptables: see the man page for
iptables(8).  This table is used for various packet alterations
which can affect how the packet is routed.

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_TARGET_CLUSTERIP

CLUSTERIP target support (EXPERIMENTAL)

The CLUSTERIP target allows you to build load-balancing clusters of
network servers without having a dedicated load-balancing
router/server/switch.

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_TARGET_ECN

ECN target support

This option adds an `ECN' target, which can be used in the iptables mangle
table.

You can use this target to remove the ECN bits from the IPv4 header of
an IP packet.  This is particularly useful if you need to work around
existing ECN blackholes on the internet, but don't want to disable
ECN support in general.

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_TARGET_TTL

"TTL" target support

This is a backwards-compatible option for the user's convenience
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_TARGET_HL.

IP_NF_RAW

raw table support (required for NOTRACK/TRACE)

This option adds a `raw' table to iptables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
and OUTPUT chains.

If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

IP_NF_SECURITY

Security table

This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.

If unsure, say N.

IP_NF_ARPTABLES

ARP tables support

arptables is a general, extensible packet identification framework.
The ARP packet filtering and mangling (manipulation) subsystems
use this: say Y or M here if you want to use either of those.

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_ARPFILTER

ARP packet filtering

ARP packet filtering defines a table `filter', which has a series of
rules for simple ARP packet filtering at local input and
local output.  On a bridge, you can also specify filtering rules
for forwarded ARP packets. See the man page for arptables(8).

To compile it as a module, choose M here.  If unsure, say N.

IP_NF_ARP_MANGLE

ARP payload mangling

Allows altering the ARP packet payload: source and destination
hardware and network addresses.