Network packet filtering framework (Netfilter)
modulename: netfilter.ko
configname: CONFIG_NETFILTER
Linux Kernel Configuration
└─>Networking support
└─>Networking options
└─>Network packet filtering framework (Netfilter)
In linux kernel since version 2.6.12
Netfilter is a framework for filtering and mangling network packets
that pass through your Linux box.
The most common use of packet filtering is to run your Linux box as
a firewall protecting a local network from the Internet. The type of
firewall provided by this kernel support is called a "packet
filter", which means that it can reject individual network packets
based on type, source, destination etc. The other kind of firewall,
a "proxy-based" one, is more secure but more intrusive and more
bothersome to set up; it inspects the network traffic much more
closely, modifies it and has knowledge about the higher level
protocols, which a packet filter lacks. Moreover, proxy-based
firewalls often require changes to the programs running on the local
clients. Proxy-based firewalls don't need support by the kernel, but
they are often combined with a packet filter, which only works if
you say Y here.
You should also say Y here if you intend to use your Linux box as
the gateway to the Internet for a local network of machines without
globally valid IP addresses. This is called "masquerading": if one
of the computers on your local network wants to send something to
the outside, your box can "masquerade" as that computer, i.e. it
forwards the traffic to the intended outside destination, but
modifies the packets to make it look like they came from the
firewall box itself. It works both ways: if the outside host
replies, the Linux box will silently forward the traffic to the
correct local computer. This way, the computers on your local net
are completely invisible to the outside world, even though they can
reach the outside and can receive replies. It is even possible to
run globally visible servers from within a masqueraded local network
using a mechanism called portforwarding. Masquerading is also often
called NAT (Network Address Translation).
Another use of Netfilter is in transparent proxying: if a machine on
the local network tries to connect to an outside host, your Linux
box can transparently forward the traffic to a local server,
typically a caching proxy server.
Yet another use of Netfilter is building a bridging firewall. Using
a bridge with Network packet filtering enabled makes iptables "see"
the bridged traffic. For filtering on the lower network and Ethernet
protocols over the bridge, use ebtables (under bridge netfilter
configuration).
Various modules exist for netfilter which replace the previous
masquerading (ipmasqadm), packet filtering (ipchains), transparent
proxying, and portforwarding mechanisms. Please see
<file:Documentation/Changes> under "iptables" for the location of
these packages.
that pass through your Linux box.
The most common use of packet filtering is to run your Linux box as
a firewall protecting a local network from the Internet. The type of
firewall provided by this kernel support is called a "packet
filter", which means that it can reject individual network packets
based on type, source, destination etc. The other kind of firewall,
a "proxy-based" one, is more secure but more intrusive and more
bothersome to set up; it inspects the network traffic much more
closely, modifies it and has knowledge about the higher level
protocols, which a packet filter lacks. Moreover, proxy-based
firewalls often require changes to the programs running on the local
clients. Proxy-based firewalls don't need support by the kernel, but
they are often combined with a packet filter, which only works if
you say Y here.
You should also say Y here if you intend to use your Linux box as
the gateway to the Internet for a local network of machines without
globally valid IP addresses. This is called "masquerading": if one
of the computers on your local network wants to send something to
the outside, your box can "masquerade" as that computer, i.e. it
forwards the traffic to the intended outside destination, but
modifies the packets to make it look like they came from the
firewall box itself. It works both ways: if the outside host
replies, the Linux box will silently forward the traffic to the
correct local computer. This way, the computers on your local net
are completely invisible to the outside world, even though they can
reach the outside and can receive replies. It is even possible to
run globally visible servers from within a masqueraded local network
using a mechanism called portforwarding. Masquerading is also often
called NAT (Network Address Translation).
Another use of Netfilter is in transparent proxying: if a machine on
the local network tries to connect to an outside host, your Linux
box can transparently forward the traffic to a local server,
typically a caching proxy server.
Yet another use of Netfilter is building a bridging firewall. Using
a bridge with Network packet filtering enabled makes iptables "see"
the bridged traffic. For filtering on the lower network and Ethernet
protocols over the bridge, use ebtables (under bridge netfilter
configuration).
Various modules exist for netfilter which replace the previous
masquerading (ipmasqadm), packet filtering (ipchains), transparent
proxying, and portforwarding mechanisms. Please see
<file:Documentation/Changes> under "iptables" for the location of
these packages.
source code:
is selected by
CONFIG_IPVLAN_L3SCONFIG_IPV6_ILA
CONFIG_BRIDGE_NETFILTER
CONFIG_NETFILTER_INGRESS
CONFIG_NETFILTER_EGRESS
CONFIG_NETFILTER_NETLINK_HOOK
CONFIG_NETFILTER_NETLINK_ACCT
CONFIG_NETFILTER_NETLINK_QUEUE
CONFIG_NETFILTER_NETLINK_LOG
CONFIG_NETFILTER_NETLINK_OSF
CONFIG_NF_CONNTRACK
CONFIG_NF_CT_PROTO_SCTP
CONFIG_NF_CONNTRACK_AMANDA
CONFIG_NF_CONNTRACK_NETBIOS_NS
CONFIG_NF_CONNTRACK_SNMP
CONFIG_NF_CONNTRACK_PPTP
CONFIG_NF_CT_NETLINK
CONFIG_NF_CT_NETLINK_TIMEOUT
CONFIG_NF_CT_NETLINK_HELPER
CONFIG_NF_TABLES
CONFIG_NF_TABLES_INET
CONFIG_NFT_CONNLIMIT
CONFIG_NFT_MASQ
CONFIG_NFT_REDIR
CONFIG_NFT_NAT
CONFIG_NFT_SOCKET
CONFIG_NFT_OSF
CONFIG_NFT_TPROXY
CONFIG_NFT_SYNPROXY
CONFIG_NFT_DUP_NETDEV
CONFIG_NFT_FWD_NETDEV
CONFIG_NETFILTER_XT_CONNMARK
CONFIG_NETFILTER_XT_TARGET_CONNMARK
CONFIG_NETFILTER_XT_TARGET_LOG
CONFIG_NETFILTER_XT_TARGET_MARK
CONFIG_NETFILTER_XT_TARGET_NFLOG
CONFIG_NETFILTER_XT_TARGET_NFQUEUE
CONFIG_NETFILTER_XT_TARGET_NOTRACK
CONFIG_NETFILTER_XT_TARGET_REDIRECT
CONFIG_NETFILTER_XT_TARGET_MASQUERADE
CONFIG_NETFILTER_XT_TARGET_TEE
CONFIG_NETFILTER_XT_TARGET_TPROXY
CONFIG_NETFILTER_XT_MATCH_CGROUP
CONFIG_NETFILTER_XT_MATCH_CONNLABEL
CONFIG_NETFILTER_XT_MATCH_CONNLIMIT
CONFIG_NETFILTER_XT_MATCH_CONNMARK
CONFIG_NETFILTER_XT_MATCH_MARK
CONFIG_NETFILTER_XT_MATCH_NFACCT
CONFIG_NETFILTER_XT_MATCH_OSF
CONFIG_NETFILTER_XT_MATCH_RATEEST
CONFIG_NETFILTER_XT_MATCH_REALM
CONFIG_NETFILTER_XT_MATCH_SOCKET
CONFIG_NETFILTER_XT_MATCH_STRING
CONFIG_IP_SET
CONFIG_IP_VS_IPV6
CONFIG_IP_VS_PROTO_SCTP
CONFIG_IP_VS_FTP
CONFIG_NFT_REJECT_IPV4
CONFIG_NFT_DUP_IPV4
CONFIG_NFT_FIB_IPV4
CONFIG_NF_TABLES_ARP
CONFIG_NF_LOG_ARP
CONFIG_NF_LOG_IPV4
CONFIG_NF_NAT_SNMP_BASIC
CONFIG_IP_NF_IPTABLES
CONFIG_IP_NF_MATCH_ECN
CONFIG_IP_NF_MATCH_TTL
CONFIG_IP_NF_TARGET_REJECT
CONFIG_IP_NF_TARGET_SYNPROXY
CONFIG_IP_NF_NAT
CONFIG_IP_NF_TARGET_MASQUERADE
CONFIG_IP_NF_TARGET_NETMAP
CONFIG_IP_NF_TARGET_REDIRECT
CONFIG_IP_NF_TARGET_CLUSTERIP
CONFIG_IP_NF_TARGET_TTL
CONFIG_IP_NF_ARPTABLES
CONFIG_NFT_REJECT_IPV6
CONFIG_NFT_DUP_IPV6
CONFIG_NFT_FIB_IPV6
CONFIG_NF_LOG_IPV6
CONFIG_IP6_NF_IPTABLES
CONFIG_IP6_NF_MATCH_HL
CONFIG_IP6_NF_TARGET_HL
CONFIG_IP6_NF_TARGET_REJECT
CONFIG_IP6_NF_TARGET_SYNPROXY
CONFIG_IP6_NF_NAT
CONFIG_IP6_NF_TARGET_MASQUERADE
CONFIG_NF_TABLES_BRIDGE
CONFIG_BRIDGE_NF_EBTABLES