| blob | dfe6fa4ea5540bf0f81bf54685f5ee54c32af178 |
1 #
2 # IP netfilter configuration
3 #
5 menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
8 config NF_DEFRAG_IPV4
9 tristate
10 default n
12 config NF_CONNTRACK_IPV4
13 tristate "IPv4 connection tracking support (required for NAT)"
14 depends on NF_CONNTRACK
15 default m if NETFILTER_ADVANCED=n
16 select NF_DEFRAG_IPV4
17 ---help---
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are related
20 into connections.
22 This is IPv4 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is experimental scheme
24 which generalize ip_conntrack to support other layer 3 protocols.
26 To compile it as a module, choose M here. If unsure, say N.
28 config NF_SOCKET_IPV4
29 tristate "IPv4 socket lookup support"
30 help
31 This option enables the IPv4 socket lookup infrastructure. This is
32 is required by the iptables socket match.
34 if NF_TABLES
36 config NF_TABLES_IPV4
37 tristate "IPv4 nf_tables support"
38 help
39 This option enables the IPv4 support for nf_tables.
41 if NF_TABLES_IPV4
43 config NFT_CHAIN_ROUTE_IPV4
44 tristate "IPv4 nf_tables route chain support"
45 help
46 This option enables the "route" chain for IPv4 in nf_tables. This
47 chain type is used to force packet re-routing after mangling header
48 fields such as the source, destination, type of service and
49 the packet mark.
51 config NFT_REJECT_IPV4
52 select NF_REJECT_IPV4
53 default NFT_REJECT
54 tristate
56 config NFT_DUP_IPV4
57 tristate "IPv4 nf_tables packet duplication support"
58 depends on !NF_CONNTRACK || NF_CONNTRACK
59 select NF_DUP_IPV4
60 help
61 This module enables IPv4 packet duplication support for nf_tables.
63 config NFT_FIB_IPV4
64 select NFT_FIB
65 tristate "nf_tables fib / ip route lookup support"
66 help
67 This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
68 It also allows query of the FIB for the route type, e.g. local, unicast,
69 multicast or blackhole.
71 endif # NF_TABLES_IPV4
73 config NF_TABLES_ARP
74 tristate "ARP nf_tables support"
75 select NETFILTER_FAMILY_ARP
76 help
77 This option enables the ARP support for nf_tables.
79 endif # NF_TABLES
81 config NF_FLOW_TABLE_IPV4
82 tristate "Netfilter flow table IPv4 module"
83 depends on NF_FLOW_TABLE
84 help
85 This option adds the flow table IPv4 support.
87 To compile it as a module, choose M here.
89 config NF_DUP_IPV4
90 tristate "Netfilter IPv4 packet duplication to alternate destination"
91 depends on !NF_CONNTRACK || NF_CONNTRACK
92 help
93 This option enables the nf_dup_ipv4 core, which duplicates an IPv4
94 packet to be rerouted to another destination.
96 config NF_LOG_ARP
97 tristate "ARP packet logging"
98 default m if NETFILTER_ADVANCED=n
99 select NF_LOG_COMMON
101 config NF_LOG_IPV4
102 tristate "IPv4 packet logging"
103 default m if NETFILTER_ADVANCED=n
104 select NF_LOG_COMMON
106 config NF_REJECT_IPV4
107 tristate "IPv4 packet rejection"
108 default m if NETFILTER_ADVANCED=n
110 config NF_NAT_IPV4
111 tristate "IPv4 NAT"
112 depends on NF_CONNTRACK_IPV4
113 default m if NETFILTER_ADVANCED=n
114 select NF_NAT
115 help
116 The IPv4 NAT option allows masquerading, port forwarding and other
117 forms of full Network Address Port Translation. This can be
118 controlled by iptables or nft.
120 if NF_NAT_IPV4
122 config NFT_CHAIN_NAT_IPV4
123 depends on NF_TABLES_IPV4
124 tristate "IPv4 nf_tables nat chain support"
125 help
126 This option enables the "nat" chain for IPv4 in nf_tables. This
127 chain type is used to perform Network Address Translation (NAT)
128 packet transformations such as the source, destination address and
129 source and destination ports.
131 config NF_NAT_MASQUERADE_IPV4
132 tristate "IPv4 masquerade support"
133 help
134 This is the kernel functionality to provide NAT in the masquerade
135 flavour (automatic source address selection).
137 config NFT_MASQ_IPV4
138 tristate "IPv4 masquerading support for nf_tables"
139 depends on NF_TABLES_IPV4
140 depends on NFT_MASQ
141 select NF_NAT_MASQUERADE_IPV4
142 help
143 This is the expression that provides IPv4 masquerading support for
144 nf_tables.
146 config NFT_REDIR_IPV4
147 tristate "IPv4 redirect support for nf_tables"
148 depends on NF_TABLES_IPV4
149 depends on NFT_REDIR
150 select NF_NAT_REDIRECT
151 help
152 This is the expression that provides IPv4 redirect support for
153 nf_tables.
155 config NF_NAT_SNMP_BASIC
156 tristate "Basic SNMP-ALG support"
157 depends on NF_CONNTRACK_SNMP
158 depends on NETFILTER_ADVANCED
159 default NF_NAT && NF_CONNTRACK_SNMP
160 select ASN1
161 ---help---
163 This module implements an Application Layer Gateway (ALG) for
164 SNMP payloads. In conjunction with NAT, it allows a network
165 management system to access multiple private networks with
166 conflicting addresses. It works by modifying IP addresses
167 inside SNMP payloads to match IP-layer NAT mapping.
169 This is the "basic" form of SNMP-ALG, as described in RFC 2962
171 To compile it as a module, choose M here. If unsure, say N.
173 config NF_NAT_PROTO_GRE
174 tristate
175 depends on NF_CT_PROTO_GRE
177 config NF_NAT_PPTP
178 tristate
179 depends on NF_CONNTRACK
180 default NF_CONNTRACK_PPTP
181 select NF_NAT_PROTO_GRE
183 config NF_NAT_H323
184 tristate
185 depends on NF_CONNTRACK
186 default NF_CONNTRACK_H323
188 endif # NF_NAT_IPV4
190 config IP_NF_IPTABLES
191 tristate "IP tables support (required for filtering/masq/NAT)"
192 default m if NETFILTER_ADVANCED=n
193 select NETFILTER_XTABLES
194 help
195 iptables is a general, extensible packet identification framework.
196 The packet filtering and full NAT (masquerading, port forwarding,
197 etc) subsystems now use this: say `Y' or `M' here if you want to use
198 either of those.
200 To compile it as a module, choose M here. If unsure, say N.
202 if IP_NF_IPTABLES
204 # The matches.
205 config IP_NF_MATCH_AH
206 tristate '"ah" match support'
207 depends on NETFILTER_ADVANCED
208 help
209 This match extension allows you to match a range of SPIs
210 inside AH header of IPSec packets.
212 To compile it as a module, choose M here. If unsure, say N.
214 config IP_NF_MATCH_ECN
215 tristate '"ecn" match support'
216 depends on NETFILTER_ADVANCED
217 select NETFILTER_XT_MATCH_ECN
218 ---help---
219 This is a backwards-compat option for the user's convenience
220 (e.g. when running oldconfig). It selects
221 CONFIG_NETFILTER_XT_MATCH_ECN.
223 config IP_NF_MATCH_RPFILTER
224 tristate '"rpfilter" reverse path filter match support'
225 depends on NETFILTER_ADVANCED
226 depends on IP_NF_MANGLE || IP_NF_RAW
227 ---help---
228 This option allows you to match packets whose replies would
229 go out via the interface the packet came in.
231 To compile it as a module, choose M here. If unsure, say N.
232 The module will be called ipt_rpfilter.
234 config IP_NF_MATCH_TTL
235 tristate '"ttl" match support'
236 depends on NETFILTER_ADVANCED
237 select NETFILTER_XT_MATCH_HL
238 ---help---
239 This is a backwards-compat option for the user's convenience
240 (e.g. when running oldconfig). It selects
241 CONFIG_NETFILTER_XT_MATCH_HL.
243 # `filter', generic and specific targets
244 config IP_NF_FILTER
245 tristate "Packet filtering"
246 default m if NETFILTER_ADVANCED=n
247 help
248 Packet filtering defines a table `filter', which has a series of
249 rules for simple packet filtering at local input, forwarding and
250 local output. See the man page for iptables(8).
252 To compile it as a module, choose M here. If unsure, say N.
254 config IP_NF_TARGET_REJECT
255 tristate "REJECT target support"
256 depends on IP_NF_FILTER
257 select NF_REJECT_IPV4
258 default m if NETFILTER_ADVANCED=n
259 help
260 The REJECT target allows a filtering rule to specify that an ICMP
261 error should be issued in response to an incoming packet, rather
262 than silently being dropped.
264 To compile it as a module, choose M here. If unsure, say N.
266 config IP_NF_TARGET_SYNPROXY
267 tristate "SYNPROXY target support"
268 depends on NF_CONNTRACK && NETFILTER_ADVANCED
269 select NETFILTER_SYNPROXY
270 select SYN_COOKIES
271 help
272 The SYNPROXY target allows you to intercept TCP connections and
273 establish them using syncookies before they are passed on to the
274 server. This allows to avoid conntrack and server resource usage
275 during SYN-flood attacks.
277 To compile it as a module, choose M here. If unsure, say N.
279 # NAT + specific targets: nf_conntrack
280 config IP_NF_NAT
281 tristate "iptables NAT support"
282 depends on NF_CONNTRACK_IPV4
283 default m if NETFILTER_ADVANCED=n
284 select NF_NAT
285 select NF_NAT_IPV4
286 select NETFILTER_XT_NAT
287 help
288 This enables the `nat' table in iptables. This allows masquerading,
289 port forwarding and other forms of full Network Address Port
290 Translation.
292 To compile it as a module, choose M here. If unsure, say N.
294 if IP_NF_NAT
296 config IP_NF_TARGET_MASQUERADE
297 tristate "MASQUERADE target support"
298 select NF_NAT_MASQUERADE_IPV4
299 default m if NETFILTER_ADVANCED=n
300 help
301 Masquerading is a special case of NAT: all outgoing connections are
302 changed to seem to come from a particular interface's address, and
303 if the interface goes down, those connections are lost. This is
304 only useful for dialup accounts with dynamic IP address (ie. your IP
305 address will be different on next dialup).
307 To compile it as a module, choose M here. If unsure, say N.
309 config IP_NF_TARGET_NETMAP
310 tristate "NETMAP target support"
311 depends on NETFILTER_ADVANCED
312 select NETFILTER_XT_TARGET_NETMAP
313 ---help---
314 This is a backwards-compat option for the user's convenience
315 (e.g. when running oldconfig). It selects
316 CONFIG_NETFILTER_XT_TARGET_NETMAP.
318 config IP_NF_TARGET_REDIRECT
319 tristate "REDIRECT target support"
320 depends on NETFILTER_ADVANCED
321 select NETFILTER_XT_TARGET_REDIRECT
322 ---help---
323 This is a backwards-compat option for the user's convenience
324 (e.g. when running oldconfig). It selects
325 CONFIG_NETFILTER_XT_TARGET_REDIRECT.
327 endif # IP_NF_NAT
329 # mangle + specific targets
330 config IP_NF_MANGLE
331 tristate "Packet mangling"
332 default m if NETFILTER_ADVANCED=n
333 help
334 This option adds a `mangle' table to iptables: see the man page for
335 iptables(8). This table is used for various packet alterations
336 which can effect how the packet is routed.
338 To compile it as a module, choose M here. If unsure, say N.
340 config IP_NF_TARGET_CLUSTERIP
341 tristate "CLUSTERIP target support"
342 depends on IP_NF_MANGLE
343 depends on NF_CONNTRACK_IPV4
344 depends on NETFILTER_ADVANCED
345 select NF_CONNTRACK_MARK
346 select NETFILTER_FAMILY_ARP
347 help
348 The CLUSTERIP target allows you to build load-balancing clusters of
349 network servers without having a dedicated load-balancing
350 router/server/switch.
352 To compile it as a module, choose M here. If unsure, say N.
354 config IP_NF_TARGET_ECN
355 tristate "ECN target support"
356 depends on IP_NF_MANGLE
357 depends on NETFILTER_ADVANCED
358 ---help---
359 This option adds a `ECN' target, which can be used in the iptables mangle
360 table.
362 You can use this target to remove the ECN bits from the IPv4 header of
363 an IP packet. This is particularly useful, if you need to work around
364 existing ECN blackholes on the internet, but don't want to disable
365 ECN support in general.
367 To compile it as a module, choose M here. If unsure, say N.
369 config IP_NF_TARGET_TTL
370 tristate '"TTL" target support'
371 depends on NETFILTER_ADVANCED && IP_NF_MANGLE
372 select NETFILTER_XT_TARGET_HL
373 ---help---
374 This is a backwards-compatible option for the user's convenience
375 (e.g. when running oldconfig). It selects
376 CONFIG_NETFILTER_XT_TARGET_HL.
378 # raw + specific targets
379 config IP_NF_RAW
380 tristate 'raw table support (required for NOTRACK/TRACE)'
381 help
382 This option adds a `raw' table to iptables. This table is the very
383 first in the netfilter framework and hooks in at the PREROUTING
384 and OUTPUT chains.
386 If you want to compile it as a module, say M here and read
387 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
389 # security table for MAC policy
390 config IP_NF_SECURITY
391 tristate "Security table"
392 depends on SECURITY
393 depends on NETFILTER_ADVANCED
394 help
395 This option adds a `security' table to iptables, for use
396 with Mandatory Access Control (MAC) policy.
398 If unsure, say N.
400 endif # IP_NF_IPTABLES
402 # ARP tables
403 config IP_NF_ARPTABLES
404 tristate "ARP tables support"
405 select NETFILTER_XTABLES
406 select NETFILTER_FAMILY_ARP
407 depends on NETFILTER_ADVANCED
408 help
409 arptables is a general, extensible packet identification framework.
410 The ARP packet filtering and mangling (manipulation)subsystems
411 use this: say Y or M here if you want to use either of those.
413 To compile it as a module, choose M here. If unsure, say N.
415 if IP_NF_ARPTABLES
417 config IP_NF_ARPFILTER
418 tristate "ARP packet filtering"
419 help
420 ARP packet filtering defines a table `filter', which has a series of
421 rules for simple ARP packet filtering at local input and
422 local output. On a bridge, you can also specify filtering rules
423 for forwarded ARP packets. See the man page for arptables(8).
425 To compile it as a module, choose M here. If unsure, say N.
427 config IP_NF_ARP_MANGLE
428 tristate "ARP payload mangling"
429 help
430 Allows altering the ARP packet payload: source and destination
431 hardware and network addresses.
433 endif # IP_NF_ARPTABLES
435 endmenu