xref: /openbmc/linux/net/ipv4/netfilter/Kconfig (revision 0b003749) 
1#
2# IP netfilter configuration
3#
4
5menu "IP: Netfilter Configuration"
6	depends on INET && NETFILTER
7
8config NF_DEFRAG_IPV4
9	tristate
10	default n
11
12config NF_SOCKET_IPV4
13	tristate "IPv4 socket lookup support"
14	help
15	  This option enables the IPv4 socket lookup infrastructure. This is
16	  is required by the {ip,nf}tables socket match.
17
18config NF_TPROXY_IPV4
19	tristate "IPv4 tproxy support"
20
21if NF_TABLES
22
23config NF_TABLES_IPV4
24	bool "IPv4 nf_tables support"
25	help
26	  This option enables the IPv4 support for nf_tables.
27
28if NF_TABLES_IPV4
29
30config NFT_CHAIN_ROUTE_IPV4
31	tristate "IPv4 nf_tables route chain support"
32	help
33	  This option enables the "route" chain for IPv4 in nf_tables. This
34	  chain type is used to force packet re-routing after mangling header
35	  fields such as the source, destination, type of service and
36	  the packet mark.
37
38config NFT_REJECT_IPV4
39	select NF_REJECT_IPV4
40	default NFT_REJECT
41	tristate
42
43config NFT_DUP_IPV4
44	tristate "IPv4 nf_tables packet duplication support"
45	depends on !NF_CONNTRACK || NF_CONNTRACK
46	select NF_DUP_IPV4
47	help
48	  This module enables IPv4 packet duplication support for nf_tables.
49
50config NFT_FIB_IPV4
51	select NFT_FIB
52	tristate "nf_tables fib / ip route lookup support"
53	help
54	  This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
55	  It also allows query of the FIB for the route type, e.g. local, unicast,
56	  multicast or blackhole.
57
58endif # NF_TABLES_IPV4
59
60config NF_TABLES_ARP
61	bool "ARP nf_tables support"
62	select NETFILTER_FAMILY_ARP
63	help
64	  This option enables the ARP support for nf_tables.
65
66endif # NF_TABLES
67
68config NF_FLOW_TABLE_IPV4
69	tristate "Netfilter flow table IPv4 module"
70	depends on NF_FLOW_TABLE
71	help
72	  This option adds the flow table IPv4 support.
73
74	  To compile it as a module, choose M here.
75
76config NF_DUP_IPV4
77	tristate "Netfilter IPv4 packet duplication to alternate destination"
78	depends on !NF_CONNTRACK || NF_CONNTRACK
79	help
80	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
81	  packet to be rerouted to another destination.
82
83config NF_LOG_ARP
84	tristate "ARP packet logging"
85	default m if NETFILTER_ADVANCED=n
86	select NF_LOG_COMMON
87
88config NF_LOG_IPV4
89	tristate "IPv4 packet logging"
90	default m if NETFILTER_ADVANCED=n
91	select NF_LOG_COMMON
92
93config NF_REJECT_IPV4
94	tristate "IPv4 packet rejection"
95	default m if NETFILTER_ADVANCED=n
96
97config NF_NAT_IPV4
98	tristate "IPv4 NAT"
99	depends on NF_CONNTRACK
100	default m if NETFILTER_ADVANCED=n
101	select NF_NAT
102	help
103	  The IPv4 NAT option allows masquerading, port forwarding and other
104	  forms of full Network Address Port Translation. This can be
105	  controlled by iptables or nft.
106
107if NF_NAT_IPV4
108
109config NF_NAT_MASQUERADE_IPV4
110	bool
111
112if NF_TABLES
113config NFT_CHAIN_NAT_IPV4
114	depends on NF_TABLES_IPV4
115	tristate "IPv4 nf_tables nat chain support"
116	help
117	  This option enables the "nat" chain for IPv4 in nf_tables. This
118	  chain type is used to perform Network Address Translation (NAT)
119	  packet transformations such as the source, destination address and
120	  source and destination ports.
121
122config NFT_MASQ_IPV4
123	tristate "IPv4 masquerading support for nf_tables"
124	depends on NF_TABLES_IPV4
125	depends on NFT_MASQ
126	select NF_NAT_MASQUERADE_IPV4
127	help
128	  This is the expression that provides IPv4 masquerading support for
129	  nf_tables.
130
131config NFT_REDIR_IPV4
132	tristate "IPv4 redirect support for nf_tables"
133	depends on NF_TABLES_IPV4
134	depends on NFT_REDIR
135	select NF_NAT_REDIRECT
136	help
137	  This is the expression that provides IPv4 redirect support for
138	  nf_tables.
139endif # NF_TABLES
140
141config NF_NAT_SNMP_BASIC
142	tristate "Basic SNMP-ALG support"
143	depends on NF_CONNTRACK_SNMP
144	depends on NETFILTER_ADVANCED
145	default NF_NAT && NF_CONNTRACK_SNMP
146	select ASN1
147	---help---
148
149	  This module implements an Application Layer Gateway (ALG) for
150	  SNMP payloads.  In conjunction with NAT, it allows a network
151	  management system to access multiple private networks with
152	  conflicting addresses.  It works by modifying IP addresses
153	  inside SNMP payloads to match IP-layer NAT mapping.
154
155	  This is the "basic" form of SNMP-ALG, as described in RFC 2962
156
157	  To compile it as a module, choose M here.  If unsure, say N.
158
159config NF_NAT_PROTO_GRE
160	tristate
161	depends on NF_CT_PROTO_GRE
162
163config NF_NAT_PPTP
164	tristate
165	depends on NF_CONNTRACK
166	default NF_CONNTRACK_PPTP
167	select NF_NAT_PROTO_GRE
168
169config NF_NAT_H323
170	tristate
171	depends on NF_CONNTRACK
172	default NF_CONNTRACK_H323
173
174endif # NF_NAT_IPV4
175
176config IP_NF_IPTABLES
177	tristate "IP tables support (required for filtering/masq/NAT)"
178	default m if NETFILTER_ADVANCED=n
179	select NETFILTER_XTABLES
180	help
181	  iptables is a general, extensible packet identification framework.
182	  The packet filtering and full NAT (masquerading, port forwarding,
183	  etc) subsystems now use this: say `Y' or `M' here if you want to use
184	  either of those.
185
186	  To compile it as a module, choose M here.  If unsure, say N.
187
188if IP_NF_IPTABLES
189
190# The matches.
191config IP_NF_MATCH_AH
192	tristate '"ah" match support'
193	depends on NETFILTER_ADVANCED
194	help
195	  This match extension allows you to match a range of SPIs
196	  inside AH header of IPSec packets.
197
198	  To compile it as a module, choose M here.  If unsure, say N.
199
200config IP_NF_MATCH_ECN
201	tristate '"ecn" match support'
202	depends on NETFILTER_ADVANCED
203	select NETFILTER_XT_MATCH_ECN
204	---help---
205	This is a backwards-compat option for the user's convenience
206	(e.g. when running oldconfig). It selects
207	CONFIG_NETFILTER_XT_MATCH_ECN.
208
209config IP_NF_MATCH_RPFILTER
210	tristate '"rpfilter" reverse path filter match support'
211	depends on NETFILTER_ADVANCED
212	depends on IP_NF_MANGLE || IP_NF_RAW
213	---help---
214	  This option allows you to match packets whose replies would
215	  go out via the interface the packet came in.
216
217	  To compile it as a module, choose M here.  If unsure, say N.
218	  The module will be called ipt_rpfilter.
219
220config IP_NF_MATCH_TTL
221	tristate '"ttl" match support'
222	depends on NETFILTER_ADVANCED
223	select NETFILTER_XT_MATCH_HL
224	---help---
225	This is a backwards-compat option for the user's convenience
226	(e.g. when running oldconfig). It selects
227	CONFIG_NETFILTER_XT_MATCH_HL.
228
229# `filter', generic and specific targets
230config IP_NF_FILTER
231	tristate "Packet filtering"
232	default m if NETFILTER_ADVANCED=n
233	help
234	  Packet filtering defines a table `filter', which has a series of
235	  rules for simple packet filtering at local input, forwarding and
236	  local output.  See the man page for iptables(8).
237
238	  To compile it as a module, choose M here.  If unsure, say N.
239
240config IP_NF_TARGET_REJECT
241	tristate "REJECT target support"
242	depends on IP_NF_FILTER
243	select NF_REJECT_IPV4
244	default m if NETFILTER_ADVANCED=n
245	help
246	  The REJECT target allows a filtering rule to specify that an ICMP
247	  error should be issued in response to an incoming packet, rather
248	  than silently being dropped.
249
250	  To compile it as a module, choose M here.  If unsure, say N.
251
252config IP_NF_TARGET_SYNPROXY
253	tristate "SYNPROXY target support"
254	depends on NF_CONNTRACK && NETFILTER_ADVANCED
255	select NETFILTER_SYNPROXY
256	select SYN_COOKIES
257	help
258	  The SYNPROXY target allows you to intercept TCP connections and
259	  establish them using syncookies before they are passed on to the
260	  server. This allows to avoid conntrack and server resource usage
261	  during SYN-flood attacks.
262
263	  To compile it as a module, choose M here. If unsure, say N.
264
265# NAT + specific targets: nf_conntrack
266config IP_NF_NAT
267	tristate "iptables NAT support"
268	depends on NF_CONNTRACK
269	default m if NETFILTER_ADVANCED=n
270	select NF_NAT
271	select NF_NAT_IPV4
272	select NETFILTER_XT_NAT
273	help
274	  This enables the `nat' table in iptables. This allows masquerading,
275	  port forwarding and other forms of full Network Address Port
276	  Translation.
277
278	  To compile it as a module, choose M here.  If unsure, say N.
279
280if IP_NF_NAT
281
282config IP_NF_TARGET_MASQUERADE
283	tristate "MASQUERADE target support"
284	select NF_NAT_MASQUERADE_IPV4
285	default m if NETFILTER_ADVANCED=n
286	help
287	  Masquerading is a special case of NAT: all outgoing connections are
288	  changed to seem to come from a particular interface's address, and
289	  if the interface goes down, those connections are lost.  This is
290	  only useful for dialup accounts with dynamic IP address (ie. your IP
291	  address will be different on next dialup).
292
293	  To compile it as a module, choose M here.  If unsure, say N.
294
295config IP_NF_TARGET_NETMAP
296	tristate "NETMAP target support"
297	depends on NETFILTER_ADVANCED
298	select NETFILTER_XT_TARGET_NETMAP
299	---help---
300	This is a backwards-compat option for the user's convenience
301	(e.g. when running oldconfig). It selects
302	CONFIG_NETFILTER_XT_TARGET_NETMAP.
303
304config IP_NF_TARGET_REDIRECT
305	tristate "REDIRECT target support"
306	depends on NETFILTER_ADVANCED
307	select NETFILTER_XT_TARGET_REDIRECT
308	---help---
309	This is a backwards-compat option for the user's convenience
310	(e.g. when running oldconfig). It selects
311	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
312
313endif # IP_NF_NAT
314
315# mangle + specific targets
316config IP_NF_MANGLE
317	tristate "Packet mangling"
318	default m if NETFILTER_ADVANCED=n
319	help
320	  This option adds a `mangle' table to iptables: see the man page for
321	  iptables(8).  This table is used for various packet alterations
322	  which can effect how the packet is routed.
323
324	  To compile it as a module, choose M here.  If unsure, say N.
325
326config IP_NF_TARGET_CLUSTERIP
327	tristate "CLUSTERIP target support"
328	depends on IP_NF_MANGLE
329	depends on NF_CONNTRACK
330	depends on NETFILTER_ADVANCED
331	select NF_CONNTRACK_MARK
332	select NETFILTER_FAMILY_ARP
333	help
334	  The CLUSTERIP target allows you to build load-balancing clusters of
335	  network servers without having a dedicated load-balancing
336	  router/server/switch.
337
338	  To compile it as a module, choose M here.  If unsure, say N.
339
340config IP_NF_TARGET_ECN
341	tristate "ECN target support"
342	depends on IP_NF_MANGLE
343	depends on NETFILTER_ADVANCED
344	---help---
345	  This option adds a `ECN' target, which can be used in the iptables mangle
346	  table.
347
348	  You can use this target to remove the ECN bits from the IPv4 header of
349	  an IP packet.  This is particularly useful, if you need to work around
350	  existing ECN blackholes on the internet, but don't want to disable
351	  ECN support in general.
352
353	  To compile it as a module, choose M here.  If unsure, say N.
354
355config IP_NF_TARGET_TTL
356	tristate '"TTL" target support'
357	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
358	select NETFILTER_XT_TARGET_HL
359	---help---
360	This is a backwards-compatible option for the user's convenience
361	(e.g. when running oldconfig). It selects
362	CONFIG_NETFILTER_XT_TARGET_HL.
363
364# raw + specific targets
365config IP_NF_RAW
366	tristate  'raw table support (required for NOTRACK/TRACE)'
367	help
368	  This option adds a `raw' table to iptables. This table is the very
369	  first in the netfilter framework and hooks in at the PREROUTING
370	  and OUTPUT chains.
371
372	  If you want to compile it as a module, say M here and read
373	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
374
375# security table for MAC policy
376config IP_NF_SECURITY
377	tristate "Security table"
378	depends on SECURITY
379	depends on NETFILTER_ADVANCED
380	help
381	  This option adds a `security' table to iptables, for use
382	  with Mandatory Access Control (MAC) policy.
383
384	  If unsure, say N.
385
386endif # IP_NF_IPTABLES
387
388# ARP tables
389config IP_NF_ARPTABLES
390	tristate "ARP tables support"
391	select NETFILTER_XTABLES
392	select NETFILTER_FAMILY_ARP
393	depends on NETFILTER_ADVANCED
394	help
395	  arptables is a general, extensible packet identification framework.
396	  The ARP packet filtering and mangling (manipulation)subsystems
397	  use this: say Y or M here if you want to use either of those.
398
399	  To compile it as a module, choose M here.  If unsure, say N.
400
401if IP_NF_ARPTABLES
402
403config IP_NF_ARPFILTER
404	tristate "ARP packet filtering"
405	help
406	  ARP packet filtering defines a table `filter', which has a series of
407	  rules for simple ARP packet filtering at local input and
408	  local output.  On a bridge, you can also specify filtering rules
409	  for forwarded ARP packets. See the man page for arptables(8).
410
411	  To compile it as a module, choose M here.  If unsure, say N.
412
413config IP_NF_ARP_MANGLE
414	tristate "ARP payload mangling"
415	help
416	  Allows altering the ARP packet payload: source and destination
417	  hardware and network addresses.
418
419endif # IP_NF_ARPTABLES
420
421endmenu
422
423