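#
# IP netfilter configuration
#
# Layout restored to one Kconfig statement per line; the listing's line
# numbers had been fused into the text.
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# No prompt: this stays off unless another option selects it.
config NF_DEFRAG_IPV4
	tristate
	default n

config NF_SOCKET_IPV4
	tristate "IPv4 socket lookup support"
	help
	  This option enables the IPv4 socket lookup infrastructure. This
	  is required by the {ip,nf}tables socket match.

config NF_TPROXY_IPV4
	tristate "IPv4 tproxy support"

if NF_TABLES

config NF_TABLES_IPV4
	bool "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

# No prompt: follows NFT_REJECT and pulls in the shared IPv4 reject code.
config NFT_REJECT_IPV4
	tristate
	default NFT_REJECT
	select NF_REJECT_IPV4

# "!NF_CONNTRACK || NF_CONNTRACK" is not a no-op for a tristate: it evaluates
# to m when NF_CONNTRACK=m, so this option cannot be built in (y) while
# conntrack is modular.
config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.

# Review note: reverse path filtering through fib lookups is an anti-spoofing
# control; a ruleset that relies on it needs this option available on the
# target kernel.
config NFT_FIB_IPV4
	tristate "nf_tables fib / ip route lookup support"
	select NFT_FIB
	help
	  This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	bool "ARP nf_tables support"
	select NETFILTER_FAMILY_ARP
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_FLOW_TABLE_IPV4
	tristate "Netfilter flow table IPv4 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv4 support.

	  To compile it as a module, choose M here.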
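# "!NF_CONNTRACK || NF_CONNTRACK" is not a no-op for a tristate: it evaluates
# to m when NF_CONNTRACK=m, so this option cannot be built in (y) while
# conntrack is modular.
config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

# Review note: the two logging options below carry no help text. They default
# to m when NETFILTER_ADVANCED=n; rules that log for audit or detection
# purposes presumably depend on them - confirm against the ruleset in use.
config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

# No prompt: enabled only through "select" by the masquerade users.
config NF_NAT_MASQUERADE_IPV4
	bool

if NF_TABLES
config NFT_CHAIN_NAT_IPV4
	tristate "IPv4 nf_tables nat chain support"
	depends on NF_TABLES_IPV4
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.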
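endif # NF_TABLES

# Review note: this ALG decodes and rewrites SNMP payloads taken from
# forwarded traffic (hence "select ASN1"), i.e. the kernel parses data that a
# remote peer controls. The default follows NF_NAT && NF_CONNTRACK_SNMP, so it
# turns on whenever both are enabled; a hardened config should set it to n
# explicitly unless the SNMP ALG is actually needed.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	select ASN1
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

# The three helpers below have no prompt. NF_NAT_PROTO_GRE is enabled only
# through "select"; NF_NAT_PPTP and NF_NAT_H323 follow their conntrack helper
# through "default", so disabling NF_CONNTRACK_PPTP / NF_CONNTRACK_H323 is
# what turns the matching NAT helper off.
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.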
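# Compatibility alias: its only effect is to select the xtables ECN match.
config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

# Review note: rpfilter is the iptables reverse-path (anti-spoofing) match.
# It needs the mangle or raw table (second "depends on"), so a config that
# drops both tables also loses this match.
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

# Compatibility alias: its only effect is to select the xtables HL match.
config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# Review note: REJECT answers the sender with an ICMP error, whereas a plain
# drop stays silent; which of the two a policy uses is a deliberate choice.
config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.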
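# Review note: SYN-flood mitigation. Enabling this forces SYN_COOKIES and
# NETFILTER_SYNPROXY on through "select"; it is only offered when conntrack
# and NETFILTER_ADVANCED are both set.
config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility alias: its only effect is to select the xtables NETMAP target.
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.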
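# Compatibility alias: its only effect is to select the xtables REDIRECT
# target.
config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	select NETFILTER_FAMILY_ARP
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility alias: its only effect is to select the xtables HL target.
config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
# Review note: unlike IP_NF_MANGLE, this entry has no "default" line and no
# NETFILTER_ADVANCED dependency. NOTRACK rules placed in this table exempt
# traffic from connection tracking, so stateful rules do not apply to that
# traffic; raw-table rules deserve the same review as filter rules.
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
# Review note: only offered when SECURITY and NETFILTER_ADVANCED are both set.
# Systems that label packets for a MAC policy (presumably SECMARK-style
# rules - confirm) need it enabled, otherwise those rules cannot be loaded.
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	select NETFILTER_FAMILY_ARP
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# Review note: this lets rules rewrite the addresses carried in ARP packets;
# the help text gives no module or "If unsure" guidance.
config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu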