#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	depends on NETFILTER_ADVANCED
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	default m if NETFILTER_ADVANCED=n
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_NAT_IPV4

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through.  This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here.  If unsure, say N.

endif

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables
	  mangle table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
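The `&&` rule quoted in the comment before NF_NAT_PROTO_GRE decides whether promptless helpers such as NF_NAT_PPTP get built at all. The evaluator below is an added example, not part of the kernel source, for checking what such a symbol resolves to under a given configuration. The function names and `SAMPLE` are hypothetical, and the model ignores `select` and the MODULES symbol.

```python
import re

TRI = {"n": 0, "m": 1, "y": 2}            # Kconfig ordering: n < m < y
NAME = {v: k for k, v in TRI.items()}
TOKEN = re.compile(r"\s*(&&|\|\||!=|=|!|\(|\)|\w+)")

def evaluate(expr, config):
    """Evaluate a Kconfig tristate expression; unset symbols count as n."""
    tokens, pos = TOKEN.findall(expr), 0
    def peek():
        return tokens[pos] if pos < len(tokens) else None
    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]
    def value(sym):                        # constants n/m/y stand for themselves
        return sym if sym in TRI else config.get(sym, "n")
    def primary():
        tok = take()
        if tok == "(":
            result = or_expr()
            take()                         # consume ")"
            return result
        if tok == "!":
            return 2 - primary()           # !y = n, !m = m, !n = y
        if peek() in ("=", "!="):
            op, rhs = take(), take()
            return 2 if (value(tok) == value(rhs)) == (op == "=") else 0
        return TRI[value(tok)]
    def and_expr():                        # '&&' is min(), rule (6) in the file
        result = primary()
        while peek() == "&&":
            take()
            result = min(result, primary())
        return result
    def or_expr():                         # '||' is max()
        result = and_expr()
        while peek() == "||":
            take()
            result = max(result, and_expr())
        return result

    return NAME[or_expr()]

def promptless_value(default, depends, config):
    """Simplified model: the default capped by 'depends on'."""
    return evaluate(f"({default}) && ({depends})", config)

# Constructed configuration fragment, not taken from any real .config.
SAMPLE = {"NF_CONNTRACK": "y", "NF_NAT_IPV4": "y", "NF_CONNTRACK_PPTP": "m"}
```

With `SAMPLE`, NF_NAT_PPTP resolves to `m` because the weaker operand wins, and `NETFILTER_ADVANCED=n` evaluates to `y` when NETFILTER_ADVANCED is unset, which is what turns on the many `default m if NETFILTER_ADVANCED=n` entries in this file.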