1#
2# IP netfilter configuration
3#
4
5menu "IP: Netfilter Configuration"
6	depends on INET && NETFILTER
7
8config NF_DEFRAG_IPV4
9	tristate
10	default n
11
12config NF_CONNTRACK_IPV4
13	tristate "IPv4 connection tracking support (required for NAT)"
14	depends on NF_CONNTRACK
15	default m if NETFILTER_ADVANCED=n
16	select NF_DEFRAG_IPV4
17	---help---
18	  Connection tracking keeps a record of what packets have passed
19	  through your machine, in order to figure out how they are grouped
20	  into connections.
21
22	  This is IPv4 support for Layer 3 independent connection tracking.
23	  Layer 3 independent connection tracking is an experimental scheme
24	  which generalizes ip_conntrack to support other layer 3 protocols.
25
26	  To compile it as a module, choose M here.  If unsure, say N.
27
28config NF_CONNTRACK_PROC_COMPAT
29	bool "proc/sysctl compatibility with old connection tracking"
30	depends on NF_CONNTRACK_IPV4
31	default y
32	help
33	  This option enables /proc and sysctl compatibility with the old
34	  layer 3 dependent connection tracking. This is needed to keep
35	  old programs that have not been adapted to the new names working.
36
37	  If unsure, say Y.
38
39config IP_NF_QUEUE
40	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
41	depends on NETFILTER_ADVANCED
42	help
43	  Netfilter has the ability to queue packets to user space: the
44	  netlink device can be used to access them using this driver.
45
46	  This option enables the old IPv4-only "ip_queue" implementation
47	  which has been obsoleted by the new "nfnetlink_queue" code (see
48	  CONFIG_NETFILTER_NETLINK_QUEUE).
49
50	  To compile it as a module, choose M here.  If unsure, say N.
51
52config IP_NF_IPTABLES
53	tristate "IP tables support (required for filtering/masq/NAT)"
54	default m if NETFILTER_ADVANCED=n
55	select NETFILTER_XTABLES
56	help
57	  iptables is a general, extensible packet identification framework.
58	  The packet filtering and full NAT (masquerading, port forwarding,
59	  etc) subsystems now use this: say `Y' or `M' here if you want to use
60	  either of those.
61
62	  To compile it as a module, choose M here.  If unsure, say N.
63
64if IP_NF_IPTABLES
65
66# The matches.
67config IP_NF_MATCH_AH
68	tristate '"ah" match support'
69	depends on NETFILTER_ADVANCED
70	help
71	  This match extension allows you to match a range of SPIs
72	  inside the AH header of IPsec packets.
73
74	  To compile it as a module, choose M here.  If unsure, say N.
75
76config IP_NF_MATCH_ECN
77	tristate '"ecn" match support'
78	depends on NETFILTER_ADVANCED
79	help
80	  This option adds an `ECN' match, which allows you to match against
81	  the IPv4 and TCP header ECN fields.
82
83	  To compile it as a module, choose M here.  If unsure, say N.
84
85config IP_NF_MATCH_TTL
86	tristate '"ttl" match support'
87	depends on NETFILTER_ADVANCED
88	select NETFILTER_XT_MATCH_HL
89	---help---
90	This is a backwards-compat option for the user's convenience
91	(e.g. when running oldconfig). It selects
92	CONFIG_NETFILTER_XT_MATCH_HL.
93
94# `filter', generic and specific targets
95config IP_NF_FILTER
96	tristate "Packet filtering"
97	default m if NETFILTER_ADVANCED=n
98	help
99	  Packet filtering defines a table `filter', which has a series of
100	  rules for simple packet filtering at local input, forwarding and
101	  local output.  See the man page for iptables(8).
102
103	  To compile it as a module, choose M here.  If unsure, say N.
104
105config IP_NF_TARGET_REJECT
106	tristate "REJECT target support"
107	depends on IP_NF_FILTER
108	default m if NETFILTER_ADVANCED=n
109	help
110	  The REJECT target allows a filtering rule to specify that an ICMP
111	  error should be issued in response to an incoming packet, rather
112	  than silently being dropped.
113
114	  To compile it as a module, choose M here.  If unsure, say N.
115
116config IP_NF_TARGET_LOG
117	tristate "LOG target support"
118	default m if NETFILTER_ADVANCED=n
119	help
120	  This option adds a `LOG' target, which allows you to create rules in
121	  any iptables table which record the packet header to the syslog.
122
123	  To compile it as a module, choose M here.  If unsure, say N.
124
125config IP_NF_TARGET_ULOG
126	tristate "ULOG target support"
127	default m if NETFILTER_ADVANCED=n
128	---help---
129
130	  This option enables the old IPv4-only "ipt_ULOG" implementation
131	  which has been obsoleted by the new "nfnetlink_log" code (see
132	  CONFIG_NETFILTER_NETLINK_LOG).
133
134	  This option adds a `ULOG' target, which allows you to create rules in
135	  any iptables table. The packet is passed to a userspace logging
136	  daemon using netlink multicast sockets, unlike the LOG target,
137	  whose output can only be viewed through syslog.
138
139	  The appropriate userspace logging daemon (ulogd) may be obtained from
140	  <http://www.netfilter.org/projects/ulogd/index.html>
141
142	  To compile it as a module, choose M here.  If unsure, say N.
143
144# NAT + specific targets: nf_conntrack
145config NF_NAT
146	tristate "Full NAT"
147	depends on NF_CONNTRACK_IPV4
148	default m if NETFILTER_ADVANCED=n
149	help
150	  The Full NAT option allows masquerading, port forwarding and other
151	  forms of full Network Address Port Translation.  It is controlled by
152	  the `nat' table in iptables: see the man page for iptables(8).
153
154	  To compile it as a module, choose M here.  If unsure, say N.
155
156config NF_NAT_NEEDED
157	bool
158	depends on NF_NAT
159	default y
160
161config IP_NF_TARGET_MASQUERADE
162	tristate "MASQUERADE target support"
163	depends on NF_NAT
164	default m if NETFILTER_ADVANCED=n
165	help
166	  Masquerading is a special case of NAT: all outgoing connections are
167	  changed to seem to come from a particular interface's address, and
168	  if the interface goes down, those connections are lost.  This is
169	  only useful for dialup accounts with dynamic IP address (i.e. your IP
170	  address will be different on next dialup).
171
172	  To compile it as a module, choose M here.  If unsure, say N.
173
174config IP_NF_TARGET_NETMAP
175	tristate "NETMAP target support"
176	depends on NF_NAT
177	depends on NETFILTER_ADVANCED
178	help
179	  NETMAP is an implementation of static 1:1 NAT mapping of network
180	  addresses. It maps the network address part, while keeping the host
181	  address part intact.
182
183	  To compile it as a module, choose M here.  If unsure, say N.
184
185config IP_NF_TARGET_REDIRECT
186	tristate "REDIRECT target support"
187	depends on NF_NAT
188	depends on NETFILTER_ADVANCED
189	help
190	  REDIRECT is a special case of NAT: all incoming connections are
191	  mapped onto the incoming interface's address, causing the packets to
192	  come to the local machine instead of passing through.  This is
193	  useful for transparent proxies.
194
195	  To compile it as a module, choose M here.  If unsure, say N.
196
197config NF_NAT_SNMP_BASIC
198	tristate "Basic SNMP-ALG support"
199	depends on NF_CONNTRACK_SNMP && NF_NAT
200	depends on NETFILTER_ADVANCED
201	default NF_NAT && NF_CONNTRACK_SNMP
202	---help---
203
204	  This module implements an Application Layer Gateway (ALG) for
205	  SNMP payloads.  In conjunction with NAT, it allows a network
206	  management system to access multiple private networks with
207	  conflicting addresses.  It works by modifying IP addresses
208	  inside SNMP payloads to match IP-layer NAT mapping.
209
210	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.
211
212	  To compile it as a module, choose M here.  If unsure, say N.
213
214# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
215# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
216# From kconfig-language.txt:
217#
218#           <expr> '&&' <expr>                   (6)
219#
220# (6) Returns the result of min(/expr/, /expr/).
221config NF_NAT_PROTO_DCCP
222	tristate
223	depends on NF_NAT && NF_CT_PROTO_DCCP
224	default NF_NAT && NF_CT_PROTO_DCCP
225
226config NF_NAT_PROTO_GRE
227	tristate
228	depends on NF_NAT && NF_CT_PROTO_GRE
229
230config NF_NAT_PROTO_UDPLITE
231	tristate
232	depends on NF_NAT && NF_CT_PROTO_UDPLITE
233	default NF_NAT && NF_CT_PROTO_UDPLITE
234
235config NF_NAT_PROTO_SCTP
236	tristate
237	default NF_NAT && NF_CT_PROTO_SCTP
238	depends on NF_NAT && NF_CT_PROTO_SCTP
239	select LIBCRC32C
240
241config NF_NAT_FTP
242	tristate
243	depends on NF_CONNTRACK && NF_NAT
244	default NF_NAT && NF_CONNTRACK_FTP
245
246config NF_NAT_IRC
247	tristate
248	depends on NF_CONNTRACK && NF_NAT
249	default NF_NAT && NF_CONNTRACK_IRC
250
251config NF_NAT_TFTP
252	tristate
253	depends on NF_CONNTRACK && NF_NAT
254	default NF_NAT && NF_CONNTRACK_TFTP
255
256config NF_NAT_AMANDA
257	tristate
258	depends on NF_CONNTRACK && NF_NAT
259	default NF_NAT && NF_CONNTRACK_AMANDA
260
261config NF_NAT_PPTP
262	tristate
263	depends on NF_CONNTRACK && NF_NAT
264	default NF_NAT && NF_CONNTRACK_PPTP
265	select NF_NAT_PROTO_GRE
266
267config NF_NAT_H323
268	tristate
269	depends on NF_CONNTRACK && NF_NAT
270	default NF_NAT && NF_CONNTRACK_H323
271
272config NF_NAT_SIP
273	tristate
274	depends on NF_CONNTRACK && NF_NAT
275	default NF_NAT && NF_CONNTRACK_SIP
276
277# mangle + specific targets
278config IP_NF_MANGLE
279	tristate "Packet mangling"
280	default m if NETFILTER_ADVANCED=n
281	help
282	  This option adds a `mangle' table to iptables: see the man page for
283	  iptables(8).  This table is used for various packet alterations
284	  which can affect how the packet is routed.
285
286	  To compile it as a module, choose M here.  If unsure, say N.
287
288config IP_NF_TARGET_CLUSTERIP
289	tristate "CLUSTERIP target support (EXPERIMENTAL)"
290	depends on IP_NF_MANGLE && EXPERIMENTAL
291	depends on NF_CONNTRACK_IPV4
292	depends on NETFILTER_ADVANCED
293	select NF_CONNTRACK_MARK
294	help
295	  The CLUSTERIP target allows you to build load-balancing clusters of
296	  network servers without having a dedicated load-balancing
297	  router/server/switch.
298
299	  To compile it as a module, choose M here.  If unsure, say N.
300
301config IP_NF_TARGET_ECN
302	tristate "ECN target support"
303	depends on IP_NF_MANGLE
304	depends on NETFILTER_ADVANCED
305	---help---
306	  This option adds an `ECN' target, which can be used in the iptables mangle
307	  table.
308
309	  You can use this target to remove the ECN bits from the IPv4 header of
310	  an IP packet.  This is particularly useful, if you need to work around
311	  existing ECN blackholes on the internet, but don't want to disable
312	  ECN support in general.
313
314	  To compile it as a module, choose M here.  If unsure, say N.
315
316config IP_NF_TARGET_TTL
317	tristate '"TTL" target support'
318	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
319	select NETFILTER_XT_TARGET_HL
320	---help---
321	This is a backwards-compatible option for the user's convenience
322	(e.g. when running oldconfig). It selects
323	CONFIG_NETFILTER_XT_TARGET_HL.
324
325# raw + specific targets
326config IP_NF_RAW
327	tristate  'raw table support (required for NOTRACK/TRACE)'
328	depends on NETFILTER_ADVANCED
329	help
330	  This option adds a `raw' table to iptables. This table is the very
331	  first in the netfilter framework and hooks in at the PREROUTING
332	  and OUTPUT chains.
333
334	  If you want to compile it as a module, say M here and read
335	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
336
337# security table for MAC policy
338config IP_NF_SECURITY
339	tristate "Security table"
340	depends on SECURITY
341	depends on NETFILTER_ADVANCED
342	help
343	  This option adds a `security' table to iptables, for use
344	  with Mandatory Access Control (MAC) policy.
345
346	  If unsure, say N.
347
348endif # IP_NF_IPTABLES
349
350# ARP tables
351config IP_NF_ARPTABLES
352	tristate "ARP tables support"
353	select NETFILTER_XTABLES
354	depends on NETFILTER_ADVANCED
355	help
356	  arptables is a general, extensible packet identification framework.
357	  The ARP packet filtering and mangling (manipulation) subsystems
358	  use this: say Y or M here if you want to use either of those.
359
360	  To compile it as a module, choose M here.  If unsure, say N.
361
362if IP_NF_ARPTABLES
363
364config IP_NF_ARPFILTER
365	tristate "ARP packet filtering"
366	help
367	  ARP packet filtering defines a table `filter', which has a series of
368	  rules for simple ARP packet filtering at local input and
369	  local output.  On a bridge, you can also specify filtering rules
370	  for forwarded ARP packets. See the man page for arptables(8).
371
372	  To compile it as a module, choose M here.  If unsure, say N.
373
374config IP_NF_ARP_MANGLE
375	tristate "ARP payload mangling"
376	help
377	  Allows altering the ARP packet payload: source and destination
378	  hardware and network addresses.
379
380endif # IP_NF_ARPTABLES
381
382endmenu