1# 2# IP netfilter configuration 3# 4 5menu "IP: Netfilter Configuration" 6 depends on INET && NETFILTER 7 8config NF_DEFRAG_IPV4 9 tristate 10 default n 11 12config NF_CONNTRACK_IPV4 13 tristate "IPv4 connection tracking support (required for NAT)" 14 depends on NF_CONNTRACK 15 default m if NETFILTER_ADVANCED=n 16 select NF_DEFRAG_IPV4 17 ---help--- 18 Connection tracking keeps a record of what packets have passed 19 through your machine, in order to figure out how they are related 20 into connections. 21 22 This is the IPv4 support for the layer 3 independent connection tracking. 23 Layer 3 independent connection tracking is an experimental scheme 24 which generalizes ip_conntrack to support other layer 3 protocols. 25 26 To compile it as a module, choose M here. If unsure, say N. 27 28config NF_CONNTRACK_PROC_COMPAT 29 bool "proc/sysctl compatibility with old connection tracking" 30 depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4 31 default y 32 help 33 This option enables /proc and sysctl compatibility with the old 34 layer 3 dependent connection tracking. This is needed to keep 35 old programs that have not been adapted to the new names working. 36 37 If unsure, say Y. 38 39config NF_TABLES_IPV4 40 depends on NF_TABLES 41 tristate "IPv4 nf_tables support" 42 help 43 This option enables the IPv4 support for nf_tables. 44 45config NFT_CHAIN_ROUTE_IPV4 46 depends on NF_TABLES_IPV4 47 tristate "IPv4 nf_tables route chain support" 48 help 49 This option enables the "route" chain for IPv4 in nf_tables. This 50 chain type is used to force packet re-routing after mangling header 51 fields such as the source, destination, type of service and 52 the packet mark. 53 54config NFT_CHAIN_NAT_IPV4 55 depends on NF_TABLES_IPV4 56 depends on NF_NAT_IPV4 && NFT_NAT 57 tristate "IPv4 nf_tables nat chain support" 58 help 59 This option enables the "nat" chain for IPv4 in nf_tables. 
This 60 chain type is used to perform Network Address Translation (NAT) 61 packet transformations such as rewriting the source or destination address and 62 the source or destination ports. 63 64config NFT_REJECT_IPV4 65 depends on NF_TABLES_IPV4 66 default NFT_REJECT 67 tristate 68 69config NF_TABLES_ARP 70 depends on NF_TABLES 71 tristate "ARP nf_tables support" 72 help 73 This option enables the ARP support for nf_tables. 74 75config IP_NF_IPTABLES 76 tristate "IP tables support (required for filtering/masq/NAT)" 77 default m if NETFILTER_ADVANCED=n 78 select NETFILTER_XTABLES 79 help 80 iptables is a general, extensible packet identification framework. 81 The packet filtering and full NAT (masquerading, port forwarding, 82 etc) subsystems now use this: say `Y' or `M' here if you want to use 83 either of those. 84 85 To compile it as a module, choose M here. If unsure, say N. 86 87if IP_NF_IPTABLES 88 89# The matches. 90config IP_NF_MATCH_AH 91 tristate '"ah" match support' 92 depends on NETFILTER_ADVANCED 93 help 94 This match extension allows you to match a range of SPIs 95 inside the AH header of IPsec packets. 96 97 To compile it as a module, choose M here. If unsure, say N. 98 99config IP_NF_MATCH_ECN 100 tristate '"ecn" match support' 101 depends on NETFILTER_ADVANCED 102 select NETFILTER_XT_MATCH_ECN 103 ---help--- 104 This is a backwards-compat option for the user's convenience 105 (e.g. when running oldconfig). It selects 106 CONFIG_NETFILTER_XT_MATCH_ECN. 107 108config IP_NF_MATCH_RPFILTER 109 tristate '"rpfilter" reverse path filter match support' 110 depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW) 111 ---help--- 112 This option allows you to match packets whose replies would 113 go out via the interface the packet came in on. Its inverse is typically used from the raw or mangle table to drop packets with spoofed source addresses (reverse path filtering). 114 115 To compile it as a module, choose M here. If unsure, say N. 116 The module will be called ipt_rpfilter. 
117 118config IP_NF_MATCH_TTL 119 tristate '"ttl" match support' 120 depends on NETFILTER_ADVANCED 121 select NETFILTER_XT_MATCH_HL 122 ---help--- 123 This is a backwards-compat option for the user's convenience 124 (e.g. when running oldconfig). It selects 125 CONFIG_NETFILTER_XT_MATCH_HL. 126 127# `filter', generic and specific targets 128config IP_NF_FILTER 129 tristate "Packet filtering" 130 default m if NETFILTER_ADVANCED=n 131 help 132 Packet filtering defines a table `filter', which has a series of 133 rules for simple packet filtering at local input, forwarding and 134 local output. See the man page for iptables(8). 135 136 To compile it as a module, choose M here. If unsure, say N. 137 138config IP_NF_TARGET_REJECT 139 tristate "REJECT target support" 140 depends on IP_NF_FILTER 141 default m if NETFILTER_ADVANCED=n 142 help 143 The REJECT target allows a filtering rule to specify that an ICMP 144 error should be issued in response to an incoming packet, rather 145 than the packet being silently dropped. 146 147 To compile it as a module, choose M here. If unsure, say N. 148 149config IP_NF_TARGET_SYNPROXY 150 tristate "SYNPROXY target support" 151 depends on NF_CONNTRACK && NETFILTER_ADVANCED 152 select NETFILTER_SYNPROXY 153 select SYN_COOKIES 154 help 155 The SYNPROXY target allows you to intercept TCP connections and 156 establish them using syncookies before they are passed on to the 157 server. This avoids conntrack and server resource usage 158 during SYN-flood attacks. 159 160 To compile it as a module, choose M here. If unsure, say N. 
161 162config NF_LOG_IPV4 163 tristate "IPv4 packet logging" 164 default m if NETFILTER_ADVANCED=n 165 select NF_LOG_COMMON help This option enables packet logging support for IPv4, built on the common netfilter logging backend (NF_LOG_COMMON). To compile it as a module, choose M here. If unsure, say N. 166 167# NAT + specific targets: nf_conntrack 168config NF_NAT_IPV4 169 tristate "IPv4 NAT" 170 depends on NF_CONNTRACK_IPV4 171 default m if NETFILTER_ADVANCED=n 172 select NF_NAT 173 help 174 The IPv4 NAT option allows masquerading, port forwarding and other 175 forms of full Network Address Port Translation. It is controlled by 176 the `nat' table in iptables: see the man page for iptables(8). 177 178 To compile it as a module, choose M here. If unsure, say N. 179 180if NF_NAT_IPV4 181 182config IP_NF_TARGET_MASQUERADE 183 tristate "MASQUERADE target support" 184 default m if NETFILTER_ADVANCED=n 185 help 186 Masquerading is a special case of NAT: all outgoing connections are 187 changed to seem to come from a particular interface's address, and 188 if the interface goes down, those connections are lost. This is 189 only useful for dialup accounts with a dynamic IP address (i.e. your IP 190 address will be different on the next dialup). 191 192 To compile it as a module, choose M here. If unsure, say N. 193 194config IP_NF_TARGET_NETMAP 195 tristate "NETMAP target support" 196 depends on NETFILTER_ADVANCED 197 select NETFILTER_XT_TARGET_NETMAP 198 ---help--- 199 This is a backwards-compat option for the user's convenience 200 (e.g. when running oldconfig). It selects 201 CONFIG_NETFILTER_XT_TARGET_NETMAP. 202 203config IP_NF_TARGET_REDIRECT 204 tristate "REDIRECT target support" 205 depends on NETFILTER_ADVANCED 206 select NETFILTER_XT_TARGET_REDIRECT 207 ---help--- 208 This is a backwards-compat option for the user's convenience 209 (e.g. when running oldconfig). It selects 210 CONFIG_NETFILTER_XT_TARGET_REDIRECT. 
211 212endif 213 214config NF_NAT_SNMP_BASIC 215 tristate "Basic SNMP-ALG support" 216 depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4 217 depends on NETFILTER_ADVANCED 218 default NF_NAT && NF_CONNTRACK_SNMP 219 ---help--- 220 221 This module implements an Application Layer Gateway (ALG) for 222 SNMP payloads. In conjunction with NAT, it allows a network 223 management system to access multiple private networks with 224 conflicting addresses. It works by modifying IP addresses 225 inside SNMP payloads to match IP-layer NAT mapping. Because this parses SNMP payloads inside the kernel, enable it only if you actually need SNMP to traverse NAT. 226 227 This is the "basic" form of SNMP-ALG, as described in RFC 2962. 228 229 To compile it as a module, choose M here. If unsure, say N. 230 231# The NAT helpers below default to NF_NAT_IPV4 (m or y) or the matching 232# conntrack helper (m or y), whichever is weaker. 233# From kconfig-language.txt: 234# 235# <expr> '&&' <expr> (6) 236# 237# (6) Returns the result of min(/expr/, /expr/). 238 239config NF_NAT_PROTO_GRE 240 tristate 241 depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE 242 243config NF_NAT_PPTP 244 tristate 245 depends on NF_CONNTRACK && NF_NAT_IPV4 246 default NF_NAT_IPV4 && NF_CONNTRACK_PPTP 247 select NF_NAT_PROTO_GRE 248 249config NF_NAT_H323 250 tristate 251 depends on NF_CONNTRACK && NF_NAT_IPV4 252 default NF_NAT_IPV4 && NF_CONNTRACK_H323 253 254# mangle + specific targets 255config IP_NF_MANGLE 256 tristate "Packet mangling" 257 default m if NETFILTER_ADVANCED=n 258 help 259 This option adds a `mangle' table to iptables: see the man page for 260 iptables(8). This table is used for various packet alterations 261 which can affect how the packet is routed. 262 263 To compile it as a module, choose M here. If unsure, say N. 
264 265config IP_NF_TARGET_CLUSTERIP 266 tristate "CLUSTERIP target support" 267 depends on IP_NF_MANGLE 268 depends on NF_CONNTRACK_IPV4 269 depends on NETFILTER_ADVANCED 270 select NF_CONNTRACK_MARK 271 help 272 The CLUSTERIP target allows you to build load-balancing clusters of 273 network servers without having a dedicated load-balancing 274 router/server/switch. 275 276 To compile it as a module, choose M here. If unsure, say N. 277 278config IP_NF_TARGET_ECN 279 tristate "ECN target support" 280 depends on IP_NF_MANGLE 281 depends on NETFILTER_ADVANCED 282 ---help--- 283 This option adds an `ECN' target, which can be used in the iptables mangle 284 table. 285 286 You can use this target to remove the ECN bits from the IPv4 header of 287 an IP packet. This is particularly useful if you need to work around 288 existing ECN blackholes on the internet, but don't want to disable 289 ECN support in general. 290 291 To compile it as a module, choose M here. If unsure, say N. 292 293config IP_NF_TARGET_TTL 294 tristate '"TTL" target support' 295 depends on NETFILTER_ADVANCED && IP_NF_MANGLE 296 select NETFILTER_XT_TARGET_HL 297 ---help--- 298 This is a backwards-compatible option for the user's convenience 299 (e.g. when running oldconfig). It selects 300 CONFIG_NETFILTER_XT_TARGET_HL. 301 302# raw + specific targets 303config IP_NF_RAW 304 tristate 'raw table support (required for NOTRACK/TRACE)' 305 help 306 This option adds a `raw' table to iptables. This table is the very 307 first in the netfilter framework and hooks in at the PREROUTING 308 and OUTPUT chains, before connection tracking runs. 309 310 If you want to compile it as a module, say M here and read 311 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 312 313# security table for MAC policy 314config IP_NF_SECURITY 315 tristate "Security table" 316 depends on SECURITY 317 depends on NETFILTER_ADVANCED 318 help 319 This option adds a `security' table to iptables, for use 320 with Mandatory Access Control (MAC) policy. 
321 322 If unsure, say N. 323 324endif # IP_NF_IPTABLES 325 326# ARP tables 327config IP_NF_ARPTABLES 328 tristate "ARP tables support" 329 select NETFILTER_XTABLES 330 depends on NETFILTER_ADVANCED 331 help 332 arptables is a general, extensible packet identification framework. 333 The ARP packet filtering and mangling (manipulation) subsystems 334 use this: say Y or M here if you want to use either of those. 335 336 To compile it as a module, choose M here. If unsure, say N. 337 338if IP_NF_ARPTABLES 339 340config IP_NF_ARPFILTER 341 tristate "ARP packet filtering" 342 help 343 ARP packet filtering defines a table `filter', which has a series of 344 rules for simple ARP packet filtering at local input and 345 local output. On a bridge, you can also specify filtering rules 346 for forwarded ARP packets. See the man page for arptables(8). 347 348 To compile it as a module, choose M here. If unsure, say N. 349 350config IP_NF_ARP_MANGLE 351 tristate "ARP payload mangling" 352 help 353 Allows altering the ARP packet payload: source and destination 354 hardware and network addresses. 355 356endif # IP_NF_ARPTABLES 357 358endmenu 359 360