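#
# IP netfilter configuration
#
# Kconfig for the IPv4 and ARP parts of netfilter: connection tracking,
# NAT and its helpers, nf_tables support, and the iptables/arptables
# tables with their matches and targets.
#
# Several options below are labelled "backwards-compat": they exist only
# to select their generic NETFILTER_XT_* replacement so that old .config
# files keep working when run through oldconfig.
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# Internal symbol (no prompt); pulled in by NF_CONNTRACK_IPV4 below.
config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are grouped
	  into connections.

	  This is the IPv4 support for Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

# Keeps the old /proc and sysctl names alive for userspace that has not
# moved to the layer-3 independent names; defaults to Y for compatibility.
config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_TABLES_IPV4
	depends on NF_TABLES
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	depends on NF_NAT_IPV4 && NFT_NAT
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

# No prompt: follows the generic NFT_REJECT setting automatically.
config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4
	default NFT_REJECT
	tristate

config NF_TABLES_ARP
	depends on NF_TABLES
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

# An Application Layer Gateway rewrites application-layer payload inside
# the kernel to keep it consistent with the NAT mapping. That means extra
# in-kernel parsing of traffic passing the NAT, so only enable it where
# SNMP management traffic really has to cross this box. Note that the
# default turns it on whenever NF_NAT and NF_CONNTRACK_SNMP are both set.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT counterparts of the GRE/PPTP and H.323 conntrack helpers. They have
# no prompt; NF_NAT_PPTP and NF_NAT_H323 default to the value of the
# matching conntrack helper, and PPTP additionally needs GRE NAT.
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

# Reverse path filtering (anti-spoofing) match: a packet matches only if the
# reply to its source address would leave through the interface it arrived
# on. It is used from the mangle or raw table, hence the dependency.
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in on.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

# SYN-flood mitigation: the handshake is answered with syncookies and only
# completed connections are handed to the real server, which is why
# SYN_COOKIES is selected here rather than left to the user.
config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

# Needs the conntrack mark (NF_CONNTRACK_MARK) to remember which node of
# the cluster owns a given connection.
config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
# The raw table is consulted before connection tracking, which is what makes
# NOTRACK possible. Flows exempted that way are never seen by conntrack, so
# conntrack-based features such as NAT will not apply to them.
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu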