#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are grouped
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

if NF_TABLES

config NF_TABLES_IPV4
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NFT_REJECT_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g.
	  when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in on.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server.
	  This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables.
	  This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu