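#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

# Prerequisite for every IPv4 NAT option below: both NF_NAT_IPV4 and
# IP_NF_NAT declare "depends on NF_CONNTRACK_IPV4".
config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_SOCKET_IPV4
	tristate "IPv4 socket lookup support"
	help
	  This option enables the IPv4 socket lookup infrastructure. This
	  is required by the iptables socket match.

if NF_TABLES

config NF_TABLES_IPV4
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

# No prompt: this symbol follows NFT_REJECT's value and pulls in the
# NF_REJECT_IPV4 core defined further down in this file.
config NFT_REJECT_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

# NOTE(review): "!NF_CONNTRACK || NF_CONNTRACK" is presumably the Kconfig
# idiom that prevents this symbol from being built-in (=y) while
# NF_CONNTRACK is a module; NF_DUP_IPV4 below carries the same line.
config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.

config NFT_FIB_IPV4
	select NFT_FIB
	tristate "nf_tables fib / ip route lookup support"
	help
	  This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	tristate "ARP nf_tables support"
	select NETFILTER_FAMILY_ARP
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_FLOW_TABLE_IPV4
	select NF_FLOW_TABLE
	tristate "Netfilter flow table IPv4 module"
	help
	  This option adds the flow table IPv4 support.

	  To compile it as a module, choose M here.

config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.

# ALG that parses and rewrites addresses inside SNMP payloads on the NAT
# path; only offered under NETFILTER_ADVANCED, and defaults to on when
# NF_NAT and NF_CONNTRACK_SNMP are both enabled.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

# Backwards-compat alias: the implementation lives in the
# NETFILTER_XT_MATCH_* symbol it selects (same for IP_NF_MATCH_TTL).
config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

# Only offered when the mangle or raw table is built (see the second
# "depends on" line).
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

# Pulls in SYN_COOKIES: the proxy completes the client handshake with
# syncookies before the server (and conntrack) see the connection.
config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate  'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	select NETFILTER_FAMILY_ARP
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu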