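#
# IP netfilter configuration
#
# IPv4- and ARP-specific netfilter options: connection tracking, NAT and
# its protocol helpers (ALGs), the iptables tables/matches/targets, the
# IPv4/ARP nf_tables chain types, and arptables. Symbols without a prompt
# string are hidden and only reached through `select`/`default` from the
# symbols that need them.
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# Hidden symbol: pulled in via `select` by NF_CONNTRACK_IPV4 below.
config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

# Legacy compatibility only: keeps the pre-nf_conntrack /proc and sysctl
# names alive for tools that were never updated. Defaults to y, so hardened
# builds that do not need the old names can turn it off explicitly.
config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

# Packet-logging backends (shared code lives in NF_LOG_COMMON). Logging is
# driven by rules; rate limiting of log output is a rule-level concern and
# is not configured here.
config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_TABLES_IPV4
	depends on NF_TABLES
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	depends on NF_NAT_IPV4 && NFT_NAT
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

# Hidden symbol: follows the generic NFT_REJECT setting.
config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4
	default NFT_REJECT
	tristate

config NF_TABLES_ARP
	depends on NF_TABLES
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility shim: only selects the generic xtables symbol so that
# `make oldconfig` keeps working with old .config files.
config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

# Anti-spoofing (reverse-path) match. Note the dependency: it is only
# offered when the mangle or raw table is built, presumably because those
# are the tables the match is meant to be used from.
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

# Compatibility shim for the generic "hl" match.
config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

# SYN-flood mitigation. Selects SYN_COOKIES because the proxied handshake
# is completed with syncookies; it still depends on NF_CONNTRACK even though
# its purpose is to keep flood traffic out of the conntrack table.
config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

if NF_NAT_IPV4

# Shared masquerade core, selected by both the iptables MASQUERADE target
# and the nf_tables masq expression below.
config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  mainly useful for interfaces with a dynamically assigned IP address
	  (e.g. dialup or DHCP uplinks), where the address may differ each
	  time the link comes up.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility shims for the generic NETMAP and REDIRECT targets.
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif

# NOTE(review): an ALG rewrites addresses inside SNMP payloads, which means
# the kernel interprets application-layer data from any host that can reach
# the NAT box. Treat it as additional attack surface and enable it only
# where a NAT'd management station actually needs it; it is already gated
# behind NETFILTER_ADVANCED and only defaults on together with
# NF_CONNTRACK_SNMP.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT helpers for protocols that carry addresses/ports in their payload.
# They are hidden symbols driven by `default NF_NAT_IPV4 && <conntrack helper>`;
# per kconfig-language.txt, `<expr> '&&' <expr>` evaluates to
# min(expr, expr), so each helper is built no stronger (y/m) than the weaker
# of IPv4 NAT and its conntrack counterpart. (An older version of this
# comment referred to CONFIG_IP_NF_NAT / CONFIG_IP_NF_FTP, which are not
# defined in this file.)
#
# NOTE(review): like the SNMP ALG above, these helpers parse and rewrite
# protocol payloads in kernel context; they are enabled only indirectly,
# through NF_CONNTRACK_PPTP / NF_CONNTRACK_H323.
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# Needs conntrack (and selects NF_CONNTRACK_MARK) to keep flows pinned to
# one node. NOTE(review): upstream has since flagged CLUSTERIP as
# deprecated in newer kernels -- confirm against the kernel version in use
# before depending on it.
config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility shim for the generic HL target.
config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
# The raw table is the first one traversed (see help text), which is what
# lets NOTRACK exempt packets from connection tracking.
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
# Gated on SECURITY (LSM support); presumably the table where LSM-aware
# labelling targets are placed -- confirm against the LSM in use.
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): rewriting ARP sender/target addresses is a legitimate
# administrative capability but is also exactly what ARP spoofing does;
# audit any arptables rules that use it.
config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu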