1#
2# IP netfilter configuration
3#
4
5menu "IP: Netfilter Configuration"
6	depends on INET && NETFILTER
7
8config NF_DEFRAG_IPV4
9	tristate
10	default n
11
12config NF_CONNTRACK_IPV4
13	tristate "IPv4 connection tracking support (required for NAT)"
14	depends on NF_CONNTRACK
15	default m if NETFILTER_ADVANCED=n
16	select NF_DEFRAG_IPV4
17	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are grouped
	  into connections.
21
	  This is the IPv4 part of layer-3-independent connection tracking.
	  Layer-3-independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.
25
26	  To compile it as a module, choose M here.  If unsure, say N.
27
28if NF_TABLES
29
30config NF_TABLES_IPV4
31	tristate "IPv4 nf_tables support"
32	help
33	  This option enables the IPv4 support for nf_tables.
34
35if NF_TABLES_IPV4
36
37config NFT_CHAIN_ROUTE_IPV4
38	tristate "IPv4 nf_tables route chain support"
39	help
40	  This option enables the "route" chain for IPv4 in nf_tables. This
41	  chain type is used to force packet re-routing after mangling header
42	  fields such as the source, destination, type of service and
43	  the packet mark.
44
45config NFT_REJECT_IPV4
46	select NF_REJECT_IPV4
47	default NFT_REJECT
48	tristate
49
50config NFT_DUP_IPV4
51	tristate "IPv4 nf_tables packet duplication support"
52	depends on !NF_CONNTRACK || NF_CONNTRACK
53	select NF_DUP_IPV4
54	help
55	  This module enables IPv4 packet duplication support for nf_tables.
56
57endif # NF_TABLES_IPV4
58
59config NF_TABLES_ARP
60	tristate "ARP nf_tables support"
61	help
62	  This option enables the ARP support for nf_tables.
63
64endif # NF_TABLES
65
66config NF_DUP_IPV4
67	tristate "Netfilter IPv4 packet duplication to alternate destination"
68	depends on !NF_CONNTRACK || NF_CONNTRACK
69	help
70	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
71	  packet to be rerouted to another destination.
72
73config NF_LOG_ARP
74	tristate "ARP packet logging"
75	default m if NETFILTER_ADVANCED=n
76	select NF_LOG_COMMON
77
78config NF_LOG_IPV4
79	tristate "IPv4 packet logging"
80	default m if NETFILTER_ADVANCED=n
81	select NF_LOG_COMMON
82
83config NF_REJECT_IPV4
84	tristate "IPv4 packet rejection"
85	default m if NETFILTER_ADVANCED=n
86
87config NF_NAT_IPV4
88	tristate "IPv4 NAT"
89	depends on NF_CONNTRACK_IPV4
90	default m if NETFILTER_ADVANCED=n
91	select NF_NAT
92	help
93	  The IPv4 NAT option allows masquerading, port forwarding and other
94	  forms of full Network Address Port Translation. This can be
95	  controlled by iptables or nft.
96
97if NF_NAT_IPV4
98
99config NFT_CHAIN_NAT_IPV4
100	depends on NF_TABLES_IPV4
101	tristate "IPv4 nf_tables nat chain support"
102	help
103	  This option enables the "nat" chain for IPv4 in nf_tables. This
104	  chain type is used to perform Network Address Translation (NAT)
105	  packet transformations such as the source, destination address and
106	  source and destination ports.
107
108config NF_NAT_MASQUERADE_IPV4
109	tristate "IPv4 masquerade support"
110	help
111	  This is the kernel functionality to provide NAT in the masquerade
112	  flavour (automatic source address selection).
113
114config NFT_MASQ_IPV4
115	tristate "IPv4 masquerading support for nf_tables"
116	depends on NF_TABLES_IPV4
117	depends on NFT_MASQ
118	select NF_NAT_MASQUERADE_IPV4
119	help
120	  This is the expression that provides IPv4 masquerading support for
121	  nf_tables.
122
123config NFT_REDIR_IPV4
124	tristate "IPv4 redirect support for nf_tables"
125	depends on NF_TABLES_IPV4
126	depends on NFT_REDIR
127	select NF_NAT_REDIRECT
128	help
129	  This is the expression that provides IPv4 redirect support for
130	  nf_tables.
131
132config NF_NAT_SNMP_BASIC
133	tristate "Basic SNMP-ALG support"
134	depends on NF_CONNTRACK_SNMP
135	depends on NETFILTER_ADVANCED
136	default NF_NAT && NF_CONNTRACK_SNMP
137	---help---
138
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match the IP-layer NAT mapping.  Since
	  this means inspecting and rewriting SNMP payloads received from
	  the network inside the kernel, enable it only where the NAT
	  actually carries SNMP traffic.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.
146
147	  To compile it as a module, choose M here.  If unsure, say N.
148
149config NF_NAT_PROTO_GRE
150	tristate
151	depends on NF_CT_PROTO_GRE
152
153config NF_NAT_PPTP
154	tristate
155	depends on NF_CONNTRACK
156	default NF_CONNTRACK_PPTP
157	select NF_NAT_PROTO_GRE
158
159config NF_NAT_H323
160	tristate
161	depends on NF_CONNTRACK
162	default NF_CONNTRACK_H323
163
164endif # NF_NAT_IPV4
165
166config IP_NF_IPTABLES
167	tristate "IP tables support (required for filtering/masq/NAT)"
168	default m if NETFILTER_ADVANCED=n
169	select NETFILTER_XTABLES
170	help
171	  iptables is a general, extensible packet identification framework.
172	  The packet filtering and full NAT (masquerading, port forwarding,
173	  etc) subsystems now use this: say `Y' or `M' here if you want to use
174	  either of those.
175
176	  To compile it as a module, choose M here.  If unsure, say N.
177
178if IP_NF_IPTABLES
179
180# The matches.
181config IP_NF_MATCH_AH
182	tristate '"ah" match support'
183	depends on NETFILTER_ADVANCED
184	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.
187
188	  To compile it as a module, choose M here.  If unsure, say N.
189
190config IP_NF_MATCH_ECN
191	tristate '"ecn" match support'
192	depends on NETFILTER_ADVANCED
193	select NETFILTER_XT_MATCH_ECN
194	---help---
195	This is a backwards-compat option for the user's convenience
196	(e.g. when running oldconfig). It selects
197	CONFIG_NETFILTER_XT_MATCH_ECN.
198
199config IP_NF_MATCH_RPFILTER
200	tristate '"rpfilter" reverse path filter match support'
201	depends on NETFILTER_ADVANCED
202	depends on IP_NF_MANGLE || IP_NF_RAW
203	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in (a reverse-path
	  check, typically used to drop packets whose source address is
	  spoofed).
206
207	  To compile it as a module, choose M here.  If unsure, say N.
208	  The module will be called ipt_rpfilter.
209
210config IP_NF_MATCH_TTL
211	tristate '"ttl" match support'
212	depends on NETFILTER_ADVANCED
213	select NETFILTER_XT_MATCH_HL
214	---help---
215	This is a backwards-compat option for the user's convenience
216	(e.g. when running oldconfig). It selects
217	CONFIG_NETFILTER_XT_MATCH_HL.
218
219# `filter', generic and specific targets
220config IP_NF_FILTER
221	tristate "Packet filtering"
222	default m if NETFILTER_ADVANCED=n
223	help
224	  Packet filtering defines a table `filter', which has a series of
225	  rules for simple packet filtering at local input, forwarding and
226	  local output.  See the man page for iptables(8).
227
228	  To compile it as a module, choose M here.  If unsure, say N.
229
230config IP_NF_TARGET_REJECT
231	tristate "REJECT target support"
232	depends on IP_NF_FILTER
233	select NF_REJECT_IPV4
234	default m if NETFILTER_ADVANCED=n
235	help
236	  The REJECT target allows a filtering rule to specify that an ICMP
237	  error should be issued in response to an incoming packet, rather
238	  than silently being dropped.
239
240	  To compile it as a module, choose M here.  If unsure, say N.
241
242config IP_NF_TARGET_SYNPROXY
243	tristate "SYNPROXY target support"
244	depends on NF_CONNTRACK && NETFILTER_ADVANCED
245	select NETFILTER_SYNPROXY
246	select SYN_COOKIES
247	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage during
	  SYN-flood attacks.
252
253	  To compile it as a module, choose M here. If unsure, say N.
254
255# NAT + specific targets: nf_conntrack
256config IP_NF_NAT
257	tristate "iptables NAT support"
258	depends on NF_CONNTRACK_IPV4
259	default m if NETFILTER_ADVANCED=n
260	select NF_NAT
261	select NF_NAT_IPV4
262	select NETFILTER_XT_NAT
263	help
264	  This enables the `nat' table in iptables. This allows masquerading,
265	  port forwarding and other forms of full Network Address Port
266	  Translation.
267
268	  To compile it as a module, choose M here.  If unsure, say N.
269
270if IP_NF_NAT
271
272config IP_NF_TARGET_MASQUERADE
273	tristate "MASQUERADE target support"
274	select NF_NAT_MASQUERADE_IPV4
275	default m if NETFILTER_ADVANCED=n
276	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on the next dialup).
282
283	  To compile it as a module, choose M here.  If unsure, say N.
284
285config IP_NF_TARGET_NETMAP
286	tristate "NETMAP target support"
287	depends on NETFILTER_ADVANCED
288	select NETFILTER_XT_TARGET_NETMAP
289	---help---
290	This is a backwards-compat option for the user's convenience
291	(e.g. when running oldconfig). It selects
292	CONFIG_NETFILTER_XT_TARGET_NETMAP.
293
294config IP_NF_TARGET_REDIRECT
295	tristate "REDIRECT target support"
296	depends on NETFILTER_ADVANCED
297	select NETFILTER_XT_TARGET_REDIRECT
298	---help---
299	This is a backwards-compat option for the user's convenience
300	(e.g. when running oldconfig). It selects
301	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
302
303endif # IP_NF_NAT
304
305# mangle + specific targets
306config IP_NF_MANGLE
307	tristate "Packet mangling"
308	default m if NETFILTER_ADVANCED=n
309	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.
313
314	  To compile it as a module, choose M here.  If unsure, say N.
315
316config IP_NF_TARGET_CLUSTERIP
317	tristate "CLUSTERIP target support"
318	depends on IP_NF_MANGLE
319	depends on NF_CONNTRACK_IPV4
320	depends on NETFILTER_ADVANCED
321	select NF_CONNTRACK_MARK
322	help
323	  The CLUSTERIP target allows you to build load-balancing clusters of
324	  network servers without having a dedicated load-balancing
325	  router/server/switch.
326
327	  To compile it as a module, choose M here.  If unsure, say N.
328
329config IP_NF_TARGET_ECN
330	tristate "ECN target support"
331	depends on IP_NF_MANGLE
332	depends on NETFILTER_ADVANCED
333	---help---
	  This option adds an `ECN' target, which can be used in the iptables
	  mangle table.
336
337	  You can use this target to remove the ECN bits from the IPv4 header of
338	  an IP packet.  This is particularly useful, if you need to work around
339	  existing ECN blackholes on the internet, but don't want to disable
340	  ECN support in general.
341
342	  To compile it as a module, choose M here.  If unsure, say N.
343
344config IP_NF_TARGET_TTL
345	tristate '"TTL" target support'
346	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
347	select NETFILTER_XT_TARGET_HL
348	---help---
349	This is a backwards-compatible option for the user's convenience
350	(e.g. when running oldconfig). It selects
351	CONFIG_NETFILTER_XT_TARGET_HL.
352
353# raw + specific targets
354config IP_NF_RAW
355	tristate  'raw table support (required for NOTRACK/TRACE)'
356	help
357	  This option adds a `raw' table to iptables. This table is the very
358	  first in the netfilter framework and hooks in at the PREROUTING
359	  and OUTPUT chains.
360
361	  If you want to compile it as a module, say M here and read
362	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
363
364# security table for MAC policy
365config IP_NF_SECURITY
366	tristate "Security table"
367	depends on SECURITY
368	depends on NETFILTER_ADVANCED
369	help
370	  This option adds a `security' table to iptables, for use
371	  with Mandatory Access Control (MAC) policy.
372
373	  If unsure, say N.
374
375endif # IP_NF_IPTABLES
376
377# ARP tables
378config IP_NF_ARPTABLES
379	tristate "ARP tables support"
380	select NETFILTER_XTABLES
381	depends on NETFILTER_ADVANCED
382	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.
386
387	  To compile it as a module, choose M here.  If unsure, say N.
388
389if IP_NF_ARPTABLES
390
391config IP_NF_ARPFILTER
392	tristate "ARP packet filtering"
393	help
394	  ARP packet filtering defines a table `filter', which has a series of
395	  rules for simple ARP packet filtering at local input and
396	  local output.  On a bridge, you can also specify filtering rules
397	  for forwarded ARP packets. See the man page for arptables(8).
398
399	  To compile it as a module, choose M here.  If unsure, say N.
400
401config IP_NF_ARP_MANGLE
402	tristate "ARP payload mangling"
403	help
404	  Allows altering the ARP packet payload: source and destination
405	  hardware and network addresses.
406
407endif # IP_NF_ARPTABLES
408
409endmenu
410
411