1#
2# IP netfilter configuration
3#
4
5menu "IP: Netfilter Configuration"
6	depends on INET && NETFILTER
7
8config NF_DEFRAG_IPV4
9	tristate
10	default n
11
12config NF_CONNTRACK_IPV4
13	tristate "IPv4 connection tracking support (required for NAT)"
14	depends on NF_CONNTRACK
15	default m if NETFILTER_ADVANCED=n
16	select NF_DEFRAG_IPV4
17	---help---
18	  Connection tracking keeps a record of what packets have passed
19	  through your machine, in order to figure out how they are related
20	  into connections.
21
22	  This is the IPv4 support for Layer 3 independent connection tracking.
23	  Layer 3 independent connection tracking is an experimental scheme
24	  which generalizes ip_conntrack to support other layer 3 protocols.
25
26	  To compile it as a module, choose M here.  If unsure, say N.
27
28config NF_CONNTRACK_PROC_COMPAT
29	bool "proc/sysctl compatibility with old connection tracking"
30	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
31	default y
32	help
33	  This option enables /proc and sysctl compatibility with the old
34	  layer 3 dependent connection tracking. This is needed to keep
35	  old programs that have not been adapted to the new names working.
36
37	  If unsure, say Y.
38
39config IP_NF_QUEUE
40	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
41	depends on NETFILTER_ADVANCED
42	help
43	  Netfilter has the ability to queue packets to user space: the
44	  netlink device can be used to access them using this driver.
45
46	  This option enables the old IPv4-only "ip_queue" implementation
47	  which has been obsoleted by the new "nfnetlink_queue" code (see
48	  CONFIG_NETFILTER_NETLINK_QUEUE).
49
50	  To compile it as a module, choose M here.  If unsure, say N.
51
52config IP_NF_IPTABLES
53	tristate "IP tables support (required for filtering/masq/NAT)"
54	default m if NETFILTER_ADVANCED=n
55	select NETFILTER_XTABLES
56	help
57	  iptables is a general, extensible packet identification framework.
58	  The packet filtering and full NAT (masquerading, port forwarding,
59	  etc) subsystems now use this: say `Y' or `M' here if you want to use
60	  either of those.
61
62	  To compile it as a module, choose M here.  If unsure, say N.
63
64if IP_NF_IPTABLES
65
66# The matches.
67config IP_NF_MATCH_AH
68	tristate '"ah" match support'
69	depends on NETFILTER_ADVANCED
70	help
71	  This match extension allows you to match a range of SPIs
72	  inside the AH header of IPsec packets.
73
74	  To compile it as a module, choose M here.  If unsure, say N.
75
76config IP_NF_MATCH_ECN
77	tristate '"ecn" match support'
78	depends on NETFILTER_ADVANCED
79	select NETFILTER_XT_MATCH_ECN
80	---help---
81	This is a backwards-compat option for the user's convenience
82	(e.g. when running oldconfig). It selects
83	CONFIG_NETFILTER_XT_MATCH_ECN.
84
85config IP_NF_MATCH_RPFILTER
86	tristate '"rpfilter" reverse path filter match support'
87	depends on NETFILTER_ADVANCED
88	---help---
89	  This option allows you to match packets whose replies would
90	  go out via the same interface the packet came in on.
91
92	  To compile it as a module, choose M here.  If unsure, say N.
93	  The module will be called ipt_rpfilter.
94
95config IP_NF_MATCH_TTL
96	tristate '"ttl" match support'
97	depends on NETFILTER_ADVANCED
98	select NETFILTER_XT_MATCH_HL
99	---help---
100	This is a backwards-compat option for the user's convenience
101	(e.g. when running oldconfig). It selects
102	CONFIG_NETFILTER_XT_MATCH_HL.
103
104# `filter', generic and specific targets
105config IP_NF_FILTER
106	tristate "Packet filtering"
107	default m if NETFILTER_ADVANCED=n
108	help
109	  Packet filtering defines a table `filter', which has a series of
110	  rules for simple packet filtering at local input, forwarding and
111	  local output.  See the man page for iptables(8).
112
113	  To compile it as a module, choose M here.  If unsure, say N.
114
115config IP_NF_TARGET_REJECT
116	tristate "REJECT target support"
117	depends on IP_NF_FILTER
118	default m if NETFILTER_ADVANCED=n
119	help
120	  The REJECT target allows a filtering rule to specify that an ICMP
121	  error should be issued in response to an incoming packet, rather
122	  than the packet being silently dropped.
123
124	  To compile it as a module, choose M here.  If unsure, say N.
125
126config IP_NF_TARGET_ULOG
127	tristate "ULOG target support"
128	default m if NETFILTER_ADVANCED=n
129	---help---
130
131	  This option enables the old IPv4-only "ipt_ULOG" implementation
132	  which has been obsoleted by the new "nfnetlink_log" code (see
133	  CONFIG_NETFILTER_NETLINK_LOG).
134
135	  This option adds a `ULOG' target, which allows you to create rules in
136	  any iptables table. The packet is passed to a userspace logging
137	  daemon using netlink multicast sockets, unlike the LOG target,
138	  whose output can only be viewed through syslog.
139
140	  The appropriate userspace logging daemon (ulogd) may be obtained from
141	  <http://www.netfilter.org/projects/ulogd/index.html>
142
143	  To compile it as a module, choose M here.  If unsure, say N.
144
145# NAT + specific targets: nf_conntrack
146config NF_NAT_IPV4
147	tristate "IPv4 NAT"
148	depends on NF_CONNTRACK_IPV4
149	default m if NETFILTER_ADVANCED=n
150	select NF_NAT
151	help
152	  The IPv4 NAT option allows masquerading, port forwarding and other
153	  forms of full Network Address Port Translation.  It is controlled by
154	  the `nat' table in iptables: see the man page for iptables(8).
155
156	  To compile it as a module, choose M here.  If unsure, say N.
157
158if NF_NAT_IPV4
159
160config IP_NF_TARGET_MASQUERADE
161	tristate "MASQUERADE target support"
162	default m if NETFILTER_ADVANCED=n
163	help
164	  Masquerading is a special case of NAT: all outgoing connections are
165	  changed to seem to come from a particular interface's address, and
166	  if the interface goes down, those connections are lost.  This is
167	  only useful for dialup accounts with a dynamic IP address (i.e. your IP
168	  address will be different on the next dialup).
169
170	  To compile it as a module, choose M here.  If unsure, say N.
171
172config IP_NF_TARGET_NETMAP
173	tristate "NETMAP target support"
174	depends on NETFILTER_ADVANCED
175	select NETFILTER_XT_TARGET_NETMAP
176	---help---
177	This is a backwards-compat option for the user's convenience
178	(e.g. when running oldconfig). It selects
179	CONFIG_NETFILTER_XT_TARGET_NETMAP.
180
181config IP_NF_TARGET_REDIRECT
182	tristate "REDIRECT target support"
183	depends on NETFILTER_ADVANCED
184	select NETFILTER_XT_TARGET_REDIRECT
185	---help---
186	This is a backwards-compat option for the user's convenience
187	(e.g. when running oldconfig). It selects
188	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
189
190endif
191
192config NF_NAT_SNMP_BASIC
193	tristate "Basic SNMP-ALG support"
194	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
195	depends on NETFILTER_ADVANCED
196	default NF_NAT && NF_CONNTRACK_SNMP
197	---help---
198
199	  This module implements an Application Layer Gateway (ALG) for
200	  SNMP payloads.  In conjunction with NAT, it allows a network
201	  management system to access multiple private networks with
202	  conflicting addresses.  It works by modifying IP addresses
203	  inside SNMP payloads to match IP-layer NAT mapping.
204
205	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.
206
207	  To compile it as a module, choose M here.  If unsure, say N.
208
209# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
210# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
211# From kconfig-language.txt:
212#
213#           <expr> '&&' <expr>                   (6)
214#
215# (6) Returns the result of min(/expr/, /expr/).
216
217config NF_NAT_PROTO_GRE
218	tristate
219	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE
220
221config NF_NAT_PPTP
222	tristate
223	depends on NF_CONNTRACK && NF_NAT_IPV4
224	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
225	select NF_NAT_PROTO_GRE
226
227config NF_NAT_H323
228	tristate
229	depends on NF_CONNTRACK && NF_NAT_IPV4
230	default NF_NAT_IPV4 && NF_CONNTRACK_H323
231
232# mangle + specific targets
233config IP_NF_MANGLE
234	tristate "Packet mangling"
235	default m if NETFILTER_ADVANCED=n
236	help
237	  This option adds a `mangle' table to iptables: see the man page for
238	  iptables(8).  This table is used for various packet alterations
239	  which can affect how the packet is routed.
240
241	  To compile it as a module, choose M here.  If unsure, say N.
242
243config IP_NF_TARGET_CLUSTERIP
244	tristate "CLUSTERIP target support"
245	depends on IP_NF_MANGLE
246	depends on NF_CONNTRACK_IPV4
247	depends on NETFILTER_ADVANCED
248	select NF_CONNTRACK_MARK
249	help
250	  The CLUSTERIP target allows you to build load-balancing clusters of
251	  network servers without having a dedicated load-balancing
252	  router/server/switch.
253
254	  To compile it as a module, choose M here.  If unsure, say N.
255
256config IP_NF_TARGET_ECN
257	tristate "ECN target support"
258	depends on IP_NF_MANGLE
259	depends on NETFILTER_ADVANCED
260	---help---
261	  This option adds an `ECN' target, which can be used in the iptables mangle
262	  table.
263
264	  You can use this target to remove the ECN bits from the IPv4 header of
265	  an IP packet.  This is particularly useful if you need to work around
266	  existing ECN blackholes on the internet, but don't want to disable
267	  ECN support in general.
268
269	  To compile it as a module, choose M here.  If unsure, say N.
270
271config IP_NF_TARGET_TTL
272	tristate '"TTL" target support'
273	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
274	select NETFILTER_XT_TARGET_HL
275	---help---
276	This is a backwards-compatible option for the user's convenience
277	(e.g. when running oldconfig). It selects
278	CONFIG_NETFILTER_XT_TARGET_HL.
279
280# raw + specific targets
281config IP_NF_RAW
282	tristate  'raw table support (required for NOTRACK/TRACE)'
283	help
284	  This option adds a `raw' table to iptables. This table is the very
285	  first in the netfilter framework and hooks in at the PREROUTING
286	  and OUTPUT chains.
287
288	  If you want to compile it as a module, say M here and read
289	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
290
291# security table for MAC policy
292config IP_NF_SECURITY
293	tristate "Security table"
294	depends on SECURITY
295	depends on NETFILTER_ADVANCED
296	help
297	  This option adds a `security' table to iptables, for use
298	  with Mandatory Access Control (MAC) policy.
299
300	  If unsure, say N.
301
302endif # IP_NF_IPTABLES
303
304# ARP tables
305config IP_NF_ARPTABLES
306	tristate "ARP tables support"
307	select NETFILTER_XTABLES
308	depends on NETFILTER_ADVANCED
309	help
310	  arptables is a general, extensible packet identification framework.
311	  The ARP packet filtering and mangling (manipulation) subsystems
312	  use this: say Y or M here if you want to use either of those.
313
314	  To compile it as a module, choose M here.  If unsure, say N.
315
316if IP_NF_ARPTABLES
317
318config IP_NF_ARPFILTER
319	tristate "ARP packet filtering"
320	help
321	  ARP packet filtering defines a table `filter', which has a series of
322	  rules for simple ARP packet filtering at local input and
323	  local output.  On a bridge, you can also specify filtering rules
324	  for forwarded ARP packets. See the man page for arptables(8).
325
326	  To compile it as a module, choose M here.  If unsure, say N.
327
328config IP_NF_ARP_MANGLE
329	tristate "ARP payload mangling"
330	help
331	  Allows altering the ARP packet payload: source and destination
332	  hardware and network addresses.
333
334endif # IP_NF_ARPTABLES
335
336endmenu
337
338