#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	depends on NETFILTER_ADVANCED
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	default m if NETFILTER_ADVANCED=n
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

if NF_NAT_IPV4

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu