1#
2# IP netfilter configuration
3#
4
5menu "IP: Netfilter Configuration"
6	depends on INET && NETFILTER
7
8config NF_DEFRAG_IPV4
9	tristate
10	default n
11
12config NF_CONNTRACK_IPV4
13	tristate "IPv4 connection tracking support (required for NAT)"
14	depends on NF_CONNTRACK
15	default m if NETFILTER_ADVANCED=n
16	select NF_DEFRAG_IPV4
17	---help---
18	  Connection tracking keeps a record of the packets that have passed
19	  through your machine, in order to work out how they relate to one
20	  another as connections (NAT builds on this per-connection state).
21
22	  This is the IPv4 support for layer-3-independent connection tracking.
23	  Layer-3-independent connection tracking is an experimental scheme
24	  which generalizes ip_conntrack to support other layer 3 protocols.
25
26	  To compile it as a module, choose M here.  If unsure, say N.
27
28config NF_CONNTRACK_PROC_COMPAT
29	bool "proc/sysctl compatibility with old connection tracking"
30	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
31	default y
32	help
33	  This option enables /proc and sysctl compatibility with the old
34	  layer 3 dependent connection tracking. This is needed to keep
35	  old programs that have not been adapted to the new names working.
36
37	  If unsure, say Y.
38
39config NF_LOG_ARP
40	tristate "ARP packet logging"
41	default m if NETFILTER_ADVANCED=n
42	select NF_LOG_COMMON
43
44config NF_LOG_IPV4
45	tristate "IPv4 packet logging"
46	default m if NETFILTER_ADVANCED=n
47	select NF_LOG_COMMON
48
49config NF_TABLES_IPV4
50	depends on NF_TABLES
51	tristate "IPv4 nf_tables support"
52	help
53	  This option enables the IPv4 support for nf_tables.
54
55config NFT_CHAIN_ROUTE_IPV4
56	depends on NF_TABLES_IPV4
57	tristate "IPv4 nf_tables route chain support"
58	help
59	  This option enables the "route" chain for IPv4 in nf_tables. This
60	  chain type is used to force packet re-routing after mangling header
61	  fields such as the source, destination, type of service and
62	  the packet mark.
63
64config NF_REJECT_IPV4
65	tristate "IPv4 packet rejection"
66	default m if NETFILTER_ADVANCED=n
67
68config NFT_REJECT_IPV4
69	depends on NF_TABLES_IPV4
70	select NF_REJECT_IPV4
71	default NFT_REJECT
72	tristate
73
74config NF_TABLES_ARP
75	depends on NF_TABLES
76	tristate "ARP nf_tables support"
77	help
78	  This option enables the ARP support for nf_tables.
79
80config NF_NAT_IPV4
81	tristate "IPv4 NAT"
82	depends on NF_CONNTRACK_IPV4
83	default m if NETFILTER_ADVANCED=n
84	select NF_NAT
85	help
86	  The IPv4 NAT option allows masquerading, port forwarding and other
87	  forms of full Network Address Port Translation. This can be
88	  controlled by iptables or nft.
89
90if NF_NAT_IPV4
91
92config NFT_CHAIN_NAT_IPV4
93	depends on NF_TABLES_IPV4
94	tristate "IPv4 nf_tables nat chain support"
95	help
96	  This option enables the "nat" chain for IPv4 in nf_tables. This
97	  chain type is used to perform Network Address Translation (NAT)
98	  packet transformations, such as rewriting the source or destination
99	  address and the source or destination port.
100
101config NF_NAT_MASQUERADE_IPV4
102	tristate "IPv4 masquerade support"
103	help
104	  This is the kernel functionality to provide NAT in the masquerade
105	  flavour (automatic source address selection).
106
107config NFT_MASQ_IPV4
108	tristate "IPv4 masquerading support for nf_tables"
109	depends on NF_TABLES_IPV4
110	depends on NFT_MASQ
111	select NF_NAT_MASQUERADE_IPV4
112	help
113	  This is the expression that provides IPv4 masquerading support for
114	  nf_tables.
115
116config NFT_REDIR_IPV4
117	tristate "IPv4 redirect support for nf_tables"
118	depends on NF_TABLES_IPV4
119	depends on NFT_REDIR
120	select NF_NAT_REDIRECT
121	help
122	  This is the expression that provides IPv4 redirect support for
123	  nf_tables.
124
125config NF_NAT_SNMP_BASIC
126	tristate "Basic SNMP-ALG support"
127	depends on NF_CONNTRACK_SNMP
128	depends on NETFILTER_ADVANCED
129	default NF_NAT && NF_CONNTRACK_SNMP
130	---help---
131
132	  This module implements an Application Layer Gateway (ALG) for SNMP
133	  payloads.  In conjunction with NAT, it allows a network management
134	  system to access multiple private networks with conflicting addresses.
135	  It works by rewriting the IP addresses carried inside SNMP payloads to
136	  match the IP-layer NAT mapping.  This is the "basic" form of SNMP-ALG,
137	  as described in RFC 2962.  Because it parses and rewrites application
138	  payloads in the kernel, enable it only if you need SNMP across NAT.
139
140	  To compile it as a module, choose M here.  If unsure, say N.
141
142config NF_NAT_PROTO_GRE
143	tristate
144	depends on NF_CT_PROTO_GRE
145
146config NF_NAT_PPTP
147	tristate
148	depends on NF_CONNTRACK
149	default NF_CONNTRACK_PPTP
150	select NF_NAT_PROTO_GRE
151
152config NF_NAT_H323
153	tristate
154	depends on NF_CONNTRACK
155	default NF_CONNTRACK_H323
156
157endif # NF_NAT_IPV4
158
159config IP_NF_IPTABLES
160	tristate "IP tables support (required for filtering/masq/NAT)"
161	default m if NETFILTER_ADVANCED=n
162	select NETFILTER_XTABLES
163	help
164	  iptables is a general, extensible packet identification framework.
165	  The packet filtering and full NAT (masquerading, port forwarding,
166	  etc) subsystems now use this: say `Y' or `M' here if you want to use
167	  either of those.
168
169	  To compile it as a module, choose M here.  If unsure, say N.
170
171if IP_NF_IPTABLES
172
173# The matches.
174config IP_NF_MATCH_AH
175	tristate '"ah" match support'
176	depends on NETFILTER_ADVANCED
177	help
178	  This match extension allows you to match on a range of SPIs
179	  inside the AH header of IPsec packets.
180
181	  To compile it as a module, choose M here.  If unsure, say N.
182
183config IP_NF_MATCH_ECN
184	tristate '"ecn" match support'
185	depends on NETFILTER_ADVANCED
186	select NETFILTER_XT_MATCH_ECN
187	---help---
188	This is a backwards-compat option for the user's convenience
189	(e.g. when running oldconfig). It selects
190	CONFIG_NETFILTER_XT_MATCH_ECN.
191
192config IP_NF_MATCH_RPFILTER
193	tristate '"rpfilter" reverse path filter match support'
194	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
195	---help---
196	  This option allows you to match packets whose reply would be routed
197	  out via the interface the packet arrived on (a reverse path check,
198	  typically used to drop packets with spoofed source addresses).
199	  To compile it as a module, choose M here.  If unsure, say N.
200	  The module will be called ipt_rpfilter.
201
202config IP_NF_MATCH_TTL
203	tristate '"ttl" match support'
204	depends on NETFILTER_ADVANCED
205	select NETFILTER_XT_MATCH_HL
206	---help---
207	This is a backwards-compat option for the user's convenience
208	(e.g. when running oldconfig). It selects
209	CONFIG_NETFILTER_XT_MATCH_HL.
210
211# `filter', generic and specific targets
212config IP_NF_FILTER
213	tristate "Packet filtering"
214	default m if NETFILTER_ADVANCED=n
215	help
216	  Packet filtering defines a table `filter', which has a series of
217	  rules for simple packet filtering at local input, forwarding and
218	  local output.  See the man page for iptables(8).
219
220	  To compile it as a module, choose M here.  If unsure, say N.
221
222config IP_NF_TARGET_REJECT
223	tristate "REJECT target support"
224	depends on IP_NF_FILTER
225	select NF_REJECT_IPV4
226	default m if NETFILTER_ADVANCED=n
227	help
228	  The REJECT target allows a filtering rule to specify that an ICMP
229	  error should be sent in response to an incoming packet, rather
230	  than the packet being silently dropped.
231
232	  To compile it as a module, choose M here.  If unsure, say N.
233
234config IP_NF_TARGET_SYNPROXY
235	tristate "SYNPROXY target support"
236	depends on NF_CONNTRACK && NETFILTER_ADVANCED
237	select NETFILTER_SYNPROXY
238	select SYN_COOKIES
239	help
240	  The SYNPROXY target allows you to intercept TCP connections and
241	  complete the handshake using SYN cookies before they are passed on
242	  to the server, so that no conntrack or server resources are consumed
243	  by half-open connections during SYN-flood attacks.
244
245	  To compile it as a module, choose M here. If unsure, say N.
246
247# NAT + specific targets: nf_conntrack
248config IP_NF_NAT
249	tristate "iptables NAT support"
250	depends on NF_CONNTRACK_IPV4
251	default m if NETFILTER_ADVANCED=n
252	select NF_NAT
253	select NF_NAT_IPV4
254	select NETFILTER_XT_NAT
255	help
256	  This enables the `nat' table in iptables. This allows masquerading,
257	  port forwarding and other forms of full Network Address Port
258	  Translation.
259
260	  To compile it as a module, choose M here.  If unsure, say N.
261
262if IP_NF_NAT
263
264config IP_NF_TARGET_MASQUERADE
265	tristate "MASQUERADE target support"
266	select NF_NAT_MASQUERADE_IPV4
267	default m if NETFILTER_ADVANCED=n
268	help
269	  Masquerading is a special case of NAT: all outgoing connections are
270	  rewritten to appear to come from a particular interface's address, and
271	  if the interface goes down, those connections are lost.  This is
272	  only useful for interfaces with a dynamically assigned IP address
273	  (i.e. your IP address may differ the next time the link comes up).
274
275	  To compile it as a module, choose M here.  If unsure, say N.
276
277config IP_NF_TARGET_NETMAP
278	tristate "NETMAP target support"
279	depends on NETFILTER_ADVANCED
280	select NETFILTER_XT_TARGET_NETMAP
281	---help---
282	This is a backwards-compat option for the user's convenience
283	(e.g. when running oldconfig). It selects
284	CONFIG_NETFILTER_XT_TARGET_NETMAP.
285
286config IP_NF_TARGET_REDIRECT
287	tristate "REDIRECT target support"
288	depends on NETFILTER_ADVANCED
289	select NETFILTER_XT_TARGET_REDIRECT
290	---help---
291	This is a backwards-compat option for the user's convenience
292	(e.g. when running oldconfig). It selects
293	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
294
295endif # IP_NF_NAT
296
297# mangle + specific targets
298config IP_NF_MANGLE
299	tristate "Packet mangling"
300	default m if NETFILTER_ADVANCED=n
301	help
302	  This option adds a `mangle' table to iptables: see the man page for
303	  iptables(8).  This table is used for various packet alterations
304	  which can affect how the packet is routed.
305
306	  To compile it as a module, choose M here.  If unsure, say N.
307
308config IP_NF_TARGET_CLUSTERIP
309	tristate "CLUSTERIP target support"
310	depends on IP_NF_MANGLE
311	depends on NF_CONNTRACK_IPV4
312	depends on NETFILTER_ADVANCED
313	select NF_CONNTRACK_MARK
314	help
315	  The CLUSTERIP target allows you to build load-balancing clusters of
316	  network servers without having a dedicated load-balancing
317	  router/server/switch.
318
319	  To compile it as a module, choose M here.  If unsure, say N.
320
321config IP_NF_TARGET_ECN
322	tristate "ECN target support"
323	depends on IP_NF_MANGLE
324	depends on NETFILTER_ADVANCED
325	---help---
326	  This option adds an `ECN' target, which can be used in the iptables mangle
327	  table.
328
329	  You can use this target to clear the ECN bits in the IPv4 header of
330	  an IP packet.  This is particularly useful if you need to work around
331	  existing ECN blackholes on the internet, but don't want to disable
332	  ECN support in general.
333
334	  To compile it as a module, choose M here.  If unsure, say N.
335
336config IP_NF_TARGET_TTL
337	tristate '"TTL" target support'
338	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
339	select NETFILTER_XT_TARGET_HL
340	---help---
341	This is a backwards-compatible option for the user's convenience
342	(e.g. when running oldconfig). It selects
343	CONFIG_NETFILTER_XT_TARGET_HL.
344
345# raw + specific targets
346config IP_NF_RAW
347	tristate  'raw table support (required for NOTRACK/TRACE)'
348	help
349	  This option adds a `raw' table to iptables. This table is traversed
350	  before any other table (and before connection tracking, which is what
351	  NOTRACK relies on); it hooks in at the PREROUTING and OUTPUT chains.
352
353	  If you want to compile it as a module, say M here and read
354	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
355
356# security table for MAC policy
357config IP_NF_SECURITY
358	tristate "Security table"
359	depends on SECURITY
360	depends on NETFILTER_ADVANCED
361	help
362	  This option adds a `security' table to iptables, for use
363	  with Mandatory Access Control (MAC) policy.
364
365	  If unsure, say N.
366
367endif # IP_NF_IPTABLES
368
369# ARP tables
370config IP_NF_ARPTABLES
371	tristate "ARP tables support"
372	select NETFILTER_XTABLES
373	depends on NETFILTER_ADVANCED
374	help
375	  arptables is a general, extensible packet identification framework.
376	  The ARP packet filtering and mangling (manipulation) subsystems
377	  use this: say Y or M here if you want to use either of those.
378
379	  To compile it as a module, choose M here.  If unsure, say N.
380
381if IP_NF_ARPTABLES
382
383config IP_NF_ARPFILTER
384	tristate "ARP packet filtering"
385	help
386	  ARP packet filtering defines a table `filter', which has a series of
387	  rules for simple ARP packet filtering at local input and
388	  local output.  On a bridge, you can also specify filtering rules
389	  for forwarded ARP packets. See the man page for arptables(8).
390
391	  To compile it as a module, choose M here.  If unsure, say N.
392
393config IP_NF_ARP_MANGLE
394	tristate "ARP payload mangling"
395	help
396	  Allows altering the ARP packet payload: source and destination
397	  hardware and network addresses.
398
399endif # IP_NF_ARPTABLES
400
401endmenu
402
403