1# 2# IP netfilter configuration 3# 4 5menu "IP: Netfilter Configuration" 6 depends on INET && NETFILTER 7 8config NF_DEFRAG_IPV4 9 tristate 10 default n 11 12config NF_CONNTRACK_IPV4 13 tristate "IPv4 connection tracking support (required for NAT)" 14 depends on NF_CONNTRACK 15 default m if NETFILTER_ADVANCED=n 16 select NF_DEFRAG_IPV4 17 ---help--- 18 Connection tracking keeps a record of what packets have passed 19 through your machine, in order to figure out how they are related 20 into connections. 21 22 This is the IPv4 support for the layer 3 independent connection tracking. 23 Layer 3 independent connection tracking is an experimental scheme 24 that generalizes ip_conntrack to support other layer 3 protocols. 25 26 To compile it as a module, choose M here. If unsure, say N. 27 28config NF_CONNTRACK_PROC_COMPAT 29 bool "proc/sysctl compatibility with old connection tracking" 30 depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4 31 default y 32 help 33 This option enables /proc and sysctl compatibility with the old 34 layer 3 dependent connection tracking. This is needed to keep 35 old programs that have not been adapted to the new names working. 36 37 If unsure, say Y. 38 39config NF_LOG_ARP 40 tristate "ARP packet logging" 41 default m if NETFILTER_ADVANCED=n 42 select NF_LOG_COMMON 43 44config NF_LOG_IPV4 45 tristate "IPv4 packet logging" 46 default m if NETFILTER_ADVANCED=n 47 select NF_LOG_COMMON 48 49config NF_TABLES_IPV4 50 depends on NF_TABLES 51 tristate "IPv4 nf_tables support" 52 help 53 This option enables the IPv4 support for nf_tables. 54 55config NFT_CHAIN_ROUTE_IPV4 56 depends on NF_TABLES_IPV4 57 tristate "IPv4 nf_tables route chain support" 58 help 59 This option enables the "route" chain for IPv4 in nf_tables. This 60 chain type is used to force packet re-routing after mangling header 61 fields such as the source, destination, type of service and 62 the packet mark.
63 64config NFT_CHAIN_NAT_IPV4 65 depends on NF_TABLES_IPV4 66 depends on NF_NAT_IPV4 && NFT_NAT 67 tristate "IPv4 nf_tables nat chain support" 68 help 69 This option enables the "nat" chain for IPv4 in nf_tables. This 70 chain type is used to perform Network Address Translation (NAT) 71 packet transformations, such as rewriting the source or destination address 72 and the source or destination port. 73 74config NFT_REJECT_IPV4 75 depends on NF_TABLES_IPV4 76 default NFT_REJECT 77 tristate 78 79config NF_TABLES_ARP 80 depends on NF_TABLES 81 tristate "ARP nf_tables support" 82 help 83 This option enables the ARP support for nf_tables. 84 85config IP_NF_IPTABLES 86 tristate "IP tables support (required for filtering/masq/NAT)" 87 default m if NETFILTER_ADVANCED=n 88 select NETFILTER_XTABLES 89 help 90 iptables is a general, extensible packet identification framework. 91 The packet filtering and full NAT (masquerading, port forwarding, 92 etc) subsystems now use this: say `Y' or `M' here if you want to use 93 either of those. 94 95 To compile it as a module, choose M here. If unsure, say N. 96 97if IP_NF_IPTABLES 98 99# The matches. 100config IP_NF_MATCH_AH 101 tristate '"ah" match support' 102 depends on NETFILTER_ADVANCED 103 help 104 This match extension allows you to match a range of SPIs 105 inside the AH header of IPsec packets. 106 107 To compile it as a module, choose M here. If unsure, say N. 108 109config IP_NF_MATCH_ECN 110 tristate '"ecn" match support' 111 depends on NETFILTER_ADVANCED 112 select NETFILTER_XT_MATCH_ECN 113 ---help--- 114 This is a backwards-compat option for the user's convenience 115 (e.g. when running oldconfig). It selects 116 CONFIG_NETFILTER_XT_MATCH_ECN. 117 118config IP_NF_MATCH_RPFILTER 119 tristate '"rpfilter" reverse path filter match support' 120 depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW) 121 ---help--- 122 This option allows you to match packets whose replies would 123 go out via the interface the packet came in, i.e. a reverse path check. It is typically used in the raw or mangle table to drop packets whose source address is spoofed.
124 125 To compile it as a module, choose M here. If unsure, say N. 126 The module will be called ipt_rpfilter. 127 128config IP_NF_MATCH_TTL 129 tristate '"ttl" match support' 130 depends on NETFILTER_ADVANCED 131 select NETFILTER_XT_MATCH_HL 132 ---help--- 133 This is a backwards-compat option for the user's convenience 134 (e.g. when running oldconfig). It selects 135 CONFIG_NETFILTER_XT_MATCH_HL. 136 137# `filter', generic and specific targets 138config IP_NF_FILTER 139 tristate "Packet filtering" 140 default m if NETFILTER_ADVANCED=n 141 help 142 Packet filtering defines a table `filter', which has a series of 143 rules for simple packet filtering at local input, forwarding and 144 local output. See the man page for iptables(8). 145 146 To compile it as a module, choose M here. If unsure, say N. 147 148config IP_NF_TARGET_REJECT 149 tristate "REJECT target support" 150 depends on IP_NF_FILTER 151 default m if NETFILTER_ADVANCED=n 152 help 153 The REJECT target allows a filtering rule to specify that an ICMP 154 error should be issued in response to an incoming packet, rather 155 than silently dropping the packet. 156 157 To compile it as a module, choose M here. If unsure, say N. 158 159config IP_NF_TARGET_SYNPROXY 160 tristate "SYNPROXY target support" 161 depends on NF_CONNTRACK && NETFILTER_ADVANCED 162 select NETFILTER_SYNPROXY 163 select SYN_COOKIES 164 help 165 The SYNPROXY target allows you to intercept TCP connections and 166 establish them using syncookies before they are passed on to the 167 server. This avoids consuming conntrack entries and server resources 168 during SYN-flood attacks. 169 170 To compile it as a module, choose M here. If unsure, say N.
171 172# NAT + specific targets: nf_conntrack 173config NF_NAT_IPV4 174 tristate "IPv4 NAT" 175 depends on NF_CONNTRACK_IPV4 176 default m if NETFILTER_ADVANCED=n 177 select NF_NAT 178 help 179 The IPv4 NAT option allows masquerading, port forwarding and other 180 forms of full Network Address Port Translation. It is controlled by 181 the `nat' table in iptables: see the man page for iptables(8). 182 183 To compile it as a module, choose M here. If unsure, say N. 184 185if NF_NAT_IPV4 186 187config IP_NF_TARGET_MASQUERADE 188 tristate "MASQUERADE target support" 189 default m if NETFILTER_ADVANCED=n 190 help 191 Masquerading is a special case of NAT: all outgoing connections are 192 changed to seem to come from a particular interface's address, and 193 if the interface goes down, those connections are lost. This is 194 mainly useful for interfaces with a dynamic IP address (e.g. dialup accounts, 195 where your IP address will be different on the next dialup). 196 197 To compile it as a module, choose M here. If unsure, say N. 198 199config IP_NF_TARGET_NETMAP 200 tristate "NETMAP target support" 201 depends on NETFILTER_ADVANCED 202 select NETFILTER_XT_TARGET_NETMAP 203 ---help--- 204 This is a backwards-compat option for the user's convenience 205 (e.g. when running oldconfig). It selects 206 CONFIG_NETFILTER_XT_TARGET_NETMAP. 207 208config IP_NF_TARGET_REDIRECT 209 tristate "REDIRECT target support" 210 depends on NETFILTER_ADVANCED 211 select NETFILTER_XT_TARGET_REDIRECT 212 ---help--- 213 This is a backwards-compat option for the user's convenience 214 (e.g. when running oldconfig). It selects 215 CONFIG_NETFILTER_XT_TARGET_REDIRECT. 216 217endif 218 219config NF_NAT_SNMP_BASIC 220 tristate "Basic SNMP-ALG support" 221 depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4 222 depends on NETFILTER_ADVANCED 223 default NF_NAT && NF_CONNTRACK_SNMP 224 ---help--- 225 226 This module implements an Application Layer Gateway (ALG) for 227 SNMP payloads.
In conjunction with NAT, it allows a network 228 management system to access multiple private networks with 229 conflicting addresses. It works by modifying IP addresses 230 inside SNMP payloads to match the IP-layer NAT mapping. 231 232 This is the "basic" form of SNMP-ALG, as described in RFC 2962. 233 234 To compile it as a module, choose M here. If unsure, say N. 235 236# The NAT helper modules below default to "<NAT option> && <conntrack helper option>" 237# (each m or y), i.e. whichever of the two is weaker. 238# From kconfig-language.txt: 239# 240# <expr> '&&' <expr> (6) 241# 242# (6) Returns the result of min(/expr/, /expr/). 243 244config NF_NAT_PROTO_GRE 245 tristate 246 depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE 247 248config NF_NAT_PPTP 249 tristate 250 depends on NF_CONNTRACK && NF_NAT_IPV4 251 default NF_NAT_IPV4 && NF_CONNTRACK_PPTP 252 select NF_NAT_PROTO_GRE 253 254config NF_NAT_H323 255 tristate 256 depends on NF_CONNTRACK && NF_NAT_IPV4 257 default NF_NAT_IPV4 && NF_CONNTRACK_H323 258 259# mangle + specific targets 260config IP_NF_MANGLE 261 tristate "Packet mangling" 262 default m if NETFILTER_ADVANCED=n 263 help 264 This option adds a `mangle' table to iptables: see the man page for 265 iptables(8). This table is used for various packet alterations 266 which can affect how the packet is routed. 267 268 To compile it as a module, choose M here. If unsure, say N. 269 270config IP_NF_TARGET_CLUSTERIP 271 tristate "CLUSTERIP target support" 272 depends on IP_NF_MANGLE 273 depends on NF_CONNTRACK_IPV4 274 depends on NETFILTER_ADVANCED 275 select NF_CONNTRACK_MARK 276 help 277 The CLUSTERIP target allows you to build load-balancing clusters of 278 network servers without having a dedicated load-balancing 279 router/server/switch. 280 281 To compile it as a module, choose M here. If unsure, say N.
282 283config IP_NF_TARGET_ECN 284 tristate "ECN target support" 285 depends on IP_NF_MANGLE 286 depends on NETFILTER_ADVANCED 287 ---help--- 288 This option adds an `ECN' target, which can be used in the iptables mangle 289 table. 290 291 You can use this target to remove the ECN bits from the IPv4 header of 292 an IP packet. This is particularly useful if you need to work around 293 existing ECN blackholes on the internet, but don't want to disable 294 ECN support in general. 295 296 To compile it as a module, choose M here. If unsure, say N. 297 298config IP_NF_TARGET_TTL 299 tristate '"TTL" target support' 300 depends on NETFILTER_ADVANCED && IP_NF_MANGLE 301 select NETFILTER_XT_TARGET_HL 302 ---help--- 303 This is a backwards-compatible option for the user's convenience 304 (e.g. when running oldconfig). It selects 305 CONFIG_NETFILTER_XT_TARGET_HL. 306 307# raw + specific targets 308config IP_NF_RAW 309 tristate 'raw table support (required for NOTRACK/TRACE)' 310 help 311 This option adds a `raw' table to iptables. This table is the very 312 first in the netfilter framework and hooks in at the PREROUTING 313 and OUTPUT chains. 314 315 If you want to compile it as a module, say M here and read 316 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 317 318# security table for MAC policy 319config IP_NF_SECURITY 320 tristate "Security table" 321 depends on SECURITY 322 depends on NETFILTER_ADVANCED 323 help 324 This option adds a `security' table to iptables, for use 325 with Mandatory Access Control (MAC) policy. 326 327 If unsure, say N. 328 329endif # IP_NF_IPTABLES 330 331# ARP tables 332config IP_NF_ARPTABLES 333 tristate "ARP tables support" 334 select NETFILTER_XTABLES 335 depends on NETFILTER_ADVANCED 336 help 337 arptables is a general, extensible packet identification framework. 338 The ARP packet filtering and mangling (manipulation) subsystems 339 use this: say Y or M here if you want to use either of those.
340 341 To compile it as a module, choose M here. If unsure, say N. 342 343if IP_NF_ARPTABLES 344 345config IP_NF_ARPFILTER 346 tristate "ARP packet filtering" 347 help 348 ARP packet filtering defines a table `filter', which has a series of 349 rules for simple ARP packet filtering at local input and 350 local output. On a bridge, you can also specify filtering rules 351 for forwarded ARP packets. See the man page for arptables(8). 352 353 To compile it as a module, choose M here. If unsure, say N. 354 355config IP_NF_ARP_MANGLE 356 tristate "ARP payload mangling" 357 help 358 Allows altering the ARP packet payload: source and destination 359 hardware and network addresses. 360 361endif # IP_NF_ARPTABLES 362 363endmenu 364 365