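#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# No prompt and "default n": this cannot be switched on by hand from the
# menu. Presumably it is enabled through "select" from options defined
# elsewhere -- confirm against the users of NF_DEFRAG_IPV4.
config NF_DEFRAG_IPV4
	tristate
	default n

config NF_SOCKET_IPV4
	tristate "IPv4 socket lookup support"
	help
	  This option enables the IPv4 socket lookup infrastructure. This
	  is required by the {ip,nf}tables socket match.

# NOTE(review): no help text is provided for this prompt.
config NF_TPROXY_IPV4
	tristate "IPv4 tproxy support"

if NF_TABLES

config NF_TABLES_IPV4
	bool "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

# Promptless helper: follows NFT_REJECT through "default" and pulls in the
# shared IPv4 reject core.
config NFT_REJECT_IPV4
	tristate
	select NF_REJECT_IPV4
	default NFT_REJECT

# "!NF_CONNTRACK || NF_CONNTRACK" is the Kconfig tristate idiom: it
# evaluates to y when NF_CONNTRACK is y or n and to m when it is m, so this
# option cannot be built in while conntrack is a module.
config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.

# Reverse path filtering (see help) is the lookup a ruleset uses to drop
# packets whose source address is not routable via the arrival interface.
config NFT_FIB_IPV4
	tristate "nf_tables fib / ip route lookup support"
	select NFT_FIB
	help
	  This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	bool "ARP nf_tables support"
	select NETFILTER_FAMILY_ARP
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_FLOW_TABLE_IPV4
	tristate "Netfilter flow table IPv4 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv4 support.

	  To compile it as a module, choose M here.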
# Duplication core. The dependency below is the Kconfig tristate idiom: it
# caps this option at m whenever NF_CONNTRACK itself is built as a module.
config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

# The logging and reject cores default to m when the advanced netfilter
# menu is hidden (NETFILTER_ADVANCED=n).
config NF_LOG_ARP
	tristate "ARP packet logging"
	select NF_LOG_COMMON
	default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	select NF_LOG_COMMON
	default m if NETFILTER_ADVANCED=n

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

if NF_NAT

if NF_TABLES
config NFT_CHAIN_NAT_IPV4
	tristate "IPv4 nf_tables nat chain support"
	depends on NF_TABLES_IPV4
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4 && NFT_MASQ
	select NF_NAT_MASQUERADE
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

endif # NF_TABLES

# Application Layer Gateway: per the help text it rewrites addresses inside
# SNMP payloads, and it selects ASN1 to do so, i.e. it decodes
# network-supplied data inside the kernel. Enable it only where SNMP across
# NAT is actually required; the help text's own advice is "If unsure, say N".
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NETFILTER_ADVANCED
	select ASN1
	default NF_NAT && NF_CONNTRACK_SNMP
	help

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.
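# Promptless NAT helpers: each one follows its conntrack helper option
# through "default", so disabling the conntrack helper disables the NAT
# side as well.
config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc.) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

# Reverse path check usable as an anti-spoofing rule. The second dependency
# requires the mangle or the raw table to be available.
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# Uses the shared NF_REJECT_IPV4 core (selected below) to build the reply.
config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

# SYN-flood mitigation. SYN_COOKIES is selected because, per the help text,
# the proxy establishes connections using syncookies before handing them
# to the server.
config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK
	select NF_NAT
	select NETFILTER_XT_NAT
	default m if NETFILTER_ADVANCED=n
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.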
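if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

# NETMAP and REDIRECT are compatibility shims: each only selects the
# corresponding NETFILTER_XT_TARGET_* option.
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.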
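# Selects conntrack marks and the ARP netfilter family in addition to
# depending on the mangle table and conntrack.
config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	select NETFILTER_FAMILY_ARP
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables
	  mangle table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility shim: only selects NETFILTER_XT_TARGET_HL.
config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
# NOTRACK (named in the prompt) exempts traffic from connection tracking,
# so rules placed in this table deserve review alongside any stateful policy.
# Unlike most targets in this menu, this entry has no NETFILTER_ADVANCED
# dependency and no default.
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.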
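# security table for MAC policy
# Only offered when an LSM framework is built (depends on SECURITY).
# NOTE(review): this table is normally where packet labelling rules such as
# SECMARK/CONNSECMARK are placed -- confirm against the deployed policy.
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XTABLES
	select NETFILTER_FAMILY_ARP
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu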