#
# IP netfilter configuration
#
# Kconfig for the IPv4 (and ARP) netfilter pieces: conntrack, nf_tables
# chains, the legacy iptables tables/matches/targets, NAT helpers and
# arptables. Every symbol below sits under the "IP: Netfilter Configuration"
# menu, which is itself gated on INET && NETFILTER.
#
# Reading notes:
#   - `tristate` with no prompt string is a hidden symbol: it is only ever
#     enabled through `select` or its own `default` expression.
#   - `default m if NETFILTER_ADVANCED=n` marks the options that are built
#     as modules on a non-advanced (minimal-question) configuration.
#   - Several "*-compat" entries exist only to `select` the generic xtables
#     symbol; they carry no code of their own.
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# Hidden symbol, pulled in via `select` by NF_CONNTRACK_IPV4 below.
# NOTE(review): presumably reassembles IPv4 fragments before conntrack
# inspects them (inferred from the name) - confirm in the implementation.
config NF_DEFRAG_IPV4
	tristate
	default n

# IPv4 half of the layer-3 independent conntrack. Prerequisite for
# NF_NAT_IPV4, CLUSTERIP and the SNMP/PPTP/H.323 NAT helpers further down.
# Conntrack keeps per-flow state, so enabling it means the table size and
# timeouts become tunables worth reviewing on exposed hosts (see the
# SYNPROXY help text on conntrack resource usage under SYN floods).
config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

# Keeps the old /proc and sysctl names alive for userspace that has not
# moved to the nf_conntrack names. Only offered when procfs conntrack
# output (NF_CONNTRACK_PROCFS) and IPv4 conntrack are both built.
config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

# nf_tables (the successor framework to iptables): IPv4 family support and
# the two IPv4-specific chain types that need extra hooks.
config NF_TABLES_IPV4
	depends on NF_TABLES
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

# The nat chain needs the NAT core (NF_NAT_IPV4, defined further down) and
# the nf_tables nat expression (NFT_NAT) on top of IPv4 family support.
config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	depends on NF_NAT_IPV4 && NFT_NAT
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_TABLES_ARP
	depends on NF_TABLES
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

# Legacy iptables front end. Everything from the `if IP_NF_IPTABLES` line
# down to `endif # IP_NF_IPTABLES` is only visible when this is enabled.
config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES

# The matches.

# Matches on the SPI range carried in an AH header; lets a rule restrict
# which IPsec security associations are accepted.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Compat shim: no code of its own, only selects the xtables ecn match.
config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

# Rule-level reverse-path check: the main source-address anti-spoofing
# control in this file. Only selectable when the mangle or raw table is
# built - NOTE(review): presumably because the match is only valid in
# those tables; confirm against the match's table restriction.
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

# Compat shim: selects the generic hop-limit/TTL match.
config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets

# The `filter' table (INPUT/FORWARD/OUTPUT). Built as a module on minimal
# configs; REJECT below depends on it.
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# REJECT answers with an ICMP error instead of dropping silently. The
# reply tells the sender a filter is in place and costs a packet per hit,
# so DROP is usually preferred on untrusted edges; REJECT is friendlier
# for internal clients that would otherwise wait on a timeout.
config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

# SYN-flood mitigation: the handshake is completed with syncookies before
# the real server (or conntrack) sees the connection, which is why it
# `select`s SYN_COOKIES. It still requires NF_CONNTRACK to be present.
config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# Obsolete IPv4-only packet logging path, kept for old ulogd deployments;
# the help text names nfnetlink_log (CONFIG_NETFILTER_NETLINK_LOG) as the
# replacement. NOTE(review): despite being marked obsolete it still
# defaults to `m` when NETFILTER_ADVANCED=n, so minimal configs keep
# building it - consider whether that default is still wanted.
config IP_NF_TARGET_ULOG
	tristate "ULOG target support (obsolete)"
	default m if NETFILTER_ADVANCED=n
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack

# IPv4 NAT core. Requires IPv4 conntrack and selects the generic NF_NAT;
# the NAT targets in the `if NF_NAT_IPV4` block and the NAT helpers below
# all hang off this symbol.
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

if NF_NAT_IPV4

# Source NAT to the outgoing interface's current address; per the help
# text, tracked connections are lost when that interface goes down.
config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

# Compat shims: each only selects the generic xtables target.
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif

# Application Layer Gateway that parses SNMP payloads and rewrites the IP
# addresses inside them to follow the NAT mapping (RFC 2962 "basic" form).
# An in-kernel parser of application payload is extra attack surface for
# whatever SNMP traffic crosses the NAT box, so it is only offered on
# NETFILTER_ADVANCED configs; its default follows NF_CONNTRACK_SNMP.
# Enable it only where SNMP through NAT is actually required.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
# <expr> '&&' <expr> (6)
#
# (6) Returns the result of min(/expr/, /expr/).
#
# NOTE(review): the FTP symbols named above no longer appear in this file;
# the min() rule the comment quotes is what the `default A && B` lines of
# the hidden NAT helpers below rely on (a module-built conntrack helper
# yields a module-built NAT helper, never a stronger `y`).

# Hidden GRE NAT protocol support, selected by NF_NAT_PPTP.
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

# Hidden NAT helpers: enabled automatically (via `default`) when the
# matching conntrack helper is on and IPv4 NAT is built. Like the SNMP
# ALG above, these parse application payloads in-kernel; they only get
# built when the corresponding conntrack helper was chosen elsewhere.
config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323

# mangle + specific targets

# The `mangle' table; rpfilter, CLUSTERIP, the ECN and TTL targets below
# all depend on it being built.
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# Switch-less load balancing across cluster nodes. Needs IPv4 conntrack
# and selects NF_CONNTRACK_MARK - NOTE(review): presumably it keeps its
# per-connection node assignment in the conntrack mark; confirm in the
# target implementation.
config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# Clears ECN bits in the IPv4 header; a targeted workaround for ECN
# blackholes rather than a reason to disable ECN globally (see help).
config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

# Compat shim: selects the generic hop-limit/TTL target.
config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets

# The `raw' table runs before every other table (PREROUTING and OUTPUT
# hooks, per the help text) and, per its prompt, is required for the
# NOTRACK and TRACE targets. It is also one of the two tables that makes
# IP_NF_MATCH_RPFILTER selectable. Note it has no `default m` line, so a
# non-advanced config does not build it automatically.
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy

# The `security' table, for rules driven by a Mandatory Access Control
# policy; requires the SECURITY (LSM) framework to be enabled.
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables

# arptables front end, sharing the xtables core with iptables. Only shown
# on NETFILTER_ADVANCED configs; the filter/mangle tables below are gated
# on it.
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

# ARP `filter' table. Per the help text it also covers ARP forwarded
# across a bridge, which is where filtering of unexpected ARP replies
# between bridged segments would be expressed.
config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# Rewrites hardware/network addresses inside ARP payloads.
config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
