1# SPDX-License-Identifier: GPL-2.0-only 2# 3# IP netfilter configuration 4# 5 6menu "IP: Netfilter Configuration" 7 depends on INET && NETFILTER 8 9config NF_DEFRAG_IPV4 10 tristate 11 default n 12 13config NF_SOCKET_IPV4 14 tristate "IPv4 socket lookup support" 15 help 16 This option enables the IPv4 socket lookup infrastructure. This is 17 is required by the {ip,nf}tables socket match. 18 19config NF_TPROXY_IPV4 20 tristate "IPv4 tproxy support" 21 22if NF_TABLES 23 24config NF_TABLES_IPV4 25 bool "IPv4 nf_tables support" 26 help 27 This option enables the IPv4 support for nf_tables. 28 29if NF_TABLES_IPV4 30 31config NFT_REJECT_IPV4 32 select NF_REJECT_IPV4 33 default NFT_REJECT 34 tristate 35 36config NFT_DUP_IPV4 37 tristate "IPv4 nf_tables packet duplication support" 38 depends on !NF_CONNTRACK || NF_CONNTRACK 39 select NF_DUP_IPV4 40 help 41 This module enables IPv4 packet duplication support for nf_tables. 42 43config NFT_FIB_IPV4 44 select NFT_FIB 45 tristate "nf_tables fib / ip route lookup support" 46 help 47 This module enables IPv4 FIB lookups, e.g. for reverse path filtering. 48 It also allows query of the FIB for the route type, e.g. local, unicast, 49 multicast or blackhole. 50 51endif # NF_TABLES_IPV4 52 53config NF_TABLES_ARP 54 bool "ARP nf_tables support" 55 select NETFILTER_FAMILY_ARP 56 help 57 This option enables the ARP support for nf_tables. 58 59endif # NF_TABLES 60 61config NF_FLOW_TABLE_IPV4 62 tristate "Netfilter flow table IPv4 module" 63 depends on NF_FLOW_TABLE 64 help 65 This option adds the flow table IPv4 support. 66 67 To compile it as a module, choose M here. 68 69config NF_DUP_IPV4 70 tristate "Netfilter IPv4 packet duplication to alternate destination" 71 depends on !NF_CONNTRACK || NF_CONNTRACK 72 help 73 This option enables the nf_dup_ipv4 core, which duplicates an IPv4 74 packet to be rerouted to another destination. 75 76config NF_LOG_ARP 77 tristate "ARP packet logging" 78 default m if NETFILTER_ADVANCED=n 79 select NF_LOG_COMMON 80 81config NF_LOG_IPV4 82 tristate "IPv4 packet logging" 83 default m if NETFILTER_ADVANCED=n 84 select NF_LOG_SYSLOG 85 help 86 This is a backwards-compat option for the user's convenience 87 (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG. 88 89config NF_REJECT_IPV4 90 tristate "IPv4 packet rejection" 91 default m if NETFILTER_ADVANCED=n 92 93if NF_NAT 94config NF_NAT_SNMP_BASIC 95 tristate "Basic SNMP-ALG support" 96 depends on NF_CONNTRACK_SNMP 97 depends on NETFILTER_ADVANCED 98 default NF_NAT && NF_CONNTRACK_SNMP 99 select ASN1 100 help 101 102 This module implements an Application Layer Gateway (ALG) for 103 SNMP payloads. In conjunction with NAT, it allows a network 104 management system to access multiple private networks with 105 conflicting addresses. It works by modifying IP addresses 106 inside SNMP payloads to match IP-layer NAT mapping. 107 108 This is the "basic" form of SNMP-ALG, as described in RFC 2962 109 110 To compile it as a module, choose M here. If unsure, say N. 111 112config NF_NAT_PPTP 113 tristate 114 depends on NF_CONNTRACK 115 default NF_CONNTRACK_PPTP 116 117config NF_NAT_H323 118 tristate 119 depends on NF_CONNTRACK 120 default NF_CONNTRACK_H323 121 122endif # NF_NAT 123 124config IP_NF_IPTABLES 125 tristate "IP tables support (required for filtering/masq/NAT)" 126 default m if NETFILTER_ADVANCED=n 127 select NETFILTER_XTABLES 128 help 129 iptables is a general, extensible packet identification framework. 130 The packet filtering and full NAT (masquerading, port forwarding, 131 etc) subsystems now use this: say `Y' or `M' here if you want to use 132 either of those. 133 134 To compile it as a module, choose M here. If unsure, say N. 135 136if IP_NF_IPTABLES 137 138# The matches. 139config IP_NF_MATCH_AH 140 tristate '"ah" match support' 141 depends on NETFILTER_ADVANCED 142 help 143 This match extension allows you to match a range of SPIs 144 inside AH header of IPSec packets. 145 146 To compile it as a module, choose M here. If unsure, say N. 147 148config IP_NF_MATCH_ECN 149 tristate '"ecn" match support' 150 depends on NETFILTER_ADVANCED 151 select NETFILTER_XT_MATCH_ECN 152 help 153 This is a backwards-compat option for the user's convenience 154 (e.g. when running oldconfig). It selects 155 CONFIG_NETFILTER_XT_MATCH_ECN. 156 157config IP_NF_MATCH_RPFILTER 158 tristate '"rpfilter" reverse path filter match support' 159 depends on NETFILTER_ADVANCED 160 depends on IP_NF_MANGLE || IP_NF_RAW 161 help 162 This option allows you to match packets whose replies would 163 go out via the interface the packet came in. 164 165 To compile it as a module, choose M here. If unsure, say N. 166 The module will be called ipt_rpfilter. 167 168config IP_NF_MATCH_TTL 169 tristate '"ttl" match support' 170 depends on NETFILTER_ADVANCED 171 select NETFILTER_XT_MATCH_HL 172 help 173 This is a backwards-compat option for the user's convenience 174 (e.g. when running oldconfig). It selects 175 CONFIG_NETFILTER_XT_MATCH_HL. 176 177# `filter', generic and specific targets 178config IP_NF_FILTER 179 tristate "Packet filtering" 180 default m if NETFILTER_ADVANCED=n 181 help 182 Packet filtering defines a table `filter', which has a series of 183 rules for simple packet filtering at local input, forwarding and 184 local output. See the man page for iptables(8). 185 186 To compile it as a module, choose M here. If unsure, say N. 187 188config IP_NF_TARGET_REJECT 189 tristate "REJECT target support" 190 depends on IP_NF_FILTER 191 select NF_REJECT_IPV4 192 default m if NETFILTER_ADVANCED=n 193 help 194 The REJECT target allows a filtering rule to specify that an ICMP 195 error should be issued in response to an incoming packet, rather 196 than silently being dropped. 197 198 To compile it as a module, choose M here. If unsure, say N. 199 200config IP_NF_TARGET_SYNPROXY 201 tristate "SYNPROXY target support" 202 depends on NF_CONNTRACK && NETFILTER_ADVANCED 203 select NETFILTER_SYNPROXY 204 select SYN_COOKIES 205 help 206 The SYNPROXY target allows you to intercept TCP connections and 207 establish them using syncookies before they are passed on to the 208 server. This allows to avoid conntrack and server resource usage 209 during SYN-flood attacks. 210 211 To compile it as a module, choose M here. If unsure, say N. 212 213# NAT + specific targets: nf_conntrack 214config IP_NF_NAT 215 tristate "iptables NAT support" 216 depends on NF_CONNTRACK 217 default m if NETFILTER_ADVANCED=n 218 select NF_NAT 219 select NETFILTER_XT_NAT 220 help 221 This enables the `nat' table in iptables. This allows masquerading, 222 port forwarding and other forms of full Network Address Port 223 Translation. 224 225 To compile it as a module, choose M here. If unsure, say N. 226 227if IP_NF_NAT 228 229config IP_NF_TARGET_MASQUERADE 230 tristate "MASQUERADE target support" 231 select NETFILTER_XT_TARGET_MASQUERADE 232 help 233 This is a backwards-compat option for the user's convenience 234 (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE. 235 236config IP_NF_TARGET_NETMAP 237 tristate "NETMAP target support" 238 depends on NETFILTER_ADVANCED 239 select NETFILTER_XT_TARGET_NETMAP 240 help 241 This is a backwards-compat option for the user's convenience 242 (e.g. when running oldconfig). It selects 243 CONFIG_NETFILTER_XT_TARGET_NETMAP. 244 245config IP_NF_TARGET_REDIRECT 246 tristate "REDIRECT target support" 247 depends on NETFILTER_ADVANCED 248 select NETFILTER_XT_TARGET_REDIRECT 249 help 250 This is a backwards-compat option for the user's convenience 251 (e.g. when running oldconfig). It selects 252 CONFIG_NETFILTER_XT_TARGET_REDIRECT. 253 254endif # IP_NF_NAT 255 256# mangle + specific targets 257config IP_NF_MANGLE 258 tristate "Packet mangling" 259 default m if NETFILTER_ADVANCED=n 260 help 261 This option adds a `mangle' table to iptables: see the man page for 262 iptables(8). This table is used for various packet alterations 263 which can effect how the packet is routed. 264 265 To compile it as a module, choose M here. If unsure, say N. 266 267config IP_NF_TARGET_CLUSTERIP 268 tristate "CLUSTERIP target support" 269 depends on IP_NF_MANGLE 270 depends on NF_CONNTRACK 271 depends on NETFILTER_ADVANCED 272 select NF_CONNTRACK_MARK 273 select NETFILTER_FAMILY_ARP 274 help 275 The CLUSTERIP target allows you to build load-balancing clusters of 276 network servers without having a dedicated load-balancing 277 router/server/switch. 278 279 To compile it as a module, choose M here. If unsure, say N. 280 281config IP_NF_TARGET_ECN 282 tristate "ECN target support" 283 depends on IP_NF_MANGLE 284 depends on NETFILTER_ADVANCED 285 help 286 This option adds a `ECN' target, which can be used in the iptables mangle 287 table. 288 289 You can use this target to remove the ECN bits from the IPv4 header of 290 an IP packet. This is particularly useful, if you need to work around 291 existing ECN blackholes on the internet, but don't want to disable 292 ECN support in general. 293 294 To compile it as a module, choose M here. If unsure, say N. 295 296config IP_NF_TARGET_TTL 297 tristate '"TTL" target support' 298 depends on NETFILTER_ADVANCED && IP_NF_MANGLE 299 select NETFILTER_XT_TARGET_HL 300 help 301 This is a backwards-compatible option for the user's convenience 302 (e.g. when running oldconfig). It selects 303 CONFIG_NETFILTER_XT_TARGET_HL. 304 305# raw + specific targets 306config IP_NF_RAW 307 tristate 'raw table support (required for NOTRACK/TRACE)' 308 help 309 This option adds a `raw' table to iptables. This table is the very 310 first in the netfilter framework and hooks in at the PREROUTING 311 and OUTPUT chains. 312 313 If you want to compile it as a module, say M here and read 314 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 315 316# security table for MAC policy 317config IP_NF_SECURITY 318 tristate "Security table" 319 depends on SECURITY 320 depends on NETFILTER_ADVANCED 321 help 322 This option adds a `security' table to iptables, for use 323 with Mandatory Access Control (MAC) policy. 324 325 If unsure, say N. 326 327endif # IP_NF_IPTABLES 328 329# ARP tables 330config IP_NF_ARPTABLES 331 tristate "ARP tables support" 332 select NETFILTER_XTABLES 333 select NETFILTER_FAMILY_ARP 334 depends on NETFILTER_ADVANCED 335 help 336 arptables is a general, extensible packet identification framework. 337 The ARP packet filtering and mangling (manipulation)subsystems 338 use this: say Y or M here if you want to use either of those. 339 340 To compile it as a module, choose M here. If unsure, say N. 341 342if IP_NF_ARPTABLES 343 344config IP_NF_ARPFILTER 345 tristate "ARP packet filtering" 346 help 347 ARP packet filtering defines a table `filter', which has a series of 348 rules for simple ARP packet filtering at local input and 349 local output. On a bridge, you can also specify filtering rules 350 for forwarded ARP packets. See the man page for arptables(8). 351 352 To compile it as a module, choose M here. If unsure, say N. 353 354config IP_NF_ARP_MANGLE 355 tristate "ARP payload mangling" 356 help 357 Allows altering the ARP packet payload: source and destination 358 hardware and network addresses. 359 360endif # IP_NF_ARPTABLES 361 362endmenu 363 364