1# SPDX-License-Identifier: GPL-2.0-only
2#
3# IP netfilter configuration
4#
5
6menu "IP: Netfilter Configuration"
7	depends on INET && NETFILTER
8
9config NF_DEFRAG_IPV4
10	tristate
11	default n
12
13config NF_SOCKET_IPV4
14	tristate "IPv4 socket lookup support"
15	help
16	  This option enables the IPv4 socket lookup infrastructure. This is
17	  required by the {ip,nf}tables socket match.
18
19config NF_TPROXY_IPV4
20	tristate "IPv4 tproxy support"
21
22if NF_TABLES
23
24config NF_TABLES_IPV4
25	bool "IPv4 nf_tables support"
26	help
27	  This option enables the IPv4 support for nf_tables.
28
29if NF_TABLES_IPV4
30
31config NFT_REJECT_IPV4
32	select NF_REJECT_IPV4
33	default NFT_REJECT
34	tristate
35
36config NFT_DUP_IPV4
37	tristate "IPv4 nf_tables packet duplication support"
38	depends on !NF_CONNTRACK || NF_CONNTRACK
39	select NF_DUP_IPV4
40	help
41	  This module enables IPv4 packet duplication support for nf_tables.
42
43config NFT_FIB_IPV4
44	select NFT_FIB
45	tristate "nf_tables fib / ip route lookup support"
46	help
47	  This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
48	  It also allows query of the FIB for the route type, e.g. local, unicast,
49	  multicast or blackhole.
50
51endif # NF_TABLES_IPV4
52
53config NF_TABLES_ARP
54	bool "ARP nf_tables support"
55	select NETFILTER_FAMILY_ARP
56	help
57	  This option enables the ARP support for nf_tables.
58
59endif # NF_TABLES
60
61config NF_FLOW_TABLE_IPV4
62	tristate "Netfilter flow table IPv4 module"
63	depends on NF_FLOW_TABLE
64	help
65	  This option adds the flow table IPv4 support.
66
67	  To compile it as a module, choose M here.
68
69config NF_DUP_IPV4
70	tristate "Netfilter IPv4 packet duplication to alternate destination"
71	depends on !NF_CONNTRACK || NF_CONNTRACK
72	help
73	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
74	  packet to be rerouted to another destination.
75
76config NF_LOG_ARP
77	tristate "ARP packet logging"
78	default m if NETFILTER_ADVANCED=n
79	select NF_LOG_COMMON
80
81config NF_LOG_IPV4
82	tristate "IPv4 packet logging"
83	default m if NETFILTER_ADVANCED=n
84	select NF_LOG_SYSLOG
85	help
86	This is a backwards-compat option for the user's convenience
87	(e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.
88
89config NF_REJECT_IPV4
90	tristate "IPv4 packet rejection"
91	default m if NETFILTER_ADVANCED=n
92
93if NF_NAT
94config NF_NAT_SNMP_BASIC
95	tristate "Basic SNMP-ALG support"
96	depends on NF_CONNTRACK_SNMP
97	depends on NETFILTER_ADVANCED
98	default NF_NAT && NF_CONNTRACK_SNMP
99	select ASN1
100	help
101
102	  This module implements an Application Layer Gateway (ALG) for
103	  SNMP payloads.  In conjunction with NAT, it allows a network
104	  management system to access multiple private networks with
105	  conflicting addresses.  It works by modifying IP addresses
106	  inside SNMP payloads to match IP-layer NAT mapping.
107
108	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.
109
110	  To compile it as a module, choose M here.  If unsure, say N.
111
112config NF_NAT_PPTP
113	tristate
114	depends on NF_CONNTRACK
115	default NF_CONNTRACK_PPTP
116
117config NF_NAT_H323
118	tristate
119	depends on NF_CONNTRACK
120	default NF_CONNTRACK_H323
121
122endif # NF_NAT
123
124config IP_NF_IPTABLES
125	tristate "IP tables support (required for filtering/masq/NAT)"
126	default m if NETFILTER_ADVANCED=n
127	select NETFILTER_XTABLES
128	help
129	  iptables is a general, extensible packet identification framework.
130	  The packet filtering and full NAT (masquerading, port forwarding,
131	  etc) subsystems now use this: say `Y' or `M' here if you want to use
132	  either of those.
133
134	  To compile it as a module, choose M here.  If unsure, say N.
135
136if IP_NF_IPTABLES
137
138# The matches.
139config IP_NF_MATCH_AH
140	tristate '"ah" match support'
141	depends on NETFILTER_ADVANCED
142	help
143	  This match extension allows you to match a range of SPIs
144	  inside AH header of IPSec packets.
145
146	  To compile it as a module, choose M here.  If unsure, say N.
147
148config IP_NF_MATCH_ECN
149	tristate '"ecn" match support'
150	depends on NETFILTER_ADVANCED
151	select NETFILTER_XT_MATCH_ECN
152	help
153	This is a backwards-compat option for the user's convenience
154	(e.g. when running oldconfig). It selects
155	CONFIG_NETFILTER_XT_MATCH_ECN.
156
157config IP_NF_MATCH_RPFILTER
158	tristate '"rpfilter" reverse path filter match support'
159	depends on NETFILTER_ADVANCED
160	depends on IP_NF_MANGLE || IP_NF_RAW
161	help
162	  This option allows you to match packets whose replies would
163	  go out via the interface the packet came in.
164
165	  To compile it as a module, choose M here.  If unsure, say N.
166	  The module will be called ipt_rpfilter.
167
168config IP_NF_MATCH_TTL
169	tristate '"ttl" match support'
170	depends on NETFILTER_ADVANCED
171	select NETFILTER_XT_MATCH_HL
172	help
173	This is a backwards-compat option for the user's convenience
174	(e.g. when running oldconfig). It selects
175	CONFIG_NETFILTER_XT_MATCH_HL.
176
177# `filter', generic and specific targets
178config IP_NF_FILTER
179	tristate "Packet filtering"
180	default m if NETFILTER_ADVANCED=n
181	help
182	  Packet filtering defines a table `filter', which has a series of
183	  rules for simple packet filtering at local input, forwarding and
184	  local output.  See the man page for iptables(8).
185
186	  To compile it as a module, choose M here.  If unsure, say N.
187
188config IP_NF_TARGET_REJECT
189	tristate "REJECT target support"
190	depends on IP_NF_FILTER
191	select NF_REJECT_IPV4
192	default m if NETFILTER_ADVANCED=n
193	help
194	  The REJECT target allows a filtering rule to specify that an ICMP
195	  error should be issued in response to an incoming packet, rather
196	  than silently being dropped.
197
198	  To compile it as a module, choose M here.  If unsure, say N.
199
200config IP_NF_TARGET_SYNPROXY
201	tristate "SYNPROXY target support"
202	depends on NF_CONNTRACK && NETFILTER_ADVANCED
203	select NETFILTER_SYNPROXY
204	select SYN_COOKIES
205	help
206	  The SYNPROXY target allows you to intercept TCP connections and
207	  establish them using syncookies before they are passed on to the
208	  server. This avoids conntrack and server resource usage
209	  during SYN-flood attacks.
210
211	  To compile it as a module, choose M here. If unsure, say N.
212
213# NAT + specific targets: nf_conntrack
214config IP_NF_NAT
215	tristate "iptables NAT support"
216	depends on NF_CONNTRACK
217	default m if NETFILTER_ADVANCED=n
218	select NF_NAT
219	select NETFILTER_XT_NAT
220	help
221	  This enables the `nat' table in iptables. This allows masquerading,
222	  port forwarding and other forms of full Network Address Port
223	  Translation.
224
225	  To compile it as a module, choose M here.  If unsure, say N.
226
227if IP_NF_NAT
228
229config IP_NF_TARGET_MASQUERADE
230	tristate "MASQUERADE target support"
231	select NETFILTER_XT_TARGET_MASQUERADE
232	help
233	  This is a backwards-compat option for the user's convenience
234	  (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
235
236config IP_NF_TARGET_NETMAP
237	tristate "NETMAP target support"
238	depends on NETFILTER_ADVANCED
239	select NETFILTER_XT_TARGET_NETMAP
240	help
241	This is a backwards-compat option for the user's convenience
242	(e.g. when running oldconfig). It selects
243	CONFIG_NETFILTER_XT_TARGET_NETMAP.
244
245config IP_NF_TARGET_REDIRECT
246	tristate "REDIRECT target support"
247	depends on NETFILTER_ADVANCED
248	select NETFILTER_XT_TARGET_REDIRECT
249	help
250	This is a backwards-compat option for the user's convenience
251	(e.g. when running oldconfig). It selects
252	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
253
254endif # IP_NF_NAT
255
256# mangle + specific targets
257config IP_NF_MANGLE
258	tristate "Packet mangling"
259	default m if NETFILTER_ADVANCED=n
260	help
261	  This option adds a `mangle' table to iptables: see the man page for
262	  iptables(8).  This table is used for various packet alterations
263	  which can affect how the packet is routed.
264
265	  To compile it as a module, choose M here.  If unsure, say N.
266
267config IP_NF_TARGET_CLUSTERIP
268	tristate "CLUSTERIP target support"
269	depends on IP_NF_MANGLE
270	depends on NF_CONNTRACK
271	depends on NETFILTER_ADVANCED
272	select NF_CONNTRACK_MARK
273	select NETFILTER_FAMILY_ARP
274	help
275	  The CLUSTERIP target allows you to build load-balancing clusters of
276	  network servers without having a dedicated load-balancing
277	  router/server/switch.
278
279	  To compile it as a module, choose M here.  If unsure, say N.
280
281config IP_NF_TARGET_ECN
282	tristate "ECN target support"
283	depends on IP_NF_MANGLE
284	depends on NETFILTER_ADVANCED
285	help
286	  This option adds an `ECN' target, which can be used in the iptables mangle
287	  table.
288
289	  You can use this target to remove the ECN bits from the IPv4 header of
290	  an IP packet.  This is particularly useful, if you need to work around
291	  existing ECN blackholes on the internet, but don't want to disable
292	  ECN support in general.
293
294	  To compile it as a module, choose M here.  If unsure, say N.
295
296config IP_NF_TARGET_TTL
297	tristate '"TTL" target support'
298	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
299	select NETFILTER_XT_TARGET_HL
300	help
301	This is a backwards-compatible option for the user's convenience
302	(e.g. when running oldconfig). It selects
303	CONFIG_NETFILTER_XT_TARGET_HL.
304
305# raw + specific targets
306config IP_NF_RAW
307	tristate 'raw table support (required for NOTRACK/TRACE)'
308	help
309	  This option adds a `raw' table to iptables. This table is the very
310	  first in the netfilter framework and hooks in at the PREROUTING
311	  and OUTPUT chains.
312
313	  If you want to compile it as a module, say M here and read
314	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
315
316# security table for MAC policy
317config IP_NF_SECURITY
318	tristate "Security table"
319	depends on SECURITY
320	depends on NETFILTER_ADVANCED
321	help
322	  This option adds a `security' table to iptables, for use
323	  with Mandatory Access Control (MAC) policy.
324
325	  If unsure, say N.
326
327endif # IP_NF_IPTABLES
328
329# ARP tables
330config IP_NF_ARPTABLES
331	tristate "ARP tables support"
332	select NETFILTER_XTABLES
333	select NETFILTER_FAMILY_ARP
334	depends on NETFILTER_ADVANCED
335	help
336	  arptables is a general, extensible packet identification framework.
337	  The ARP packet filtering and mangling (manipulation) subsystems
338	  use this: say Y or M here if you want to use either of those.
339
340	  To compile it as a module, choose M here.  If unsure, say N.
341
342if IP_NF_ARPTABLES
343
344config IP_NF_ARPFILTER
345	tristate "ARP packet filtering"
346	help
347	  ARP packet filtering defines a table `filter', which has a series of
348	  rules for simple ARP packet filtering at local input and
349	  local output.  On a bridge, you can also specify filtering rules
350	  for forwarded ARP packets. See the man page for arptables(8).
351
352	  To compile it as a module, choose M here.  If unsure, say N.
353
354config IP_NF_ARP_MANGLE
355	tristate "ARP payload mangling"
356	help
357	  Allows altering the ARP packet payload: source and destination
358	  hardware and network addresses.
359
360endif # IP_NF_ARPTABLES
361
362endmenu
363
364