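#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# No prompt: users cannot enable this directly; it is only pulled in via
# "select" from options that need IPv4 defragmentation.
config NF_DEFRAG_IPV4
	tristate
	default n

config NF_SOCKET_IPV4
	tristate "IPv4 socket lookup support"
	help
	  This option enables the IPv4 socket lookup infrastructure. This
	  is required by the {ip,nf}tables socket match.

config NF_TPROXY_IPV4
	tristate "IPv4 tproxy support"
	help
	  This option enables the IPv4 transparent proxy (tproxy)
	  infrastructure. This is required by the iptables TPROXY target.

if NF_TABLES

config NF_TABLES_IPV4
	bool "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

# No prompt: follows the value of NFT_REJECT and pulls in the IPv4
# reject core (NF_REJECT_IPV4).
config NFT_REJECT_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

# The "!NF_CONNTRACK || NF_CONNTRACK" dependency looks tautological; it is
# the usual Kconfig idiom to tie this tristate to NF_CONNTRACK so it cannot
# be built-in (y) while conntrack is a module (m).
config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.

config NFT_FIB_IPV4
	select NFT_FIB
	tristate "nf_tables fib / ip route lookup support"
	help
	  This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	bool "ARP nf_tables support"
	select NETFILTER_FAMILY_ARP
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_FLOW_TABLE_IPV4
	tristate "Netfilter flow table IPv4 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv4 support.

	  To compile it as a module, choose M here.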
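
# The "!NF_CONNTRACK || NF_CONNTRACK" dependency ties this tristate to
# NF_CONNTRACK's value (cannot be y while conntrack is m).
config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON
	help
	  This option provides the nf_log backend for ARP packets, used by
	  the netfilter logging facilities (e.g. the LOG target).

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON
	help
	  This option provides the nf_log backend for IPv4 packets, used by
	  the netfilter logging facilities (e.g. the LOG target).

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n
	help
	  This option provides the IPv4 packet rejection core (e.g. sending
	  ICMP errors) used by the iptables REJECT target and the nf_tables
	  reject expression.

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

# No prompt: enabled only via "select" from the masquerade users
# (NFT_MASQ_IPV4 here and IP_NF_TARGET_MASQUERADE in the iptables section).
config NF_NAT_MASQUERADE_IPV4
	bool

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.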
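
# This ALG parses untrusted SNMP (ASN.1) payloads inside the kernel and
# rewrites addresses in them; only enable it when the NAT/SNMP use case
# actually applies ("If unsure, say N" below).
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	select ASN1
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

# No prompt: pulled in by NF_NAT_PPTP below.
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

# No prompt: the PPTP and H.323 NAT helpers follow their conntrack
# helper counterparts via "default".
config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.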
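
config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

# Reverse path filtering as a per-rule match: commonly used to drop
# packets whose source address is not reachable via the ingress
# interface (source-address spoofing).
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.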
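
# SYN flood mitigation: completes the TCP handshake with SYN cookies
# (hence "select SYN_COOKIES") before creating conntrack state.
config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows avoiding conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.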
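
config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	select NETFILTER_FAMILY_ARP
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
# The raw table runs before connection tracking, which is what makes
# NOTRACK (exempting traffic from conntrack) and TRACE possible there.
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
# Requires an LSM (depends on SECURITY); this is where MAC labelling
# rules, e.g. SECMARK, are normally placed.
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	select NETFILTER_FAMILY_ARP
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu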