1# 2# IP netfilter configuration 3# 4 5menu "IP: Netfilter Configuration" 6 depends on INET && NETFILTER 7 8config NF_DEFRAG_IPV4 9 tristate 10 default n 11 12config NF_CONNTRACK_IPV4 13 tristate "IPv4 connection tracking support (required for NAT)" 14 depends on NF_CONNTRACK 15 default m if NETFILTER_ADVANCED=n 16 select NF_DEFRAG_IPV4 17 ---help--- 18 Connection tracking keeps a record of what packets have passed 19 through your machine, in order to figure out how they are grouped 20 into connections. 21 22 This is IPv4 support for Layer 3 independent connection tracking. 23 Layer 3 independent connection tracking is an experimental scheme 24 which generalizes ip_conntrack to support other layer 3 protocols. 25 26 To compile it as a module, choose M here. If unsure, say N. 27 28config NF_CONNTRACK_PROC_COMPAT 29 bool "proc/sysctl compatibility with old connection tracking" 30 depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4 31 default y 32 help 33 This option enables /proc and sysctl compatibility with the old 34 layer 3 dependent connection tracking. This is needed to keep 35 old programs that have not been adapted to the new names working. 36 37 If unsure, say Y. 38 39config NF_TABLES_IPV4 40 depends on NF_TABLES 41 tristate "IPv4 nf_tables support" 42 43config NFT_REJECT_IPV4 44 depends on NF_TABLES_IPV4 45 tristate "nf_tables IPv4 reject support" 46 47config NFT_CHAIN_ROUTE_IPV4 48 depends on NF_TABLES_IPV4 49 tristate "IPv4 nf_tables route chain support" 50 51config NFT_CHAIN_NAT_IPV4 52 depends on NF_TABLES_IPV4 53 depends on NF_NAT_IPV4 && NFT_NAT 54 tristate "IPv4 nf_tables nat chain support" 55 56config IP_NF_IPTABLES 57 tristate "IP tables support (required for filtering/masq/NAT)" 58 default m if NETFILTER_ADVANCED=n 59 select NETFILTER_XTABLES 60 help 61 iptables is a general, extensible packet identification framework. 
62 The packet filtering and full NAT (masquerading, port forwarding, 63 etc) subsystems now use this: say `Y' or `M' here if you want to use 64 either of those. 65 66 To compile it as a module, choose M here. If unsure, say N. 67 68if IP_NF_IPTABLES 69 70# The matches. 71config IP_NF_MATCH_AH 72 tristate '"ah" match support' 73 depends on NETFILTER_ADVANCED 74 help 75 This match extension allows you to match a range of SPIs 76 inside the AH header of IPsec packets. 77 78 To compile it as a module, choose M here. If unsure, say N. 79 80config IP_NF_MATCH_ECN 81 tristate '"ecn" match support' 82 depends on NETFILTER_ADVANCED 83 select NETFILTER_XT_MATCH_ECN 84 ---help--- 85 This is a backwards-compat option for the user's convenience 86 (e.g. when running oldconfig). It selects 87 CONFIG_NETFILTER_XT_MATCH_ECN. 88 89config IP_NF_MATCH_RPFILTER 90 tristate '"rpfilter" reverse path filter match support' 91 depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW) 92 ---help--- 93 This option allows you to match packets whose replies would 94 go out via the interface the packet came in on. 95 96 To compile it as a module, choose M here. If unsure, say N. 97 The module will be called ipt_rpfilter. 98 99config IP_NF_MATCH_TTL 100 tristate '"ttl" match support' 101 depends on NETFILTER_ADVANCED 102 select NETFILTER_XT_MATCH_HL 103 ---help--- 104 This is a backwards-compat option for the user's convenience 105 (e.g. when running oldconfig). It selects 106 CONFIG_NETFILTER_XT_MATCH_HL. 107 108# `filter', generic and specific targets 109config IP_NF_FILTER 110 tristate "Packet filtering" 111 default m if NETFILTER_ADVANCED=n 112 help 113 Packet filtering defines a table `filter', which has a series of 114 rules for simple packet filtering at local input, forwarding and 115 local output. See the man page for iptables(8). 116 117 To compile it as a module, choose M here. If unsure, say N. 
118 119config IP_NF_TARGET_REJECT 120 tristate "REJECT target support" 121 depends on IP_NF_FILTER 122 default m if NETFILTER_ADVANCED=n 123 help 124 The REJECT target allows a filtering rule to specify that an ICMP 125 error should be issued in response to an incoming packet, rather 126 than the packet being silently dropped. 127 128 To compile it as a module, choose M here. If unsure, say N. 129 130config IP_NF_TARGET_SYNPROXY 131 tristate "SYNPROXY target support" 132 depends on NF_CONNTRACK && NETFILTER_ADVANCED 133 select NETFILTER_SYNPROXY 134 select SYN_COOKIES 135 help 136 The SYNPROXY target allows you to intercept TCP connections and 137 establish them using syncookies before they are passed on to the 138 server. This avoids conntrack and server resource usage 139 during SYN-flood attacks. 140 141 To compile it as a module, choose M here. If unsure, say N. 142 143config IP_NF_TARGET_ULOG 144 tristate "ULOG target support (obsolete)" 145 default m if NETFILTER_ADVANCED=n 146 ---help--- 147 148 This option enables the old IPv4-only "ipt_ULOG" implementation 149 which has been obsoleted by the new "nfnetlink_log" code (see 150 CONFIG_NETFILTER_NETLINK_LOG). 151 152 This option adds a `ULOG' target, which allows you to create rules in 153 any iptables table. The packet is passed to a userspace logging 154 daemon using netlink multicast sockets, unlike the LOG target, 155 whose output can only be viewed through syslog. 156 157 The appropriate userspace logging daemon (ulogd) may be obtained from 158 <http://www.netfilter.org/projects/ulogd/index.html> 159 160 To compile it as a module, choose M here. If unsure, say N. 161 162# NAT + specific targets: nf_conntrack 163config NF_NAT_IPV4 164 tristate "IPv4 NAT" 165 depends on NF_CONNTRACK_IPV4 166 default m if NETFILTER_ADVANCED=n 167 select NF_NAT 168 help 169 The IPv4 NAT option allows masquerading, port forwarding and other 170 forms of full Network Address Port Translation. 
It is controlled by 171 the `nat' table in iptables: see the man page for iptables(8). 172 173 To compile it as a module, choose M here. If unsure, say N. 174 175if NF_NAT_IPV4 176 177config IP_NF_TARGET_MASQUERADE 178 tristate "MASQUERADE target support" 179 default m if NETFILTER_ADVANCED=n 180 help 181 Masquerading is a special case of NAT: all outgoing connections are 182 changed to seem to come from a particular interface's address, and 183 if the interface goes down, those connections are lost. This is 184 only useful for dialup accounts with a dynamic IP address (i.e. your IP 185 address will be different on the next dialup). 186 187 To compile it as a module, choose M here. If unsure, say N. 188 189config IP_NF_TARGET_NETMAP 190 tristate "NETMAP target support" 191 depends on NETFILTER_ADVANCED 192 select NETFILTER_XT_TARGET_NETMAP 193 ---help--- 194 This is a backwards-compat option for the user's convenience 195 (e.g. when running oldconfig). It selects 196 CONFIG_NETFILTER_XT_TARGET_NETMAP. 197 198config IP_NF_TARGET_REDIRECT 199 tristate "REDIRECT target support" 200 depends on NETFILTER_ADVANCED 201 select NETFILTER_XT_TARGET_REDIRECT 202 ---help--- 203 This is a backwards-compat option for the user's convenience 204 (e.g. when running oldconfig). It selects 205 CONFIG_NETFILTER_XT_TARGET_REDIRECT. 206 207endif 208 209config NF_NAT_SNMP_BASIC 210 tristate "Basic SNMP-ALG support" 211 depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4 212 depends on NETFILTER_ADVANCED 213 default NF_NAT && NF_CONNTRACK_SNMP 214 ---help--- 215 216 This module implements an Application Layer Gateway (ALG) for 217 SNMP payloads. In conjunction with NAT, it allows a network 218 management system to access multiple private networks with 219 conflicting addresses. It works by modifying IP addresses 220 inside SNMP payloads to match the IP-layer NAT mapping. 221 222 This is the "basic" form of SNMP-ALG, as described in RFC 2962. 223 224 To compile it as a module, choose M here. If unsure, say N. 
225 226# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), 227# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. 228# From kconfig-language.txt: 229# 230# <expr> '&&' <expr> (6) 231# 232# (6) Returns the result of min(/expr/, /expr/). 233 234config NF_NAT_PROTO_GRE 235 tristate 236 depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE 237 238config NF_NAT_PPTP 239 tristate 240 depends on NF_CONNTRACK && NF_NAT_IPV4 241 default NF_NAT_IPV4 && NF_CONNTRACK_PPTP 242 select NF_NAT_PROTO_GRE 243 244config NF_NAT_H323 245 tristate 246 depends on NF_CONNTRACK && NF_NAT_IPV4 247 default NF_NAT_IPV4 && NF_CONNTRACK_H323 248 249# mangle + specific targets 250config IP_NF_MANGLE 251 tristate "Packet mangling" 252 default m if NETFILTER_ADVANCED=n 253 help 254 This option adds a `mangle' table to iptables: see the man page for 255 iptables(8). This table is used for various packet alterations 256 which can affect how the packet is routed. 257 258 To compile it as a module, choose M here. If unsure, say N. 259 260config IP_NF_TARGET_CLUSTERIP 261 tristate "CLUSTERIP target support" 262 depends on IP_NF_MANGLE 263 depends on NF_CONNTRACK_IPV4 264 depends on NETFILTER_ADVANCED 265 select NF_CONNTRACK_MARK 266 help 267 The CLUSTERIP target allows you to build load-balancing clusters of 268 network servers without having a dedicated load-balancing 269 router/server/switch. 270 271 To compile it as a module, choose M here. If unsure, say N. 272 273config IP_NF_TARGET_ECN 274 tristate "ECN target support" 275 depends on IP_NF_MANGLE 276 depends on NETFILTER_ADVANCED 277 ---help--- 278 This option adds an `ECN' target, which can be used in the iptables mangle 279 table. 280 281 You can use this target to remove the ECN bits from the IPv4 header of 282 an IP packet. This is particularly useful if you need to work around 283 existing ECN blackholes on the internet, but don't want to disable 284 ECN support in general. 285 286 To compile it as a module, choose M here. If unsure, say N. 
287 288config IP_NF_TARGET_TTL 289 tristate '"TTL" target support' 290 depends on NETFILTER_ADVANCED && IP_NF_MANGLE 291 select NETFILTER_XT_TARGET_HL 292 ---help--- 293 This is a backwards-compatible option for the user's convenience 294 (e.g. when running oldconfig). It selects 295 CONFIG_NETFILTER_XT_TARGET_HL. 296 297# raw + specific targets 298config IP_NF_RAW 299 tristate 'raw table support (required for NOTRACK/TRACE)' 300 help 301 This option adds a `raw' table to iptables. This table is the very 302 first in the netfilter framework and hooks in at the PREROUTING 303 and OUTPUT chains. 304 305 If you want to compile it as a module, say M here and read 306 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 307 308# security table for MAC policy 309config IP_NF_SECURITY 310 tristate "Security table" 311 depends on SECURITY 312 depends on NETFILTER_ADVANCED 313 help 314 This option adds a `security' table to iptables, for use 315 with Mandatory Access Control (MAC) policy. 316 317 If unsure, say N. 318 319endif # IP_NF_IPTABLES 320 321# ARP tables 322config IP_NF_ARPTABLES 323 tristate "ARP tables support" 324 select NETFILTER_XTABLES 325 depends on NETFILTER_ADVANCED 326 help 327 arptables is a general, extensible packet identification framework. 328 The ARP packet filtering and mangling (manipulation) subsystems 329 use this: say Y or M here if you want to use either of those. 330 331 To compile it as a module, choose M here. If unsure, say N. 332 333if IP_NF_ARPTABLES 334 335config IP_NF_ARPFILTER 336 tristate "ARP packet filtering" 337 help 338 ARP packet filtering defines a table `filter', which has a series of 339 rules for simple ARP packet filtering at local input and 340 local output. On a bridge, you can also specify filtering rules 341 for forwarded ARP packets. See the man page for arptables(8). 342 343 To compile it as a module, choose M here. If unsure, say N. 
344 345config IP_NF_ARP_MANGLE 346 tristate "ARP payload mangling" 347 help 348 Allows altering the ARP packet payload: source and destination 349 hardware and network addresses. 350 351endif # IP_NF_ARPTABLES 352 353endmenu 354 355