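#
# IP netfilter configuration
#
# Layout: one "config" entry per option, attributes indented by one tab,
# help text by a tab plus two spaces. "help" is used throughout (the older
# "---help---" spelling is an alias for the same keyword).
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_SOCKET_IPV4
	tristate "IPv4 socket lookup support"
	help
	  This option enables the IPv4 socket lookup infrastructure. This
	  is required by the {ip,nf}tables socket match.

config NF_TPROXY_IPV4
	tristate "IPv4 tproxy support"

if NF_TABLES

config NF_TABLES_IPV4
	bool "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NFT_REJECT_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	# Deliberate tautology: "!X || X" evaluates to m when X=m, so this
	# option is limited to =m whenever NF_CONNTRACK is built as a module.
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.

config NFT_FIB_IPV4
	select NFT_FIB
	tristate "nf_tables fib / ip route lookup support"
	help
	  This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	bool "ARP nf_tables support"
	select NETFILTER_FAMILY_ARP
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_FLOW_TABLE_IPV4
	tristate "Netfilter flow table IPv4 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv4 support.

	  To compile it as a module, choose M here.

config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	# Same tautology as NFT_DUP_IPV4: forces =m when NF_CONNTRACK=m.
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

if NF_NAT

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	select ASN1
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage during
	  SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	select NETFILTER_FAMILY_ARP
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	select NETFILTER_FAMILY_ARP
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu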