#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config NF_TABLES_IPV4
	depends on NF_TABLES
	tristate "IPv4 nf_tables support"

config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4
	tristate "nf_tables IPv4 reject support"

config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	depends on NF_NAT_IPV4 && NFT_NAT
	tristate "IPv4 nf_tables nat chain support"

config NF_TABLES_ARP
	depends on NF_TABLES
	tristate "ARP nf_tables support"

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in on.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than the packet being silently dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage during
	  SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support (obsolete)"
	default m if NETFILTER_ADVANCED=n
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_NAT_IPV4

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate  'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
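Added example, not part of this Kconfig file or of the kernel tree: a POSIX shell script that emits the iptables rule set the SYNPROXY target, the raw table and the rpfilter match above are built for (SYN-flood mitigation without conntrack cost, plus reverse-path anti-spoofing). It assumes an iptables with the CT, SYNPROXY, conntrack and rpfilter extensions available; the function names are my own.

```shell
#!/bin/sh
# Added example: generate (and optionally apply, as root) the rules that
# pair with IP_NF_TARGET_SYNPROXY, IP_NF_RAW and IP_NF_MATCH_RPFILTER.
# Assumes iptables with the CT, SYNPROXY, conntrack and rpfilter extensions.

# Emit the SYNPROXY rules for one TCP port. Prints nothing and returns 1
# if the port is not a number in 1..65535 (input validation is the edge
# case a generator script must not skip, since the output is run as root).
synproxy_rules() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    cat <<EOF
# Do not create conntrack entries for the initial SYN: during a flood each
# half-open connection would otherwise cost a conntrack slot.
iptables -t raw -A PREROUTING -p tcp --dport $port --syn -j CT --notrack
# Untracked SYNs and the client's final ACK are handled by SYNPROXY with
# syncookies; only a completed handshake is forwarded to the server.
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
# Anything else conntrack considers invalid on that port is dropped.
iptables -A INPUT -p tcp --dport $port -m conntrack --ctstate INVALID -j DROP
# SYNPROXY requires strict TCP tracking (no mid-stream pickup of flows).
sysctl -w net.netfilter.nf_conntrack_tcp_loose=0
EOF
}

# Emit the reverse-path anti-spoofing rule built on the rpfilter match:
# drop packets whose reply would not leave via the interface they arrived on.
rpfilter_rules() {
    cat <<EOF
iptables -t raw -A PREROUTING -m rpfilter --invert -j DROP
EOF
}

# Count rule lines (non-comment, non-empty) in a generated rule set on stdin.
count_rules() {
    grep -c '^[^#]'
}

# Default run: print the rule set for port 80 (or $1). To apply as root:
#   sh this_script.sh 443 | sh
synproxy_rules "${1:-80}"
rpfilter_rules
```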