1# 2# IP netfilter configuration 3# 4 5menu "IP: Netfilter Configuration" 6 depends on INET && NETFILTER 7 8config NF_DEFRAG_IPV4 9 tristate 10 default n 11 12config NF_CONNTRACK_IPV4 13 tristate "IPv4 connection tracking support (required for NAT)" 14 depends on NF_CONNTRACK 15 default m if NETFILTER_ADVANCED=n 16 select NF_DEFRAG_IPV4 17 ---help--- 18 Connection tracking keeps a record of what packets have passed 19 through your machine, in order to figure out how they are related 20 into connections. 21 22 This is IPv4 support on Layer 3 independent connection tracking. 23 Layer 3 independent connection tracking is an experimental scheme 24 which generalizes ip_conntrack to support other layer 3 protocols. 25 26 To compile it as a module, choose M here. If unsure, say N. 27 28config NF_CONNTRACK_PROC_COMPAT 29 bool "proc/sysctl compatibility with old connection tracking" 30 depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4 31 default y 32 help 33 This option enables /proc and sysctl compatibility with the old 34 layer 3 dependent connection tracking. This is needed to keep 35 old programs that have not been adapted to the new names working. 36 37 If unsure, say Y. 38 39if NF_TABLES 40 41config NF_TABLES_IPV4 42 tristate "IPv4 nf_tables support" 43 help 44 This option enables the IPv4 support for nf_tables. 45 46if NF_TABLES_IPV4 47 48config NFT_CHAIN_ROUTE_IPV4 49 tristate "IPv4 nf_tables route chain support" 50 help 51 This option enables the "route" chain for IPv4 in nf_tables. This 52 chain type is used to force packet re-routing after mangling header 53 fields such as the source, destination, type of service and 54 the packet mark. 55 56config NFT_REJECT_IPV4 57 select NF_REJECT_IPV4 58 default NFT_REJECT 59 tristate 60 61endif # NF_TABLES_IPV4 62 63config NF_TABLES_ARP 64 tristate "ARP nf_tables support" 65 help 66 This option enables the ARP support for nf_tables. 
67 68endif # NF_TABLES 69 70config NF_LOG_ARP 71 tristate "ARP packet logging" 72 default m if NETFILTER_ADVANCED=n 73 select NF_LOG_COMMON 74 75config NF_LOG_IPV4 76 tristate "IPv4 packet logging" 77 default m if NETFILTER_ADVANCED=n 78 select NF_LOG_COMMON 79 80config NF_REJECT_IPV4 81 tristate "IPv4 packet rejection" 82 default m if NETFILTER_ADVANCED=n 83 84config NF_NAT_IPV4 85 tristate "IPv4 NAT" 86 depends on NF_CONNTRACK_IPV4 87 default m if NETFILTER_ADVANCED=n 88 select NF_NAT 89 help 90 The IPv4 NAT option allows masquerading, port forwarding and other 91 forms of full Network Address Port Translation. This can be 92 controlled by iptables or nft. 93 94if NF_NAT_IPV4 95 96config NFT_CHAIN_NAT_IPV4 97 depends on NF_TABLES_IPV4 98 tristate "IPv4 nf_tables nat chain support" 99 help 100 This option enables the "nat" chain for IPv4 in nf_tables. This 101 chain type is used to perform Network Address Translation (NAT) 102 packet transformations such as the source, destination address and 103 source and destination ports. 104 105config NF_NAT_MASQUERADE_IPV4 106 tristate "IPv4 masquerade support" 107 help 108 This is the kernel functionality to provide NAT in the masquerade 109 flavour (automatic source address selection). 110 111config NFT_MASQ_IPV4 112 tristate "IPv4 masquerading support for nf_tables" 113 depends on NF_TABLES_IPV4 114 depends on NFT_MASQ 115 select NF_NAT_MASQUERADE_IPV4 116 help 117 This is the expression that provides IPv4 masquerading support for 118 nf_tables. 119 120config NFT_REDIR_IPV4 121 tristate "IPv4 redirect support for nf_tables" 122 depends on NF_TABLES_IPV4 123 depends on NFT_REDIR 124 select NF_NAT_REDIRECT 125 help 126 This is the expression that provides IPv4 redirect support for 127 nf_tables. 
128 129config NF_NAT_SNMP_BASIC 130 tristate "Basic SNMP-ALG support" 131 depends on NF_CONNTRACK_SNMP 132 depends on NETFILTER_ADVANCED 133 default NF_NAT && NF_CONNTRACK_SNMP 134 ---help--- 135 136 This module implements an Application Layer Gateway (ALG) for 137 SNMP payloads. In conjunction with NAT, it allows a network 138 management system to access multiple private networks with 139 conflicting addresses. It works by modifying IP addresses 140 inside SNMP payloads to match IP-layer NAT mapping. 141 142 This is the "basic" form of SNMP-ALG, as described in RFC 2962. 143 144 To compile it as a module, choose M here. If unsure, say N. 145 146config NF_NAT_PROTO_GRE 147 tristate 148 depends on NF_CT_PROTO_GRE 149 150config NF_NAT_PPTP 151 tristate 152 depends on NF_CONNTRACK 153 default NF_CONNTRACK_PPTP 154 select NF_NAT_PROTO_GRE 155 156config NF_NAT_H323 157 tristate 158 depends on NF_CONNTRACK 159 default NF_CONNTRACK_H323 160 161endif # NF_NAT_IPV4 162 163config IP_NF_IPTABLES 164 tristate "IP tables support (required for filtering/masq/NAT)" 165 default m if NETFILTER_ADVANCED=n 166 select NETFILTER_XTABLES 167 help 168 iptables is a general, extensible packet identification framework. 169 The packet filtering and full NAT (masquerading, port forwarding, 170 etc) subsystems now use this: say `Y' or `M' here if you want to use 171 either of those. 172 173 To compile it as a module, choose M here. If unsure, say N. 174 175if IP_NF_IPTABLES 176 177# The matches. 178config IP_NF_MATCH_AH 179 tristate '"ah" match support' 180 depends on NETFILTER_ADVANCED 181 help 182 This match extension allows you to match a range of SPIs 183 inside AH header of IPSec packets. 184 185 To compile it as a module, choose M here. If unsure, say N. 186 187config IP_NF_MATCH_ECN 188 tristate '"ecn" match support' 189 depends on NETFILTER_ADVANCED 190 select NETFILTER_XT_MATCH_ECN 191 ---help--- 192 This is a backwards-compat option for the user's convenience 193 (e.g. 
when running oldconfig). It selects 194 CONFIG_NETFILTER_XT_MATCH_ECN. 195 196config IP_NF_MATCH_RPFILTER 197 tristate '"rpfilter" reverse path filter match support' 198 depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW) 199 ---help--- 200 This option allows you to match packets whose replies would 201 go out via the interface the packet came in on. 202 203 To compile it as a module, choose M here. If unsure, say N. 204 The module will be called ipt_rpfilter. 205 206config IP_NF_MATCH_TTL 207 tristate '"ttl" match support' 208 depends on NETFILTER_ADVANCED 209 select NETFILTER_XT_MATCH_HL 210 ---help--- 211 This is a backwards-compat option for the user's convenience 212 (e.g. when running oldconfig). It selects 213 CONFIG_NETFILTER_XT_MATCH_HL. 214 215# `filter', generic and specific targets 216config IP_NF_FILTER 217 tristate "Packet filtering" 218 default m if NETFILTER_ADVANCED=n 219 help 220 Packet filtering defines a table `filter', which has a series of 221 rules for simple packet filtering at local input, forwarding and 222 local output. See the man page for iptables(8). 223 224 To compile it as a module, choose M here. If unsure, say N. 225 226config IP_NF_TARGET_REJECT 227 tristate "REJECT target support" 228 depends on IP_NF_FILTER 229 select NF_REJECT_IPV4 230 default m if NETFILTER_ADVANCED=n 231 help 232 The REJECT target allows a filtering rule to specify that an ICMP 233 error should be issued in response to an incoming packet, rather 234 than silently being dropped. 235 236 To compile it as a module, choose M here. If unsure, say N. 237 238config IP_NF_TARGET_SYNPROXY 239 tristate "SYNPROXY target support" 240 depends on NF_CONNTRACK && NETFILTER_ADVANCED 241 select NETFILTER_SYNPROXY 242 select SYN_COOKIES 243 help 244 The SYNPROXY target allows you to intercept TCP connections and 245 establish them using syncookies before they are passed on to the 246 server. 
This avoids conntrack and server resource usage 247 during SYN-flood attacks. 248 249 To compile it as a module, choose M here. If unsure, say N. 250 251# NAT + specific targets: nf_conntrack 252config IP_NF_NAT 253 tristate "iptables NAT support" 254 depends on NF_CONNTRACK_IPV4 255 default m if NETFILTER_ADVANCED=n 256 select NF_NAT 257 select NF_NAT_IPV4 258 select NETFILTER_XT_NAT 259 help 260 This enables the `nat' table in iptables. This allows masquerading, 261 port forwarding and other forms of full Network Address Port 262 Translation. 263 264 To compile it as a module, choose M here. If unsure, say N. 265 266if IP_NF_NAT 267 268config IP_NF_TARGET_MASQUERADE 269 tristate "MASQUERADE target support" 270 select NF_NAT_MASQUERADE_IPV4 271 default m if NETFILTER_ADVANCED=n 272 help 273 Masquerading is a special case of NAT: all outgoing connections are 274 changed to seem to come from a particular interface's address, and 275 if the interface goes down, those connections are lost. This is 276 only useful for dialup accounts with dynamic IP address (i.e. your IP 277 address will be different on next dialup). 278 279 To compile it as a module, choose M here. If unsure, say N. 280 281config IP_NF_TARGET_NETMAP 282 tristate "NETMAP target support" 283 depends on NETFILTER_ADVANCED 284 select NETFILTER_XT_TARGET_NETMAP 285 ---help--- 286 This is a backwards-compat option for the user's convenience 287 (e.g. when running oldconfig). It selects 288 CONFIG_NETFILTER_XT_TARGET_NETMAP. 289 290config IP_NF_TARGET_REDIRECT 291 tristate "REDIRECT target support" 292 depends on NETFILTER_ADVANCED 293 select NETFILTER_XT_TARGET_REDIRECT 294 ---help--- 295 This is a backwards-compat option for the user's convenience 296 (e.g. when running oldconfig). It selects 297 CONFIG_NETFILTER_XT_TARGET_REDIRECT. 
298 299endif # IP_NF_NAT 300 301# mangle + specific targets 302config IP_NF_MANGLE 303 tristate "Packet mangling" 304 default m if NETFILTER_ADVANCED=n 305 help 306 This option adds a `mangle' table to iptables: see the man page for 307 iptables(8). This table is used for various packet alterations 308 which can affect how the packet is routed. 309 310 To compile it as a module, choose M here. If unsure, say N. 311 312config IP_NF_TARGET_CLUSTERIP 313 tristate "CLUSTERIP target support" 314 depends on IP_NF_MANGLE 315 depends on NF_CONNTRACK_IPV4 316 depends on NETFILTER_ADVANCED 317 select NF_CONNTRACK_MARK 318 help 319 The CLUSTERIP target allows you to build load-balancing clusters of 320 network servers without having a dedicated load-balancing 321 router/server/switch. 322 323 To compile it as a module, choose M here. If unsure, say N. 324 325config IP_NF_TARGET_ECN 326 tristate "ECN target support" 327 depends on IP_NF_MANGLE 328 depends on NETFILTER_ADVANCED 329 ---help--- 330 This option adds an `ECN' target, which can be used in the iptables mangle 331 table. 332 333 You can use this target to remove the ECN bits from the IPv4 header of 334 an IP packet. This is particularly useful, if you need to work around 335 existing ECN blackholes on the internet, but don't want to disable 336 ECN support in general. 337 338 To compile it as a module, choose M here. If unsure, say N. 339 340config IP_NF_TARGET_TTL 341 tristate '"TTL" target support' 342 depends on NETFILTER_ADVANCED && IP_NF_MANGLE 343 select NETFILTER_XT_TARGET_HL 344 ---help--- 345 This is a backwards-compatible option for the user's convenience 346 (e.g. when running oldconfig). It selects 347 CONFIG_NETFILTER_XT_TARGET_HL. 348 349# raw + specific targets 350config IP_NF_RAW 351 tristate 'raw table support (required for NOTRACK/TRACE)' 352 help 353 This option adds a `raw' table to iptables. 
This table is the very 354 first in the netfilter framework and hooks in at the PREROUTING 355 and OUTPUT chains. 356 357 If you want to compile it as a module, say M here and read 358 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 359 360# security table for MAC policy 361config IP_NF_SECURITY 362 tristate "Security table" 363 depends on SECURITY 364 depends on NETFILTER_ADVANCED 365 help 366 This option adds a `security' table to iptables, for use 367 with Mandatory Access Control (MAC) policy. 368 369 If unsure, say N. 370 371endif # IP_NF_IPTABLES 372 373# ARP tables 374config IP_NF_ARPTABLES 375 tristate "ARP tables support" 376 select NETFILTER_XTABLES 377 depends on NETFILTER_ADVANCED 378 help 379 arptables is a general, extensible packet identification framework. 380 The ARP packet filtering and mangling (manipulation) subsystems 381 use this: say Y or M here if you want to use either of those. 382 383 To compile it as a module, choose M here. If unsure, say N. 384 385if IP_NF_ARPTABLES 386 387config IP_NF_ARPFILTER 388 tristate "ARP packet filtering" 389 help 390 ARP packet filtering defines a table `filter', which has a series of 391 rules for simple ARP packet filtering at local input and 392 local output. On a bridge, you can also specify filtering rules 393 for forwarded ARP packets. See the man page for arptables(8). 394 395 To compile it as a module, choose M here. If unsure, say N. 396 397config IP_NF_ARP_MANGLE 398 tristate "ARP payload mangling" 399 help 400 Allows altering the ARP packet payload: source and destination 401 hardware and network addresses. 402 403endif # IP_NF_ARPTABLES 404 405endmenu 406 407