1#
2# IP netfilter configuration
3#
4
5menu "IP: Netfilter Configuration"
6	depends on INET && NETFILTER
7
8config NF_DEFRAG_IPV4
9	tristate
10	default n
11
12config NF_CONNTRACK_IPV4
13	tristate "IPv4 connection tracking support (required for NAT)"
14	depends on NF_CONNTRACK
15	default m if NETFILTER_ADVANCED=n
16	select NF_DEFRAG_IPV4
17	---help---
18	  Connection tracking keeps a record of what packets have passed
19	  through your machine, in order to figure out how they are related
20	  into connections.
21
22	  This is IPv4 support on Layer 3 independent connection tracking.
23	  Layer 3 independent connection tracking is an experimental scheme
24	  which generalizes ip_conntrack to support other layer 3 protocols.
25
26	  To compile it as a module, choose M here.  If unsure, say N.
27
28config NF_CONNTRACK_PROC_COMPAT
29	bool "proc/sysctl compatibility with old connection tracking"
30	depends on NF_CONNTRACK_IPV4
31	default y
32	help
33	  This option enables /proc and sysctl compatibility with the old
34	  layer 3 dependent connection tracking. This is needed to keep
35	  old programs that have not been adapted to the new names working.
36
37	  If unsure, say Y.
38
39config IP_NF_QUEUE
40	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
41	depends on NETFILTER_ADVANCED
42	help
43	  Netfilter has the ability to queue packets to user space: the
44	  netlink device can be used to access them using this driver.
45
46	  This option enables the old IPv4-only "ip_queue" implementation
47	  which has been obsoleted by the new "nfnetlink_queue" code (see
48	  CONFIG_NETFILTER_NETLINK_QUEUE).
49
50	  To compile it as a module, choose M here.  If unsure, say N.
51
52config IP_NF_IPTABLES
53	tristate "IP tables support (required for filtering/masq/NAT)"
54	default m if NETFILTER_ADVANCED=n
55	select NETFILTER_XTABLES
56	help
57	  iptables is a general, extensible packet identification framework.
58	  The packet filtering and full NAT (masquerading, port forwarding,
59	  etc) subsystems now use this: say `Y' or `M' here if you want to use
60	  either of those.
61
62	  To compile it as a module, choose M here.  If unsure, say N.
63
64if IP_NF_IPTABLES
65
66# The matches.
67config IP_NF_MATCH_ADDRTYPE
68	tristate '"addrtype" address type match support'
69	depends on NETFILTER_ADVANCED
70	help
71	  This option allows you to match what routing thinks of an address,
72	  e.g. UNICAST, LOCAL, BROADCAST, ...
73
74	  If you want to compile it as a module, say M here and read
75	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
76
77config IP_NF_MATCH_AH
78	tristate '"ah" match support'
79	depends on NETFILTER_ADVANCED
80	help
81	  This match extension allows you to match a range of SPIs
82	  inside the AH header of IPsec packets.
83
84	  To compile it as a module, choose M here.  If unsure, say N.
85
86config IP_NF_MATCH_ECN
87	tristate '"ecn" match support'
88	depends on NETFILTER_ADVANCED
89	help
90	  This option adds an `ECN' match, which allows you to match against
91	  the IPv4 and TCP header ECN fields.
92
93	  To compile it as a module, choose M here.  If unsure, say N.
94
95config IP_NF_MATCH_TTL
96	tristate '"ttl" match support'
97	depends on NETFILTER_ADVANCED
98	help
99	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
100	  to match packets by their TTL value.
101
102	  To compile it as a module, choose M here.  If unsure, say N.
103
104# `filter', generic and specific targets
105config IP_NF_FILTER
106	tristate "Packet filtering"
107	default m if NETFILTER_ADVANCED=n
108	help
109	  Packet filtering defines a table `filter', which has a series of
110	  rules for simple packet filtering at local input, forwarding and
111	  local output.  See the man page for iptables(8).
112
113	  To compile it as a module, choose M here.  If unsure, say N.
114
115config IP_NF_TARGET_REJECT
116	tristate "REJECT target support"
117	depends on IP_NF_FILTER
118	default m if NETFILTER_ADVANCED=n
119	help
120	  The REJECT target allows a filtering rule to specify that an ICMP
121	  error should be issued in response to an incoming packet, rather
122	  than silently being dropped.
123
124	  To compile it as a module, choose M here.  If unsure, say N.
125
126config IP_NF_TARGET_LOG
127	tristate "LOG target support"
128	default m if NETFILTER_ADVANCED=n
129	help
130	  This option adds a `LOG' target, which allows you to create rules in
131	  any iptables table which record the packet header to the syslog.
132
133	  To compile it as a module, choose M here.  If unsure, say N.
134
135config IP_NF_TARGET_ULOG
136	tristate "ULOG target support"
137	default m if NETFILTER_ADVANCED=n
138	---help---
139
140	  This option enables the old IPv4-only "ipt_ULOG" implementation
141	  which has been obsoleted by the new "nfnetlink_log" code (see
142	  CONFIG_NETFILTER_NETLINK_LOG).
143
144	  This option adds a `ULOG' target, which allows you to create rules in
145	  any iptables table. The packet is passed to a userspace logging
146	  daemon using netlink multicast sockets, unlike the LOG target,
147	  whose output can only be viewed through syslog.
148
149	  The appropriate userspace logging daemon (ulogd) may be obtained from
150	  <http://www.gnumonks.org/projects/ulogd/>
151
152	  To compile it as a module, choose M here.  If unsure, say N.
153
154# NAT + specific targets: nf_conntrack
155config NF_NAT
156	tristate "Full NAT"
157	depends on NF_CONNTRACK_IPV4
158	default m if NETFILTER_ADVANCED=n
159	help
160	  The Full NAT option allows masquerading, port forwarding and other
161	  forms of full Network Address Port Translation.  It is controlled by
162	  the `nat' table in iptables: see the man page for iptables(8).
163
164	  To compile it as a module, choose M here.  If unsure, say N.
165
166config NF_NAT_NEEDED
167	bool
168	depends on NF_NAT
169	default y
170
171config IP_NF_TARGET_MASQUERADE
172	tristate "MASQUERADE target support"
173	depends on NF_NAT
174	default m if NETFILTER_ADVANCED=n
175	help
176	  Masquerading is a special case of NAT: all outgoing connections are
177	  changed to seem to come from a particular interface's address, and
178	  if the interface goes down, those connections are lost.  This is
179	  only useful for dialup accounts with a dynamic IP address (i.e. your IP
180	  address will be different on next dialup).
181
182	  To compile it as a module, choose M here.  If unsure, say N.
183
184config IP_NF_TARGET_NETMAP
185	tristate "NETMAP target support"
186	depends on NF_NAT
187	depends on NETFILTER_ADVANCED
188	help
189	  NETMAP is an implementation of static 1:1 NAT mapping of network
190	  addresses. It maps the network address part, while keeping the host
191	  address part intact.
192
193	  To compile it as a module, choose M here.  If unsure, say N.
194
195config IP_NF_TARGET_REDIRECT
196	tristate "REDIRECT target support"
197	depends on NF_NAT
198	depends on NETFILTER_ADVANCED
199	help
200	  REDIRECT is a special case of NAT: all incoming connections are
201	  mapped onto the incoming interface's address, causing the packets to
202	  come to the local machine instead of passing through.  This is
203	  useful for transparent proxies.
204
205	  To compile it as a module, choose M here.  If unsure, say N.
206
207config NF_NAT_SNMP_BASIC
208	tristate "Basic SNMP-ALG support"
209	depends on NF_NAT
210	depends on NETFILTER_ADVANCED
211	---help---
212
213	  This module implements an Application Layer Gateway (ALG) for
214	  SNMP payloads.  In conjunction with NAT, it allows a network
215	  management system to access multiple private networks with
216	  conflicting addresses.  It works by modifying IP addresses
217	  inside SNMP payloads to match IP-layer NAT mapping.
218
219	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.
220
221	  To compile it as a module, choose M here.  If unsure, say N.
222
223# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
224# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
225# From kconfig-language.txt:
226#
227#           <expr> '&&' <expr>                   (6)
228#
229# (6) Returns the result of min(/expr/, /expr/).
230config NF_NAT_PROTO_DCCP
231	tristate
232	depends on NF_NAT && NF_CT_PROTO_DCCP
233	default NF_NAT && NF_CT_PROTO_DCCP
234
235config NF_NAT_PROTO_GRE
236	tristate
237	depends on NF_NAT && NF_CT_PROTO_GRE
238
239config NF_NAT_PROTO_UDPLITE
240	tristate
241	depends on NF_NAT && NF_CT_PROTO_UDPLITE
242	default NF_NAT && NF_CT_PROTO_UDPLITE
243
244config NF_NAT_PROTO_SCTP
245	tristate
246	default NF_NAT && NF_CT_PROTO_SCTP
247	depends on NF_NAT && NF_CT_PROTO_SCTP
248	select LIBCRC32C
249
250config NF_NAT_FTP
251	tristate
252	depends on NF_CONNTRACK && NF_NAT
253	default NF_NAT && NF_CONNTRACK_FTP
254
255config NF_NAT_IRC
256	tristate
257	depends on NF_CONNTRACK && NF_NAT
258	default NF_NAT && NF_CONNTRACK_IRC
259
260config NF_NAT_TFTP
261	tristate
262	depends on NF_CONNTRACK && NF_NAT
263	default NF_NAT && NF_CONNTRACK_TFTP
264
265config NF_NAT_AMANDA
266	tristate
267	depends on NF_CONNTRACK && NF_NAT
268	default NF_NAT && NF_CONNTRACK_AMANDA
269
270config NF_NAT_PPTP
271	tristate
272	depends on NF_CONNTRACK && NF_NAT
273	default NF_NAT && NF_CONNTRACK_PPTP
274	select NF_NAT_PROTO_GRE
275
276config NF_NAT_H323
277	tristate
278	depends on NF_CONNTRACK && NF_NAT
279	default NF_NAT && NF_CONNTRACK_H323
280
281config NF_NAT_SIP
282	tristate
283	depends on NF_CONNTRACK && NF_NAT
284	default NF_NAT && NF_CONNTRACK_SIP
285
286# mangle + specific targets
287config IP_NF_MANGLE
288	tristate "Packet mangling"
289	default m if NETFILTER_ADVANCED=n
290	help
291	  This option adds a `mangle' table to iptables: see the man page for
292	  iptables(8).  This table is used for various packet alterations
293	  which can affect how the packet is routed.
294
295	  To compile it as a module, choose M here.  If unsure, say N.
296
297config IP_NF_TARGET_CLUSTERIP
298	tristate "CLUSTERIP target support (EXPERIMENTAL)"
299	depends on IP_NF_MANGLE && EXPERIMENTAL
300	depends on NF_CONNTRACK_IPV4
301	depends on NETFILTER_ADVANCED
302	select NF_CONNTRACK_MARK
303	help
304	  The CLUSTERIP target allows you to build load-balancing clusters of
305	  network servers without having a dedicated load-balancing
306	  router/server/switch.
307
308	  To compile it as a module, choose M here.  If unsure, say N.
309
310config IP_NF_TARGET_ECN
311	tristate "ECN target support"
312	depends on IP_NF_MANGLE
313	depends on NETFILTER_ADVANCED
314	---help---
315	  This option adds an `ECN' target, which can be used in the iptables mangle
316	  table.
317
318	  You can use this target to remove the ECN bits from the IPv4 header of
319	  an IP packet.  This is particularly useful if you need to work around
320	  existing ECN blackholes on the internet, but don't want to disable
321	  ECN support in general.
322
323	  To compile it as a module, choose M here.  If unsure, say N.
324
325config IP_NF_TARGET_TTL
326	tristate  'TTL target support'
327	depends on IP_NF_MANGLE
328	depends on NETFILTER_ADVANCED
329	help
330	  This option adds a `TTL' target, which enables the user to modify
331	  the TTL value of the IP header.
332
333	  While it is safe to decrement/lower the TTL, this target also enables
334	  functionality to increment and set the TTL value of the IP header to
335	  arbitrary values.  This is EXTREMELY DANGEROUS: the TTL bounds routing
336	  loops, so raising it can easily create immortal packets that loop forever.
337
338	  To compile it as a module, choose M here.  If unsure, say N.
339
340# raw + specific targets
341config IP_NF_RAW
342	tristate  'raw table support (required for NOTRACK/TRACE)'
343	depends on NETFILTER_ADVANCED
344	help
345	  This option adds a `raw' table to iptables. This table is the very
346	  first in the netfilter framework and hooks in at the PREROUTING
347	  and OUTPUT chains.
348
349	  If you want to compile it as a module, say M here and read
350	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
351
352# security table for MAC policy
353config IP_NF_SECURITY
354	tristate "Security table"
355	depends on SECURITY
356	depends on NETFILTER_ADVANCED
357	help
358	  This option adds a `security' table to iptables, for use
359	  with Mandatory Access Control (MAC) policy.
360
361	  If unsure, say N.
362
363endif # IP_NF_IPTABLES
364
365# ARP tables
366config IP_NF_ARPTABLES
367	tristate "ARP tables support"
368	select NETFILTER_XTABLES
369	depends on NETFILTER_ADVANCED
370	help
371	  arptables is a general, extensible packet identification framework.
372	  The ARP packet filtering and mangling (manipulation) subsystems
373	  use this: say Y or M here if you want to use either of those.
374
375	  To compile it as a module, choose M here.  If unsure, say N.
376
377if IP_NF_ARPTABLES
378
379config IP_NF_ARPFILTER
380	tristate "ARP packet filtering"
381	help
382	  ARP packet filtering defines a table `filter', which has a series of
383	  rules for simple ARP packet filtering at local input and
384	  local output.  On a bridge, you can also specify filtering rules
385	  for forwarded ARP packets. See the man page for arptables(8).
386
387	  To compile it as a module, choose M here.  If unsure, say N.
388
389config IP_NF_ARP_MANGLE
390	tristate "ARP payload mangling"
391	help
392	  Allows altering the ARP packet payload: source and destination
393	  hardware and network addresses.
394
395endif # IP_NF_ARPTABLES
396
397endmenu
398
399