#
# IP netfilter configuration
#
# Build-time switches for the IPv4 side of netfilter: connection tracking,
# the iptables tables with their matches and targets, NAT helpers, and
# arptables.  The whole menu is only offered when INET and NETFILTER are set.
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# No prompt, so this cannot be chosen directly in the configurator; it is
# switched on through `select' (NF_CONNTRACK_IPV4 below selects it).
config NF_DEFRAG_IPV4
	tristate
	default n

# IPv4 connection tracking.  Defaults to m when NETFILTER_ADVANCED is off,
# and NF_NAT_IPV4 further down depends on it, so turning this off also
# removes IPv4 NAT and the CLUSTERIP target.
config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

# Legacy /proc and sysctl names for connection tracking; on by default.
# NOTE(review): presumably this publishes conntrack state a second time
# under the old paths -- confirm who can read them if it stays enabled,
# and drop it once no tool depends on the old names.
config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

# Base iptables support; selects NETFILTER_XTABLES.  Every option inside the
# `if IP_NF_IPTABLES' block that follows is unavailable without it.
config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES

# The matches.

# Match on the SPI range carried in the IPsec AH header.  Only offered when
# NETFILTER_ADVANCED is set.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.
# Compatibility alias kept for old .config files: the effect visible here is
# that it selects NETFILTER_XT_MATCH_ECN.
config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_ECN.

# Reverse-path check exposed as an iptables match: a rule can test whether
# the reply to a packet would leave through the interface the packet arrived
# on.  Needs the mangle or the raw table (IP_NF_MANGLE || IP_NF_RAW).
# This option only provides the match; whether packets failing the check are
# dropped (the usual defence against spoofed source addresses) is decided by
# the rule set.
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

# Compatibility alias kept for old .config files: the effect visible here is
# that it selects NETFILTER_XT_MATCH_HL.
config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets

# The `filter' table, hooked at local input, forwarding and local output.
# Building it does not by itself filter anything: the rules are supplied
# from userspace, see iptables(8).
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# REJECT answers a filtered packet with an ICMP error, so the sender learns
# that the packet was refused; a silent drop gives no such feedback.  Which
# of the two a rule uses is a policy decision made in the rule set.
config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.
# Legacy IPv4-only logging target.  The help text itself marks it as
# obsoleted by nfnetlink_log (CONFIG_NETFILTER_NETLINK_LOG), yet the option
# has no NETFILTER_ADVANCED dependency and defaults to m when
# NETFILTER_ADVANCED=n, so it is built in basic configurations too.
# NOTE(review): where no rule set uses the ULOG target, leaving this unset
# avoids carrying obsolete code in the kernel.
config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	default m if NETFILTER_ADVANCED=n
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack

# IPv4 NAT core: requires NF_CONNTRACK_IPV4 and selects NF_NAT.  Configured
# at run time through the `nat' table.
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# The NAT targets in this conditional block are only offered with NF_NAT_IPV4.
if NF_NAT_IPV4

# Rewrites outgoing connections to the address of a particular interface;
# per the help text, tracked connections are lost when that interface goes
# down.
config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.
# Compatibility alias kept for old .config files: the effect visible here is
# that it selects NETFILTER_XT_TARGET_NETMAP.
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_NETMAP.

# Compatibility alias kept for old .config files: the effect visible here is
# that it selects NETFILTER_XT_TARGET_REDIRECT.
config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # NF_NAT_IPV4

# Application Layer Gateway that rewrites IP addresses inside SNMP payloads
# so that they agree with the NAT mapping.  Its default follows
# NF_NAT && NF_CONNTRACK_SNMP, i.e. it comes on by itself once both are set.
# NOTE(review): a payload-rewriting helper has to parse packet contents that
# come off the network; enable it only where SNMP across NAT is actually
# required.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
#
# The same rule governs the `default A && B' lines in this file: the option
# takes the weaker of the two tristate values.
# The three NAT helper options below have no prompt, so they never show up
# as a choice.  NF_NAT_PPTP and NF_NAT_H323 take their value from
# `default NF_NAT_IPV4 && NF_CONNTRACK_<helper>': they are built whenever
# IPv4 NAT and the matching conntrack helper are both enabled.  To keep one
# of them out of the kernel, disable the corresponding NF_CONNTRACK_PPTP or
# NF_CONNTRACK_H323 option.

# GRE protocol support for NAT; selected by NF_NAT_PPTP.
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323

# mangle + specific targets

# The `mangle' table, used for packet alterations; per the help text these
# alterations can change how a packet is routed.
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# Needs the mangle table and IPv4 connection tracking, and selects
# NF_CONNTRACK_MARK.  Only offered with NETFILTER_ADVANCED.
config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# Mangle-table target that clears the ECN bits in the IPv4 header.
config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility alias kept for old .config files: the effect visible here is
# that it selects NETFILTER_XT_TARGET_HL.
config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets

# The `raw' table: per the help text the first table in the framework,
# hooked at PREROUTING and OUTPUT.  The prompt names it as the prerequisite
# for NOTRACK and TRACE.  It has no NETFILTER_ADVANCED dependency.
# NOTE(review): NOTRACK takes matching traffic out of connection tracking,
# so raw-table rules deserve the same review as the filter rules that rely
# on tracked state.
config IP_NF_RAW
	tristate  'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
# Only offered when both SECURITY and NETFILTER_ADVANCED are set.
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
# Base arptables support; selects NETFILTER_XTABLES.  The two options inside
# the `if IP_NF_ARPTABLES' block are unavailable without it.
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

# The ARP `filter' table: local input and local output, plus forwarded ARP
# packets on a bridge.  Rules come from userspace, see arptables(8).
config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# Rewriting of the hardware and network addresses carried in ARP packets.
config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu