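#
# IP netfilter configuration
#
# Conventions used below: every entry states its type first, then its
# dependencies/selects, then `default', then `help'.  The legacy
# `---help---' spelling has been normalised to `help'.  Entries without a
# prompt (bare `tristate') are never offered to the user and are only
# reached via `select' or `default' from another option.
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking.  This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_TABLES_IPV4
	tristate "IPv4 nf_tables support"
	depends on NF_TABLES
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	depends on NF_TABLES_IPV4
	help
	  This option enables the "route" chain for IPv4 in nf_tables.  This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

# No prompt: follows NFT_REJECT and pulls in the IPv4 reject core.
config NFT_REJECT_IPV4
	tristate
	depends on NF_TABLES_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT

config NF_TABLES_ARP
	tristate "ARP nf_tables support"
	depends on NF_TABLES
	help
	  This option enables the ARP support for nf_tables.

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NFT_CHAIN_NAT_IPV4
	tristate "IPv4 nf_tables nat chain support"
	depends on NF_TABLES_IPV4
	help
	  This option enables the "nat" chain for IPv4 in nf_tables.  This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

# NOTE(review): an ALG inspects and rewrites application-layer payloads
# inside the kernel.  It is gated behind NETFILTER_ADVANCED and is only
# needed when NAT sits between the management system and the managed
# networks; leave it off otherwise.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

# The NAT helpers below have no prompt; each follows the selection of
# its matching connection-tracking helper.
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	# The proxy completes the client handshake with syncookies, so the
	# syncookie implementation must be built in.
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server.  This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables.  This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables
	  mangle table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables.  This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XTABLES
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets.  See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu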