```kconfig
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is the IPv4 support for layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config NF_TABLES_IPV4
	depends on NF_TABLES
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	depends on NF_NAT_IPV4 && NFT_NAT
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

```
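The "route" and "nat" chain types described above correspond to the following nf_tables ruleset. This is an added example written for this page; it is not part of the kernel source or the nftables project's own documentation. It assumes a current `nft` binary (the `dnat to` / `snat to` spelling), interfaces named eth0 and eth1, the addresses 203.0.113.1 and 192.0.2.10, and policy-routing table 100, all of which are placeholders. The route chain marks locally generated SMTP traffic and, because the chain type forces re-routing after the mark changes, an `ip rule` keyed on that fwmark actually takes effect for those packets; the nat chains show a DNAT port forward and SNAT on the uplink.

```shell
#!/bin/sh
# Added example: nf_tables ruleset using the "route" and "nat" chain types
# enabled by NFT_CHAIN_ROUTE_IPV4 and NFT_CHAIN_NAT_IPV4. Interface names,
# addresses and the routing table number below are placeholders.

WAN=eth0
WAN_IP=203.0.113.1        # assumed public address on $WAN
WEB_SERVER=192.0.2.10     # assumed internal host reached via DNAT
MAIL_TABLE=100            # assumed policy-routing table for marked traffic

# Print the ruleset in "nft -f" format. Kept in a function so it can be
# inspected (or checked by a test) without loading it into the kernel.
nft_ruleset() {
    cat <<EOF
table ip mangle {
    # "route" chain: once a rule here changes the mark (or TOS/addresses)
    # the packet is routed again, so the fwmark rule installed by
    # apply_ruleset really moves SMTP traffic onto table $MAIL_TABLE.
    chain output {
        type route hook output priority -150;
        tcp dport 25 meta mark set 0x1
    }
}
table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname "$WAN" tcp dport 8080 dnat to $WEB_SERVER:80
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname "$WAN" snat to $WAN_IP
    }
}
EOF
}

# Load the ruleset and the policy-routing rule that consumes the mark.
apply_ruleset() {
    nft_ruleset | nft -f -
    ip rule add fwmark 0x1 table "$MAIL_TABLE"
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *) nft_ruleset ;;
esac
```

Run without arguments to print the ruleset, or with `--apply` (as root) to load it. Without a route-type chain the mark would still be set, but the packet would keep the route chosen before the mark existed; that is the whole reason the separate chain type exists.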
```kconfig
config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4
	default NFT_REJECT
	tristate

config NF_TABLES_ARP
	depends on NF_TABLES
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage during
	  SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

```
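The rpfilter match, the raw table and the SYNPROXY target above are normally used together on an exposed host, and the following iptables-restore ruleset shows how. It is an added example for this page, not kernel code or netfilter project documentation; the interface name eth0 and port 80 are placeholders, and the CT target used to mark incoming SYNs NOTRACK is provided by NETFILTER_XT_TARGET_CT in net/netfilter/Kconfig, outside the file shown here. The essential point is ordering: the reverse-path check and the NOTRACK rule sit in raw PREROUTING, before conntrack sees the packet, so a flood of spoofed SYNs neither passes the anti-spoofing check nor allocates conntrack entries; only the untracked SYNs and the (from conntrack's point of view) invalid ACKs that complete the proxied handshake reach SYNPROXY.

```shell
#!/bin/sh
# Added example: anti-spoofing with the "rpfilter" match in the raw table
# plus SYN-flood protection with the SYNPROXY target, as enabled by
# IP_NF_MATCH_RPFILTER, IP_NF_RAW and IP_NF_TARGET_SYNPROXY. The CT target
# comes from NETFILTER_XT_TARGET_CT (outside this Kconfig). Interface and
# port are placeholders.

WAN=eth0
PORT=80

# iptables-restore text. Order matters:
#  1. raw PREROUTING: drop packets that fail the reverse-path check, then
#     mark SYNs to the proxied port NOTRACK so a flood never allocates
#     conntrack entries.
#  2. filter INPUT: untracked SYNs and the INVALID final ACKs of the proxied
#     handshake go to SYNPROXY; anything else conntrack calls INVALID is dropped.
synproxy_ruleset() {
    cat <<EOF
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A PREROUTING -i $WAN -m rpfilter --invert -j DROP
-A PREROUTING -i $WAN -p tcp --dport $PORT --syn -j CT --notrack
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i $WAN -p tcp --dport $PORT -m conntrack --ctstate INVALID,UNTRACKED -j SYNPROXY --sack-perm --timestamp --wscale 7 --mss 1460
-A INPUT -m conntrack --ctstate INVALID -j DROP
COMMIT
EOF
}

# SYNPROXY needs conntrack to refuse picking up connections mid-stream;
# otherwise the ACK that completes the proxied handshake would be tracked
# as a new connection instead of being handed to the target.
synproxy_sysctls() {
    cat <<EOF
net.netfilter.nf_conntrack_tcp_loose=0
EOF
}

apply_ruleset() {
    synproxy_sysctls | while IFS= read -r kv; do sysctl -w "$kv"; done
    synproxy_ruleset | iptables-restore
}

case "${1:-}" in
    --apply) apply_ruleset ;;
    *) synproxy_ruleset ;;
esac
```

Two caveats a practitioner will hit: `rpfilter --invert` in strict form drops legitimate traffic on asymmetrically routed links, where `--loose` (accept if any interface could route the reply) is the usual compromise; and the `--wscale`/`--mss`/`--sack-perm`/`--timestamp` values must describe what the real server behind the proxy negotiates, since SYNPROXY answers the client on the server's behalf.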
```kconfig
config IP_NF_TARGET_ULOG
	tristate "ULOG target support (obsolete)"
	default m if NETFILTER_ADVANCED=n
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target,
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_NAT_IPV4

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on the next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

```
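The connection-tracking, NAT, MASQUERADE and REJECT options above combine into the classic small-gateway ruleset below. This is an added example written for this page, not kernel code or netfilter project documentation; the interface names eth0/eth1, the internal host 192.168.1.10 and the uplink address 203.0.113.1 are placeholders. It makes the choice the MASQUERADE help text hints at explicit: `dynamic` mode uses MASQUERADE (address taken from the interface, state lost when it goes down), `static` mode uses SNAT with a fixed address and refuses to run without one. It also answers the REJECT-versus-DROP question by interface: hosts on the LAN get an immediate TCP reset or ICMP error, while the untrusted uplink falls through to the chain's DROP policy so scanners learn nothing from the error traffic.

```shell
#!/bin/sh
# Added example: a small IPv4 NAT gateway built from the options in this
# file: conntrack state matching (NF_CONNTRACK_IPV4), the nat table
# (NF_NAT_IPV4), MASQUERADE for a dynamic uplink address or SNAT for a fixed
# one, a DNAT port forward, and REJECT on the trusted side only.
# Interface names and addresses are placeholders.

# Usage: gateway_ruleset LAN_IF WAN_IF dynamic
#        gateway_ruleset LAN_IF WAN_IF static WAN_IP
gateway_ruleset() {
    lan=$1; wan=$2; mode=$3; wan_ip=${4:-}
    case "$mode" in
        dynamic) snat_rule="-A POSTROUTING -o $wan -j MASQUERADE" ;;
        static)
            [ -n "$wan_ip" ] || { echo "static mode needs WAN_IP" >&2; return 1; }
            snat_rule="-A POSTROUTING -o $wan -j SNAT --to-source $wan_ip" ;;
        *) echo "mode must be dynamic or static" >&2; return 1 ;;
    esac
    cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# Port forward: uplink tcp/443 -> internal web server (placeholder address).
-A PREROUTING -i $wan -p tcp --dport 443 -j DNAT --to-destination 192.168.1.10:443
$snat_rule
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Conntrack does the heavy lifting: replies to our own connections and
# RELATED traffic (ICMP errors, helper-opened data channels) are allowed,
# packets conntrack cannot place in any connection are dropped.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $lan -p tcp --dport 22 -j ACCEPT
-A INPUT -i $lan -p icmp -j ACCEPT
# Trusted side gets an explicit error instead of a silent drop.
-A INPUT -i $lan -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -i $lan -j REJECT --reject-with icmp-port-unreachable
# Anything from the uplink that is not a reply falls to the DROP policy.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $lan -o $wan -j ACCEPT
# Only the DNAT'ed connections are allowed in from the uplink.
-A FORWARD -i $wan -o $lan -p tcp -d 192.168.1.10 --dport 443 -m conntrack --ctstate DNAT -j ACCEPT
COMMIT
EOF
}

case "${1:-}" in
    --apply) shift; gateway_ruleset "$@" | iptables-restore ;;
    *) gateway_ruleset eth1 eth0 dynamic ;;
esac
```

Load it with `./gateway.sh --apply eth1 eth0 static 203.0.113.1` (as root, with IP forwarding enabled separately via `net.ipv4.ip_forward`). Note the FORWARD rule for the port forward matches on the post-DNAT destination and the `DNAT` conntrack state, which is what stops an attacker from reaching other internal hosts by spoofing traffic that merely looks like a reply.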
```kconfig
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match the IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables
	  mangle table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

```
```kconfig
# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets.  See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
```
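The most common security use of the ARP filtering described under IP_NF_ARPTABLES and IP_NF_ARPFILTER is pinning a gateway's IP-to-MAC binding so that a host on the same segment cannot poison this machine's ARP cache. The script below is an added example written for this page, not kernel code or arptables project documentation; the gateway address 192.0.2.1 and MAC 00:11:22:33:44:55 are placeholders. It emits arptables rule specifications from a function (so they can be inspected or checked without root) and applies them one by one; both ARP replies (opcode 2) and requests (opcode 1) are covered, because a request whose sender fields claim the gateway address also updates caches.

```shell
#!/bin/sh
# Added example: arptables filter rules (IP_NF_ARPTABLES / IP_NF_ARPFILTER)
# that pin the gateway's IP-to-MAC binding. Any ARP packet whose sender
# fields claim the gateway IP from a different MAC is dropped before it can
# update this host's neighbour cache. Addresses are placeholders.

# Reject obvious typos before they turn into a rule that matches nothing.
valid_mac() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F])
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Usage: arp_pin_rules GATEWAY_IP GATEWAY_MAC
# Prints one arptables rule specification per line (comments start with #).
# arptables has a single "filter" table, so no -t option is needed.
arp_pin_rules() {
    gw_ip=$1; gw_mac=$2
    valid_mac "$gw_mac" || { echo "bad MAC: $gw_mac" >&2; return 1; }
    cat <<EOF
# Reply claiming the gateway IP (-s matches the ARP sender IP) from any
# other MAC is a spoofed reply.
-A INPUT --opcode 2 -s $gw_ip ! --source-mac $gw_mac -j DROP
# Requests carry sender fields too and also refresh caches, so pin them.
-A INPUT --opcode 1 -s $gw_ip ! --source-mac $gw_mac -j DROP
EOF
}

# Flush and load: word splitting of each line into arptables arguments is
# intended here, which is why the variable is deliberately left unquoted.
apply_rules() {
    arptables -F INPUT
    arp_pin_rules "$@" | while IFS= read -r rule; do
        case "$rule" in ''|'#'*) continue ;; esac
        arptables $rule
    done
}

case "${1:-}" in
    --apply) shift; apply_rules "$@" ;;
    *) arp_pin_rules 192.0.2.1 00:11:22:33:44:55 ;;
esac
```

This only protects the host the rules run on, and only against packets that reach it; it is a per-host complement to switch-side dynamic ARP inspection, not a replacement. The IP_NF_ARP_MANGLE target (`-j mangle` in arptables) is the other half of the subsystem and rewrites sender/target fields rather than filtering them, which is useful on bridges but not needed for pinning.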