ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
2 | # |
3 | # IP netfilter configuration | |
4 | # | |
5 | ||
6 | menu "IP: Netfilter Configuration" | |
7 | depends on INET && NETFILTER | |
8 | ||
9 | config NF_DEFRAG_IPV4 |
10 | tristate | |
11 | default n | |
12 | ||
13 | config NF_SOCKET_IPV4 |
14 | tristate "IPv4 socket lookup support" | |
15 | help | |
16 | This option enables the IPv4 socket lookup infrastructure. This is | |
17 | required by the {ip,nf}tables socket match. |
18 | ||
19 | config NF_TPROXY_IPV4 | |
20 | tristate "IPv4 tproxy support" | |
8db4c5be | 21 | |
f04e599e | 22 | if NF_TABLES |
c1878869 | 23 | |
96518518 | 24 | config NF_TABLES_IPV4 |
02c7b25e | 25 | bool "IPv4 nf_tables support" |
26 | help |
27 | This option enables the IPv4 support for nf_tables. | |
96518518 | 28 | |
29 | if NF_TABLES_IPV4 |
30 | ||
cc4723ca | 31 | config NFT_REJECT_IPV4 |
c8d7b98b | 32 | select NF_REJECT_IPV4 |
33 | default NFT_REJECT |
34 | tristate | |
35 | ||
36 | config NFT_DUP_IPV4 |
37 | tristate "IPv4 nf_tables packet duplication support" | |
d3340b79 | 38 | depends on !NF_CONNTRACK || NF_CONNTRACK |
39 | select NF_DUP_IPV4 |
40 | help | |
41 | This module enables IPv4 packet duplication support for nf_tables. | |
42 | ||
43 | config NFT_FIB_IPV4 |
44 | select NFT_FIB | |
45 | tristate "nf_tables fib / ip route lookup support" | |
46 | help | |
47 | This module enables IPv4 FIB lookups, e.g. for reverse path (source address spoofing) filtering. | |
48 | It also allows query of the FIB for the route type, e.g. local, unicast, | |
49 | multicast or blackhole. | |
50 | ||
51 | endif # NF_TABLES_IPV4 |
52 | ||
ed683f13 | 53 | config NF_TABLES_ARP |
02c7b25e | 54 | bool "ARP nf_tables support" |
2a95183a | 55 | select NETFILTER_FAMILY_ARP |
56 | help |
57 | This option enables the ARP support for nf_tables. | |
ed683f13 | 58 | |
59 | endif # NF_TABLES |
60 | ||
97add9f0 | 61 | config NF_FLOW_TABLE_IPV4 |
97add9f0 | 62 | tristate "Netfilter flow table IPv4 module" |
6be3bcd7 | 63 | depends on NF_FLOW_TABLE |
64 | help |
65 | This option adds IPv4 support for the netfilter flow table. | |
66 | ||
67 | To compile it as a module, choose M here. | |
68 | ||
69 | config NF_DUP_IPV4 |
70 | tristate "Netfilter IPv4 packet duplication to alternate destination" | |
6ece90f9 | 71 | depends on !NF_CONNTRACK || NF_CONNTRACK |
72 | help |
73 | This option enables the nf_dup_ipv4 core, which clones an IPv4 | |
74 | packet and routes the copy to another destination. | |
75 | ||
76 | config NF_LOG_ARP |
77 | tristate "ARP packet logging" | |
78 | default m if NETFILTER_ADVANCED=n | |
79 | select NF_LOG_COMMON | |
80 | ||
81 | config NF_LOG_IPV4 | |
82 | tristate "IPv4 packet logging" | |
83 | default m if NETFILTER_ADVANCED=n | |
84 | select NF_LOG_COMMON | |
85 | ||
86 | config NF_REJECT_IPV4 | |
87 | tristate "IPv4 packet rejection" | |
88 | default m if NETFILTER_ADVANCED=n | |
89 | ||
3bf195ae | 90 | if NF_NAT |
91 | config NF_NAT_SNMP_BASIC |
92 | tristate "Basic SNMP-ALG support" | |
93 | depends on NF_CONNTRACK_SNMP | |
94 | depends on NETFILTER_ADVANCED | |
95 | default NF_NAT && NF_CONNTRACK_SNMP | |
cc2d5863 | 96 | select ASN1 |
97 | ---help--- |
98 | ||
99 | This module implements an Application Layer Gateway (ALG) for | |
100 | SNMP payloads. In conjunction with NAT, it allows a network | |
101 | management system to access multiple private networks with | |
102 | conflicting addresses. It works by modifying IP addresses | |
103 | inside SNMP payloads to match IP-layer NAT mapping. | |
104 | ||
105 | This is the "basic" form of SNMP-ALG, as described in RFC 2962. Note that the ALG parses ASN.1-encoded SNMP payloads in kernel space on the NAT gateway, which adds attack surface reachable from any host whose SNMP traffic is NATed; enable it only where SNMP must cross NAT between overlapping address spaces. | |
106 | ||
107 | To compile it as a module, choose M here. If unsure, say N. | |
108 | ||
109 | config NF_NAT_PPTP |
110 | tristate | |
111 | depends on NF_CONNTRACK | |
112 | default NF_CONNTRACK_PPTP | |
113 | |
114 | config NF_NAT_H323 | |
115 | tristate | |
116 | depends on NF_CONNTRACK | |
117 | default NF_CONNTRACK_H323 | |
118 | ||
3bf195ae | 119 | endif # NF_NAT |
8993cf8e | 120 | |
121 | config IP_NF_IPTABLES |
122 | tristate "IP tables support (required for filtering/masq/NAT)" | |
33b8e776 | 123 | default m if NETFILTER_ADVANCED=n |
a3c941b0 | 124 | select NETFILTER_XTABLES |
125 | help |
126 | iptables is a general, extensible packet identification framework. | |
127 | The packet filtering and full NAT (masquerading, port forwarding, | |
128 | etc) subsystems now use this: say `Y' or `M' here if you want to use | |
129 | either of those. | |
130 | ||
131 | To compile it as a module, choose M here. If unsure, say N. | |
132 | ||
133 | if IP_NF_IPTABLES |
134 | ||
1da177e4 | 135 | # The matches. |
dc5ab2fa | 136 | config IP_NF_MATCH_AH |
4c37799c | 137 | tristate '"ah" match support' |
33b8e776 | 138 | depends on NETFILTER_ADVANCED |
1da177e4 | 139 | help |
140 | This match extension allows you to match a range of SPIs |
141 | inside the AH header of IPsec packets. | |
142 | |
143 | To compile it as a module, choose M here. If unsure, say N. | |
144 | ||
145 | config IP_NF_MATCH_ECN |
146 | tristate '"ecn" match support' | |
33b8e776 | 147 | depends on NETFILTER_ADVANCED |
148 | select NETFILTER_XT_MATCH_ECN |
149 | ---help--- | |
150 | This is a backwards-compat option for the user's convenience | |
151 | (e.g. when running oldconfig). It selects | |
152 | CONFIG_NETFILTER_XT_MATCH_ECN. | |
1da177e4 | 153 | |
154 | config IP_NF_MATCH_RPFILTER |
155 | tristate '"rpfilter" reverse path filter match support' | |
156 | depends on NETFILTER_ADVANCED |
157 | depends on IP_NF_MANGLE || IP_NF_RAW | |
158 | ---help--- |
159 | This option allows you to match packets whose replies would go out via | |
160 | the interface the packet came in, i.e. a reverse path check. A packet that fails the check carries a source address that is not routable via its ingress interface, the usual sign of address spoofing, so the rule can drop it. | |
161 | ||
162 | To compile it as a module, choose M here. If unsure, say N. | |
163 | The module will be called ipt_rpfilter. | |
164 | ||
165 | config IP_NF_MATCH_TTL |
166 | tristate '"ttl" match support' | |
167 | depends on NETFILTER_ADVANCED | |
168 | select NETFILTER_XT_MATCH_HL | |
169 | ---help--- | |
170 | This is a backwards-compat option for the user's convenience | |
171 | (e.g. when running oldconfig). It selects | |
67c0d579 | 172 | CONFIG_NETFILTER_XT_MATCH_HL. |
4323362e | 173 | |
174 | # `filter', generic and specific targets |
175 | config IP_NF_FILTER | |
176 | tristate "Packet filtering" | |
33b8e776 | 177 | default m if NETFILTER_ADVANCED=n |
178 | help |
179 | Packet filtering defines a table `filter', which has a series of | |
180 | rules for simple packet filtering at local input, forwarding and | |
181 | local output. See the man page for iptables(8). | |
182 | ||
183 | To compile it as a module, choose M here. If unsure, say N. | |
184 | ||
185 | config IP_NF_TARGET_REJECT | |
186 | tristate "REJECT target support" | |
187 | depends on IP_NF_FILTER | |
c8d7b98b | 188 | select NF_REJECT_IPV4 |
33b8e776 | 189 | default m if NETFILTER_ADVANCED=n |
190 | help |
191 | The REJECT target allows a filtering rule to specify that an ICMP | |
192 | error should be issued in response to an incoming packet, rather | |
193 | than silently being dropped. Because a reply is generated, a rejecting rule tells the sender that a filter is in place and spends CPU and bandwidth on error packets; on interfaces exposed to untrusted networks, silently dropping is often preferable. | |
194 | ||
195 | To compile it as a module, choose M here. If unsure, say N. | |
196 | ||
197 | config IP_NF_TARGET_SYNPROXY |
198 | tristate "SYNPROXY target support" | |
199 | depends on NF_CONNTRACK && NETFILTER_ADVANCED | |
200 | select NETFILTER_SYNPROXY | |
201 | select SYN_COOKIES | |
202 | help | |
203 | The SYNPROXY target allows you to intercept TCP connections and | |
204 | establish them using syncookies before they are passed on to the | |
205 | server. This avoids conntrack and server resource usage during | |
206 | SYN-flood attacks, because no connection state is created until the client completes the handshake. | |
207 | ||
208 | To compile it as a module, choose M here. If unsure, say N. | |
209 | ||
5b1158e9 | 210 | # NAT + specific targets: nf_conntrack |
211 | config IP_NF_NAT |
212 | tristate "iptables NAT support" | |
a0ae2562 | 213 | depends on NF_CONNTRACK |
33b8e776 | 214 | default m if NETFILTER_ADVANCED=n |
c7232c99 | 215 | select NF_NAT |
8993cf8e | 216 | select NETFILTER_XT_NAT |
5b1158e9 | 217 | help |
218 | This enables the `nat' table in iptables. This allows masquerading, |
219 | port forwarding and other forms of full Network Address Port | |
220 | Translation. | |
221 | |
222 | To compile it as a module, choose M here. If unsure, say N. | |
223 | ||
8993cf8e | 224 | if IP_NF_NAT |
225 | |
226 | config IP_NF_TARGET_MASQUERADE | |
227 | tristate "MASQUERADE target support" | |
adf82acc | 228 | select NETFILTER_XT_TARGET_MASQUERADE |
1da177e4 | 229 | help |
230 | This is a backwards-compat option for the user's convenience |
231 | (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE. | |
1da177e4 | 232 | |
233 | config IP_NF_TARGET_NETMAP |
234 | tristate "NETMAP target support" | |
33b8e776 | 235 | depends on NETFILTER_ADVANCED |
236 | select NETFILTER_XT_TARGET_NETMAP |
237 | ---help--- | |
238 | This is a backwards-compat option for the user's convenience | |
239 | (e.g. when running oldconfig). It selects | |
240 | CONFIG_NETFILTER_XT_TARGET_NETMAP. | |
1da177e4 | 241 | |
242 | config IP_NF_TARGET_REDIRECT |
243 | tristate "REDIRECT target support" | |
33b8e776 | 244 | depends on NETFILTER_ADVANCED |
245 | select NETFILTER_XT_TARGET_REDIRECT |
246 | ---help--- | |
247 | This is a backwards-compat option for the user's convenience | |
248 | (e.g. when running oldconfig). It selects | |
249 | CONFIG_NETFILTER_XT_TARGET_REDIRECT. | |
1da177e4 | 250 | |
8993cf8e | 251 | endif # IP_NF_NAT |
f587de0e | 252 | |
253 | # mangle + specific targets |
254 | config IP_NF_MANGLE | |
255 | tristate "Packet mangling" | |
33b8e776 | 256 | default m if NETFILTER_ADVANCED=n |
257 | help |
258 | This option adds a `mangle' table to iptables: see the man page for | |
259 | iptables(8). This table is used for various packet alterations | |
260 | which can affect how the packet is routed. | |
261 | ||
262 | To compile it as a module, choose M here. If unsure, say N. | |
263 | ||
aba0d348 | 264 | config IP_NF_TARGET_CLUSTERIP |
265 | tristate "CLUSTERIP target support" |
266 | depends on IP_NF_MANGLE | |
a0ae2562 | 267 | depends on NF_CONNTRACK |
268 | depends on NETFILTER_ADVANCED |
269 | select NF_CONNTRACK_MARK | |
5ed001ba | 270 | select NETFILTER_FAMILY_ARP |
271 | help |
272 | The CLUSTERIP target allows you to build load-balancing clusters of | |
273 | network servers without having a dedicated load-balancing | |
274 | router/server/switch. | |
275 | ||
276 | To compile it as a module, choose M here. If unsure, say N. | |
277 | ||
278 | config IP_NF_TARGET_ECN |
279 | tristate "ECN target support" | |
280 | depends on IP_NF_MANGLE | |
33b8e776 | 281 | depends on NETFILTER_ADVANCED |
282 | ---help--- |
283 | This option adds an `ECN' target, which can be used in the iptables mangle | |
284 | table. | |
285 | ||
286 | You can use this target to remove the ECN bits from the IPv4 header of | |
287 | an IP packet. This is particularly useful if you need to work around | |
288 | existing ECN blackholes on the internet, but don't want to disable | |
289 | ECN support in general. | |
290 | ||
291 | To compile it as a module, choose M here. If unsure, say N. | |
292 | ||
293 | config IP_NF_TARGET_TTL |
294 | tristate '"TTL" target support' | |
76b6717b | 295 | depends on NETFILTER_ADVANCED && IP_NF_MANGLE |
296 | select NETFILTER_XT_TARGET_HL |
297 | ---help--- | |
76b6717b | 298 | This is a backwards-compatible option for the user's convenience |
4323362e | 299 | (e.g. when running oldconfig). It selects |
67c0d579 | 300 | CONFIG_NETFILTER_XT_TARGET_HL. |
4323362e | 301 | |
302 | # raw + specific targets |
303 | config IP_NF_RAW | |
304 | tristate 'raw table support (required for NOTRACK/TRACE)' | |
305 | help |
306 | This option adds a `raw' table to iptables. This table is the very | |
307 | first in the netfilter framework and hooks in at the PREROUTING | |
308 | and OUTPUT chains. Because it is traversed before connection tracking, it is the place for NOTRACK (and TRACE) rules. | |
309 | ||
310 | If you want to compile it as a module, say M here and read | |
e403149c | 311 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
312 | |
313 | # security table for MAC policy | |
314 | config IP_NF_SECURITY | |
315 | tristate "Security table" | |
560ee653 | 316 | depends on SECURITY |
70eed75d | 317 | depends on NETFILTER_ADVANCED |
318 | help |
319 | This option adds a `security' table to iptables, for use | |
320 | with Mandatory Access Control (MAC) policy. | |
321 | ||
322 | If unsure, say N. | |
1da177e4 | 323 | |
324 | endif # IP_NF_IPTABLES |
325 | ||
326 | # ARP tables |
327 | config IP_NF_ARPTABLES | |
328 | tristate "ARP tables support" | |
a3c941b0 | 329 | select NETFILTER_XTABLES |
2a95183a | 330 | select NETFILTER_FAMILY_ARP |
33b8e776 | 331 | depends on NETFILTER_ADVANCED |
332 | help |
333 | arptables is a general, extensible packet identification framework. | |
334 | The ARP packet filtering and mangling (manipulation) subsystems | |
335 | use this: say Y or M here if you want to use either of those. | |
336 | ||
337 | To compile it as a module, choose M here. If unsure, say N. | |
338 | ||
339 | if IP_NF_ARPTABLES |
340 | ||
341 | config IP_NF_ARPFILTER |
342 | tristate "ARP packet filtering" | |
343 | help |
344 | ARP packet filtering defines a table `filter', which has a series of | |
345 | rules for simple ARP packet filtering at local input and | |
346 | local output. On a bridge, you can also specify filtering rules | |
347 | for forwarded ARP packets. See the man page for arptables(8). | |
348 | ||
349 | To compile it as a module, choose M here. If unsure, say N. | |
350 | ||
351 | config IP_NF_ARP_MANGLE | |
352 | tristate "ARP payload mangling" | |
353 | help |
354 | Allows altering the ARP packet payload: source and destination | |
355 | hardware and network addresses. | |
356 | ||
357 | endif # IP_NF_ARPTABLES |
358 | ||
359 | endmenu |
360 |