projects / deliverable / linux.git / blame
| Commit | Line | Data |
|---|---|---|
| 1da177e4 LT |
1 | # |
| 2 | # IP netfilter configuration | |
| 3 | # | |
| 4 | ||
| 5 | menu "IP: Netfilter Configuration" | |
| 6 | depends on INET && NETFILTER | |
| 7 | ||
| 9fb9cbb1 | 8 | config NF_CONNTRACK_IPV4 |
| c9386cfd PM |
9 | tristate "IPv4 connection tracking support (required for NAT)" |
| 10 | depends on NF_CONNTRACK | |
| 33b8e776 | 11 | default m if NETFILTER_ADVANCED=n |
| 9fb9cbb1 YK |
12 | ---help--- |
| 13 | Connection tracking keeps a record of what packets have passed | |
| 14 | through your machine, in order to figure out how they are related | |
| 15 | into connections. | |
| 16 | ||
| 17 | This is IPv4 support on Layer 3 independent connection tracking. | |
| 18 | Layer 3 independent connection tracking is experimental scheme | |
| 19 | which generalize ip_conntrack to support other layer 3 protocols. | |
| 20 | ||
| 21 | To compile it as a module, choose M here. If unsure, say N. | |
| 22 | ||
| a999e683 PM |
23 | config NF_CONNTRACK_PROC_COMPAT |
| 24 | bool "proc/sysctl compatibility with old connection tracking" | |
| 0c4ca1bd | 25 | depends on NF_CONNTRACK_IPV4 |
| a999e683 PM |
26 | default y |
| 27 | help | |
| 28 | This option enables /proc and sysctl compatibility with the old | |
| 29 | layer 3 dependant connection tracking. This is needed to keep | |
| 30 | old programs that have not been adapted to the new names working. | |
| 31 | ||
| 32 | If unsure, say Y. | |
| 33 | ||
| 1da177e4 | 34 | config IP_NF_QUEUE |
| 7af4cc3f | 35 | tristate "IP Userspace queueing via NETLINK (OBSOLETE)" |
| 33b8e776 | 36 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
37 | help |
| 38 | Netfilter has the ability to queue packets to user space: the | |
| 39 | netlink device can be used to access them using this driver. | |
| 40 | ||
| 7af4cc3f HW |
41 | This option enables the old IPv4-only "ip_queue" implementation |
| 42 | which has been obsoleted by the new "nfnetlink_queue" code (see | |
| 43 | CONFIG_NETFILTER_NETLINK_QUEUE). | |
| 44 | ||
| 1da177e4 LT |
45 | To compile it as a module, choose M here. If unsure, say N. |
| 46 | ||
| 47 | config IP_NF_IPTABLES | |
| 48 | tristate "IP tables support (required for filtering/masq/NAT)" | |
| 33b8e776 | 49 | default m if NETFILTER_ADVANCED=n |
| a3c941b0 | 50 | select NETFILTER_XTABLES |
| 1da177e4 LT |
51 | help |
| 52 | iptables is a general, extensible packet identification framework. | |
| 53 | The packet filtering and full NAT (masquerading, port forwarding, | |
| 54 | etc) subsystems now use this: say `Y' or `M' here if you want to use | |
| 55 | either of those. | |
| 56 | ||
| 57 | To compile it as a module, choose M here. If unsure, say N. | |
| 58 | ||
| 59 | # The matches. | |
| 1da177e4 | 60 | config IP_NF_MATCH_RECENT |
| 4c37799c | 61 | tristate '"recent" match support' |
| 1da177e4 | 62 | depends on IP_NF_IPTABLES |
| 33b8e776 | 63 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
64 | help |
| 65 | This match is used for creating one or many lists of recently | |
| 66 | used addresses and then matching against that/those list(s). | |
| 67 | ||
| 68 | Short options are available by using 'iptables -m recent -h' | |
| 69 | Official Website: <http://snowman.net/projects/ipt_recent/> | |
| 70 | ||
| 71 | To compile it as a module, choose M here. If unsure, say N. | |
| 72 | ||
| 73 | config IP_NF_MATCH_ECN | |
| 4c37799c | 74 | tristate '"ecn" match support' |
| 1da177e4 | 75 | depends on IP_NF_IPTABLES |
| 33b8e776 | 76 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
77 | help |
| 78 | This option adds a `ECN' match, which allows you to match against | |
| 79 | the IPv4 and TCP header ECN fields. | |
| 80 | ||
| 81 | To compile it as a module, choose M here. If unsure, say N. | |
| 82 | ||
| dc5ab2fa | 83 | config IP_NF_MATCH_AH |
| 4c37799c | 84 | tristate '"ah" match support' |
| 1da177e4 | 85 | depends on IP_NF_IPTABLES |
| 33b8e776 | 86 | depends on NETFILTER_ADVANCED |
| 1da177e4 | 87 | help |
| dc5ab2fa YK |
88 | This match extension allows you to match a range of SPIs |
| 89 | inside AH header of IPSec packets. | |
| 1da177e4 LT |
90 | |
| 91 | To compile it as a module, choose M here. If unsure, say N. | |
| 92 | ||
| 1da177e4 | 93 | config IP_NF_MATCH_TTL |
| 4c37799c | 94 | tristate '"ttl" match support' |
| 1da177e4 | 95 | depends on IP_NF_IPTABLES |
| 33b8e776 | 96 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
97 | help |
| 98 | This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user | |
| 99 | to match packets by their TTL value. | |
| 100 | ||
| 101 | To compile it as a module, choose M here. If unsure, say N. | |
| 102 | ||
| 1da177e4 | 103 | config IP_NF_MATCH_ADDRTYPE |
| 4c37799c | 104 | tristate '"addrtype" address type match support' |
| 1da177e4 | 105 | depends on IP_NF_IPTABLES |
| 33b8e776 | 106 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
107 | help |
| 108 | This option allows you to match what routing thinks of an address, | |
| 109 | eg. UNICAST, LOCAL, BROADCAST, ... | |
| 33b8e776 | 110 | |
| 1da177e4 | 111 | If you want to compile it as a module, say M here and read |
| e403149c | 112 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
| 1da177e4 | 113 | |
| 1da177e4 LT |
114 | # `filter', generic and specific targets |
| 115 | config IP_NF_FILTER | |
| 116 | tristate "Packet filtering" | |
| 117 | depends on IP_NF_IPTABLES | |
| 33b8e776 | 118 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT |
119 | help |
| 120 | Packet filtering defines a table `filter', which has a series of | |
| 121 | rules for simple packet filtering at local input, forwarding and | |
| 122 | local output. See the man page for iptables(8). | |
| 123 | ||
| 124 | To compile it as a module, choose M here. If unsure, say N. | |
| 125 | ||
| 126 | config IP_NF_TARGET_REJECT | |
| 127 | tristate "REJECT target support" | |
| 128 | depends on IP_NF_FILTER | |
| 33b8e776 | 129 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT |
130 | help |
| 131 | The REJECT target allows a filtering rule to specify that an ICMP | |
| 132 | error should be issued in response to an incoming packet, rather | |
| 133 | than silently being dropped. | |
| 134 | ||
| 135 | To compile it as a module, choose M here. If unsure, say N. | |
| 136 | ||
| 137 | config IP_NF_TARGET_LOG | |
| 138 | tristate "LOG target support" | |
| 139 | depends on IP_NF_IPTABLES | |
| 33b8e776 | 140 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT |
141 | help |
| 142 | This option adds a `LOG' target, which allows you to create rules in | |
| 143 | any iptables table which records the packet header to the syslog. | |
| 144 | ||
| 145 | To compile it as a module, choose M here. If unsure, say N. | |
| 146 | ||
| 147 | config IP_NF_TARGET_ULOG | |
| 44adf28f | 148 | tristate "ULOG target support" |
| 1da177e4 | 149 | depends on IP_NF_IPTABLES |
| 33b8e776 | 150 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 | 151 | ---help--- |
| f40863ce HW |
152 | |
| 153 | This option enables the old IPv4-only "ipt_ULOG" implementation | |
| 154 | which has been obsoleted by the new "nfnetlink_log" code (see | |
| 155 | CONFIG_NETFILTER_NETLINK_LOG). | |
| 156 | ||
| 1da177e4 LT |
157 | This option adds a `ULOG' target, which allows you to create rules in |
| 158 | any iptables table. The packet is passed to a userspace logging | |
| 159 | daemon using netlink multicast sockets; unlike the LOG target | |
| 160 | which can only be viewed through syslog. | |
| 161 | ||
| 44c09201 | 162 | The appropriate userspace logging daemon (ulogd) may be obtained from |
| 1da177e4 LT |
163 | <http://www.gnumonks.org/projects/ulogd/> |
| 164 | ||
| 165 | To compile it as a module, choose M here. If unsure, say N. | |
| 166 | ||
| 5b1158e9 JK |
167 | # NAT + specific targets: nf_conntrack |
| 168 | config NF_NAT | |
| 169 | tristate "Full NAT" | |
| 083e69e9 | 170 | depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4 |
| 33b8e776 | 171 | default m if NETFILTER_ADVANCED=n |
| 5b1158e9 JK |
172 | help |
| 173 | The Full NAT option allows masquerading, port forwarding and other | |
| 174 | forms of full Network Address Port Translation. It is controlled by | |
| 175 | the `nat' table in iptables: see the man page for iptables(8). | |
| 176 | ||
| 177 | To compile it as a module, choose M here. If unsure, say N. | |
| 178 | ||
| 5b1158e9 JK |
179 | config NF_NAT_NEEDED |
| 180 | bool | |
| 181 | depends on NF_NAT | |
| 1da177e4 LT |
182 | default y |
| 183 | ||
| 184 | config IP_NF_TARGET_MASQUERADE | |
| 185 | tristate "MASQUERADE target support" | |
| 587aa641 | 186 | depends on NF_NAT |
| 33b8e776 | 187 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT |
188 | help |
| 189 | Masquerading is a special case of NAT: all outgoing connections are | |
| 190 | changed to seem to come from a particular interface's address, and | |
| 191 | if the interface goes down, those connections are lost. This is | |
| 192 | only useful for dialup accounts with dynamic IP address (ie. your IP | |
| 193 | address will be different on next dialup). | |
| 194 | ||
| 195 | To compile it as a module, choose M here. If unsure, say N. | |
| 196 | ||
| 197 | config IP_NF_TARGET_REDIRECT | |
| 198 | tristate "REDIRECT target support" | |
| 587aa641 | 199 | depends on NF_NAT |
| 33b8e776 | 200 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
201 | help |
| 202 | REDIRECT is a special case of NAT: all incoming connections are | |
| 203 | mapped onto the incoming interface's address, causing the packets to | |
| 204 | come to the local machine instead of passing through. This is | |
| 205 | useful for transparent proxies. | |
| 206 | ||
| 207 | To compile it as a module, choose M here. If unsure, say N. | |
| 208 | ||
| 209 | config IP_NF_TARGET_NETMAP | |
| 210 | tristate "NETMAP target support" | |
| 587aa641 | 211 | depends on NF_NAT |
| 33b8e776 | 212 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
213 | help |
| 214 | NETMAP is an implementation of static 1:1 NAT mapping of network | |
| 215 | addresses. It maps the network address part, while keeping the host | |
| 216 | address part intact. It is similar to Fast NAT, except that | |
| 217 | Netfilter's connection tracking doesn't work well with Fast NAT. | |
| 218 | ||
| 219 | To compile it as a module, choose M here. If unsure, say N. | |
| 220 | ||
| 807467c2 | 221 | config NF_NAT_SNMP_BASIC |
| 8ce22fca PM |
222 | tristate "Basic SNMP-ALG support" |
| 223 | depends on NF_NAT | |
| 33b8e776 | 224 | depends on NETFILTER_ADVANCED |
| 807467c2 PM |
225 | ---help--- |
| 226 | ||
| 227 | This module implements an Application Layer Gateway (ALG) for | |
| 228 | SNMP payloads. In conjunction with NAT, it allows a network | |
| 1da177e4 LT |
229 | management system to access multiple private networks with |
| 230 | conflicting addresses. It works by modifying IP addresses | |
| 231 | inside SNMP payloads to match IP-layer NAT mapping. | |
| 232 | ||
| 233 | This is the "basic" form of SNMP-ALG, as described in RFC 2962 | |
| 234 | ||
| 235 | To compile it as a module, choose M here. If unsure, say N. | |
| 236 | ||
| 55a73324 JK |
237 | # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), |
| 238 | # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. | |
| 239 | # From kconfig-language.txt: | |
| 240 | # | |
| 241 | # <expr> '&&' <expr> (6) | |
| 242 | # | |
| 243 | # (6) Returns the result of min(/expr/, /expr/). | |
| 4910a087 PM |
244 | config NF_NAT_PROTO_DCCP |
| 245 | tristate | |
| 246 | depends on NF_NAT && NF_CT_PROTO_DCCP | |
| 247 | default NF_NAT && NF_CT_PROTO_DCCP | |
| 248 | ||
| f09943fe PM |
249 | config NF_NAT_PROTO_GRE |
| 250 | tristate | |
| 251 | depends on NF_NAT && NF_CT_PROTO_GRE | |
| 252 | ||
| 6185f870 PM |
253 | config NF_NAT_PROTO_UDPLITE |
| 254 | tristate | |
| 255 | depends on NF_NAT && NF_CT_PROTO_UDPLITE | |
| 256 | default NF_NAT && NF_CT_PROTO_UDPLITE | |
| 257 | ||
| 9d908a69 PM |
258 | config NF_NAT_PROTO_SCTP |
| 259 | tristate | |
| 260 | default NF_NAT && NF_CT_PROTO_SCTP | |
| 261 | depends on NF_NAT && NF_CT_PROTO_SCTP | |
| 4e9d8a70 | 262 | select LIBCRC32C |
| 9d908a69 | 263 | |
| 55a73324 JK |
264 | config NF_NAT_FTP |
| 265 | tristate | |
| 266 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
| 267 | default NF_NAT && NF_CONNTRACK_FTP | |
| 268 | ||
| 869f37d8 PM |
269 | config NF_NAT_IRC |
| 270 | tristate | |
| 271 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
| 272 | default NF_NAT && NF_CONNTRACK_IRC | |
| 273 | ||
| a536df35 PM |
274 | config NF_NAT_TFTP |
| 275 | tristate | |
| 276 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
| 277 | default NF_NAT && NF_CONNTRACK_TFTP | |
| 278 | ||
| 16958900 PM |
279 | config NF_NAT_AMANDA |
| 280 | tristate | |
| 281 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
| 282 | default NF_NAT && NF_CONNTRACK_AMANDA | |
| 283 | ||
| f09943fe PM |
284 | config NF_NAT_PPTP |
| 285 | tristate | |
| 286 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
| 287 | default NF_NAT && NF_CONNTRACK_PPTP | |
| 288 | select NF_NAT_PROTO_GRE | |
| 289 | ||
| f587de0e PM |
290 | config NF_NAT_H323 |
| 291 | tristate | |
| 292 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
| 293 | default NF_NAT && NF_CONNTRACK_H323 | |
| 294 | ||
| 9fafcd7b PM |
295 | config NF_NAT_SIP |
| 296 | tristate | |
| 297 | depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT | |
| 298 | default NF_NAT && NF_CONNTRACK_SIP | |
| 299 | ||
| 1da177e4 LT |
300 | # mangle + specific targets |
| 301 | config IP_NF_MANGLE | |
| 302 | tristate "Packet mangling" | |
| 303 | depends on IP_NF_IPTABLES | |
| 33b8e776 | 304 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT |
305 | help |
| 306 | This option adds a `mangle' table to iptables: see the man page for | |
| 307 | iptables(8). This table is used for various packet alterations | |
| 308 | which can effect how the packet is routed. | |
| 309 | ||
| 310 | To compile it as a module, choose M here. If unsure, say N. | |
| 311 | ||
| 1da177e4 LT |
312 | config IP_NF_TARGET_ECN |
| 313 | tristate "ECN target support" | |
| 314 | depends on IP_NF_MANGLE | |
| 33b8e776 | 315 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
316 | ---help--- |
| 317 | This option adds a `ECN' target, which can be used in the iptables mangle | |
| 318 | table. | |
| 319 | ||
| 320 | You can use this target to remove the ECN bits from the IPv4 header of | |
| 321 | an IP packet. This is particularly useful, if you need to work around | |
| 322 | existing ECN blackholes on the internet, but don't want to disable | |
| 323 | ECN support in general. | |
| 324 | ||
| 325 | To compile it as a module, choose M here. If unsure, say N. | |
| 326 | ||
| 5f2c3b91 HW |
327 | config IP_NF_TARGET_TTL |
| 328 | tristate 'TTL target support' | |
| 329 | depends on IP_NF_MANGLE | |
| 33b8e776 | 330 | depends on NETFILTER_ADVANCED |
| 5f2c3b91 HW |
331 | help |
| 332 | This option adds a `TTL' target, which enables the user to modify | |
| 333 | the TTL value of the IP header. | |
| 334 | ||
| 335 | While it is safe to decrement/lower the TTL, this target also enables | |
| 336 | functionality to increment and set the TTL value of the IP header to | |
| 337 | arbitrary values. This is EXTREMELY DANGEROUS since you can easily | |
| 338 | create immortal packets that loop forever on the network. | |
| 339 | ||
| 340 | To compile it as a module, choose M here. If unsure, say N. | |
| 341 | ||
| 1da177e4 LT |
342 | config IP_NF_TARGET_CLUSTERIP |
| 343 | tristate "CLUSTERIP target support (EXPERIMENTAL)" | |
| 2b8f2ff6 | 344 | depends on IP_NF_MANGLE && EXPERIMENTAL |
| 587aa641 | 345 | depends on NF_CONNTRACK_IPV4 |
| 33b8e776 | 346 | depends on NETFILTER_ADVANCED |
| 587aa641 | 347 | select NF_CONNTRACK_MARK |
| 1da177e4 LT |
348 | help |
| 349 | The CLUSTERIP target allows you to build load-balancing clusters of | |
| 350 | network servers without having a dedicated load-balancing | |
| 351 | router/server/switch. | |
| 352 | ||
| 353 | To compile it as a module, choose M here. If unsure, say N. | |
| 354 | ||
| 355 | # raw + specific targets | |
| 356 | config IP_NF_RAW | |
| 357 | tristate 'raw table support (required for NOTRACK/TRACE)' | |
| 358 | depends on IP_NF_IPTABLES | |
| 33b8e776 | 359 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
360 | help |
| 361 | This option adds a `raw' table to iptables. This table is the very | |
| 362 | first in the netfilter framework and hooks in at the PREROUTING | |
| 363 | and OUTPUT chains. | |
| 364 | ||
| 365 | If you want to compile it as a module, say M here and read | |
| e403149c | 366 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
| 1da177e4 | 367 | |
| 1da177e4 LT |
368 | # ARP tables |
| 369 | config IP_NF_ARPTABLES | |
| 370 | tristate "ARP tables support" | |
| a3c941b0 | 371 | select NETFILTER_XTABLES |
| 33b8e776 | 372 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
373 | help |
| 374 | arptables is a general, extensible packet identification framework. | |
| 375 | The ARP packet filtering and mangling (manipulation)subsystems | |
| 376 | use this: say Y or M here if you want to use either of those. | |
| 377 | ||
| 378 | To compile it as a module, choose M here. If unsure, say N. | |
| 379 | ||
| 380 | config IP_NF_ARPFILTER | |
| 381 | tristate "ARP packet filtering" | |
| 382 | depends on IP_NF_ARPTABLES | |
| 383 | help | |
| 384 | ARP packet filtering defines a table `filter', which has a series of | |
| 385 | rules for simple ARP packet filtering at local input and | |
| 386 | local output. On a bridge, you can also specify filtering rules | |
| 387 | for forwarded ARP packets. See the man page for arptables(8). | |
| 388 | ||
| 389 | To compile it as a module, choose M here. If unsure, say N. | |
| 390 | ||
| 391 | config IP_NF_ARP_MANGLE | |
| 392 | tristate "ARP payload mangling" | |
| 393 | depends on IP_NF_ARPTABLES | |
| 394 | help | |
| 395 | Allows altering the ARP packet payload: source and destination | |
| 396 | hardware and network addresses. | |
| 397 | ||
| 398 | endmenu | |
| 399 |