```kconfig
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking.  This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

if NF_TABLES

config NF_TABLES_IPV4
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables.  This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NFT_REJECT_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables.  This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc.) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in on.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than the packet silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server.  This avoids conntrack and server resource usage during
	  SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables.  This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on the next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables
	  mangle table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables.  This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets.  See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
```
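Because `select` turns a symbol on regardless of that symbol's own `depends on`, one option such as IP_NF_NAT above pulls several others into the build, which matters when trimming a kernel to the netfilter pieces actually needed. The following Python walker is an added example, not kernel code: it parses the Kconfig subset this file uses (config, depends on, select, if/endif, help blocks), folds `if` nesting into each option's dependencies and follows `select` chains over a constructed excerpt of the file (the excerpt KCONFIG_EXCERPT and both function names are mine).

```python
# Minimal Kconfig dependency walker (added example, not kernel code): folds
# enclosing if/endif conditions into each symbol's dependencies and follows
# `select` chains, so a minimal-kernel build sees what one option pulls in.

# Constructed excerpt of the IPv4 netfilter Kconfig shown on this page.
KCONFIG_EXCERPT = """\
config NF_NAT_IPV4
	depends on NF_CONNTRACK_IPV4
	select NF_NAT
if IP_NF_IPTABLES
config IP_NF_NAT
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
if IP_NF_NAT
config IP_NF_TARGET_MASQUERADE
	select NF_NAT_MASQUERADE_IPV4
	help
	  if the interface goes down, those connections are lost.
endif # IP_NF_NAT
endif # IP_NF_IPTABLES
"""

def parse_kconfig(text):
    """Return {symbol: {"depends": [...], "selects": [...]}}."""
    symbols, cur, if_stack, in_help = {}, None, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or (in_help and raw[0].isspace()):
            continue  # blank line, or indented help prose ("if the interface...")
        in_help = line in ("help", "---help---")
        key, _, rest = line.partition(" ")
        if key == "if":  # `default m if ...` has key "default", not "if"
            if_stack.append(rest)
        elif key == "endif":
            if_stack.pop()
        elif key == "config":
            cur = symbols[rest] = {"depends": list(if_stack), "selects": []}
        elif key == "depends" and cur:
            cur["depends"].append(rest.removeprefix("on "))
        elif key == "select" and cur:
            cur["selects"].append(rest.split()[0])
    return symbols

def transitive_selects(symbols, name):
    """Symbols forced on by enabling `name`; select bypasses their `depends on`."""
    seen, stack = set(), [name]
    while stack:
        for sel in symbols.get(stack.pop(), {}).get("selects", []):
            if sel not in seen:
                seen.add(sel)
                stack.append(sel)
    return sorted(seen)
```

Running `parse_kconfig` on the full file shows, for example, that every symbol between `if IP_NF_IPTABLES` and its `endif` carries IP_NF_IPTABLES as an implicit dependency even though no `depends on` line says so.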