Commit | Line | Data |
---|---|---|
1da177e4 LT | 1 | # |
1da177e4 LT | 2 | # IP netfilter configuration |
1da177e4 LT | 3 | # |
1da177e4 LT | 4 | |
1da177e4 LT | 5 | menu "IP: Netfilter Configuration" |
1da177e4 LT | 6 | depends on INET && NETFILTER |
1da177e4 LT | 7 | |
73e4022f KK | 8 | config NF_DEFRAG_IPV4 |
73e4022f KK | 9 | tristate |
73e4022f KK | 10 | default n |
73e4022f KK | 11 | |
9fb9cbb1 | 12 | config NF_CONNTRACK_IPV4 |
c9386cfd PM | 13 | tristate "IPv4 connection tracking support (required for NAT)" |
c9386cfd PM | 14 | depends on NF_CONNTRACK |
33b8e776 | 15 | default m if NETFILTER_ADVANCED=n |
73e4022f | 16 | select NF_DEFRAG_IPV4 |
9fb9cbb1 YK | 17 | ---help--- |
9fb9cbb1 YK | 18 | Connection tracking keeps a record of what packets have passed |
9fb9cbb1 YK | 19 | through your machine, in order to figure out how they are related |
9fb9cbb1 YK | 20 | into connections. |
9fb9cbb1 YK | 21 | |
9fb9cbb1 YK | 22 | This is IPv4 support on Layer 3 independent connection tracking. |
9fb9cbb1 YK | 23 | Layer 3 independent connection tracking is an experimental scheme |
9fb9cbb1 YK | 24 | which generalizes ip_conntrack to support other layer 3 protocols. |
9fb9cbb1 YK | 25 | |
9fb9cbb1 YK | 26 | To compile it as a module, choose M here. If unsure, say N. |
9fb9cbb1 YK | 27 | |
a999e683 PM | 28 | config NF_CONNTRACK_PROC_COMPAT |
a999e683 PM | 29 | bool "proc/sysctl compatibility with old connection tracking" |
0c4ca1bd | 30 | depends on NF_CONNTRACK_IPV4 |
a999e683 PM | 31 | default y |
a999e683 PM | 32 | help |
a999e683 PM | 33 | This option enables /proc and sysctl compatibility with the old |
67c0d579 | 34 | layer 3 dependent connection tracking. This is needed to keep |
a999e683 PM | 35 | old programs that have not been adapted to the new names working. |
a999e683 PM | 36 | |
a999e683 PM | 37 | If unsure, say Y. |
a999e683 PM | 38 | |
1da177e4 | 39 | config IP_NF_QUEUE |
7af4cc3f | 40 | tristate "IP Userspace queueing via NETLINK (OBSOLETE)" |
33b8e776 | 41 | depends on NETFILTER_ADVANCED |
1da177e4 LT | 42 | help |
1da177e4 LT | 43 | Netfilter has the ability to queue packets to user space: the |
1da177e4 LT | 44 | netlink device can be used to access them using this driver. |
1da177e4 LT | 45 | |
7af4cc3f HW | 46 | This option enables the old IPv4-only "ip_queue" implementation |
7af4cc3f HW | 47 | which has been obsoleted by the new "nfnetlink_queue" code (see |
7af4cc3f HW | 48 | CONFIG_NETFILTER_NETLINK_QUEUE). |
7af4cc3f HW | 49 | |
1da177e4 LT | 50 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 51 | |
1da177e4 LT | 52 | config IP_NF_IPTABLES |
1da177e4 LT | 53 | tristate "IP tables support (required for filtering/masq/NAT)" |
33b8e776 | 54 | default m if NETFILTER_ADVANCED=n |
a3c941b0 | 55 | select NETFILTER_XTABLES |
1da177e4 LT | 56 | help |
1da177e4 LT | 57 | iptables is a general, extensible packet identification framework. |
1da177e4 LT | 58 | The packet filtering and full NAT (masquerading, port forwarding, |
1da177e4 LT | 59 | etc) subsystems now use this: say `Y' or `M' here if you want to use |
1da177e4 LT | 60 | either of those. |
1da177e4 LT | 61 | |
1da177e4 LT | 62 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 63 | |
c2df73de JE | 64 | if IP_NF_IPTABLES |
c2df73de JE | 65 | |
1da177e4 | 66 | # The matches. |
dc5ab2fa | 67 | config IP_NF_MATCH_AH |
4c37799c | 68 | tristate '"ah" match support' |
33b8e776 | 69 | depends on NETFILTER_ADVANCED |
1da177e4 | 70 | help |
dc5ab2fa YK | 71 | This match extension allows you to match a range of SPIs |
dc5ab2fa YK | 72 | inside the AH header of IPSec packets. |
1da177e4 LT | 73 | |
1da177e4 LT | 74 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 75 | |
aba0d348 JE | 76 | config IP_NF_MATCH_ECN |
aba0d348 JE | 77 | tristate '"ecn" match support' |
33b8e776 | 78 | depends on NETFILTER_ADVANCED |
d446a820 JE | 79 | select NETFILTER_XT_MATCH_ECN |
d446a820 JE | 80 | ---help--- |
d446a820 JE | 81 | This is a backwards-compat option for the user's convenience |
d446a820 JE | 82 | (e.g. when running oldconfig). It selects |
d446a820 JE | 83 | CONFIG_NETFILTER_XT_MATCH_ECN. |
1da177e4 | 84 | |
8f97339d FW | 85 | config IP_NF_MATCH_RPFILTER |
8f97339d FW | 86 | tristate '"rpfilter" reverse path filter match support' |
8f97339d FW | 87 | depends on NETFILTER_ADVANCED |
8f97339d FW | 88 | ---help--- |
8f97339d FW | 89 | This option allows you to match packets whose replies would |
8f97339d FW | 90 | go out via the interface the packet came in. |
8f97339d FW | 91 | |
8f97339d FW | 92 | To compile it as a module, choose M here. If unsure, say N. |
8f97339d FW | 93 | The module will be called ipt_rpfilter. |
8f97339d FW | 94 | |
4323362e JE | 95 | config IP_NF_MATCH_TTL |
4323362e JE | 96 | tristate '"ttl" match support' |
4323362e JE | 97 | depends on NETFILTER_ADVANCED |
4323362e JE | 98 | select NETFILTER_XT_MATCH_HL |
4323362e JE | 99 | ---help--- |
4323362e JE | 100 | This is a backwards-compat option for the user's convenience |
4323362e JE | 101 | (e.g. when running oldconfig). It selects |
67c0d579 | 102 | CONFIG_NETFILTER_XT_MATCH_HL. |
4323362e | 103 | |
1da177e4 LT | 104 | # `filter', generic and specific targets |
1da177e4 LT | 105 | config IP_NF_FILTER |
1da177e4 LT | 106 | tristate "Packet filtering" |
33b8e776 | 107 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT | 108 | help |
1da177e4 LT | 109 | Packet filtering defines a table `filter', which has a series of |
1da177e4 LT | 110 | rules for simple packet filtering at local input, forwarding and |
1da177e4 LT | 111 | local output. See the man page for iptables(8). |
1da177e4 LT | 112 | |
1da177e4 LT | 113 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 114 | |
1da177e4 LT | 115 | config IP_NF_TARGET_REJECT |
1da177e4 LT | 116 | tristate "REJECT target support" |
1da177e4 LT | 117 | depends on IP_NF_FILTER |
33b8e776 | 118 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT | 119 | help |
1da177e4 LT | 120 | The REJECT target allows a filtering rule to specify that an ICMP |
1da177e4 LT | 121 | error should be issued in response to an incoming packet, rather |
1da177e4 LT | 122 | than silently being dropped. |
1da177e4 LT | 123 | |
1da177e4 LT | 124 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 125 | |
1da177e4 LT | 126 | config IP_NF_TARGET_LOG |
1da177e4 LT | 127 | tristate "LOG target support" |
33b8e776 | 128 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT | 129 | help |
1da177e4 LT | 130 | This option adds a `LOG' target, which allows you to create rules in |
1da177e4 LT | 131 | any iptables table which records the packet header to the syslog. |
1da177e4 LT | 132 | |
1da177e4 LT | 133 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 134 | |
1da177e4 LT | 135 | config IP_NF_TARGET_ULOG |
44adf28f | 136 | tristate "ULOG target support" |
33b8e776 | 137 | default m if NETFILTER_ADVANCED=n |
1da177e4 | 138 | ---help--- |
f40863ce HW | 139 | |
f40863ce HW | 140 | This option enables the old IPv4-only "ipt_ULOG" implementation |
f40863ce HW | 141 | which has been obsoleted by the new "nfnetlink_log" code (see |
f40863ce HW | 142 | CONFIG_NETFILTER_NETLINK_LOG). |
f40863ce HW | 143 | |
1da177e4 LT | 144 | This option adds a `ULOG' target, which allows you to create rules in |
1da177e4 LT | 145 | any iptables table. The packet is passed to a userspace logging |
1da177e4 LT | 146 | daemon using netlink multicast sockets; unlike the LOG target |
1da177e4 LT | 147 | which can only be viewed through syslog. |
1da177e4 LT | 148 | |
44c09201 | 149 | The appropriate userspace logging daemon (ulogd) may be obtained from |
631dd1a8 | 150 | <http://www.netfilter.org/projects/ulogd/index.html> |
1da177e4 LT | 151 | |
1da177e4 LT | 152 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 153 | |
5b1158e9 JK | 154 | # NAT + specific targets: nf_conntrack |
5b1158e9 JK | 155 | config NF_NAT |
5b1158e9 JK | 156 | tristate "Full NAT" |
c2df73de | 157 | depends on NF_CONNTRACK_IPV4 |
33b8e776 | 158 | default m if NETFILTER_ADVANCED=n |
5b1158e9 JK | 159 | help |
5b1158e9 JK | 160 | The Full NAT option allows masquerading, port forwarding and other |
5b1158e9 JK | 161 | forms of full Network Address Port Translation. It is controlled by |
5b1158e9 JK | 162 | the `nat' table in iptables: see the man page for iptables(8). |
5b1158e9 JK | 163 | |
5b1158e9 JK | 164 | To compile it as a module, choose M here. If unsure, say N. |
5b1158e9 JK | 165 | |
5b1158e9 JK | 166 | config NF_NAT_NEEDED |
5b1158e9 JK | 167 | bool |
5b1158e9 JK | 168 | depends on NF_NAT |
1da177e4 LT | 169 | default y |
1da177e4 LT | 170 | |
1da177e4 LT | 171 | config IP_NF_TARGET_MASQUERADE |
1da177e4 LT | 172 | tristate "MASQUERADE target support" |
587aa641 | 173 | depends on NF_NAT |
33b8e776 | 174 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT | 175 | help |
1da177e4 LT | 176 | Masquerading is a special case of NAT: all outgoing connections are |
1da177e4 LT | 177 | changed to seem to come from a particular interface's address, and |
1da177e4 LT | 178 | if the interface goes down, those connections are lost. This is |
1da177e4 LT | 179 | only useful for dialup accounts with dynamic IP address (i.e. your IP |
1da177e4 LT | 180 | address will be different on next dialup). |
1da177e4 LT | 181 | |
1da177e4 LT | 182 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 183 | |
aba0d348 JE | 184 | config IP_NF_TARGET_NETMAP |
aba0d348 JE | 185 | tristate "NETMAP target support" |
587aa641 | 186 | depends on NF_NAT |
33b8e776 | 187 | depends on NETFILTER_ADVANCED |
1da177e4 | 188 | help |
aba0d348 JE | 189 | NETMAP is an implementation of static 1:1 NAT mapping of network |
aba0d348 JE | 190 | addresses. It maps the network address part, while keeping the host |
aba0d348 JE | 191 | address part intact. |
1da177e4 LT | 192 | |
1da177e4 LT | 193 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 194 | |
aba0d348 JE | 195 | config IP_NF_TARGET_REDIRECT |
aba0d348 JE | 196 | tristate "REDIRECT target support" |
587aa641 | 197 | depends on NF_NAT |
33b8e776 | 198 | depends on NETFILTER_ADVANCED |
1da177e4 | 199 | help |
aba0d348 JE | 200 | REDIRECT is a special case of NAT: all incoming connections are |
aba0d348 JE | 201 | mapped onto the incoming interface's address, causing the packets to |
aba0d348 JE | 202 | come to the local machine instead of passing through. This is |
aba0d348 JE | 203 | useful for transparent proxies. |
1da177e4 LT | 204 | |
1da177e4 LT | 205 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 206 | |
807467c2 | 207 | config NF_NAT_SNMP_BASIC |
8ce22fca | 208 | tristate "Basic SNMP-ALG support" |
93557f53 | 209 | depends on NF_CONNTRACK_SNMP && NF_NAT |
33b8e776 | 210 | depends on NETFILTER_ADVANCED |
93557f53 | 211 | default NF_NAT && NF_CONNTRACK_SNMP |
807467c2 PM | 212 | ---help--- |
807467c2 PM | 213 | |
807467c2 PM | 214 | This module implements an Application Layer Gateway (ALG) for |
807467c2 PM | 215 | SNMP payloads. In conjunction with NAT, it allows a network |
1da177e4 LT | 216 | management system to access multiple private networks with |
1da177e4 LT | 217 | conflicting addresses. It works by modifying IP addresses |
1da177e4 LT | 218 | inside SNMP payloads to match IP-layer NAT mapping. |
1da177e4 LT | 219 | |
1da177e4 LT | 220 | This is the "basic" form of SNMP-ALG, as described in RFC 2962. |
1da177e4 LT | 221 | |
1da177e4 LT | 222 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 223 | |
55a73324 JK | 224 | # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), |
55a73324 JK | 225 | # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. |
55a73324 JK | 226 | # From kconfig-language.txt: |
55a73324 JK | 227 | # |
55a73324 JK | 228 | # <expr> '&&' <expr> (6) |
55a73324 JK | 229 | # |
55a73324 JK | 230 | # (6) Returns the result of min(/expr/, /expr/). |
4910a087 PM | 231 | config NF_NAT_PROTO_DCCP |
4910a087 PM | 232 | tristate |
4910a087 PM | 233 | depends on NF_NAT && NF_CT_PROTO_DCCP |
4910a087 PM | 234 | default NF_NAT && NF_CT_PROTO_DCCP |
4910a087 PM | 235 | |
f09943fe PM | 236 | config NF_NAT_PROTO_GRE |
f09943fe PM | 237 | tristate |
f09943fe PM | 238 | depends on NF_NAT && NF_CT_PROTO_GRE |
f09943fe PM | 239 | |
6185f870 PM | 240 | config NF_NAT_PROTO_UDPLITE |
6185f870 PM | 241 | tristate |
6185f870 PM | 242 | depends on NF_NAT && NF_CT_PROTO_UDPLITE |
6185f870 PM | 243 | default NF_NAT && NF_CT_PROTO_UDPLITE |
6185f870 PM | 244 | |
9d908a69 PM | 245 | config NF_NAT_PROTO_SCTP |
9d908a69 PM | 246 | tristate |
9d908a69 PM | 247 | default NF_NAT && NF_CT_PROTO_SCTP |
9d908a69 PM | 248 | depends on NF_NAT && NF_CT_PROTO_SCTP |
4e9d8a70 | 249 | select LIBCRC32C |
9d908a69 | 250 | |
55a73324 JK | 251 | config NF_NAT_FTP |
55a73324 JK | 252 | tristate |
c2df73de | 253 | depends on NF_CONNTRACK && NF_NAT |
55a73324 JK | 254 | default NF_NAT && NF_CONNTRACK_FTP |
55a73324 JK | 255 | |
869f37d8 PM | 256 | config NF_NAT_IRC |
869f37d8 PM | 257 | tristate |
c2df73de | 258 | depends on NF_CONNTRACK && NF_NAT |
869f37d8 PM | 259 | default NF_NAT && NF_CONNTRACK_IRC |
869f37d8 PM | 260 | |
a536df35 PM | 261 | config NF_NAT_TFTP |
a536df35 PM | 262 | tristate |
c2df73de | 263 | depends on NF_CONNTRACK && NF_NAT |
a536df35 PM | 264 | default NF_NAT && NF_CONNTRACK_TFTP |
a536df35 PM | 265 | |
16958900 PM | 266 | config NF_NAT_AMANDA |
16958900 PM | 267 | tristate |
c2df73de | 268 | depends on NF_CONNTRACK && NF_NAT |
16958900 PM | 269 | default NF_NAT && NF_CONNTRACK_AMANDA |
16958900 PM | 270 | |
f09943fe PM | 271 | config NF_NAT_PPTP |
f09943fe PM | 272 | tristate |
c2df73de | 273 | depends on NF_CONNTRACK && NF_NAT |
f09943fe PM | 274 | default NF_NAT && NF_CONNTRACK_PPTP |
f09943fe PM | 275 | select NF_NAT_PROTO_GRE |
f09943fe PM | 276 | |
f587de0e PM | 277 | config NF_NAT_H323 |
f587de0e PM | 278 | tristate |
c2df73de | 279 | depends on NF_CONNTRACK && NF_NAT |
f587de0e PM | 280 | default NF_NAT && NF_CONNTRACK_H323 |
f587de0e PM | 281 | |
9fafcd7b PM | 282 | config NF_NAT_SIP |
9fafcd7b PM | 283 | tristate |
c2df73de | 284 | depends on NF_CONNTRACK && NF_NAT |
9fafcd7b PM | 285 | default NF_NAT && NF_CONNTRACK_SIP |
9fafcd7b PM | 286 | |
1da177e4 LT | 287 | # mangle + specific targets |
1da177e4 LT | 288 | config IP_NF_MANGLE |
1da177e4 LT | 289 | tristate "Packet mangling" |
33b8e776 | 290 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT | 291 | help |
1da177e4 LT | 292 | This option adds a `mangle' table to iptables: see the man page for |
1da177e4 LT | 293 | iptables(8). This table is used for various packet alterations |
1da177e4 LT | 294 | which can affect how the packet is routed. |
1da177e4 LT | 295 | |
1da177e4 LT | 296 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 297 | |
aba0d348 JE | 298 | config IP_NF_TARGET_CLUSTERIP |
aba0d348 JE | 299 | tristate "CLUSTERIP target support (EXPERIMENTAL)" |
aba0d348 JE | 300 | depends on IP_NF_MANGLE && EXPERIMENTAL |
aba0d348 JE | 301 | depends on NF_CONNTRACK_IPV4 |
aba0d348 JE | 302 | depends on NETFILTER_ADVANCED |
aba0d348 JE | 303 | select NF_CONNTRACK_MARK |
aba0d348 JE | 304 | help |
aba0d348 JE | 305 | The CLUSTERIP target allows you to build load-balancing clusters of |
aba0d348 JE | 306 | network servers without having a dedicated load-balancing |
aba0d348 JE | 307 | router/server/switch. |
aba0d348 JE | 308 | |
aba0d348 JE | 309 | To compile it as a module, choose M here. If unsure, say N. |
aba0d348 JE | 310 | |
1da177e4 LT | 311 | config IP_NF_TARGET_ECN |
1da177e4 LT | 312 | tristate "ECN target support" |
1da177e4 LT | 313 | depends on IP_NF_MANGLE |
33b8e776 | 314 | depends on NETFILTER_ADVANCED |
1da177e4 LT | 315 | ---help--- |
1da177e4 LT | 316 | This option adds an `ECN' target, which can be used in the iptables mangle |
1da177e4 LT | 317 | table. |
1da177e4 LT | 318 | |
1da177e4 LT | 319 | You can use this target to remove the ECN bits from the IPv4 header of |
1da177e4 LT | 320 | an IP packet. This is particularly useful, if you need to work around |
1da177e4 LT | 321 | existing ECN blackholes on the internet, but don't want to disable |
1da177e4 LT | 322 | ECN support in general. |
1da177e4 LT | 323 | |
1da177e4 LT | 324 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 325 | |
4323362e JE | 326 | config IP_NF_TARGET_TTL |
4323362e JE | 327 | tristate '"TTL" target support' |
76b6717b | 328 | depends on NETFILTER_ADVANCED && IP_NF_MANGLE |
4323362e JE | 329 | select NETFILTER_XT_TARGET_HL |
4323362e JE | 330 | ---help--- |
76b6717b | 331 | This is a backwards-compatible option for the user's convenience |
4323362e | 332 | (e.g. when running oldconfig). It selects |
67c0d579 | 333 | CONFIG_NETFILTER_XT_TARGET_HL. |
4323362e | 334 | |
1da177e4 LT | 335 | # raw + specific targets |
1da177e4 LT | 336 | config IP_NF_RAW |
1da177e4 LT | 337 | tristate 'raw table support (required for NOTRACK/TRACE)' |
1da177e4 LT | 338 | help |
1da177e4 LT | 339 | This option adds a `raw' table to iptables. This table is the very |
1da177e4 LT | 340 | first in the netfilter framework and hooks in at the PREROUTING |
1da177e4 LT | 341 | and OUTPUT chains. |
1da177e4 LT | 342 | |
1da177e4 LT | 343 | If you want to compile it as a module, say M here and read |
e403149c | 344 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
560ee653 JM | 345 | |
560ee653 JM | 346 | # security table for MAC policy |
560ee653 JM | 347 | config IP_NF_SECURITY |
560ee653 JM | 348 | tristate "Security table" |
560ee653 | 349 | depends on SECURITY |
70eed75d | 350 | depends on NETFILTER_ADVANCED |
560ee653 JM | 351 | help |
560ee653 JM | 352 | This option adds a `security' table to iptables, for use |
560ee653 JM | 353 | with Mandatory Access Control (MAC) policy. |
560ee653 JM | 354 | |
560ee653 JM | 355 | If unsure, say N. |
1da177e4 | 356 | |
c2df73de JE | 357 | endif # IP_NF_IPTABLES |
c2df73de JE | 358 | |
1da177e4 LT | 359 | # ARP tables |
1da177e4 LT | 360 | config IP_NF_ARPTABLES |
1da177e4 LT | 361 | tristate "ARP tables support" |
a3c941b0 | 362 | select NETFILTER_XTABLES |
33b8e776 | 363 | depends on NETFILTER_ADVANCED |
1da177e4 LT | 364 | help |
1da177e4 LT | 365 | arptables is a general, extensible packet identification framework. |
1da177e4 LT | 366 | The ARP packet filtering and mangling (manipulation) subsystems |
1da177e4 LT | 367 | use this: say Y or M here if you want to use either of those. |
1da177e4 LT | 368 | |
1da177e4 LT | 369 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 370 | |
c2df73de JE | 371 | if IP_NF_ARPTABLES |
c2df73de JE | 372 | |
1da177e4 LT | 373 | config IP_NF_ARPFILTER |
1da177e4 LT | 374 | tristate "ARP packet filtering" |
1da177e4 LT | 375 | help |
1da177e4 LT | 376 | ARP packet filtering defines a table `filter', which has a series of |
1da177e4 LT | 377 | rules for simple ARP packet filtering at local input and |
1da177e4 LT | 378 | local output. On a bridge, you can also specify filtering rules |
1da177e4 LT | 379 | for forwarded ARP packets. See the man page for arptables(8). |
1da177e4 LT | 380 | |
1da177e4 LT | 381 | To compile it as a module, choose M here. If unsure, say N. |
1da177e4 LT | 382 | |
1da177e4 LT | 383 | config IP_NF_ARP_MANGLE |
1da177e4 LT | 384 | tristate "ARP payload mangling" |
1da177e4 LT | 385 | help |
1da177e4 LT | 386 | Allows altering the ARP packet payload: source and destination |
1da177e4 LT | 387 | hardware and network addresses. |
1da177e4 LT | 388 | |
c2df73de JE | 389 | endif # IP_NF_ARPTABLES |
c2df73de JE | 390 | |
1da177e4 LT | 391 | endmenu |
1da177e4 LT | 392 | |
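The comment above `config NF_NAT_PROTO_DCCP` quotes kconfig-language.txt: `&&` on tristates returns the minimum of its operands, which is why every `NF_NAT_*` helper above defaults to the weaker of `NF_NAT` and its conntrack helper. The following evaluator is an added example, not part of the kernel's Kconfig tooling; it applies that rule together with `||` (max), `!` (y minus the operand) and `=`/`!=` comparisons from the same document, over a constructed dict of symbol values.

```python
import re

N, M, Y = 0, 1, 2                       # tristate values, ordered n < m < y
NAME = {N: "n", M: "m", Y: "y"}
CONST = {"n": N, "m": M, "y": Y}

def evaluate(expr, symbols):
    """Evaluate a Kconfig tristate expression over a dict of symbol values.
    Precedence, low to high: '||' (max), '&&' (min), '!' (y - x), '='/'!='."""
    toks = re.findall(r"&&|\|\||!=|=|!|\(|\)|\w+", expr)
    pos = 0
    def peek():
        return toks[pos] if pos < len(toks) else None
    def take():
        nonlocal pos
        pos += 1
        return toks[pos - 1]
    def symbol(tok):                        # symbols missing from the dict are n
        return CONST[tok] if tok in CONST else symbols.get(tok, N)
    def atom():
        tok = take()
        if tok == "!":
            return Y - atom()               # '!' is (2 - expr)
        if tok == "(":
            val = disj()
            assert take() == ")", "unbalanced parenthesis"
            return val
        val = symbol(tok)
        if peek() in ("=", "!="):           # comparisons yield only y or n
            op = take()
            return Y if (val == symbol(take())) == (op == "=") else N
        return val
    def conj():                             # '&&' is min(), as the comment says
        val = atom()
        while peek() == "&&":
            take()
            val = min(val, atom())
        return val
    def disj():                             # '||' is max()
        val = conj()
        while peek() == "||":
            take()
            val = max(val, conj())
        return val
    val = disj()
    assert pos == len(toks), "trailing tokens"
    return val

def resolve(depends, default, symbols):
    """Value an untouched tristate symbol gets: its default, capped by 'depends on'."""
    return NAME[min(evaluate(default, symbols), evaluate(depends, symbols))]
```

With NF_NAT=y and NF_CONNTRACK_FTP=m, `resolve("NF_CONNTRACK && NF_NAT", "NF_NAT && NF_CONNTRACK_FTP", cfg)` yields `m`: the FTP NAT helper is built as a module because the conntrack helper it needs is one, regardless of NF_NAT being built in.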