netfilter: factor out packet duplication for IPv4/IPv6
[deliverable/linux.git] / net / ipv4 / netfilter / Kconfig
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

if NF_TABLES

config NF_TABLES_IPV4
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NFT_REJECT_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu