Pull fsys_gettimeofday into release branch
[deliverable/linux.git] / net / ipv4 / netfilter / Kconfig
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependant connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	depends on NETFILTER_ADVANCED
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

# The matches.
config IP_NF_MATCH_RECENT
	tristate '"recent" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_NEEDED
	bool
	depends on NF_NAT
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on NF_NAT
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	depends on NETFILTER_ADVANCED
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through.  This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NF_NAT
	depends on NETFILTER_ADVANCED
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_NAT
	depends on NETFILTER_ADVANCED
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT && NF_CT_PROTO_GRE

config NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_PPTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

config NF_NAT_SIP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values.  This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endmenu