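#
# IP netfilter configuration
#
# Layout notes:
#  - Symbols with "default m if NETFILTER_ADVANCED=n" are built as modules
#    in the non-advanced configuration; symbols that "depends on
#    NETFILTER_ADVANCED" are only offered once that switch is set.
#  - Symbols without a prompt string (bare "tristate") are never shown in
#    menuconfig; they are pulled in via "select" or a "default" that
#    mirrors the matching conntrack helper.
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# No prompt: selected by NF_CONNTRACK_IPV4 below, which needs reassembled
# datagrams before it can track them.
config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

# Compatibility shim only: keeps the old /proc and sysctl names alive for
# userspace that has not moved to the NF_CONNTRACK_PROCFS names.
config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

# Logging backends share the common NF_LOG_COMMON infrastructure.
config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_TABLES_IPV4
	depends on NF_TABLES
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

# Shared ICMP/TCP-reset rejection code, used by both the iptables REJECT
# target (IP_NF_TARGET_REJECT) and the nf_tables reject expression.
config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

# No prompt: follows NFT_REJECT.
config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

config NF_TABLES_ARP
	depends on NF_TABLES
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

# Application Layer Gateway: rewrites addresses carried inside SNMP
# payloads, i.e. the kernel inspects and edits application-layer data for
# this protocol.  Only needed when SNMP management must cross NAT between
# networks with overlapping private addressing; otherwise leave it off.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

# The NAT halves of the GRE/PPTP/H.323 helpers have no prompt of their
# own; each one defaults to the state of the matching conntrack helper.
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

# Reverse-path check as an iptables match (lives in the mangle or raw
# table, hence the dependency); lets a ruleset treat packets whose source
# is not reachable back through the ingress interface differently.
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

# SYN-flood mitigation: completes the handshake with syncookies before a
# conntrack entry or server socket is committed, so it also pulls in
# SYN_COOKIES.
config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
# The raw table is traversed before connection tracking, which is why
# NOTRACK/TRACE and the rpfilter match can be placed there.
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets.  See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu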