1#
2# IP netfilter configuration
3#
4
5menu "IP: Netfilter Configuration"
6	depends on INET && NETFILTER
7
8config NF_DEFRAG_IPV4
9	tristate
10	default n
11
12config NF_CONNTRACK_IPV4
13	tristate "IPv4 connection tracking support (required for NAT)"
14	depends on NF_CONNTRACK
15	default m if NETFILTER_ADVANCED=n
16	select NF_DEFRAG_IPV4
17	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  to each other as connections.
21
	  This is IPv4 support for Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.
25
26	  To compile it as a module, choose M here.  If unsure, say N.
27
28config NF_CONNTRACK_PROC_COMPAT
29	bool "proc/sysctl compatibility with old connection tracking"
30	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
31	default y
32	help
33	  This option enables /proc and sysctl compatibility with the old
34	  layer 3 dependent connection tracking. This is needed to keep
35	  old programs that have not been adapted to the new names working.
36
37	  If unsure, say Y.
38
39config NF_LOG_ARP
40	tristate "ARP packet logging"
41	default m if NETFILTER_ADVANCED=n
42	select NF_LOG_COMMON
43
44config NF_LOG_IPV4
45	tristate "IPv4 packet logging"
46	default m if NETFILTER_ADVANCED=n
47	select NF_LOG_COMMON
48
49config NF_TABLES_IPV4
50	depends on NF_TABLES
51	tristate "IPv4 nf_tables support"
52	help
53	  This option enables the IPv4 support for nf_tables.
54
55config NFT_CHAIN_ROUTE_IPV4
56	depends on NF_TABLES_IPV4
57	tristate "IPv4 nf_tables route chain support"
58	help
59	  This option enables the "route" chain for IPv4 in nf_tables. This
60	  chain type is used to force packet re-routing after mangling header
61	  fields such as the source, destination, type of service and
62	  the packet mark.
63
64config NF_REJECT_IPV4
65	tristate "IPv4 packet rejection"
66	default m if NETFILTER_ADVANCED=n
67
68config NFT_REJECT_IPV4
69	depends on NF_TABLES_IPV4
70	select NF_REJECT_IPV4
71	default NFT_REJECT
72	tristate
73
74config NF_TABLES_ARP
75	depends on NF_TABLES
76	tristate "ARP nf_tables support"
77	help
78	  This option enables the ARP support for nf_tables.
79
80config NF_NAT_IPV4
81	tristate "IPv4 NAT"
82	depends on NF_CONNTRACK_IPV4
83	default m if NETFILTER_ADVANCED=n
84	select NF_NAT
85	help
86	  The IPv4 NAT option allows masquerading, port forwarding and other
87	  forms of full Network Address Port Translation. This can be
88	  controlled by iptables or nft.
89
90if NF_NAT_IPV4
91
92config NFT_CHAIN_NAT_IPV4
93	depends on NF_TABLES_IPV4
94	tristate "IPv4 nf_tables nat chain support"
95	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations, such as rewriting the source and destination
	  addresses and the source and destination ports.
100
101config NF_NAT_MASQUERADE_IPV4
102	tristate "IPv4 masquerade support"
103	help
104	  This is the kernel functionality to provide NAT in the masquerade
105	  flavour (automatic source address selection).
106
107config NFT_MASQ_IPV4
108	tristate "IPv4 masquerading support for nf_tables"
109	depends on NF_TABLES_IPV4
110	depends on NFT_MASQ
111	select NF_NAT_MASQUERADE_IPV4
112	help
113	  This is the expression that provides IPv4 masquerading support for
114	  nf_tables.
115
116config NF_NAT_SNMP_BASIC
117	tristate "Basic SNMP-ALG support"
118	depends on NF_CONNTRACK_SNMP
119	depends on NETFILTER_ADVANCED
120	default NF_NAT && NF_CONNTRACK_SNMP
121	---help---
122
123	  This module implements an Application Layer Gateway (ALG) for
124	  SNMP payloads.  In conjunction with NAT, it allows a network
125	  management system to access multiple private networks with
126	  conflicting addresses.  It works by modifying IP addresses
127	  inside SNMP payloads to match IP-layer NAT mapping.
128
	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.
130
131	  To compile it as a module, choose M here.  If unsure, say N.
132
133config NF_NAT_PROTO_GRE
134	tristate
135	depends on NF_CT_PROTO_GRE
136
137config NF_NAT_PPTP
138	tristate
139	depends on NF_CONNTRACK
140	default NF_CONNTRACK_PPTP
141	select NF_NAT_PROTO_GRE
142
143config NF_NAT_H323
144	tristate
145	depends on NF_CONNTRACK
146	default NF_CONNTRACK_H323
147
148endif # NF_NAT_IPV4
149
150config IP_NF_IPTABLES
151	tristate "IP tables support (required for filtering/masq/NAT)"
152	default m if NETFILTER_ADVANCED=n
153	select NETFILTER_XTABLES
154	help
155	  iptables is a general, extensible packet identification framework.
156	  The packet filtering and full NAT (masquerading, port forwarding,
157	  etc) subsystems now use this: say `Y' or `M' here if you want to use
158	  either of those.
159
160	  To compile it as a module, choose M here.  If unsure, say N.
161
162if IP_NF_IPTABLES
163
164# The matches.
165config IP_NF_MATCH_AH
166	tristate '"ah" match support'
167	depends on NETFILTER_ADVANCED
168	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.
171
172	  To compile it as a module, choose M here.  If unsure, say N.
173
174config IP_NF_MATCH_ECN
175	tristate '"ecn" match support'
176	depends on NETFILTER_ADVANCED
177	select NETFILTER_XT_MATCH_ECN
178	---help---
179	This is a backwards-compat option for the user's convenience
180	(e.g. when running oldconfig). It selects
181	CONFIG_NETFILTER_XT_MATCH_ECN.
182
183config IP_NF_MATCH_RPFILTER
184	tristate '"rpfilter" reverse path filter match support'
185	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
186	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in on.
189
190	  To compile it as a module, choose M here.  If unsure, say N.
191	  The module will be called ipt_rpfilter.
192
193config IP_NF_MATCH_TTL
194	tristate '"ttl" match support'
195	depends on NETFILTER_ADVANCED
196	select NETFILTER_XT_MATCH_HL
197	---help---
198	This is a backwards-compat option for the user's convenience
199	(e.g. when running oldconfig). It selects
200	CONFIG_NETFILTER_XT_MATCH_HL.
201
202# `filter', generic and specific targets
203config IP_NF_FILTER
204	tristate "Packet filtering"
205	default m if NETFILTER_ADVANCED=n
206	help
207	  Packet filtering defines a table `filter', which has a series of
208	  rules for simple packet filtering at local input, forwarding and
209	  local output.  See the man page for iptables(8).
210
211	  To compile it as a module, choose M here.  If unsure, say N.
212
213config IP_NF_TARGET_REJECT
214	tristate "REJECT target support"
215	depends on IP_NF_FILTER
216	select NF_REJECT_IPV4
217	default m if NETFILTER_ADVANCED=n
218	help
219	  The REJECT target allows a filtering rule to specify that an ICMP
220	  error should be issued in response to an incoming packet, rather
221	  than silently being dropped.
222
223	  To compile it as a module, choose M here.  If unsure, say N.
224
225config IP_NF_TARGET_SYNPROXY
226	tristate "SYNPROXY target support"
227	depends on NF_CONNTRACK && NETFILTER_ADVANCED
228	select NETFILTER_SYNPROXY
229	select SYN_COOKIES
230	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage during
	  SYN-flood attacks.
235
236	  To compile it as a module, choose M here. If unsure, say N.
237
238# NAT + specific targets: nf_conntrack
239config IP_NF_NAT
240	tristate "iptables NAT support"
241	depends on NF_CONNTRACK_IPV4
242	default m if NETFILTER_ADVANCED=n
243	select NF_NAT
244	select NF_NAT_IPV4
245	select NETFILTER_XT_NAT
246	help
247	  This enables the `nat' table in iptables. This allows masquerading,
248	  port forwarding and other forms of full Network Address Port
249	  Translation.
250
251	  To compile it as a module, choose M here.  If unsure, say N.
252
253if IP_NF_NAT
254
255config IP_NF_TARGET_MASQUERADE
256	tristate "MASQUERADE target support"
257	select NF_NAT_MASQUERADE_IPV4
258	default m if NETFILTER_ADVANCED=n
259	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on the next dialup).
265
266	  To compile it as a module, choose M here.  If unsure, say N.
267
268config IP_NF_TARGET_NETMAP
269	tristate "NETMAP target support"
270	depends on NETFILTER_ADVANCED
271	select NETFILTER_XT_TARGET_NETMAP
272	---help---
273	This is a backwards-compat option for the user's convenience
274	(e.g. when running oldconfig). It selects
275	CONFIG_NETFILTER_XT_TARGET_NETMAP.
276
277config IP_NF_TARGET_REDIRECT
278	tristate "REDIRECT target support"
279	depends on NETFILTER_ADVANCED
280	select NETFILTER_XT_TARGET_REDIRECT
281	---help---
282	This is a backwards-compat option for the user's convenience
283	(e.g. when running oldconfig). It selects
284	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
285
286endif # IP_NF_NAT
287
288# mangle + specific targets
289config IP_NF_MANGLE
290	tristate "Packet mangling"
291	default m if NETFILTER_ADVANCED=n
292	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.
296
297	  To compile it as a module, choose M here.  If unsure, say N.
298
299config IP_NF_TARGET_CLUSTERIP
300	tristate "CLUSTERIP target support"
301	depends on IP_NF_MANGLE
302	depends on NF_CONNTRACK_IPV4
303	depends on NETFILTER_ADVANCED
304	select NF_CONNTRACK_MARK
305	help
306	  The CLUSTERIP target allows you to build load-balancing clusters of
307	  network servers without having a dedicated load-balancing
308	  router/server/switch.
309	
310	  To compile it as a module, choose M here.  If unsure, say N.
311
312config IP_NF_TARGET_ECN
313	tristate "ECN target support"
314	depends on IP_NF_MANGLE
315	depends on NETFILTER_ADVANCED
316	---help---
	  This option adds an `ECN' target, which can be used in the iptables
	  mangle table.
319
	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.
324
325	  To compile it as a module, choose M here.  If unsure, say N.
326
327config IP_NF_TARGET_TTL
328	tristate '"TTL" target support'
329	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
330	select NETFILTER_XT_TARGET_HL
331	---help---
332	This is a backwards-compatible option for the user's convenience
333	(e.g. when running oldconfig). It selects
334	CONFIG_NETFILTER_XT_TARGET_HL.
335
336# raw + specific targets
337config IP_NF_RAW
338	tristate  'raw table support (required for NOTRACK/TRACE)'
339	help
340	  This option adds a `raw' table to iptables. This table is the very
341	  first in the netfilter framework and hooks in at the PREROUTING
342	  and OUTPUT chains.
343	
344	  If you want to compile it as a module, say M here and read
345	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
346
347# security table for MAC policy
348config IP_NF_SECURITY
349	tristate "Security table"
350	depends on SECURITY
351	depends on NETFILTER_ADVANCED
352	help
353	  This option adds a `security' table to iptables, for use
354	  with Mandatory Access Control (MAC) policy.
355	 
356	  If unsure, say N.
357
358endif # IP_NF_IPTABLES
359
360# ARP tables
361config IP_NF_ARPTABLES
362	tristate "ARP tables support"
363	select NETFILTER_XTABLES
364	depends on NETFILTER_ADVANCED
365	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.
369
370	  To compile it as a module, choose M here.  If unsure, say N.
371
372if IP_NF_ARPTABLES
373
374config IP_NF_ARPFILTER
375	tristate "ARP packet filtering"
376	help
377	  ARP packet filtering defines a table `filter', which has a series of
378	  rules for simple ARP packet filtering at local input and
379	  local output.  On a bridge, you can also specify filtering rules
380	  for forwarded ARP packets. See the man page for arptables(8).
381
382	  To compile it as a module, choose M here.  If unsure, say N.
383
384config IP_NF_ARP_MANGLE
385	tristate "ARP payload mangling"
386	help
387	  Allows altering the ARP packet payload: source and destination
388	  hardware and network addresses.
389
390endif # IP_NF_ARPTABLES
391
392endmenu
393
394