Version:  2.0.40 2.2.26 2.4.37 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19

Linux/net/ipv4/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IP: Netfilter Configuration"
  6         depends on INET && NETFILTER
  7 
  8 config NF_DEFRAG_IPV4
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV4
 13         tristate "IPv4 connection tracking support (required for NAT)"
 14         depends on NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV4
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv4 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is experimental scheme
 24           which generalize ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 config NF_CONNTRACK_PROC_COMPAT
 29         bool "proc/sysctl compatibility with old connection tracking"
 30         depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
 31         default y
 32         help
 33           This option enables /proc and sysctl compatibility with the old
 34           layer 3 dependent connection tracking. This is needed to keep
 35           old programs that have not been adapted to the new names working.
 36 
 37           If unsure, say Y.
 38 
 39 config NF_LOG_ARP
 40         tristate "ARP packet logging"
 41         default m if NETFILTER_ADVANCED=n
 42         select NF_LOG_COMMON
 43 
 44 config NF_LOG_IPV4
 45         tristate "IPv4 packet logging"
 46         default m if NETFILTER_ADVANCED=n
 47         select NF_LOG_COMMON
 48 
 49 config NF_TABLES_IPV4
 50         depends on NF_TABLES
 51         tristate "IPv4 nf_tables support"
 52         help
 53           This option enables the IPv4 support for nf_tables.
 54 
 55 config NFT_CHAIN_ROUTE_IPV4
 56         depends on NF_TABLES_IPV4
 57         tristate "IPv4 nf_tables route chain support"
 58         help
 59           This option enables the "route" chain for IPv4 in nf_tables. This
 60           chain type is used to force packet re-routing after mangling header
 61           fields such as the source, destination, type of service and
 62           the packet mark.
 63 
 64 config NF_REJECT_IPV4
 65         tristate "IPv4 packet rejection"
 66         default m if NETFILTER_ADVANCED=n
 67 
 68 config NFT_REJECT_IPV4
 69         depends on NF_TABLES_IPV4
 70         select NF_REJECT_IPV4
 71         default NFT_REJECT
 72         tristate
 73 
 74 config NF_TABLES_ARP
 75         depends on NF_TABLES
 76         tristate "ARP nf_tables support"
 77         help
 78           This option enables the ARP support for nf_tables.
 79 
 80 config NF_NAT_IPV4
 81         tristate "IPv4 NAT"
 82         depends on NF_CONNTRACK_IPV4
 83         default m if NETFILTER_ADVANCED=n
 84         select NF_NAT
 85         help
 86           The IPv4 NAT option allows masquerading, port forwarding and other
 87           forms of full Network Address Port Translation. This can be
 88           controlled by iptables or nft.
 89 
 90 if NF_NAT_IPV4
 91 
 92 config NFT_CHAIN_NAT_IPV4
 93         depends on NF_TABLES_IPV4
 94         tristate "IPv4 nf_tables nat chain support"
 95         help
 96           This option enables the "nat" chain for IPv4 in nf_tables. This
 97           chain type is used to perform Network Address Translation (NAT)
 98           packet transformations such as the source, destination address and
 99           source and destination ports.
100 
101 config NF_NAT_MASQUERADE_IPV4
102         tristate "IPv4 masquerade support"
103         help
104           This is the kernel functionality to provide NAT in the masquerade
105           flavour (automatic source address selection).
106 
107 config NFT_MASQ_IPV4
108         tristate "IPv4 masquerading support for nf_tables"
109         depends on NF_TABLES_IPV4
110         depends on NFT_MASQ
111         select NF_NAT_MASQUERADE_IPV4
112         help
113           This is the expression that provides IPv4 masquerading support for
114           nf_tables.
115 
116 config NFT_REDIR_IPV4
117         tristate "IPv4 redirect support for nf_tables"
118         depends on NF_TABLES_IPV4
119         depends on NFT_REDIR
120         select NF_NAT_REDIRECT
121         help
122           This is the expression that provides IPv4 redirect support for
123           nf_tables.
124 
125 config NF_NAT_SNMP_BASIC
126         tristate "Basic SNMP-ALG support"
127         depends on NF_CONNTRACK_SNMP
128         depends on NETFILTER_ADVANCED
129         default NF_NAT && NF_CONNTRACK_SNMP
130         ---help---
131 
132           This module implements an Application Layer Gateway (ALG) for
133           SNMP payloads.  In conjunction with NAT, it allows a network
134           management system to access multiple private networks with
135           conflicting addresses.  It works by modifying IP addresses
136           inside SNMP payloads to match IP-layer NAT mapping.
137 
138           This is the "basic" form of SNMP-ALG, as described in RFC 2962
139 
140           To compile it as a module, choose M here.  If unsure, say N.
141 
142 config NF_NAT_PROTO_GRE
143         tristate
144         depends on NF_CT_PROTO_GRE
145 
146 config NF_NAT_PPTP
147         tristate
148         depends on NF_CONNTRACK
149         default NF_CONNTRACK_PPTP
150         select NF_NAT_PROTO_GRE
151 
152 config NF_NAT_H323
153         tristate
154         depends on NF_CONNTRACK
155         default NF_CONNTRACK_H323
156 
157 endif # NF_NAT_IPV4
158 
159 config IP_NF_IPTABLES
160         tristate "IP tables support (required for filtering/masq/NAT)"
161         default m if NETFILTER_ADVANCED=n
162         select NETFILTER_XTABLES
163         help
164           iptables is a general, extensible packet identification framework.
165           The packet filtering and full NAT (masquerading, port forwarding,
166           etc) subsystems now use this: say `Y' or `M' here if you want to use
167           either of those.
168 
169           To compile it as a module, choose M here.  If unsure, say N.
170 
171 if IP_NF_IPTABLES
172 
173 # The matches.
174 config IP_NF_MATCH_AH
175         tristate '"ah" match support'
176         depends on NETFILTER_ADVANCED
177         help
178           This match extension allows you to match a range of SPIs
179           inside AH header of IPSec packets.
180 
181           To compile it as a module, choose M here.  If unsure, say N.
182 
183 config IP_NF_MATCH_ECN
184         tristate '"ecn" match support'
185         depends on NETFILTER_ADVANCED
186         select NETFILTER_XT_MATCH_ECN
187         ---help---
188         This is a backwards-compat option for the user's convenience
189         (e.g. when running oldconfig). It selects
190         CONFIG_NETFILTER_XT_MATCH_ECN.
191 
192 config IP_NF_MATCH_RPFILTER
193         tristate '"rpfilter" reverse path filter match support'
194         depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
195         ---help---
196           This option allows you to match packets whose replies would
197           go out via the interface the packet came in.
198 
199           To compile it as a module, choose M here.  If unsure, say N.
200           The module will be called ipt_rpfilter.
201 
202 config IP_NF_MATCH_TTL
203         tristate '"ttl" match support'
204         depends on NETFILTER_ADVANCED
205         select NETFILTER_XT_MATCH_HL
206         ---help---
207         This is a backwards-compat option for the user's convenience
208         (e.g. when running oldconfig). It selects
209         CONFIG_NETFILTER_XT_MATCH_HL.
210 
211 # `filter', generic and specific targets
212 config IP_NF_FILTER
213         tristate "Packet filtering"
214         default m if NETFILTER_ADVANCED=n
215         help
216           Packet filtering defines a table `filter', which has a series of
217           rules for simple packet filtering at local input, forwarding and
218           local output.  See the man page for iptables(8).
219 
220           To compile it as a module, choose M here.  If unsure, say N.
221 
222 config IP_NF_TARGET_REJECT
223         tristate "REJECT target support"
224         depends on IP_NF_FILTER
225         select NF_REJECT_IPV4
226         default m if NETFILTER_ADVANCED=n
227         help
228           The REJECT target allows a filtering rule to specify that an ICMP
229           error should be issued in response to an incoming packet, rather
230           than silently being dropped.
231 
232           To compile it as a module, choose M here.  If unsure, say N.
233 
234 config IP_NF_TARGET_SYNPROXY
235         tristate "SYNPROXY target support"
236         depends on NF_CONNTRACK && NETFILTER_ADVANCED
237         select NETFILTER_SYNPROXY
238         select SYN_COOKIES
239         help
240           The SYNPROXY target allows you to intercept TCP connections and
241           establish them using syncookies before they are passed on to the
242           server. This allows to avoid conntrack and server resource usage
243           during SYN-flood attacks.
244 
245           To compile it as a module, choose M here. If unsure, say N.
246 
247 # NAT + specific targets: nf_conntrack
248 config IP_NF_NAT
249         tristate "iptables NAT support"
250         depends on NF_CONNTRACK_IPV4
251         default m if NETFILTER_ADVANCED=n
252         select NF_NAT
253         select NF_NAT_IPV4
254         select NETFILTER_XT_NAT
255         help
256           This enables the `nat' table in iptables. This allows masquerading,
257           port forwarding and other forms of full Network Address Port
258           Translation.
259 
260           To compile it as a module, choose M here.  If unsure, say N.
261 
262 if IP_NF_NAT
263 
264 config IP_NF_TARGET_MASQUERADE
265         tristate "MASQUERADE target support"
266         select NF_NAT_MASQUERADE_IPV4
267         default m if NETFILTER_ADVANCED=n
268         help
269           Masquerading is a special case of NAT: all outgoing connections are
270           changed to seem to come from a particular interface's address, and
271           if the interface goes down, those connections are lost.  This is
272           only useful for dialup accounts with dynamic IP address (ie. your IP
273           address will be different on next dialup).
274 
275           To compile it as a module, choose M here.  If unsure, say N.
276 
277 config IP_NF_TARGET_NETMAP
278         tristate "NETMAP target support"
279         depends on NETFILTER_ADVANCED
280         select NETFILTER_XT_TARGET_NETMAP
281         ---help---
282         This is a backwards-compat option for the user's convenience
283         (e.g. when running oldconfig). It selects
284         CONFIG_NETFILTER_XT_TARGET_NETMAP.
285 
286 config IP_NF_TARGET_REDIRECT
287         tristate "REDIRECT target support"
288         depends on NETFILTER_ADVANCED
289         select NETFILTER_XT_TARGET_REDIRECT
290         ---help---
291         This is a backwards-compat option for the user's convenience
292         (e.g. when running oldconfig). It selects
293         CONFIG_NETFILTER_XT_TARGET_REDIRECT.
294 
295 endif # IP_NF_NAT
296 
297 # mangle + specific targets
298 config IP_NF_MANGLE
299         tristate "Packet mangling"
300         default m if NETFILTER_ADVANCED=n
301         help
302           This option adds a `mangle' table to iptables: see the man page for
303           iptables(8).  This table is used for various packet alterations
304           which can effect how the packet is routed.
305 
306           To compile it as a module, choose M here.  If unsure, say N.
307 
308 config IP_NF_TARGET_CLUSTERIP
309         tristate "CLUSTERIP target support"
310         depends on IP_NF_MANGLE
311         depends on NF_CONNTRACK_IPV4
312         depends on NETFILTER_ADVANCED
313         select NF_CONNTRACK_MARK
314         help
315           The CLUSTERIP target allows you to build load-balancing clusters of
316           network servers without having a dedicated load-balancing
317           router/server/switch.
318         
319           To compile it as a module, choose M here.  If unsure, say N.
320 
321 config IP_NF_TARGET_ECN
322         tristate "ECN target support"
323         depends on IP_NF_MANGLE
324         depends on NETFILTER_ADVANCED
325         ---help---
326           This option adds a `ECN' target, which can be used in the iptables mangle
327           table.  
328 
329           You can use this target to remove the ECN bits from the IPv4 header of
330           an IP packet.  This is particularly useful, if you need to work around
331           existing ECN blackholes on the internet, but don't want to disable
332           ECN support in general.
333 
334           To compile it as a module, choose M here.  If unsure, say N.
335 
336 config IP_NF_TARGET_TTL
337         tristate '"TTL" target support'
338         depends on NETFILTER_ADVANCED && IP_NF_MANGLE
339         select NETFILTER_XT_TARGET_HL
340         ---help---
341         This is a backwards-compatible option for the user's convenience
342         (e.g. when running oldconfig). It selects
343         CONFIG_NETFILTER_XT_TARGET_HL.
344 
345 # raw + specific targets
346 config IP_NF_RAW
347         tristate  'raw table support (required for NOTRACK/TRACE)'
348         help
349           This option adds a `raw' table to iptables. This table is the very
350           first in the netfilter framework and hooks in at the PREROUTING
351           and OUTPUT chains.
352         
353           If you want to compile it as a module, say M here and read
354           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
355 
356 # security table for MAC policy
357 config IP_NF_SECURITY
358         tristate "Security table"
359         depends on SECURITY
360         depends on NETFILTER_ADVANCED
361         help
362           This option adds a `security' table to iptables, for use
363           with Mandatory Access Control (MAC) policy.
364          
365           If unsure, say N.
366 
367 endif # IP_NF_IPTABLES
368 
369 # ARP tables
370 config IP_NF_ARPTABLES
371         tristate "ARP tables support"
372         select NETFILTER_XTABLES
373         depends on NETFILTER_ADVANCED
374         help
375           arptables is a general, extensible packet identification framework.
376           The ARP packet filtering and mangling (manipulation)subsystems
377           use this: say Y or M here if you want to use either of those.
378 
379           To compile it as a module, choose M here.  If unsure, say N.
380 
381 if IP_NF_ARPTABLES
382 
383 config IP_NF_ARPFILTER
384         tristate "ARP packet filtering"
385         help
386           ARP packet filtering defines a table `filter', which has a series of
387           rules for simple ARP packet filtering at local input and
388           local output.  On a bridge, you can also specify filtering rules
389           for forwarded ARP packets. See the man page for arptables(8).
390 
391           To compile it as a module, choose M here.  If unsure, say N.
392 
393 config IP_NF_ARP_MANGLE
394         tristate "ARP payload mangling"
395         help
396           Allows altering the ARP packet payload: source and destination
397           hardware and network addresses.
398 
399 endif # IP_NF_ARPTABLES
400 
401 endmenu
402 

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us