
Linux/net/ipv4/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IP: Netfilter Configuration"
  6         depends on INET && NETFILTER
  7 
  8 config NF_DEFRAG_IPV4
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV4
 13         tristate "IPv4 connection tracking support (required for NAT)"
 14         depends on NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV4
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv4 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is an experimental scheme
 24           which generalizes ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 if NF_TABLES
 29 
 30 config NF_TABLES_IPV4
 31         tristate "IPv4 nf_tables support"
 32         help
 33           This option enables the IPv4 support for nf_tables.
 34 
 35 if NF_TABLES_IPV4
 36 
 37 config NFT_CHAIN_ROUTE_IPV4
 38         tristate "IPv4 nf_tables route chain support"
 39         help
 40           This option enables the "route" chain for IPv4 in nf_tables. This
 41           chain type is used to force packet re-routing after mangling header
 42           fields such as the source, destination, type of service and
 43           the packet mark.
 44 
 45 config NFT_REJECT_IPV4
 46         select NF_REJECT_IPV4
 47         default NFT_REJECT
 48         tristate
 49 
 50 config NFT_DUP_IPV4
 51         tristate "IPv4 nf_tables packet duplication support"
 52         depends on !NF_CONNTRACK || NF_CONNTRACK
 53         select NF_DUP_IPV4
 54         help
 55           This module enables IPv4 packet duplication support for nf_tables.
 56 
 57 endif # NF_TABLES_IPV4
 58 
 59 config NF_TABLES_ARP
 60         tristate "ARP nf_tables support"
 61         help
 62           This option enables the ARP support for nf_tables.
 63 
 64 endif # NF_TABLES
 65 
 66 config NF_DUP_IPV4
 67         tristate "Netfilter IPv4 packet duplication to alternate destination"
 68         depends on !NF_CONNTRACK || NF_CONNTRACK
 69         help
 70           This option enables the nf_dup_ipv4 core, which duplicates an IPv4
 71           packet to be rerouted to another destination.
 72 
 73 config NF_LOG_ARP
 74         tristate "ARP packet logging"
 75         default m if NETFILTER_ADVANCED=n
 76         select NF_LOG_COMMON
 77 
 78 config NF_LOG_IPV4
 79         tristate "IPv4 packet logging"
 80         default m if NETFILTER_ADVANCED=n
 81         select NF_LOG_COMMON
 82 
 83 config NF_REJECT_IPV4
 84         tristate "IPv4 packet rejection"
 85         default m if NETFILTER_ADVANCED=n
 86 
 87 config NF_NAT_IPV4
 88         tristate "IPv4 NAT"
 89         depends on NF_CONNTRACK_IPV4
 90         default m if NETFILTER_ADVANCED=n
 91         select NF_NAT
 92         help
 93           The IPv4 NAT option allows masquerading, port forwarding and other
 94           forms of full Network Address Port Translation. This can be
 95           controlled by iptables or nft.
 96 
 97 if NF_NAT_IPV4
 98 
 99 config NFT_CHAIN_NAT_IPV4
100         depends on NF_TABLES_IPV4
101         tristate "IPv4 nf_tables nat chain support"
102         help
103           This option enables the "nat" chain for IPv4 in nf_tables. This
104           chain type is used to perform Network Address Translation (NAT)
105           packet transformations, such as rewriting the source or destination
106           address and the source or destination port.
107 
108 config NF_NAT_MASQUERADE_IPV4
109         tristate "IPv4 masquerade support"
110         help
111           This is the kernel functionality to provide NAT in the masquerade
112           flavour (automatic source address selection).
113 
114 config NFT_MASQ_IPV4
115         tristate "IPv4 masquerading support for nf_tables"
116         depends on NF_TABLES_IPV4
117         depends on NFT_MASQ
118         select NF_NAT_MASQUERADE_IPV4
119         help
120           This is the expression that provides IPv4 masquerading support for
121           nf_tables.
122 
123 config NFT_REDIR_IPV4
124         tristate "IPv4 redirect support for nf_tables"
125         depends on NF_TABLES_IPV4
126         depends on NFT_REDIR
127         select NF_NAT_REDIRECT
128         help
129           This is the expression that provides IPv4 redirect support for
130           nf_tables.
131 
132 config NF_NAT_SNMP_BASIC
133         tristate "Basic SNMP-ALG support"
134         depends on NF_CONNTRACK_SNMP
135         depends on NETFILTER_ADVANCED
136         default NF_NAT && NF_CONNTRACK_SNMP
137         ---help---
138 
139           This module implements an Application Layer Gateway (ALG) for
140           SNMP payloads.  In conjunction with NAT, it allows a network
141           management system to access multiple private networks with
142           conflicting addresses.  It works by modifying IP addresses
143           inside SNMP payloads to match IP-layer NAT mapping.
144 
145           This is the "basic" form of SNMP-ALG, as described in RFC 2962.
146 
147           To compile it as a module, choose M here.  If unsure, say N.
148 
149 config NF_NAT_PROTO_GRE
150         tristate
151         depends on NF_CT_PROTO_GRE
152 
153 config NF_NAT_PPTP
154         tristate
155         depends on NF_CONNTRACK
156         default NF_CONNTRACK_PPTP
157         select NF_NAT_PROTO_GRE
158 
159 config NF_NAT_H323
160         tristate
161         depends on NF_CONNTRACK
162         default NF_CONNTRACK_H323
163 
164 endif # NF_NAT_IPV4
165 
166 config IP_NF_IPTABLES
167         tristate "IP tables support (required for filtering/masq/NAT)"
168         default m if NETFILTER_ADVANCED=n
169         select NETFILTER_XTABLES
170         help
171           iptables is a general, extensible packet identification framework.
172           The packet filtering and full NAT (masquerading, port forwarding,
173           etc) subsystems now use this: say `Y' or `M' here if you want to use
174           either of those.
175 
176           To compile it as a module, choose M here.  If unsure, say N.
177 
178 if IP_NF_IPTABLES
179 
180 # The matches.
181 config IP_NF_MATCH_AH
182         tristate '"ah" match support'
183         depends on NETFILTER_ADVANCED
184         help
185           This match extension allows you to match a range of SPIs
186           inside the AH header of IPsec packets.
187 
188           To compile it as a module, choose M here.  If unsure, say N.
189 
190 config IP_NF_MATCH_ECN
191         tristate '"ecn" match support'
192         depends on NETFILTER_ADVANCED
193         select NETFILTER_XT_MATCH_ECN
194         ---help---
195         This is a backwards-compat option for the user's convenience
196         (e.g. when running oldconfig). It selects
197         CONFIG_NETFILTER_XT_MATCH_ECN.
198 
199 config IP_NF_MATCH_RPFILTER
200         tristate '"rpfilter" reverse path filter match support'
201         depends on NETFILTER_ADVANCED
202         depends on IP_NF_MANGLE || IP_NF_RAW
203         ---help---
204           This option allows you to match packets whose replies would
205           go out via the interface the packet came in on.
206 
207           To compile it as a module, choose M here.  If unsure, say N.
208           The module will be called ipt_rpfilter.
209 
210 config IP_NF_MATCH_TTL
211         tristate '"ttl" match support'
212         depends on NETFILTER_ADVANCED
213         select NETFILTER_XT_MATCH_HL
214         ---help---
215         This is a backwards-compat option for the user's convenience
216         (e.g. when running oldconfig). It selects
217         CONFIG_NETFILTER_XT_MATCH_HL.
218 
219 # `filter', generic and specific targets
220 config IP_NF_FILTER
221         tristate "Packet filtering"
222         default m if NETFILTER_ADVANCED=n
223         help
224           Packet filtering defines a table `filter', which has a series of
225           rules for simple packet filtering at local input, forwarding and
226           local output.  See the man page for iptables(8).
227 
228           To compile it as a module, choose M here.  If unsure, say N.
229 
230 config IP_NF_TARGET_REJECT
231         tristate "REJECT target support"
232         depends on IP_NF_FILTER
233         select NF_REJECT_IPV4
234         default m if NETFILTER_ADVANCED=n
235         help
236           The REJECT target allows a filtering rule to specify that an ICMP
237           error should be issued in response to an incoming packet, rather
238           than silently being dropped.
239 
240           To compile it as a module, choose M here.  If unsure, say N.
241 
242 config IP_NF_TARGET_SYNPROXY
243         tristate "SYNPROXY target support"
244         depends on NF_CONNTRACK && NETFILTER_ADVANCED
245         select NETFILTER_SYNPROXY
246         select SYN_COOKIES
247         help
248           The SYNPROXY target allows you to intercept TCP connections and
249           establish them using syncookies before they are passed on to the
250           server. This avoids conntrack and server resource usage
251           during SYN-flood attacks.
252 
253           To compile it as a module, choose M here. If unsure, say N.
254 
255 # NAT + specific targets: nf_conntrack
256 config IP_NF_NAT
257         tristate "iptables NAT support"
258         depends on NF_CONNTRACK_IPV4
259         default m if NETFILTER_ADVANCED=n
260         select NF_NAT
261         select NF_NAT_IPV4
262         select NETFILTER_XT_NAT
263         help
264           This enables the `nat' table in iptables. This allows masquerading,
265           port forwarding and other forms of full Network Address Port
266           Translation.
267 
268           To compile it as a module, choose M here.  If unsure, say N.
269 
270 if IP_NF_NAT
271 
272 config IP_NF_TARGET_MASQUERADE
273         tristate "MASQUERADE target support"
274         select NF_NAT_MASQUERADE_IPV4
275         default m if NETFILTER_ADVANCED=n
276         help
277           Masquerading is a special case of NAT: all outgoing connections are
278           changed to seem to come from a particular interface's address, and
279           if the interface goes down, those connections are lost.  This is
280           only useful for dialup accounts with a dynamic IP address (i.e. your IP
281           address will be different on the next dialup).
282 
283           To compile it as a module, choose M here.  If unsure, say N.
284 
285 config IP_NF_TARGET_NETMAP
286         tristate "NETMAP target support"
287         depends on NETFILTER_ADVANCED
288         select NETFILTER_XT_TARGET_NETMAP
289         ---help---
290         This is a backwards-compat option for the user's convenience
291         (e.g. when running oldconfig). It selects
292         CONFIG_NETFILTER_XT_TARGET_NETMAP.
293 
294 config IP_NF_TARGET_REDIRECT
295         tristate "REDIRECT target support"
296         depends on NETFILTER_ADVANCED
297         select NETFILTER_XT_TARGET_REDIRECT
298         ---help---
299         This is a backwards-compat option for the user's convenience
300         (e.g. when running oldconfig). It selects
301         CONFIG_NETFILTER_XT_TARGET_REDIRECT.
302 
303 endif # IP_NF_NAT
304 
305 # mangle + specific targets
306 config IP_NF_MANGLE
307         tristate "Packet mangling"
308         default m if NETFILTER_ADVANCED=n
309         help
310           This option adds a `mangle' table to iptables: see the man page for
311           iptables(8).  This table is used for various packet alterations
312           which can affect how the packet is routed.
313 
314           To compile it as a module, choose M here.  If unsure, say N.
315 
316 config IP_NF_TARGET_CLUSTERIP
317         tristate "CLUSTERIP target support"
318         depends on IP_NF_MANGLE
319         depends on NF_CONNTRACK_IPV4
320         depends on NETFILTER_ADVANCED
321         select NF_CONNTRACK_MARK
322         help
323           The CLUSTERIP target allows you to build load-balancing clusters of
324           network servers without having a dedicated load-balancing
325           router/server/switch.
326         
327           To compile it as a module, choose M here.  If unsure, say N.
328 
329 config IP_NF_TARGET_ECN
330         tristate "ECN target support"
331         depends on IP_NF_MANGLE
332         depends on NETFILTER_ADVANCED
333         ---help---
334           This option adds an `ECN' target, which can be used in the iptables mangle
335           table.  
336 
337           You can use this target to remove the ECN bits from the IPv4 header of
338           an IP packet.  This is particularly useful if you need to work around
339           existing ECN blackholes on the internet, but don't want to disable
340           ECN support in general.
341 
342           To compile it as a module, choose M here.  If unsure, say N.
343 
344 config IP_NF_TARGET_TTL
345         tristate '"TTL" target support'
346         depends on NETFILTER_ADVANCED && IP_NF_MANGLE
347         select NETFILTER_XT_TARGET_HL
348         ---help---
349         This is a backwards-compatible option for the user's convenience
350         (e.g. when running oldconfig). It selects
351         CONFIG_NETFILTER_XT_TARGET_HL.
352 
353 # raw + specific targets
354 config IP_NF_RAW
355         tristate  'raw table support (required for NOTRACK/TRACE)'
356         help
357           This option adds a `raw' table to iptables. This table is the very
358           first in the netfilter framework and hooks in at the PREROUTING
359           and OUTPUT chains.
360         
361           If you want to compile it as a module, say M here and read
362           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
363 
364 # security table for MAC policy
365 config IP_NF_SECURITY
366         tristate "Security table"
367         depends on SECURITY
368         depends on NETFILTER_ADVANCED
369         help
370           This option adds a `security' table to iptables, for use
371           with Mandatory Access Control (MAC) policy.
372          
373           If unsure, say N.
374 
375 endif # IP_NF_IPTABLES
376 
377 # ARP tables
378 config IP_NF_ARPTABLES
379         tristate "ARP tables support"
380         select NETFILTER_XTABLES
381         depends on NETFILTER_ADVANCED
382         help
383           arptables is a general, extensible packet identification framework.
384           The ARP packet filtering and mangling (manipulation) subsystems
385           use this: say Y or M here if you want to use either of those.
386 
387           To compile it as a module, choose M here.  If unsure, say N.
388 
389 if IP_NF_ARPTABLES
390 
391 config IP_NF_ARPFILTER
392         tristate "ARP packet filtering"
393         help
394           ARP packet filtering defines a table `filter', which has a series of
395           rules for simple ARP packet filtering at local input and
396           local output.  On a bridge, you can also specify filtering rules
397           for forwarded ARP packets. See the man page for arptables(8).
398 
399           To compile it as a module, choose M here.  If unsure, say N.
400 
401 config IP_NF_ARP_MANGLE
402         tristate "ARP payload mangling"
403         help
404           Allows altering the ARP packet payload: source and destination
405           hardware and network addresses.
406 
407 endif # IP_NF_ARPTABLES
408 
409 endmenu
410 
