Version:  2.0.40 2.2.26 2.4.37 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7

Linux/net/ipv4/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IP: Netfilter Configuration"
  6         depends on INET && NETFILTER
  7 
  8 config NF_DEFRAG_IPV4
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV4
 13         tristate "IPv4 connection tracking support (required for NAT)"
 14         depends on NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV4
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv4 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is experimental scheme
 24           which generalize ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 config NF_CONNTRACK_PROC_COMPAT
 29         bool "proc/sysctl compatibility with old connection tracking"
 30         depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
 31         default y
 32         help
 33           This option enables /proc and sysctl compatibility with the old
 34           layer 3 dependent connection tracking. This is needed to keep
 35           old programs that have not been adapted to the new names working.
 36 
 37           If unsure, say Y.
 38 
 39 if NF_TABLES
 40 
 41 config NF_TABLES_IPV4
 42         tristate "IPv4 nf_tables support"
 43         help
 44           This option enables the IPv4 support for nf_tables.
 45 
 46 if NF_TABLES_IPV4
 47 
 48 config NFT_CHAIN_ROUTE_IPV4
 49         tristate "IPv4 nf_tables route chain support"
 50         help
 51           This option enables the "route" chain for IPv4 in nf_tables. This
 52           chain type is used to force packet re-routing after mangling header
 53           fields such as the source, destination, type of service and
 54           the packet mark.
 55 
 56 config NFT_REJECT_IPV4
 57         select NF_REJECT_IPV4
 58         default NFT_REJECT
 59         tristate
 60 
 61 config NFT_DUP_IPV4
 62         tristate "IPv4 nf_tables packet duplication support"
 63         depends on !NF_CONNTRACK || NF_CONNTRACK
 64         select NF_DUP_IPV4
 65         help
 66           This module enables IPv4 packet duplication support for nf_tables.
 67 
 68 endif # NF_TABLES_IPV4
 69 
 70 config NF_TABLES_ARP
 71         tristate "ARP nf_tables support"
 72         help
 73           This option enables the ARP support for nf_tables.
 74 
 75 endif # NF_TABLES
 76 
 77 config NF_DUP_IPV4
 78         tristate "Netfilter IPv4 packet duplication to alternate destination"
 79         depends on !NF_CONNTRACK || NF_CONNTRACK
 80         help
 81           This option enables the nf_dup_ipv4 core, which duplicates an IPv4
 82           packet to be rerouted to another destination.
 83 
 84 config NF_LOG_ARP
 85         tristate "ARP packet logging"
 86         default m if NETFILTER_ADVANCED=n
 87         select NF_LOG_COMMON
 88 
 89 config NF_LOG_IPV4
 90         tristate "IPv4 packet logging"
 91         default m if NETFILTER_ADVANCED=n
 92         select NF_LOG_COMMON
 93 
 94 config NF_REJECT_IPV4
 95         tristate "IPv4 packet rejection"
 96         default m if NETFILTER_ADVANCED=n
 97 
 98 config NF_NAT_IPV4
 99         tristate "IPv4 NAT"
100         depends on NF_CONNTRACK_IPV4
101         default m if NETFILTER_ADVANCED=n
102         select NF_NAT
103         help
104           The IPv4 NAT option allows masquerading, port forwarding and other
105           forms of full Network Address Port Translation. This can be
106           controlled by iptables or nft.
107 
108 if NF_NAT_IPV4
109 
110 config NFT_CHAIN_NAT_IPV4
111         depends on NF_TABLES_IPV4
112         tristate "IPv4 nf_tables nat chain support"
113         help
114           This option enables the "nat" chain for IPv4 in nf_tables. This
115           chain type is used to perform Network Address Translation (NAT)
116           packet transformations such as the source, destination address and
117           source and destination ports.
118 
119 config NF_NAT_MASQUERADE_IPV4
120         tristate "IPv4 masquerade support"
121         help
122           This is the kernel functionality to provide NAT in the masquerade
123           flavour (automatic source address selection).
124 
125 config NFT_MASQ_IPV4
126         tristate "IPv4 masquerading support for nf_tables"
127         depends on NF_TABLES_IPV4
128         depends on NFT_MASQ
129         select NF_NAT_MASQUERADE_IPV4
130         help
131           This is the expression that provides IPv4 masquerading support for
132           nf_tables.
133 
134 config NFT_REDIR_IPV4
135         tristate "IPv4 redirect support for nf_tables"
136         depends on NF_TABLES_IPV4
137         depends on NFT_REDIR
138         select NF_NAT_REDIRECT
139         help
140           This is the expression that provides IPv4 redirect support for
141           nf_tables.
142 
143 config NF_NAT_SNMP_BASIC
144         tristate "Basic SNMP-ALG support"
145         depends on NF_CONNTRACK_SNMP
146         depends on NETFILTER_ADVANCED
147         default NF_NAT && NF_CONNTRACK_SNMP
148         ---help---
149 
150           This module implements an Application Layer Gateway (ALG) for
151           SNMP payloads.  In conjunction with NAT, it allows a network
152           management system to access multiple private networks with
153           conflicting addresses.  It works by modifying IP addresses
154           inside SNMP payloads to match IP-layer NAT mapping.
155 
156           This is the "basic" form of SNMP-ALG, as described in RFC 2962
157 
158           To compile it as a module, choose M here.  If unsure, say N.
159 
160 config NF_NAT_PROTO_GRE
161         tristate
162         depends on NF_CT_PROTO_GRE
163 
164 config NF_NAT_PPTP
165         tristate
166         depends on NF_CONNTRACK
167         default NF_CONNTRACK_PPTP
168         select NF_NAT_PROTO_GRE
169 
170 config NF_NAT_H323
171         tristate
172         depends on NF_CONNTRACK
173         default NF_CONNTRACK_H323
174 
175 endif # NF_NAT_IPV4
176 
177 config IP_NF_IPTABLES
178         tristate "IP tables support (required for filtering/masq/NAT)"
179         default m if NETFILTER_ADVANCED=n
180         select NETFILTER_XTABLES
181         help
182           iptables is a general, extensible packet identification framework.
183           The packet filtering and full NAT (masquerading, port forwarding,
184           etc) subsystems now use this: say `Y' or `M' here if you want to use
185           either of those.
186 
187           To compile it as a module, choose M here.  If unsure, say N.
188 
189 if IP_NF_IPTABLES
190 
191 # The matches.
192 config IP_NF_MATCH_AH
193         tristate '"ah" match support'
194         depends on NETFILTER_ADVANCED
195         help
196           This match extension allows you to match a range of SPIs
197           inside AH header of IPSec packets.
198 
199           To compile it as a module, choose M here.  If unsure, say N.
200 
201 config IP_NF_MATCH_ECN
202         tristate '"ecn" match support'
203         depends on NETFILTER_ADVANCED
204         select NETFILTER_XT_MATCH_ECN
205         ---help---
206         This is a backwards-compat option for the user's convenience
207         (e.g. when running oldconfig). It selects
208         CONFIG_NETFILTER_XT_MATCH_ECN.
209 
210 config IP_NF_MATCH_RPFILTER
211         tristate '"rpfilter" reverse path filter match support'
212         depends on NETFILTER_ADVANCED
213         depends on IP_NF_MANGLE || IP_NF_RAW
214         ---help---
215           This option allows you to match packets whose replies would
216           go out via the interface the packet came in.
217 
218           To compile it as a module, choose M here.  If unsure, say N.
219           The module will be called ipt_rpfilter.
220 
221 config IP_NF_MATCH_TTL
222         tristate '"ttl" match support'
223         depends on NETFILTER_ADVANCED
224         select NETFILTER_XT_MATCH_HL
225         ---help---
226         This is a backwards-compat option for the user's convenience
227         (e.g. when running oldconfig). It selects
228         CONFIG_NETFILTER_XT_MATCH_HL.
229 
230 # `filter', generic and specific targets
231 config IP_NF_FILTER
232         tristate "Packet filtering"
233         default m if NETFILTER_ADVANCED=n
234         help
235           Packet filtering defines a table `filter', which has a series of
236           rules for simple packet filtering at local input, forwarding and
237           local output.  See the man page for iptables(8).
238 
239           To compile it as a module, choose M here.  If unsure, say N.
240 
241 config IP_NF_TARGET_REJECT
242         tristate "REJECT target support"
243         depends on IP_NF_FILTER
244         select NF_REJECT_IPV4
245         default m if NETFILTER_ADVANCED=n
246         help
247           The REJECT target allows a filtering rule to specify that an ICMP
248           error should be issued in response to an incoming packet, rather
249           than silently being dropped.
250 
251           To compile it as a module, choose M here.  If unsure, say N.
252 
253 config IP_NF_TARGET_SYNPROXY
254         tristate "SYNPROXY target support"
255         depends on NF_CONNTRACK && NETFILTER_ADVANCED
256         select NETFILTER_SYNPROXY
257         select SYN_COOKIES
258         help
259           The SYNPROXY target allows you to intercept TCP connections and
260           establish them using syncookies before they are passed on to the
261           server. This allows to avoid conntrack and server resource usage
262           during SYN-flood attacks.
263 
264           To compile it as a module, choose M here. If unsure, say N.
265 
266 # NAT + specific targets: nf_conntrack
267 config IP_NF_NAT
268         tristate "iptables NAT support"
269         depends on NF_CONNTRACK_IPV4
270         default m if NETFILTER_ADVANCED=n
271         select NF_NAT
272         select NF_NAT_IPV4
273         select NETFILTER_XT_NAT
274         help
275           This enables the `nat' table in iptables. This allows masquerading,
276           port forwarding and other forms of full Network Address Port
277           Translation.
278 
279           To compile it as a module, choose M here.  If unsure, say N.
280 
281 if IP_NF_NAT
282 
283 config IP_NF_TARGET_MASQUERADE
284         tristate "MASQUERADE target support"
285         select NF_NAT_MASQUERADE_IPV4
286         default m if NETFILTER_ADVANCED=n
287         help
288           Masquerading is a special case of NAT: all outgoing connections are
289           changed to seem to come from a particular interface's address, and
290           if the interface goes down, those connections are lost.  This is
291           only useful for dialup accounts with dynamic IP address (ie. your IP
292           address will be different on next dialup).
293 
294           To compile it as a module, choose M here.  If unsure, say N.
295 
296 config IP_NF_TARGET_NETMAP
297         tristate "NETMAP target support"
298         depends on NETFILTER_ADVANCED
299         select NETFILTER_XT_TARGET_NETMAP
300         ---help---
301         This is a backwards-compat option for the user's convenience
302         (e.g. when running oldconfig). It selects
303         CONFIG_NETFILTER_XT_TARGET_NETMAP.
304 
305 config IP_NF_TARGET_REDIRECT
306         tristate "REDIRECT target support"
307         depends on NETFILTER_ADVANCED
308         select NETFILTER_XT_TARGET_REDIRECT
309         ---help---
310         This is a backwards-compat option for the user's convenience
311         (e.g. when running oldconfig). It selects
312         CONFIG_NETFILTER_XT_TARGET_REDIRECT.
313 
314 endif # IP_NF_NAT
315 
316 # mangle + specific targets
317 config IP_NF_MANGLE
318         tristate "Packet mangling"
319         default m if NETFILTER_ADVANCED=n
320         help
321           This option adds a `mangle' table to iptables: see the man page for
322           iptables(8).  This table is used for various packet alterations
323           which can effect how the packet is routed.
324 
325           To compile it as a module, choose M here.  If unsure, say N.
326 
327 config IP_NF_TARGET_CLUSTERIP
328         tristate "CLUSTERIP target support"
329         depends on IP_NF_MANGLE
330         depends on NF_CONNTRACK_IPV4
331         depends on NETFILTER_ADVANCED
332         select NF_CONNTRACK_MARK
333         help
334           The CLUSTERIP target allows you to build load-balancing clusters of
335           network servers without having a dedicated load-balancing
336           router/server/switch.
337         
338           To compile it as a module, choose M here.  If unsure, say N.
339 
340 config IP_NF_TARGET_ECN
341         tristate "ECN target support"
342         depends on IP_NF_MANGLE
343         depends on NETFILTER_ADVANCED
344         ---help---
345           This option adds a `ECN' target, which can be used in the iptables mangle
346           table.  
347 
348           You can use this target to remove the ECN bits from the IPv4 header of
349           an IP packet.  This is particularly useful, if you need to work around
350           existing ECN blackholes on the internet, but don't want to disable
351           ECN support in general.
352 
353           To compile it as a module, choose M here.  If unsure, say N.
354 
355 config IP_NF_TARGET_TTL
356         tristate '"TTL" target support'
357         depends on NETFILTER_ADVANCED && IP_NF_MANGLE
358         select NETFILTER_XT_TARGET_HL
359         ---help---
360         This is a backwards-compatible option for the user's convenience
361         (e.g. when running oldconfig). It selects
362         CONFIG_NETFILTER_XT_TARGET_HL.
363 
364 # raw + specific targets
365 config IP_NF_RAW
366         tristate  'raw table support (required for NOTRACK/TRACE)'
367         help
368           This option adds a `raw' table to iptables. This table is the very
369           first in the netfilter framework and hooks in at the PREROUTING
370           and OUTPUT chains.
371         
372           If you want to compile it as a module, say M here and read
373           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
374 
375 # security table for MAC policy
376 config IP_NF_SECURITY
377         tristate "Security table"
378         depends on SECURITY
379         depends on NETFILTER_ADVANCED
380         help
381           This option adds a `security' table to iptables, for use
382           with Mandatory Access Control (MAC) policy.
383          
384           If unsure, say N.
385 
386 endif # IP_NF_IPTABLES
387 
388 # ARP tables
389 config IP_NF_ARPTABLES
390         tristate "ARP tables support"
391         select NETFILTER_XTABLES
392         depends on NETFILTER_ADVANCED
393         help
394           arptables is a general, extensible packet identification framework.
395           The ARP packet filtering and mangling (manipulation)subsystems
396           use this: say Y or M here if you want to use either of those.
397 
398           To compile it as a module, choose M here.  If unsure, say N.
399 
400 if IP_NF_ARPTABLES
401 
402 config IP_NF_ARPFILTER
403         tristate "ARP packet filtering"
404         help
405           ARP packet filtering defines a table `filter', which has a series of
406           rules for simple ARP packet filtering at local input and
407           local output.  On a bridge, you can also specify filtering rules
408           for forwarded ARP packets. See the man page for arptables(8).
409 
410           To compile it as a module, choose M here.  If unsure, say N.
411 
412 config IP_NF_ARP_MANGLE
413         tristate "ARP payload mangling"
414         help
415           Allows altering the ARP packet payload: source and destination
416           hardware and network addresses.
417 
418 endif # IP_NF_ARPTABLES
419 
420 endmenu
421 

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us