
Linux/net/ipv4/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IP: Netfilter Configuration"
  6         depends on INET && NETFILTER
  7 
  8 config NF_DEFRAG_IPV4
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV4
 13         tristate "IPv4 connection tracking support (required for NAT)"
 14         depends on NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV4
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv4 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is an experimental scheme
 24           which generalizes ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 config NF_CONNTRACK_PROC_COMPAT
 29         bool "proc/sysctl compatibility with old connection tracking"
 30         depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
 31         default y
 32         help
 33           This option enables /proc and sysctl compatibility with the old
 34           layer 3 dependent connection tracking. This is needed to keep
 35           old programs that have not been adapted to the new names working.
 36 
 37           If unsure, say Y.
 38 
 39 if NF_TABLES
 40 
 41 config NF_TABLES_IPV4
 42         tristate "IPv4 nf_tables support"
 43         help
 44           This option enables the IPv4 support for nf_tables.
 45 
 46 if NF_TABLES_IPV4
 47 
 48 config NFT_CHAIN_ROUTE_IPV4
 49         tristate "IPv4 nf_tables route chain support"
 50         help
 51           This option enables the "route" chain for IPv4 in nf_tables. This
 52           chain type is used to force packet re-routing after mangling header
 53           fields such as the source, destination, type of service and
 54           the packet mark.
 55 
 56 config NFT_REJECT_IPV4
 57         select NF_REJECT_IPV4
 58         default NFT_REJECT
 59         tristate
 60 
 61 endif # NF_TABLES_IPV4
 62 
 63 config NF_TABLES_ARP
 64         tristate "ARP nf_tables support"
 65         help
 66           This option enables the ARP support for nf_tables.
 67 
 68 endif # NF_TABLES
 69 
 70 config NF_LOG_ARP
 71         tristate "ARP packet logging"
 72         default m if NETFILTER_ADVANCED=n
 73         select NF_LOG_COMMON
 74 
 75 config NF_LOG_IPV4
 76         tristate "IPv4 packet logging"
 77         default m if NETFILTER_ADVANCED=n
 78         select NF_LOG_COMMON
 79 
 80 config NF_REJECT_IPV4
 81         tristate "IPv4 packet rejection"
 82         default m if NETFILTER_ADVANCED=n
 83 
 84 config NF_NAT_IPV4
 85         tristate "IPv4 NAT"
 86         depends on NF_CONNTRACK_IPV4
 87         default m if NETFILTER_ADVANCED=n
 88         select NF_NAT
 89         help
 90           The IPv4 NAT option allows masquerading, port forwarding and other
 91           forms of full Network Address Port Translation. This can be
 92           controlled by iptables or nft.
 93 
 94 if NF_NAT_IPV4
 95 
 96 config NFT_CHAIN_NAT_IPV4
 97         depends on NF_TABLES_IPV4
 98         tristate "IPv4 nf_tables nat chain support"
 99         help
100           This option enables the "nat" chain for IPv4 in nf_tables. This
101           chain type is used to perform Network Address Translation (NAT)
102           packet transformations on fields such as the source and destination
103           addresses and the source and destination ports.
104 
105 config NF_NAT_MASQUERADE_IPV4
106         tristate "IPv4 masquerade support"
107         help
108           This is the kernel functionality to provide NAT in the masquerade
109           flavour (automatic source address selection).
110 
111 config NFT_MASQ_IPV4
112         tristate "IPv4 masquerading support for nf_tables"
113         depends on NF_TABLES_IPV4
114         depends on NFT_MASQ
115         select NF_NAT_MASQUERADE_IPV4
116         help
117           This is the expression that provides IPv4 masquerading support for
118           nf_tables.
119 
120 config NFT_REDIR_IPV4
121         tristate "IPv4 redirect support for nf_tables"
122         depends on NF_TABLES_IPV4
123         depends on NFT_REDIR
124         select NF_NAT_REDIRECT
125         help
126           This is the expression that provides IPv4 redirect support for
127           nf_tables.
128 
129 config NF_NAT_SNMP_BASIC
130         tristate "Basic SNMP-ALG support"
131         depends on NF_CONNTRACK_SNMP
132         depends on NETFILTER_ADVANCED
133         default NF_NAT && NF_CONNTRACK_SNMP
134         ---help---
135 
136           This module implements an Application Layer Gateway (ALG) for
137           SNMP payloads.  In conjunction with NAT, it allows a network
138           management system to access multiple private networks with
139           conflicting addresses.  It works by modifying IP addresses
140           inside SNMP payloads to match IP-layer NAT mapping.
141 
142           This is the "basic" form of SNMP-ALG, as described in RFC 2962.
143 
144           To compile it as a module, choose M here.  If unsure, say N.
145 
146 config NF_NAT_PROTO_GRE
147         tristate
148         depends on NF_CT_PROTO_GRE
149 
150 config NF_NAT_PPTP
151         tristate
152         depends on NF_CONNTRACK
153         default NF_CONNTRACK_PPTP
154         select NF_NAT_PROTO_GRE
155 
156 config NF_NAT_H323
157         tristate
158         depends on NF_CONNTRACK
159         default NF_CONNTRACK_H323
160 
161 endif # NF_NAT_IPV4
162 
163 config IP_NF_IPTABLES
164         tristate "IP tables support (required for filtering/masq/NAT)"
165         default m if NETFILTER_ADVANCED=n
166         select NETFILTER_XTABLES
167         help
168           iptables is a general, extensible packet identification framework.
169           The packet filtering and full NAT (masquerading, port forwarding,
170           etc) subsystems now use this: say `Y' or `M' here if you want to use
171           either of those.
172 
173           To compile it as a module, choose M here.  If unsure, say N.
174 
175 if IP_NF_IPTABLES
176 
177 # The matches.
178 config IP_NF_MATCH_AH
179         tristate '"ah" match support'
180         depends on NETFILTER_ADVANCED
181         help
182           This match extension allows you to match a range of SPIs
183           inside the AH header of IPsec packets.
184 
185           To compile it as a module, choose M here.  If unsure, say N.
186 
187 config IP_NF_MATCH_ECN
188         tristate '"ecn" match support'
189         depends on NETFILTER_ADVANCED
190         select NETFILTER_XT_MATCH_ECN
191         ---help---
192         This is a backwards-compat option for the user's convenience
193         (e.g. when running oldconfig). It selects
194         CONFIG_NETFILTER_XT_MATCH_ECN.
195 
196 config IP_NF_MATCH_RPFILTER
197         tristate '"rpfilter" reverse path filter match support'
198         depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
199         ---help---
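200           This option allows you to match packets whose replies would
201           go out via the interface the packet came in on.
              Packets that fail this reverse-path test may carry a spoofed
              source address or may have arrived over an asymmetric route.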
202 
203           To compile it as a module, choose M here.  If unsure, say N.
204           The module will be called ipt_rpfilter.
205 
206 config IP_NF_MATCH_TTL
207         tristate '"ttl" match support'
208         depends on NETFILTER_ADVANCED
209         select NETFILTER_XT_MATCH_HL
210         ---help---
211         This is a backwards-compat option for the user's convenience
212         (e.g. when running oldconfig). It selects
213         CONFIG_NETFILTER_XT_MATCH_HL.
214 
215 # `filter', generic and specific targets
216 config IP_NF_FILTER
217         tristate "Packet filtering"
218         default m if NETFILTER_ADVANCED=n
219         help
220           Packet filtering defines a table `filter', which has a series of
221           rules for simple packet filtering at local input, forwarding and
222           local output.  See the man page for iptables(8).
223 
224           To compile it as a module, choose M here.  If unsure, say N.
225 
226 config IP_NF_TARGET_REJECT
227         tristate "REJECT target support"
228         depends on IP_NF_FILTER
229         select NF_REJECT_IPV4
230         default m if NETFILTER_ADVANCED=n
231         help
232           The REJECT target allows a filtering rule to specify that an ICMP
233           error should be issued in response to an incoming packet, rather
234           than silently being dropped.
235 
236           To compile it as a module, choose M here.  If unsure, say N.
237 
238 config IP_NF_TARGET_SYNPROXY
239         tristate "SYNPROXY target support"
240         depends on NF_CONNTRACK && NETFILTER_ADVANCED
241         select NETFILTER_SYNPROXY
242         select SYN_COOKIES
243         help
244           The SYNPROXY target allows you to intercept TCP connections and
245           establish them using syncookies before they are passed on to the
246           server. This avoids conntrack and server resource usage
247           during SYN-flood attacks.
248 
249           To compile it as a module, choose M here. If unsure, say N.
250 
251 # NAT + specific targets: nf_conntrack
252 config IP_NF_NAT
253         tristate "iptables NAT support"
254         depends on NF_CONNTRACK_IPV4
255         default m if NETFILTER_ADVANCED=n
256         select NF_NAT
257         select NF_NAT_IPV4
258         select NETFILTER_XT_NAT
259         help
260           This enables the `nat' table in iptables. This allows masquerading,
261           port forwarding and other forms of full Network Address Port
262           Translation.
263 
264           To compile it as a module, choose M here.  If unsure, say N.
265 
266 if IP_NF_NAT
267 
268 config IP_NF_TARGET_MASQUERADE
269         tristate "MASQUERADE target support"
270         select NF_NAT_MASQUERADE_IPV4
271         default m if NETFILTER_ADVANCED=n
272         help
273           Masquerading is a special case of NAT: all outgoing connections are
274           changed to seem to come from a particular interface's address, and
275           if the interface goes down, those connections are lost.  This is
276           only useful for dialup accounts with a dynamic IP address (i.e. your IP
277           address will be different on next dialup).
278 
279           To compile it as a module, choose M here.  If unsure, say N.
280 
281 config IP_NF_TARGET_NETMAP
282         tristate "NETMAP target support"
283         depends on NETFILTER_ADVANCED
284         select NETFILTER_XT_TARGET_NETMAP
285         ---help---
286         This is a backwards-compat option for the user's convenience
287         (e.g. when running oldconfig). It selects
288         CONFIG_NETFILTER_XT_TARGET_NETMAP.
289 
290 config IP_NF_TARGET_REDIRECT
291         tristate "REDIRECT target support"
292         depends on NETFILTER_ADVANCED
293         select NETFILTER_XT_TARGET_REDIRECT
294         ---help---
295         This is a backwards-compat option for the user's convenience
296         (e.g. when running oldconfig). It selects
297         CONFIG_NETFILTER_XT_TARGET_REDIRECT.
298 
299 endif # IP_NF_NAT
300 
301 # mangle + specific targets
302 config IP_NF_MANGLE
303         tristate "Packet mangling"
304         default m if NETFILTER_ADVANCED=n
305         help
306           This option adds a `mangle' table to iptables: see the man page for
307           iptables(8).  This table is used for various packet alterations
308           which can affect how the packet is routed.
309 
310           To compile it as a module, choose M here.  If unsure, say N.
311 
312 config IP_NF_TARGET_CLUSTERIP
313         tristate "CLUSTERIP target support"
314         depends on IP_NF_MANGLE
315         depends on NF_CONNTRACK_IPV4
316         depends on NETFILTER_ADVANCED
317         select NF_CONNTRACK_MARK
318         help
319           The CLUSTERIP target allows you to build load-balancing clusters of
320           network servers without having a dedicated load-balancing
321           router/server/switch.
322         
323           To compile it as a module, choose M here.  If unsure, say N.
324 
325 config IP_NF_TARGET_ECN
326         tristate "ECN target support"
327         depends on IP_NF_MANGLE
328         depends on NETFILTER_ADVANCED
329         ---help---
330           This option adds an `ECN' target, which can be used in the iptables mangle
331           table.  
332 
333           You can use this target to remove the ECN bits from the IPv4 header of
334           an IP packet.  This is particularly useful if you need to work around
335           existing ECN blackholes on the internet, but don't want to disable
336           ECN support in general.
337 
338           To compile it as a module, choose M here.  If unsure, say N.
339 
340 config IP_NF_TARGET_TTL
341         tristate '"TTL" target support'
342         depends on NETFILTER_ADVANCED && IP_NF_MANGLE
343         select NETFILTER_XT_TARGET_HL
344         ---help---
345         This is a backwards-compatible option for the user's convenience
346         (e.g. when running oldconfig). It selects
347         CONFIG_NETFILTER_XT_TARGET_HL.
348 
349 # raw + specific targets
350 config IP_NF_RAW
351         tristate  'raw table support (required for NOTRACK/TRACE)'
352         help
353           This option adds a `raw' table to iptables. This table is the very
354           first in the netfilter framework and hooks in at the PREROUTING
355           and OUTPUT chains.
356         
357           If you want to compile it as a module, say M here and read
358           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
359 
360 # security table for MAC policy
361 config IP_NF_SECURITY
362         tristate "Security table"
363         depends on SECURITY
364         depends on NETFILTER_ADVANCED
365         help
366           This option adds a `security' table to iptables, for use
367           with Mandatory Access Control (MAC) policy.
368          
369           If unsure, say N.
370 
371 endif # IP_NF_IPTABLES
372 
373 # ARP tables
374 config IP_NF_ARPTABLES
375         tristate "ARP tables support"
376         select NETFILTER_XTABLES
377         depends on NETFILTER_ADVANCED
378         help
379           arptables is a general, extensible packet identification framework.
380           The ARP packet filtering and mangling (manipulation) subsystems
381           use this: say Y or M here if you want to use either of those.
382 
383           To compile it as a module, choose M here.  If unsure, say N.
384 
385 if IP_NF_ARPTABLES
386 
387 config IP_NF_ARPFILTER
388         tristate "ARP packet filtering"
389         help
390           ARP packet filtering defines a table `filter', which has a series of
391           rules for simple ARP packet filtering at local input and
392           local output.  On a bridge, you can also specify filtering rules
393           for forwarded ARP packets. See the man page for arptables(8).
394 
395           To compile it as a module, choose M here.  If unsure, say N.
396 
397 config IP_NF_ARP_MANGLE
398         tristate "ARP payload mangling"
399         help
400           Allows altering the ARP packet payload: source and destination
401           hardware and network addresses.
402 
403 endif # IP_NF_ARPTABLES
404 
405 endmenu
406 
