
Linux/net/ipv4/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IP: Netfilter Configuration"
  6         depends on INET && NETFILTER
  7 
  8 config NF_DEFRAG_IPV4
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV4
 13         tristate "IPv4 connection tracking support (required for NAT)"
 14         depends on NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV4
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv4 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is an experimental scheme
 24           which generalizes ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 config NF_CONNTRACK_PROC_COMPAT
 29         bool "proc/sysctl compatibility with old connection tracking"
 30         depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
 31         default y
 32         help
 33           This option enables /proc and sysctl compatibility with the old
 34           layer 3 dependent connection tracking. This is needed to keep
 35           old programs that have not been adapted to the new names working.
 36 
 37           If unsure, say Y.
 38 
 39 config NF_TABLES_IPV4
 40         depends on NF_TABLES
 41         tristate "IPv4 nf_tables support"
 42         help
 43           This option enables the IPv4 support for nf_tables.
 44 
 45 config NFT_CHAIN_ROUTE_IPV4
 46         depends on NF_TABLES_IPV4
 47         tristate "IPv4 nf_tables route chain support"
 48         help
 49           This option enables the "route" chain for IPv4 in nf_tables. This
 50           chain type is used to force packet re-routing after mangling header
 51           fields such as the source, destination, type of service and
 52           the packet mark.
 53 
 54 config NFT_CHAIN_NAT_IPV4
 55         depends on NF_TABLES_IPV4
 56         depends on NF_NAT_IPV4 && NFT_NAT
 57         tristate "IPv4 nf_tables nat chain support"
 58         help
 59           This option enables the "nat" chain for IPv4 in nf_tables. This
 60           chain type is used to perform Network Address Translation (NAT)
 61           packet transformations such as the source, destination address and
 62           source and destination ports.
 63 
 64 config NFT_REJECT_IPV4
 65         depends on NF_TABLES_IPV4
 66         default NFT_REJECT
 67         tristate
 68 
 69 config NF_TABLES_ARP
 70         depends on NF_TABLES
 71         tristate "ARP nf_tables support"
 72         help
 73           This option enables the ARP support for nf_tables.
 74 
 75 config IP_NF_IPTABLES
 76         tristate "IP tables support (required for filtering/masq/NAT)"
 77         default m if NETFILTER_ADVANCED=n
 78         select NETFILTER_XTABLES
 79         help
 80           iptables is a general, extensible packet identification framework.
 81           The packet filtering and full NAT (masquerading, port forwarding,
 82           etc) subsystems now use this: say `Y' or `M' here if you want to use
 83           either of those.
 84 
 85           To compile it as a module, choose M here.  If unsure, say N.
 86 
 87 if IP_NF_IPTABLES
 88 
 89 # The matches.
 90 config IP_NF_MATCH_AH
 91         tristate '"ah" match support'
 92         depends on NETFILTER_ADVANCED
 93         help
 94           This match extension allows you to match a range of SPIs
 95           inside AH header of IPSec packets.
 96 
 97           To compile it as a module, choose M here.  If unsure, say N.
 98 
 99 config IP_NF_MATCH_ECN
100         tristate '"ecn" match support'
101         depends on NETFILTER_ADVANCED
102         select NETFILTER_XT_MATCH_ECN
103         ---help---
104         This is a backwards-compat option for the user's convenience
105         (e.g. when running oldconfig). It selects
106         CONFIG_NETFILTER_XT_MATCH_ECN.
107 
108 config IP_NF_MATCH_RPFILTER
109         tristate '"rpfilter" reverse path filter match support'
110         depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
111         ---help---
112           This option matches packets whose replies would go out via the
113           interface they arrived on; a non-match can indicate a spoofed source.
114 
115           To compile it as a module, choose M here.  If unsure, say N.
116           The module will be called ipt_rpfilter.
117 
118 config IP_NF_MATCH_TTL
119         tristate '"ttl" match support'
120         depends on NETFILTER_ADVANCED
121         select NETFILTER_XT_MATCH_HL
122         ---help---
123         This is a backwards-compat option for the user's convenience
124         (e.g. when running oldconfig). It selects
125         CONFIG_NETFILTER_XT_MATCH_HL.
126 
127 # `filter', generic and specific targets
128 config IP_NF_FILTER
129         tristate "Packet filtering"
130         default m if NETFILTER_ADVANCED=n
131         help
132           Packet filtering defines a table `filter', which has a series of
133           rules for simple packet filtering at local input, forwarding and
134           local output.  See the man page for iptables(8).
135 
136           To compile it as a module, choose M here.  If unsure, say N.
137 
138 config IP_NF_TARGET_REJECT
139         tristate "REJECT target support"
140         depends on IP_NF_FILTER
141         default m if NETFILTER_ADVANCED=n
142         help
143           The REJECT target allows a filtering rule to specify that an ICMP
144           error should be issued in response to an incoming packet, rather
145           than silently being dropped.
146 
147           To compile it as a module, choose M here.  If unsure, say N.
148 
149 config IP_NF_TARGET_SYNPROXY
150         tristate "SYNPROXY target support"
151         depends on NF_CONNTRACK && NETFILTER_ADVANCED
152         select NETFILTER_SYNPROXY
153         select SYN_COOKIES
154         help
155           The SYNPROXY target allows you to intercept TCP connections and
156           establish them using syncookies before they are passed on to the
157           server. This avoids conntrack and server resource usage
158           during SYN-flood attacks.
159 
160           To compile it as a module, choose M here. If unsure, say N.
161 
162 config IP_NF_TARGET_ULOG
163         tristate "ULOG target support (obsolete)"
164         default m if NETFILTER_ADVANCED=n
165         ---help---
166 
167           This option enables the old IPv4-only "ipt_ULOG" implementation
168           which has been obsoleted by the new "nfnetlink_log" code (see
169           CONFIG_NETFILTER_NETLINK_LOG).
170 
171           This option adds a `ULOG' target, which allows you to create rules in
172           any iptables table. The packet is passed to a userspace logging
173           daemon using netlink multicast sockets, unlike the LOG target,
174           whose output can only be viewed through syslog.
175 
176           The appropriate userspace logging daemon (ulogd) may be obtained from
177           <http://www.netfilter.org/projects/ulogd/index.html>
178 
179           To compile it as a module, choose M here.  If unsure, say N.
180 
181 # NAT + specific targets: nf_conntrack
182 config NF_NAT_IPV4
183         tristate "IPv4 NAT"
184         depends on NF_CONNTRACK_IPV4
185         default m if NETFILTER_ADVANCED=n
186         select NF_NAT
187         help
188           The IPv4 NAT option allows masquerading, port forwarding and other
189           forms of full Network Address Port Translation.  It is controlled by
190           the `nat' table in iptables: see the man page for iptables(8).
191 
192           To compile it as a module, choose M here.  If unsure, say N.
193 
194 if NF_NAT_IPV4
195 
196 config IP_NF_TARGET_MASQUERADE
197         tristate "MASQUERADE target support"
198         default m if NETFILTER_ADVANCED=n
199         help
200           Masquerading is a special case of NAT: all outgoing connections are
201           changed to seem to come from a particular interface's address, and
202           if the interface goes down, those connections are lost.  This is
203           only useful for dialup accounts with a dynamic IP address (i.e. your IP
204           address will be different on next dialup).
205 
206           To compile it as a module, choose M here.  If unsure, say N.
207 
208 config IP_NF_TARGET_NETMAP
209         tristate "NETMAP target support"
210         depends on NETFILTER_ADVANCED
211         select NETFILTER_XT_TARGET_NETMAP
212         ---help---
213         This is a backwards-compat option for the user's convenience
214         (e.g. when running oldconfig). It selects
215         CONFIG_NETFILTER_XT_TARGET_NETMAP.
216 
217 config IP_NF_TARGET_REDIRECT
218         tristate "REDIRECT target support"
219         depends on NETFILTER_ADVANCED
220         select NETFILTER_XT_TARGET_REDIRECT
221         ---help---
222         This is a backwards-compat option for the user's convenience
223         (e.g. when running oldconfig). It selects
224         CONFIG_NETFILTER_XT_TARGET_REDIRECT.
225 
226 endif
227 
228 config NF_NAT_SNMP_BASIC
229         tristate "Basic SNMP-ALG support"
230         depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
231         depends on NETFILTER_ADVANCED
232         default NF_NAT && NF_CONNTRACK_SNMP
233         ---help---
234 
235           This module implements an Application Layer Gateway (ALG) for
236           SNMP payloads.  In conjunction with NAT, it allows a network
237           management system to access multiple private networks with
238           conflicting addresses.  It works by modifying IP addresses
239           inside SNMP payloads to match IP-layer NAT mapping.
240 
241           This is the "basic" form of SNMP-ALG, as described in RFC 2962.
242 
243           To compile it as a module, choose M here.  If unsure, say N.
244 
245 # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
246 # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
247 # From kconfig-language.txt:
248 #
249 #           <expr> '&&' <expr>                   (6)
250 #
251 # (6) Returns the result of min(/expr/, /expr/).
252 
253 config NF_NAT_PROTO_GRE
254         tristate
255         depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE
256 
257 config NF_NAT_PPTP
258         tristate
259         depends on NF_CONNTRACK && NF_NAT_IPV4
260         default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
261         select NF_NAT_PROTO_GRE
262 
263 config NF_NAT_H323
264         tristate
265         depends on NF_CONNTRACK && NF_NAT_IPV4
266         default NF_NAT_IPV4 && NF_CONNTRACK_H323
267 
268 # mangle + specific targets
269 config IP_NF_MANGLE
270         tristate "Packet mangling"
271         default m if NETFILTER_ADVANCED=n
272         help
273           This option adds a `mangle' table to iptables: see the man page for
274           iptables(8).  This table is used for various packet alterations
275           which can affect how the packet is routed.
276 
277           To compile it as a module, choose M here.  If unsure, say N.
278 
279 config IP_NF_TARGET_CLUSTERIP
280         tristate "CLUSTERIP target support"
281         depends on IP_NF_MANGLE
282         depends on NF_CONNTRACK_IPV4
283         depends on NETFILTER_ADVANCED
284         select NF_CONNTRACK_MARK
285         help
286           The CLUSTERIP target allows you to build load-balancing clusters of
287           network servers without having a dedicated load-balancing
288           router/server/switch.
289         
290           To compile it as a module, choose M here.  If unsure, say N.
291 
292 config IP_NF_TARGET_ECN
293         tristate "ECN target support"
294         depends on IP_NF_MANGLE
295         depends on NETFILTER_ADVANCED
296         ---help---
297           This option adds an `ECN' target, which can be used in the iptables mangle
298           table.  
299 
300           You can use this target to remove the ECN bits from the IPv4 header of
301           an IP packet.  This is particularly useful, if you need to work around
302           existing ECN blackholes on the internet, but don't want to disable
303           ECN support in general.
304 
305           To compile it as a module, choose M here.  If unsure, say N.
306 
307 config IP_NF_TARGET_TTL
308         tristate '"TTL" target support'
309         depends on NETFILTER_ADVANCED && IP_NF_MANGLE
310         select NETFILTER_XT_TARGET_HL
311         ---help---
312         This is a backwards-compatible option for the user's convenience
313         (e.g. when running oldconfig). It selects
314         CONFIG_NETFILTER_XT_TARGET_HL.
315 
316 # raw + specific targets
317 config IP_NF_RAW
318         tristate  'raw table support (required for NOTRACK/TRACE)'
319         help
320           This option adds a `raw' table to iptables. This table is the very
321           first in the netfilter framework and hooks in at the PREROUTING
322           and OUTPUT chains.
323         
324           If you want to compile it as a module, say M here and read
325           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
326 
327 # security table for MAC policy
328 config IP_NF_SECURITY
329         tristate "Security table"
330         depends on SECURITY
331         depends on NETFILTER_ADVANCED
332         help
333           This option adds a `security' table to iptables, for use
334           with Mandatory Access Control (MAC) policy.
335          
336           If unsure, say N.
337 
338 endif # IP_NF_IPTABLES
339 
340 # ARP tables
341 config IP_NF_ARPTABLES
342         tristate "ARP tables support"
343         select NETFILTER_XTABLES
344         depends on NETFILTER_ADVANCED
345         help
346           arptables is a general, extensible packet identification framework.
347           The ARP packet filtering and mangling (manipulation) subsystems
348           use this: say Y or M here if you want to use either of those.
349 
350           To compile it as a module, choose M here.  If unsure, say N.
351 
352 if IP_NF_ARPTABLES
353 
354 config IP_NF_ARPFILTER
355         tristate "ARP packet filtering"
356         help
357           ARP packet filtering defines a table `filter', which has a series of
358           rules for simple ARP packet filtering at local input and
359           local output.  On a bridge, you can also specify filtering rules
360           for forwarded ARP packets. See the man page for arptables(8).
361 
362           To compile it as a module, choose M here.  If unsure, say N.
363 
364 config IP_NF_ARP_MANGLE
365         tristate "ARP payload mangling"
366         help
367           Allows altering the ARP packet payload: source and destination
368           hardware and network addresses.
369 
370 endif # IP_NF_ARPTABLES
371 
372 endmenu
373 
