Version:  2.0.40 2.2.26 2.4.37 3.1 3.2 3.3 3.4 3.5 3.6 3.7 3.8 3.9 3.10 3.11 3.12 3.13 3.14 3.15 3.16 3.17

Linux/net/ipv4/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IP: Netfilter Configuration"
  6         depends on INET && NETFILTER
  7 
  8 config NF_DEFRAG_IPV4
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV4
 13         tristate "IPv4 connection tracking support (required for NAT)"
 14         depends on NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV4
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv4 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is experimental scheme
 24           which generalize ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 config NF_CONNTRACK_PROC_COMPAT
 29         bool "proc/sysctl compatibility with old connection tracking"
 30         depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
 31         default y
 32         help
 33           This option enables /proc and sysctl compatibility with the old
 34           layer 3 dependent connection tracking. This is needed to keep
 35           old programs that have not been adapted to the new names working.
 36 
 37           If unsure, say Y.
 38 
 39 config NF_LOG_ARP
 40         tristate "ARP packet logging"
 41         default m if NETFILTER_ADVANCED=n
 42         select NF_LOG_COMMON
 43 
 44 config NF_LOG_IPV4
 45         tristate "IPv4 packet logging"
 46         default m if NETFILTER_ADVANCED=n
 47         select NF_LOG_COMMON
 48 
 49 config NF_TABLES_IPV4
 50         depends on NF_TABLES
 51         tristate "IPv4 nf_tables support"
 52         help
 53           This option enables the IPv4 support for nf_tables.
 54 
 55 config NFT_CHAIN_ROUTE_IPV4
 56         depends on NF_TABLES_IPV4
 57         tristate "IPv4 nf_tables route chain support"
 58         help
 59           This option enables the "route" chain for IPv4 in nf_tables. This
 60           chain type is used to force packet re-routing after mangling header
 61           fields such as the source, destination, type of service and
 62           the packet mark.
 63 
 64 config NFT_CHAIN_NAT_IPV4
 65         depends on NF_TABLES_IPV4
 66         depends on NF_NAT_IPV4 && NFT_NAT
 67         tristate "IPv4 nf_tables nat chain support"
 68         help
 69           This option enables the "nat" chain for IPv4 in nf_tables. This
 70           chain type is used to perform Network Address Translation (NAT)
 71           packet transformations such as the source, destination address and
 72           source and destination ports.
 73 
 74 config NFT_REJECT_IPV4
 75         depends on NF_TABLES_IPV4
 76         default NFT_REJECT
 77         tristate
 78 
 79 config NF_TABLES_ARP
 80         depends on NF_TABLES
 81         tristate "ARP nf_tables support"
 82         help
 83           This option enables the ARP support for nf_tables.
 84 
 85 config NF_NAT_IPV4
 86         tristate "IPv4 NAT"
 87         depends on NF_CONNTRACK_IPV4
 88         default m if NETFILTER_ADVANCED=n
 89         select NF_NAT
 90         help
 91           The IPv4 NAT option allows masquerading, port forwarding and other
 92           forms of full Network Address Port Translation. This can be
 93           controlled by iptables or nft.
 94 
 95 if NF_NAT_IPV4
 96 
 97 config NF_NAT_SNMP_BASIC
 98         tristate "Basic SNMP-ALG support"
 99         depends on NF_CONNTRACK_SNMP
100         depends on NETFILTER_ADVANCED
101         default NF_NAT && NF_CONNTRACK_SNMP
102         ---help---
103 
104           This module implements an Application Layer Gateway (ALG) for
105           SNMP payloads.  In conjunction with NAT, it allows a network
106           management system to access multiple private networks with
107           conflicting addresses.  It works by modifying IP addresses
108           inside SNMP payloads to match IP-layer NAT mapping.
109 
110           This is the "basic" form of SNMP-ALG, as described in RFC 2962
111 
112           To compile it as a module, choose M here.  If unsure, say N.
113 
114 config NF_NAT_PROTO_GRE
115         tristate
116         depends on NF_CT_PROTO_GRE
117 
118 config NF_NAT_PPTP
119         tristate
120         depends on NF_CONNTRACK
121         default NF_CONNTRACK_PPTP
122         select NF_NAT_PROTO_GRE
123 
124 config NF_NAT_H323
125         tristate
126         depends on NF_CONNTRACK
127         default NF_CONNTRACK_H323
128 
129 endif # NF_NAT_IPV4
130 
131 config IP_NF_IPTABLES
132         tristate "IP tables support (required for filtering/masq/NAT)"
133         default m if NETFILTER_ADVANCED=n
134         select NETFILTER_XTABLES
135         help
136           iptables is a general, extensible packet identification framework.
137           The packet filtering and full NAT (masquerading, port forwarding,
138           etc) subsystems now use this: say `Y' or `M' here if you want to use
139           either of those.
140 
141           To compile it as a module, choose M here.  If unsure, say N.
142 
143 if IP_NF_IPTABLES
144 
145 # The matches.
146 config IP_NF_MATCH_AH
147         tristate '"ah" match support'
148         depends on NETFILTER_ADVANCED
149         help
150           This match extension allows you to match a range of SPIs
151           inside AH header of IPSec packets.
152 
153           To compile it as a module, choose M here.  If unsure, say N.
154 
155 config IP_NF_MATCH_ECN
156         tristate '"ecn" match support'
157         depends on NETFILTER_ADVANCED
158         select NETFILTER_XT_MATCH_ECN
159         ---help---
160         This is a backwards-compat option for the user's convenience
161         (e.g. when running oldconfig). It selects
162         CONFIG_NETFILTER_XT_MATCH_ECN.
163 
164 config IP_NF_MATCH_RPFILTER
165         tristate '"rpfilter" reverse path filter match support'
166         depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
167         ---help---
168           This option allows you to match packets whose replies would
169           go out via the interface the packet came in.
170 
171           To compile it as a module, choose M here.  If unsure, say N.
172           The module will be called ipt_rpfilter.
173 
174 config IP_NF_MATCH_TTL
175         tristate '"ttl" match support'
176         depends on NETFILTER_ADVANCED
177         select NETFILTER_XT_MATCH_HL
178         ---help---
179         This is a backwards-compat option for the user's convenience
180         (e.g. when running oldconfig). It selects
181         CONFIG_NETFILTER_XT_MATCH_HL.
182 
183 # `filter', generic and specific targets
184 config IP_NF_FILTER
185         tristate "Packet filtering"
186         default m if NETFILTER_ADVANCED=n
187         help
188           Packet filtering defines a table `filter', which has a series of
189           rules for simple packet filtering at local input, forwarding and
190           local output.  See the man page for iptables(8).
191 
192           To compile it as a module, choose M here.  If unsure, say N.
193 
194 config IP_NF_TARGET_REJECT
195         tristate "REJECT target support"
196         depends on IP_NF_FILTER
197         default m if NETFILTER_ADVANCED=n
198         help
199           The REJECT target allows a filtering rule to specify that an ICMP
200           error should be issued in response to an incoming packet, rather
201           than silently being dropped.
202 
203           To compile it as a module, choose M here.  If unsure, say N.
204 
205 config IP_NF_TARGET_SYNPROXY
206         tristate "SYNPROXY target support"
207         depends on NF_CONNTRACK && NETFILTER_ADVANCED
208         select NETFILTER_SYNPROXY
209         select SYN_COOKIES
210         help
211           The SYNPROXY target allows you to intercept TCP connections and
212           establish them using syncookies before they are passed on to the
213           server. This allows to avoid conntrack and server resource usage
214           during SYN-flood attacks.
215 
216           To compile it as a module, choose M here. If unsure, say N.
217 
218 # NAT + specific targets: nf_conntrack
219 config IP_NF_NAT
220         tristate "iptables NAT support"
221         depends on NF_CONNTRACK_IPV4
222         default m if NETFILTER_ADVANCED=n
223         select NF_NAT
224         select NF_NAT_IPV4
225         select NETFILTER_XT_NAT
226         help
227           This enables the `nat' table in iptables. This allows masquerading,
228           port forwarding and other forms of full Network Address Port
229           Translation.
230 
231           To compile it as a module, choose M here.  If unsure, say N.
232 
233 if IP_NF_NAT
234 
235 config IP_NF_TARGET_MASQUERADE
236         tristate "MASQUERADE target support"
237         default m if NETFILTER_ADVANCED=n
238         help
239           Masquerading is a special case of NAT: all outgoing connections are
240           changed to seem to come from a particular interface's address, and
241           if the interface goes down, those connections are lost.  This is
242           only useful for dialup accounts with dynamic IP address (ie. your IP
243           address will be different on next dialup).
244 
245           To compile it as a module, choose M here.  If unsure, say N.
246 
247 config IP_NF_TARGET_NETMAP
248         tristate "NETMAP target support"
249         depends on NETFILTER_ADVANCED
250         select NETFILTER_XT_TARGET_NETMAP
251         ---help---
252         This is a backwards-compat option for the user's convenience
253         (e.g. when running oldconfig). It selects
254         CONFIG_NETFILTER_XT_TARGET_NETMAP.
255 
256 config IP_NF_TARGET_REDIRECT
257         tristate "REDIRECT target support"
258         depends on NETFILTER_ADVANCED
259         select NETFILTER_XT_TARGET_REDIRECT
260         ---help---
261         This is a backwards-compat option for the user's convenience
262         (e.g. when running oldconfig). It selects
263         CONFIG_NETFILTER_XT_TARGET_REDIRECT.
264 
265 endif # IP_NF_NAT
266 
267 # mangle + specific targets
268 config IP_NF_MANGLE
269         tristate "Packet mangling"
270         default m if NETFILTER_ADVANCED=n
271         help
272           This option adds a `mangle' table to iptables: see the man page for
273           iptables(8).  This table is used for various packet alterations
274           which can effect how the packet is routed.
275 
276           To compile it as a module, choose M here.  If unsure, say N.
277 
278 config IP_NF_TARGET_CLUSTERIP
279         tristate "CLUSTERIP target support"
280         depends on IP_NF_MANGLE
281         depends on NF_CONNTRACK_IPV4
282         depends on NETFILTER_ADVANCED
283         select NF_CONNTRACK_MARK
284         help
285           The CLUSTERIP target allows you to build load-balancing clusters of
286           network servers without having a dedicated load-balancing
287           router/server/switch.
288         
289           To compile it as a module, choose M here.  If unsure, say N.
290 
291 config IP_NF_TARGET_ECN
292         tristate "ECN target support"
293         depends on IP_NF_MANGLE
294         depends on NETFILTER_ADVANCED
295         ---help---
296           This option adds a `ECN' target, which can be used in the iptables mangle
297           table.  
298 
299           You can use this target to remove the ECN bits from the IPv4 header of
300           an IP packet.  This is particularly useful, if you need to work around
301           existing ECN blackholes on the internet, but don't want to disable
302           ECN support in general.
303 
304           To compile it as a module, choose M here.  If unsure, say N.
305 
306 config IP_NF_TARGET_TTL
307         tristate '"TTL" target support'
308         depends on NETFILTER_ADVANCED && IP_NF_MANGLE
309         select NETFILTER_XT_TARGET_HL
310         ---help---
311         This is a backwards-compatible option for the user's convenience
312         (e.g. when running oldconfig). It selects
313         CONFIG_NETFILTER_XT_TARGET_HL.
314 
315 # raw + specific targets
316 config IP_NF_RAW
317         tristate  'raw table support (required for NOTRACK/TRACE)'
318         help
319           This option adds a `raw' table to iptables. This table is the very
320           first in the netfilter framework and hooks in at the PREROUTING
321           and OUTPUT chains.
322         
323           If you want to compile it as a module, say M here and read
324           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
325 
326 # security table for MAC policy
327 config IP_NF_SECURITY
328         tristate "Security table"
329         depends on SECURITY
330         depends on NETFILTER_ADVANCED
331         help
332           This option adds a `security' table to iptables, for use
333           with Mandatory Access Control (MAC) policy.
334          
335           If unsure, say N.
336 
337 endif # IP_NF_IPTABLES
338 
339 # ARP tables
340 config IP_NF_ARPTABLES
341         tristate "ARP tables support"
342         select NETFILTER_XTABLES
343         depends on NETFILTER_ADVANCED
344         help
345           arptables is a general, extensible packet identification framework.
346           The ARP packet filtering and mangling (manipulation)subsystems
347           use this: say Y or M here if you want to use either of those.
348 
349           To compile it as a module, choose M here.  If unsure, say N.
350 
351 if IP_NF_ARPTABLES
352 
353 config IP_NF_ARPFILTER
354         tristate "ARP packet filtering"
355         help
356           ARP packet filtering defines a table `filter', which has a series of
357           rules for simple ARP packet filtering at local input and
358           local output.  On a bridge, you can also specify filtering rules
359           for forwarded ARP packets. See the man page for arptables(8).
360 
361           To compile it as a module, choose M here.  If unsure, say N.
362 
363 config IP_NF_ARP_MANGLE
364         tristate "ARP payload mangling"
365         help
366           Allows altering the ARP packet payload: source and destination
367           hardware and network addresses.
368 
369 endif # IP_NF_ARPTABLES
370 
371 endmenu
372 

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us