Version:  2.0.40 2.2.26 2.4.37 3.13 3.14 3.15 3.16 3.17 3.18 3.19 4.0 4.1 4.2 4.3 4.4 4.5 4.6 4.7 4.8 4.9 4.10

Linux/net/ipv4/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IP: Netfilter Configuration"
  6         depends on INET && NETFILTER
  7 
  8 config NF_DEFRAG_IPV4
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV4
 13         tristate "IPv4 connection tracking support (required for NAT)"
 14         depends on NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV4
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv4 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is experimental scheme
 24           which generalize ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 config NF_SOCKET_IPV4
 29         tristate "IPv4 socket lookup support"
 30         help
 31           This option enables the IPv4 socket lookup infrastructure. This is
 32           is required by the iptables socket match.
 33 
 34 if NF_TABLES
 35 
 36 config NF_TABLES_IPV4
 37         tristate "IPv4 nf_tables support"
 38         help
 39           This option enables the IPv4 support for nf_tables.
 40 
 41 if NF_TABLES_IPV4
 42 
 43 config NFT_CHAIN_ROUTE_IPV4
 44         tristate "IPv4 nf_tables route chain support"
 45         help
 46           This option enables the "route" chain for IPv4 in nf_tables. This
 47           chain type is used to force packet re-routing after mangling header
 48           fields such as the source, destination, type of service and
 49           the packet mark.
 50 
 51 config NFT_REJECT_IPV4
 52         select NF_REJECT_IPV4
 53         default NFT_REJECT
 54         tristate
 55 
 56 config NFT_DUP_IPV4
 57         tristate "IPv4 nf_tables packet duplication support"
 58         depends on !NF_CONNTRACK || NF_CONNTRACK
 59         select NF_DUP_IPV4
 60         help
 61           This module enables IPv4 packet duplication support for nf_tables.
 62 
 63 config NFT_FIB_IPV4
 64         select NFT_FIB
 65         tristate "nf_tables fib / ip route lookup support"
 66         help
 67           This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
 68           It also allows query of the FIB for the route type, e.g. local, unicast,
 69           multicast or blackhole.
 70 
 71 endif # NF_TABLES_IPV4
 72 
 73 config NF_TABLES_ARP
 74         tristate "ARP nf_tables support"
 75         help
 76           This option enables the ARP support for nf_tables.
 77 
 78 endif # NF_TABLES
 79 
 80 config NF_DUP_IPV4
 81         tristate "Netfilter IPv4 packet duplication to alternate destination"
 82         depends on !NF_CONNTRACK || NF_CONNTRACK
 83         help
 84           This option enables the nf_dup_ipv4 core, which duplicates an IPv4
 85           packet to be rerouted to another destination.
 86 
 87 config NF_LOG_ARP
 88         tristate "ARP packet logging"
 89         default m if NETFILTER_ADVANCED=n
 90         select NF_LOG_COMMON
 91 
 92 config NF_LOG_IPV4
 93         tristate "IPv4 packet logging"
 94         default m if NETFILTER_ADVANCED=n
 95         select NF_LOG_COMMON
 96 
 97 config NF_REJECT_IPV4
 98         tristate "IPv4 packet rejection"
 99         default m if NETFILTER_ADVANCED=n
100 
101 config NF_NAT_IPV4
102         tristate "IPv4 NAT"
103         depends on NF_CONNTRACK_IPV4
104         default m if NETFILTER_ADVANCED=n
105         select NF_NAT
106         help
107           The IPv4 NAT option allows masquerading, port forwarding and other
108           forms of full Network Address Port Translation. This can be
109           controlled by iptables or nft.
110 
111 if NF_NAT_IPV4
112 
113 config NFT_CHAIN_NAT_IPV4
114         depends on NF_TABLES_IPV4
115         tristate "IPv4 nf_tables nat chain support"
116         help
117           This option enables the "nat" chain for IPv4 in nf_tables. This
118           chain type is used to perform Network Address Translation (NAT)
119           packet transformations such as the source, destination address and
120           source and destination ports.
121 
122 config NF_NAT_MASQUERADE_IPV4
123         tristate "IPv4 masquerade support"
124         help
125           This is the kernel functionality to provide NAT in the masquerade
126           flavour (automatic source address selection).
127 
128 config NFT_MASQ_IPV4
129         tristate "IPv4 masquerading support for nf_tables"
130         depends on NF_TABLES_IPV4
131         depends on NFT_MASQ
132         select NF_NAT_MASQUERADE_IPV4
133         help
134           This is the expression that provides IPv4 masquerading support for
135           nf_tables.
136 
137 config NFT_REDIR_IPV4
138         tristate "IPv4 redirect support for nf_tables"
139         depends on NF_TABLES_IPV4
140         depends on NFT_REDIR
141         select NF_NAT_REDIRECT
142         help
143           This is the expression that provides IPv4 redirect support for
144           nf_tables.
145 
146 config NF_NAT_SNMP_BASIC
147         tristate "Basic SNMP-ALG support"
148         depends on NF_CONNTRACK_SNMP
149         depends on NETFILTER_ADVANCED
150         default NF_NAT && NF_CONNTRACK_SNMP
151         ---help---
152 
153           This module implements an Application Layer Gateway (ALG) for
154           SNMP payloads.  In conjunction with NAT, it allows a network
155           management system to access multiple private networks with
156           conflicting addresses.  It works by modifying IP addresses
157           inside SNMP payloads to match IP-layer NAT mapping.
158 
159           This is the "basic" form of SNMP-ALG, as described in RFC 2962
160 
161           To compile it as a module, choose M here.  If unsure, say N.
162 
163 config NF_NAT_PROTO_GRE
164         tristate
165         depends on NF_CT_PROTO_GRE
166 
167 config NF_NAT_PPTP
168         tristate
169         depends on NF_CONNTRACK
170         default NF_CONNTRACK_PPTP
171         select NF_NAT_PROTO_GRE
172 
173 config NF_NAT_H323
174         tristate
175         depends on NF_CONNTRACK
176         default NF_CONNTRACK_H323
177 
178 endif # NF_NAT_IPV4
179 
180 config IP_NF_IPTABLES
181         tristate "IP tables support (required for filtering/masq/NAT)"
182         default m if NETFILTER_ADVANCED=n
183         select NETFILTER_XTABLES
184         help
185           iptables is a general, extensible packet identification framework.
186           The packet filtering and full NAT (masquerading, port forwarding,
187           etc) subsystems now use this: say `Y' or `M' here if you want to use
188           either of those.
189 
190           To compile it as a module, choose M here.  If unsure, say N.
191 
192 if IP_NF_IPTABLES
193 
194 # The matches.
195 config IP_NF_MATCH_AH
196         tristate '"ah" match support'
197         depends on NETFILTER_ADVANCED
198         help
199           This match extension allows you to match a range of SPIs
200           inside AH header of IPSec packets.
201 
202           To compile it as a module, choose M here.  If unsure, say N.
203 
204 config IP_NF_MATCH_ECN
205         tristate '"ecn" match support'
206         depends on NETFILTER_ADVANCED
207         select NETFILTER_XT_MATCH_ECN
208         ---help---
209         This is a backwards-compat option for the user's convenience
210         (e.g. when running oldconfig). It selects
211         CONFIG_NETFILTER_XT_MATCH_ECN.
212 
213 config IP_NF_MATCH_RPFILTER
214         tristate '"rpfilter" reverse path filter match support'
215         depends on NETFILTER_ADVANCED
216         depends on IP_NF_MANGLE || IP_NF_RAW
217         ---help---
218           This option allows you to match packets whose replies would
219           go out via the interface the packet came in.
220 
221           To compile it as a module, choose M here.  If unsure, say N.
222           The module will be called ipt_rpfilter.
223 
224 config IP_NF_MATCH_TTL
225         tristate '"ttl" match support'
226         depends on NETFILTER_ADVANCED
227         select NETFILTER_XT_MATCH_HL
228         ---help---
229         This is a backwards-compat option for the user's convenience
230         (e.g. when running oldconfig). It selects
231         CONFIG_NETFILTER_XT_MATCH_HL.
232 
233 # `filter', generic and specific targets
234 config IP_NF_FILTER
235         tristate "Packet filtering"
236         default m if NETFILTER_ADVANCED=n
237         help
238           Packet filtering defines a table `filter', which has a series of
239           rules for simple packet filtering at local input, forwarding and
240           local output.  See the man page for iptables(8).
241 
242           To compile it as a module, choose M here.  If unsure, say N.
243 
244 config IP_NF_TARGET_REJECT
245         tristate "REJECT target support"
246         depends on IP_NF_FILTER
247         select NF_REJECT_IPV4
248         default m if NETFILTER_ADVANCED=n
249         help
250           The REJECT target allows a filtering rule to specify that an ICMP
251           error should be issued in response to an incoming packet, rather
252           than silently being dropped.
253 
254           To compile it as a module, choose M here.  If unsure, say N.
255 
256 config IP_NF_TARGET_SYNPROXY
257         tristate "SYNPROXY target support"
258         depends on NF_CONNTRACK && NETFILTER_ADVANCED
259         select NETFILTER_SYNPROXY
260         select SYN_COOKIES
261         help
262           The SYNPROXY target allows you to intercept TCP connections and
263           establish them using syncookies before they are passed on to the
264           server. This allows to avoid conntrack and server resource usage
265           during SYN-flood attacks.
266 
267           To compile it as a module, choose M here. If unsure, say N.
268 
269 # NAT + specific targets: nf_conntrack
270 config IP_NF_NAT
271         tristate "iptables NAT support"
272         depends on NF_CONNTRACK_IPV4
273         default m if NETFILTER_ADVANCED=n
274         select NF_NAT
275         select NF_NAT_IPV4
276         select NETFILTER_XT_NAT
277         help
278           This enables the `nat' table in iptables. This allows masquerading,
279           port forwarding and other forms of full Network Address Port
280           Translation.
281 
282           To compile it as a module, choose M here.  If unsure, say N.
283 
284 if IP_NF_NAT
285 
286 config IP_NF_TARGET_MASQUERADE
287         tristate "MASQUERADE target support"
288         select NF_NAT_MASQUERADE_IPV4
289         default m if NETFILTER_ADVANCED=n
290         help
291           Masquerading is a special case of NAT: all outgoing connections are
292           changed to seem to come from a particular interface's address, and
293           if the interface goes down, those connections are lost.  This is
294           only useful for dialup accounts with dynamic IP address (ie. your IP
295           address will be different on next dialup).
296 
297           To compile it as a module, choose M here.  If unsure, say N.
298 
299 config IP_NF_TARGET_NETMAP
300         tristate "NETMAP target support"
301         depends on NETFILTER_ADVANCED
302         select NETFILTER_XT_TARGET_NETMAP
303         ---help---
304         This is a backwards-compat option for the user's convenience
305         (e.g. when running oldconfig). It selects
306         CONFIG_NETFILTER_XT_TARGET_NETMAP.
307 
308 config IP_NF_TARGET_REDIRECT
309         tristate "REDIRECT target support"
310         depends on NETFILTER_ADVANCED
311         select NETFILTER_XT_TARGET_REDIRECT
312         ---help---
313         This is a backwards-compat option for the user's convenience
314         (e.g. when running oldconfig). It selects
315         CONFIG_NETFILTER_XT_TARGET_REDIRECT.
316 
317 endif # IP_NF_NAT
318 
319 # mangle + specific targets
320 config IP_NF_MANGLE
321         tristate "Packet mangling"
322         default m if NETFILTER_ADVANCED=n
323         help
324           This option adds a `mangle' table to iptables: see the man page for
325           iptables(8).  This table is used for various packet alterations
326           which can effect how the packet is routed.
327 
328           To compile it as a module, choose M here.  If unsure, say N.
329 
330 config IP_NF_TARGET_CLUSTERIP
331         tristate "CLUSTERIP target support"
332         depends on IP_NF_MANGLE
333         depends on NF_CONNTRACK_IPV4
334         depends on NETFILTER_ADVANCED
335         select NF_CONNTRACK_MARK
336         help
337           The CLUSTERIP target allows you to build load-balancing clusters of
338           network servers without having a dedicated load-balancing
339           router/server/switch.
340         
341           To compile it as a module, choose M here.  If unsure, say N.
342 
343 config IP_NF_TARGET_ECN
344         tristate "ECN target support"
345         depends on IP_NF_MANGLE
346         depends on NETFILTER_ADVANCED
347         ---help---
348           This option adds a `ECN' target, which can be used in the iptables mangle
349           table.  
350 
351           You can use this target to remove the ECN bits from the IPv4 header of
352           an IP packet.  This is particularly useful, if you need to work around
353           existing ECN blackholes on the internet, but don't want to disable
354           ECN support in general.
355 
356           To compile it as a module, choose M here.  If unsure, say N.
357 
358 config IP_NF_TARGET_TTL
359         tristate '"TTL" target support'
360         depends on NETFILTER_ADVANCED && IP_NF_MANGLE
361         select NETFILTER_XT_TARGET_HL
362         ---help---
363         This is a backwards-compatible option for the user's convenience
364         (e.g. when running oldconfig). It selects
365         CONFIG_NETFILTER_XT_TARGET_HL.
366 
367 # raw + specific targets
368 config IP_NF_RAW
369         tristate  'raw table support (required for NOTRACK/TRACE)'
370         help
371           This option adds a `raw' table to iptables. This table is the very
372           first in the netfilter framework and hooks in at the PREROUTING
373           and OUTPUT chains.
374         
375           If you want to compile it as a module, say M here and read
376           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
377 
378 # security table for MAC policy
379 config IP_NF_SECURITY
380         tristate "Security table"
381         depends on SECURITY
382         depends on NETFILTER_ADVANCED
383         help
384           This option adds a `security' table to iptables, for use
385           with Mandatory Access Control (MAC) policy.
386          
387           If unsure, say N.
388 
389 endif # IP_NF_IPTABLES
390 
391 # ARP tables
392 config IP_NF_ARPTABLES
393         tristate "ARP tables support"
394         select NETFILTER_XTABLES
395         depends on NETFILTER_ADVANCED
396         help
397           arptables is a general, extensible packet identification framework.
398           The ARP packet filtering and mangling (manipulation)subsystems
399           use this: say Y or M here if you want to use either of those.
400 
401           To compile it as a module, choose M here.  If unsure, say N.
402 
403 if IP_NF_ARPTABLES
404 
405 config IP_NF_ARPFILTER
406         tristate "ARP packet filtering"
407         help
408           ARP packet filtering defines a table `filter', which has a series of
409           rules for simple ARP packet filtering at local input and
410           local output.  On a bridge, you can also specify filtering rules
411           for forwarded ARP packets. See the man page for arptables(8).
412 
413           To compile it as a module, choose M here.  If unsure, say N.
414 
415 config IP_NF_ARP_MANGLE
416         tristate "ARP payload mangling"
417         help
418           Allows altering the ARP packet payload: source and destination
419           hardware and network addresses.
420 
421 endif # IP_NF_ARPTABLES
422 
423 endmenu
424 

This page was automatically generated by LXR 0.3.1 (source).  •  Linux is a registered trademark of Linus Torvalds  •  Contact us