
Linux/net/ipv4/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IP: Netfilter Configuration"
  6         depends on INET && NETFILTER
  7 
  8 config NF_DEFRAG_IPV4
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV4
 13         tristate "IPv4 connection tracking support (required for NAT)"
 14         depends on NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV4
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv4 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is an experimental scheme
 24           which generalizes ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 config NF_CONNTRACK_PROC_COMPAT
 29         bool "proc/sysctl compatibility with old connection tracking"
 30         depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
 31         default y
 32         help
 33           This option enables /proc and sysctl compatibility with the old
 34           layer 3 dependent connection tracking. This is needed to keep
 35           old programs that have not been adapted to the new names working.
 36 
 37           If unsure, say Y.
 38 
 39 config NF_LOG_ARP
 40         tristate "ARP packet logging"
 41         default m if NETFILTER_ADVANCED=n
 42         select NF_LOG_COMMON
 43 
 44 config NF_LOG_IPV4
 45         tristate "IPv4 packet logging"
 46         default m if NETFILTER_ADVANCED=n
 47         select NF_LOG_COMMON
 48 
 49 config NF_TABLES_IPV4
 50         depends on NF_TABLES
 51         tristate "IPv4 nf_tables support"
 52         help
 53           This option enables the IPv4 support for nf_tables.
 54 
 55 config NFT_CHAIN_ROUTE_IPV4
 56         depends on NF_TABLES_IPV4
 57         tristate "IPv4 nf_tables route chain support"
 58         help
 59           This option enables the "route" chain for IPv4 in nf_tables. This
 60           chain type is used to force packet re-routing after mangling header
 61           fields such as the source, destination, type of service and
 62           the packet mark.
 63 
 64 config NF_REJECT_IPV4
 65         tristate "IPv4 packet rejection"
 66         default m if NETFILTER_ADVANCED=n
 67 
 68 config NFT_REJECT_IPV4
 69         depends on NF_TABLES_IPV4
 70         select NF_REJECT_IPV4
 71         default NFT_REJECT
 72         tristate
 73 
 74 config NF_TABLES_ARP
 75         depends on NF_TABLES
 76         tristate "ARP nf_tables support"
 77         help
 78           This option enables the ARP support for nf_tables.
 79 
 80 config NF_NAT_IPV4
 81         tristate "IPv4 NAT"
 82         depends on NF_CONNTRACK_IPV4
 83         default m if NETFILTER_ADVANCED=n
 84         select NF_NAT
 85         help
 86           The IPv4 NAT option allows masquerading, port forwarding and other
 87           forms of full Network Address Port Translation. This can be
 88           controlled by iptables or nft.
 89 
 90 if NF_NAT_IPV4
 91 
 92 config NFT_CHAIN_NAT_IPV4
 93         depends on NF_TABLES_IPV4
 94         tristate "IPv4 nf_tables nat chain support"
 95         help
 96           This option enables the "nat" chain for IPv4 in nf_tables. This
 97           chain type is used to perform Network Address Translation (NAT)
 98           packet transformations, such as rewriting the source and destination
 99           addresses and the source and destination ports.
100 
101 config NF_NAT_MASQUERADE_IPV4
102         tristate "IPv4 masquerade support"
103         help
104           This is the kernel functionality to provide NAT in the masquerade
105           flavour (automatic source address selection).
106 
107 config NFT_MASQ_IPV4
108         tristate "IPv4 masquerading support for nf_tables"
109         depends on NF_TABLES_IPV4
110         depends on NFT_MASQ
111         select NF_NAT_MASQUERADE_IPV4
112         help
113           This is the expression that provides IPv4 masquerading support for
114           nf_tables.
115 
116 config NF_NAT_SNMP_BASIC
117         tristate "Basic SNMP-ALG support"
118         depends on NF_CONNTRACK_SNMP
119         depends on NETFILTER_ADVANCED
120         default NF_NAT && NF_CONNTRACK_SNMP
121         ---help---
122 
123           This module implements an Application Layer Gateway (ALG) for
124           SNMP payloads.  In conjunction with NAT, it allows a network
125           management system to access multiple private networks with
126           conflicting addresses.  It works by modifying IP addresses
127           inside SNMP payloads to match IP-layer NAT mapping.
128 
129           This is the "basic" form of SNMP-ALG, as described in RFC 2962.
130 
131           To compile it as a module, choose M here.  If unsure, say N.
132 
133 config NF_NAT_PROTO_GRE
134         tristate
135         depends on NF_CT_PROTO_GRE
136 
137 config NF_NAT_PPTP
138         tristate
139         depends on NF_CONNTRACK
140         default NF_CONNTRACK_PPTP
141         select NF_NAT_PROTO_GRE
142 
143 config NF_NAT_H323
144         tristate
145         depends on NF_CONNTRACK
146         default NF_CONNTRACK_H323
147 
148 endif # NF_NAT_IPV4
149 
150 config IP_NF_IPTABLES
151         tristate "IP tables support (required for filtering/masq/NAT)"
152         default m if NETFILTER_ADVANCED=n
153         select NETFILTER_XTABLES
154         help
155           iptables is a general, extensible packet identification framework.
156           The packet filtering and full NAT (masquerading, port forwarding,
157           etc) subsystems now use this: say `Y' or `M' here if you want to use
158           either of those.
159 
160           To compile it as a module, choose M here.  If unsure, say N.
161 
162 if IP_NF_IPTABLES
163 
164 # The matches.
165 config IP_NF_MATCH_AH
166         tristate '"ah" match support'
167         depends on NETFILTER_ADVANCED
168         help
169           This match extension allows you to match a range of SPIs
170           inside AH header of IPSec packets.
171 
172           To compile it as a module, choose M here.  If unsure, say N.
173 
174 config IP_NF_MATCH_ECN
175         tristate '"ecn" match support'
176         depends on NETFILTER_ADVANCED
177         select NETFILTER_XT_MATCH_ECN
178         ---help---
179         This is a backwards-compat option for the user's convenience
180         (e.g. when running oldconfig). It selects
181         CONFIG_NETFILTER_XT_MATCH_ECN.
182 
183 config IP_NF_MATCH_RPFILTER
184         tristate '"rpfilter" reverse path filter match support'
185         depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
186         ---help---
187           This option allows you to match packets whose replies would
188           go out via the interface the packet came in on.
189 
190           To compile it as a module, choose M here.  If unsure, say N.
191           The module will be called ipt_rpfilter.
192 
193 config IP_NF_MATCH_TTL
194         tristate '"ttl" match support'
195         depends on NETFILTER_ADVANCED
196         select NETFILTER_XT_MATCH_HL
197         ---help---
198         This is a backwards-compat option for the user's convenience
199         (e.g. when running oldconfig). It selects
200         CONFIG_NETFILTER_XT_MATCH_HL.
201 
202 # `filter', generic and specific targets
203 config IP_NF_FILTER
204         tristate "Packet filtering"
205         default m if NETFILTER_ADVANCED=n
206         help
207           Packet filtering defines a table `filter', which has a series of
208           rules for simple packet filtering at local input, forwarding and
209           local output.  See the man page for iptables(8).
210 
211           To compile it as a module, choose M here.  If unsure, say N.
212 
213 config IP_NF_TARGET_REJECT
214         tristate "REJECT target support"
215         depends on IP_NF_FILTER
216         select NF_REJECT_IPV4
217         default m if NETFILTER_ADVANCED=n
218         help
219           The REJECT target allows a filtering rule to specify that an ICMP
220           error should be issued in response to an incoming packet, rather
221           than silently being dropped.
222 
223           To compile it as a module, choose M here.  If unsure, say N.
224 
225 config IP_NF_TARGET_SYNPROXY
226         tristate "SYNPROXY target support"
227         depends on NF_CONNTRACK && NETFILTER_ADVANCED
228         select NETFILTER_SYNPROXY
229         select SYN_COOKIES
230         help
231           The SYNPROXY target allows you to intercept TCP connections and
232           establish them using syncookies before they are passed on to the
233           server. This makes it possible to avoid conntrack and server
234           resource usage during SYN-flood attacks.
235 
236           To compile it as a module, choose M here. If unsure, say N.
237 
238 # NAT + specific targets: nf_conntrack
239 config IP_NF_NAT
240         tristate "iptables NAT support"
241         depends on NF_CONNTRACK_IPV4
242         default m if NETFILTER_ADVANCED=n
243         select NF_NAT
244         select NF_NAT_IPV4
245         select NETFILTER_XT_NAT
246         help
247           This enables the `nat' table in iptables. This allows masquerading,
248           port forwarding and other forms of full Network Address Port
249           Translation.
250 
251           To compile it as a module, choose M here.  If unsure, say N.
252 
253 if IP_NF_NAT
254 
255 config IP_NF_TARGET_MASQUERADE
256         tristate "MASQUERADE target support"
257         select NF_NAT_MASQUERADE_IPV4
258         default m if NETFILTER_ADVANCED=n
259         help
260           Masquerading is a special case of NAT: all outgoing connections are
261           changed to seem to come from a particular interface's address, and
262           if the interface goes down, those connections are lost.  This is
263           only useful for dialup accounts with dynamic IP address (i.e. your IP
264           address will be different on next dialup).
265 
266           To compile it as a module, choose M here.  If unsure, say N.
267 
268 config IP_NF_TARGET_NETMAP
269         tristate "NETMAP target support"
270         depends on NETFILTER_ADVANCED
271         select NETFILTER_XT_TARGET_NETMAP
272         ---help---
273         This is a backwards-compat option for the user's convenience
274         (e.g. when running oldconfig). It selects
275         CONFIG_NETFILTER_XT_TARGET_NETMAP.
276 
277 config IP_NF_TARGET_REDIRECT
278         tristate "REDIRECT target support"
279         depends on NETFILTER_ADVANCED
280         select NETFILTER_XT_TARGET_REDIRECT
281         ---help---
282         This is a backwards-compat option for the user's convenience
283         (e.g. when running oldconfig). It selects
284         CONFIG_NETFILTER_XT_TARGET_REDIRECT.
285 
286 endif # IP_NF_NAT
287 
288 # mangle + specific targets
289 config IP_NF_MANGLE
290         tristate "Packet mangling"
291         default m if NETFILTER_ADVANCED=n
292         help
293           This option adds a `mangle' table to iptables: see the man page for
294           iptables(8).  This table is used for various packet alterations
295           which can affect how the packet is routed.
296 
297           To compile it as a module, choose M here.  If unsure, say N.
298 
299 config IP_NF_TARGET_CLUSTERIP
300         tristate "CLUSTERIP target support"
301         depends on IP_NF_MANGLE
302         depends on NF_CONNTRACK_IPV4
303         depends on NETFILTER_ADVANCED
304         select NF_CONNTRACK_MARK
305         help
306           The CLUSTERIP target allows you to build load-balancing clusters of
307           network servers without having a dedicated load-balancing
308           router/server/switch.
309         
310           To compile it as a module, choose M here.  If unsure, say N.
311 
312 config IP_NF_TARGET_ECN
313         tristate "ECN target support"
314         depends on IP_NF_MANGLE
315         depends on NETFILTER_ADVANCED
316         ---help---
317           This option adds an `ECN' target, which can be used in the iptables mangle
318           table.
319 
320           You can use this target to remove the ECN bits from the IPv4 header of
321           an IP packet.  This is particularly useful if you need to work around
322           existing ECN blackholes on the internet, but don't want to disable
323           ECN support in general.
324 
325           To compile it as a module, choose M here.  If unsure, say N.
326 
327 config IP_NF_TARGET_TTL
328         tristate '"TTL" target support'
329         depends on NETFILTER_ADVANCED && IP_NF_MANGLE
330         select NETFILTER_XT_TARGET_HL
331         ---help---
332         This is a backwards-compatible option for the user's convenience
333         (e.g. when running oldconfig). It selects
334         CONFIG_NETFILTER_XT_TARGET_HL.
335 
336 # raw + specific targets
337 config IP_NF_RAW
338         tristate  'raw table support (required for NOTRACK/TRACE)'
339         help
340           This option adds a `raw' table to iptables. This table is the very
341           first in the netfilter framework and hooks in at the PREROUTING
342           and OUTPUT chains.
343         
344           If you want to compile it as a module, say M here and read
345           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
346 
347 # security table for MAC policy
348 config IP_NF_SECURITY
349         tristate "Security table"
350         depends on SECURITY
351         depends on NETFILTER_ADVANCED
352         help
353           This option adds a `security' table to iptables, for use
354           with Mandatory Access Control (MAC) policy.
355          
356           If unsure, say N.
357 
358 endif # IP_NF_IPTABLES
359 
360 # ARP tables
361 config IP_NF_ARPTABLES
362         tristate "ARP tables support"
363         select NETFILTER_XTABLES
364         depends on NETFILTER_ADVANCED
365         help
366           arptables is a general, extensible packet identification framework.
367           The ARP packet filtering and mangling (manipulation) subsystems
368           use this: say Y or M here if you want to use either of those.
369 
370           To compile it as a module, choose M here.  If unsure, say N.
371 
372 if IP_NF_ARPTABLES
373 
374 config IP_NF_ARPFILTER
375         tristate "ARP packet filtering"
376         help
377           ARP packet filtering defines a table `filter', which has a series of
378           rules for simple ARP packet filtering at local input and
379           local output.  On a bridge, you can also specify filtering rules
380           for forwarded ARP packets. See the man page for arptables(8).
381 
382           To compile it as a module, choose M here.  If unsure, say N.
383 
384 config IP_NF_ARP_MANGLE
385         tristate "ARP payload mangling"
386         help
387           Allows altering the ARP packet payload: source and destination
388           hardware and network addresses.
389 
390 endif # IP_NF_ARPTABLES
391 
392 endmenu
393 
