1 #
2 # IP netfilter configuration
3 #
4
5 menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
7
8 config NF_DEFRAG_IPV4
9 tristate
10 default n
11
12 config NF_SOCKET_IPV4
13 tristate "IPv4 socket lookup support"
14 help
15 This option enables the IPv4 socket lookup infrastructure. This
16 is required by the {ip,nf}tables socket match.
17
18 config NF_TPROXY_IPV4
19 tristate "IPv4 tproxy support"
20
21 if NF_TABLES
22
23 config NF_TABLES_IPV4
24 bool "IPv4 nf_tables support"
25 help
26 This option enables the IPv4 support for nf_tables.
27
28 if NF_TABLES_IPV4
29
30 config NFT_CHAIN_ROUTE_IPV4
31 tristate "IPv4 nf_tables route chain support"
32 help
33 This option enables the "route" chain for IPv4 in nf_tables. This
34 chain type is used to force packet re-routing after mangling header
35 fields such as the source, destination, type of service and
36 the packet mark.
37
38 config NFT_REJECT_IPV4
39 select NF_REJECT_IPV4
40 default NFT_REJECT
41 tristate
42
43 config NFT_DUP_IPV4
44 tristate "IPv4 nf_tables packet duplication support"
45 depends on !NF_CONNTRACK || NF_CONNTRACK
46 select NF_DUP_IPV4
47 help
48 This module enables IPv4 packet duplication support for nf_tables.
49
50 config NFT_FIB_IPV4
51 select NFT_FIB
52 tristate "nf_tables fib / ip route lookup support"
53 help
54 This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
55 It also allows querying the FIB for the route type, e.g. local, unicast,
56 multicast or blackhole.
57
58 endif # NF_TABLES_IPV4
59
60 config NF_TABLES_ARP
61 bool "ARP nf_tables support"
62 select NETFILTER_FAMILY_ARP
63 help
64 This option enables the ARP support for nf_tables.
65
66 endif # NF_TABLES
67
68 config NF_FLOW_TABLE_IPV4
69 tristate "Netfilter flow table IPv4 module"
70 depends on NF_FLOW_TABLE
71 help
72 This option adds the flow table IPv4 support.
73
74 To compile it as a module, choose M here.
75
76 config NF_DUP_IPV4
77 tristate "Netfilter IPv4 packet duplication to alternate destination"
78 depends on !NF_CONNTRACK || NF_CONNTRACK
79 help
80 This option enables the nf_dup_ipv4 core, which duplicates an IPv4
81 packet to be rerouted to another destination.
82
83 config NF_LOG_ARP
84 tristate "ARP packet logging"
85 default m if NETFILTER_ADVANCED=n
86 select NF_LOG_COMMON
87
88 config NF_LOG_IPV4
89 tristate "IPv4 packet logging"
90 default m if NETFILTER_ADVANCED=n
91 select NF_LOG_COMMON
92
93 config NF_REJECT_IPV4
94 tristate "IPv4 packet rejection"
95 default m if NETFILTER_ADVANCED=n
96
97 config NF_NAT_IPV4
98 tristate "IPv4 NAT"
99 depends on NF_CONNTRACK
100 default m if NETFILTER_ADVANCED=n
101 select NF_NAT
102 help
103 The IPv4 NAT option allows masquerading, port forwarding and other
104 forms of full Network Address Port Translation. This can be
105 controlled by iptables or nft.
106
107 if NF_NAT_IPV4
108
109 config NF_NAT_MASQUERADE_IPV4
110 bool
111
112 if NF_TABLES
113 config NFT_CHAIN_NAT_IPV4
114 depends on NF_TABLES_IPV4
115 tristate "IPv4 nf_tables nat chain support"
116 help
117 This option enables the "nat" chain for IPv4 in nf_tables. This
118 chain type is used to perform Network Address Translation (NAT)
119 packet transformations, such as rewriting the source or destination
120 address and the source or destination port.
121
122 config NFT_MASQ_IPV4
123 tristate "IPv4 masquerading support for nf_tables"
124 depends on NF_TABLES_IPV4
125 depends on NFT_MASQ
126 select NF_NAT_MASQUERADE_IPV4
127 help
128 This is the expression that provides IPv4 masquerading support for
129 nf_tables.
130
131 config NFT_REDIR_IPV4
132 tristate "IPv4 redirect support for nf_tables"
133 depends on NF_TABLES_IPV4
134 depends on NFT_REDIR
135 select NF_NAT_REDIRECT
136 help
137 This is the expression that provides IPv4 redirect support for
138 nf_tables.
139 endif # NF_TABLES
140
141 config NF_NAT_SNMP_BASIC
142 tristate "Basic SNMP-ALG support"
143 depends on NF_CONNTRACK_SNMP
144 depends on NETFILTER_ADVANCED
145 default NF_NAT && NF_CONNTRACK_SNMP
146 select ASN1
147 ---help---
148
149 This module implements an Application Layer Gateway (ALG) for
150 SNMP payloads. In conjunction with NAT, it allows a network
151 management system to access multiple private networks with
152 conflicting addresses. It works by modifying IP addresses
153 inside SNMP payloads to match IP-layer NAT mapping.
154
155 This is the "basic" form of SNMP-ALG, as described in RFC 2962.
156
157 To compile it as a module, choose M here. If unsure, say N.
158
159 config NF_NAT_PPTP
160 tristate
161 depends on NF_CONNTRACK
162 default NF_CONNTRACK_PPTP
163
164 config NF_NAT_H323
165 tristate
166 depends on NF_CONNTRACK
167 default NF_CONNTRACK_H323
168
169 endif # NF_NAT_IPV4
170
171 config IP_NF_IPTABLES
172 tristate "IP tables support (required for filtering/masq/NAT)"
173 default m if NETFILTER_ADVANCED=n
174 select NETFILTER_XTABLES
175 help
176 iptables is a general, extensible packet identification framework.
177 The packet filtering and full NAT (masquerading, port forwarding,
178 etc) subsystems now use this: say `Y' or `M' here if you want to use
179 either of those.
180
181 To compile it as a module, choose M here. If unsure, say N.
182
183 if IP_NF_IPTABLES
184
185 # The matches.
186 config IP_NF_MATCH_AH
187 tristate '"ah" match support'
188 depends on NETFILTER_ADVANCED
189 help
190 This match extension allows you to match a range of SPIs
191 inside the AH header of IPsec packets.
192
193 To compile it as a module, choose M here. If unsure, say N.
194
195 config IP_NF_MATCH_ECN
196 tristate '"ecn" match support'
197 depends on NETFILTER_ADVANCED
198 select NETFILTER_XT_MATCH_ECN
199 ---help---
200 This is a backwards-compat option for the user's convenience
201 (e.g. when running oldconfig). It selects
202 CONFIG_NETFILTER_XT_MATCH_ECN.
203
204 config IP_NF_MATCH_RPFILTER
205 tristate '"rpfilter" reverse path filter match support'
206 depends on NETFILTER_ADVANCED
207 depends on IP_NF_MANGLE || IP_NF_RAW
208 ---help---
209 This option allows you to match packets whose replies would
210 go out via the interface the packet came in on.
211
212 To compile it as a module, choose M here. If unsure, say N.
213 The module will be called ipt_rpfilter.
214
215 config IP_NF_MATCH_TTL
216 tristate '"ttl" match support'
217 depends on NETFILTER_ADVANCED
218 select NETFILTER_XT_MATCH_HL
219 ---help---
220 This is a backwards-compat option for the user's convenience
221 (e.g. when running oldconfig). It selects
222 CONFIG_NETFILTER_XT_MATCH_HL.
223
224 # `filter', generic and specific targets
225 config IP_NF_FILTER
226 tristate "Packet filtering"
227 default m if NETFILTER_ADVANCED=n
228 help
229 Packet filtering defines a table `filter', which has a series of
230 rules for simple packet filtering at local input, forwarding and
231 local output. See the man page for iptables(8).
232
233 To compile it as a module, choose M here. If unsure, say N.
234
235 config IP_NF_TARGET_REJECT
236 tristate "REJECT target support"
237 depends on IP_NF_FILTER
238 select NF_REJECT_IPV4
239 default m if NETFILTER_ADVANCED=n
240 help
241 The REJECT target allows a filtering rule to specify that an ICMP
242 error should be issued in response to an incoming packet, rather
243 than silently being dropped.
244
245 To compile it as a module, choose M here. If unsure, say N.
246
247 config IP_NF_TARGET_SYNPROXY
248 tristate "SYNPROXY target support"
249 depends on NF_CONNTRACK && NETFILTER_ADVANCED
250 select NETFILTER_SYNPROXY
251 select SYN_COOKIES
252 help
253 The SYNPROXY target allows you to intercept TCP connections and
254 establish them using syncookies before they are passed on to the
255 server. This avoids conntrack and server resource usage
256 during SYN-flood attacks.
257
258 To compile it as a module, choose M here. If unsure, say N.
259
260 # NAT + specific targets: nf_conntrack
261 config IP_NF_NAT
262 tristate "iptables NAT support"
263 depends on NF_CONNTRACK
264 default m if NETFILTER_ADVANCED=n
265 select NF_NAT
266 select NF_NAT_IPV4
267 select NETFILTER_XT_NAT
268 help
269 This enables the `nat' table in iptables. This allows masquerading,
270 port forwarding and other forms of full Network Address Port
271 Translation.
272
273 To compile it as a module, choose M here. If unsure, say N.
274
275 if IP_NF_NAT
276
277 config IP_NF_TARGET_MASQUERADE
278 tristate "MASQUERADE target support"
279 select NF_NAT_MASQUERADE_IPV4
280 default m if NETFILTER_ADVANCED=n
281 help
282 Masquerading is a special case of NAT: all outgoing connections are
283 changed to seem to come from a particular interface's address, and
284 if the interface goes down, those connections are lost. This is
285 only useful for dialup accounts with a dynamic IP address (i.e. your IP
286 address will be different on next dialup).
287
288 To compile it as a module, choose M here. If unsure, say N.
289
290 config IP_NF_TARGET_NETMAP
291 tristate "NETMAP target support"
292 depends on NETFILTER_ADVANCED
293 select NETFILTER_XT_TARGET_NETMAP
294 ---help---
295 This is a backwards-compat option for the user's convenience
296 (e.g. when running oldconfig). It selects
297 CONFIG_NETFILTER_XT_TARGET_NETMAP.
298
299 config IP_NF_TARGET_REDIRECT
300 tristate "REDIRECT target support"
301 depends on NETFILTER_ADVANCED
302 select NETFILTER_XT_TARGET_REDIRECT
303 ---help---
304 This is a backwards-compat option for the user's convenience
305 (e.g. when running oldconfig). It selects
306 CONFIG_NETFILTER_XT_TARGET_REDIRECT.
307
308 endif # IP_NF_NAT
309
310 # mangle + specific targets
311 config IP_NF_MANGLE
312 tristate "Packet mangling"
313 default m if NETFILTER_ADVANCED=n
314 help
315 This option adds a `mangle' table to iptables: see the man page for
316 iptables(8). This table is used for various packet alterations
317 which can affect how the packet is routed.
318
319 To compile it as a module, choose M here. If unsure, say N.
320
321 config IP_NF_TARGET_CLUSTERIP
322 tristate "CLUSTERIP target support"
323 depends on IP_NF_MANGLE
324 depends on NF_CONNTRACK
325 depends on NETFILTER_ADVANCED
326 select NF_CONNTRACK_MARK
327 select NETFILTER_FAMILY_ARP
328 help
329 The CLUSTERIP target allows you to build load-balancing clusters of
330 network servers without having a dedicated load-balancing
331 router/server/switch.
332
333 To compile it as a module, choose M here. If unsure, say N.
334
335 config IP_NF_TARGET_ECN
336 tristate "ECN target support"
337 depends on IP_NF_MANGLE
338 depends on NETFILTER_ADVANCED
339 ---help---
340 This option adds an `ECN' target, which can be used in the iptables mangle
341 table.
342
343 You can use this target to remove the ECN bits from the IPv4 header of
344 an IP packet. This is particularly useful if you need to work around
345 existing ECN blackholes on the internet, but don't want to disable
346 ECN support in general.
347
348 To compile it as a module, choose M here. If unsure, say N.
349
350 config IP_NF_TARGET_TTL
351 tristate '"TTL" target support'
352 depends on NETFILTER_ADVANCED && IP_NF_MANGLE
353 select NETFILTER_XT_TARGET_HL
354 ---help---
355 This is a backwards-compatible option for the user's convenience
356 (e.g. when running oldconfig). It selects
357 CONFIG_NETFILTER_XT_TARGET_HL.
358
359 # raw + specific targets
360 config IP_NF_RAW
361 tristate 'raw table support (required for NOTRACK/TRACE)'
362 help
363 This option adds a `raw' table to iptables. This table is the very
364 first in the netfilter framework and hooks in at the PREROUTING
365 and OUTPUT chains.
366
367 If you want to compile it as a module, say M here and read
368 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
369
370 # security table for MAC policy
371 config IP_NF_SECURITY
372 tristate "Security table"
373 depends on SECURITY
374 depends on NETFILTER_ADVANCED
375 help
376 This option adds a `security' table to iptables, for use
377 with Mandatory Access Control (MAC) policy.
378
379 If unsure, say N.
380
381 endif # IP_NF_IPTABLES
382
383 # ARP tables
384 config IP_NF_ARPTABLES
385 tristate "ARP tables support"
386 select NETFILTER_XTABLES
387 select NETFILTER_FAMILY_ARP
388 depends on NETFILTER_ADVANCED
389 help
390 arptables is a general, extensible packet identification framework.
391 The ARP packet filtering and mangling (manipulation) subsystems
392 use this: say Y or M here if you want to use either of those.
393
394 To compile it as a module, choose M here. If unsure, say N.
395
396 if IP_NF_ARPTABLES
397
398 config IP_NF_ARPFILTER
399 tristate "ARP packet filtering"
400 help
401 ARP packet filtering defines a table `filter', which has a series of
402 rules for simple ARP packet filtering at local input and
403 local output. On a bridge, you can also specify filtering rules
404 for forwarded ARP packets. See the man page for arptables(8).
405
406 To compile it as a module, choose M here. If unsure, say N.
407
408 config IP_NF_ARP_MANGLE
409 tristate "ARP payload mangling"
410 help
411 Allows altering the ARP packet payload: source and destination
412 hardware and network addresses.
413
414 endif # IP_NF_ARPTABLES
415
416 endmenu
417