git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/blob - net/ipv4/netfilter/Kconfig
Merge branch 'tip/perf/core' of git://git.kernel.org/pub/scm/linux/kernel/git/rostedt...
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	depends on NETFILTER_ADVANCED
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	default m if NETFILTER_ADVANCED=n
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here. If unsure, say N.

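Both IP_NF_QUEUE (earlier in this file) and IP_NF_TARGET_ULOG (just above) are marked obsolete in favour of the nfnetlink_queue and nfnetlink_log code, so a kernel-config review should flag them: they are unmaintained IPv4-only code paths that an attacker reachable via netlink can still exercise if they are built. The following is an added example and not code from the kernel tree: a small Python audit that parses a `.config` (the `CONFIG_X=y`, `CONFIG_X=m` and `# CONFIG_X is not set` line forms) and reports obsolete IPv4 netfilter options that are still enabled, together with whether the replacement named in the help text is configured. The option-to-replacement table is taken from the help texts on this page; the sample configuration is constructed for the example, and reading `/proc/config.gz` assumes the running kernel was built with CONFIG_IKCONFIG_PROC.

```python
import gzip
import re

# Obsolete options named on this page and the replacement each help text points to.
OBSOLETE = {
    "IP_NF_QUEUE":       "NETFILTER_NETLINK_QUEUE",  # ip_queue   -> nfnetlink_queue
    "IP_NF_TARGET_ULOG": "NETFILTER_NETLINK_LOG",    # ipt_ULOG   -> nfnetlink_log
}

_SET = re.compile(r"^CONFIG_([A-Za-z0-9_]+)=(.*)$")
_UNSET = re.compile(r"^# CONFIG_([A-Za-z0-9_]+) is not set$")


def parse_config(text: str) -> dict:
    """Map CONFIG_ names (prefix stripped) to 'y', 'm', 'n' or a literal value.

    Handles the three line forms found in a kernel .config; any other
    comment or blank line is ignored.
    """
    values = {}
    for line in text.splitlines():
        line = line.strip()
        m = _SET.match(line)
        if m:
            values[m.group(1)] = m.group(2).strip()
            continue
        m = _UNSET.match(line)
        if m:
            values[m.group(1)] = "n"
    return values


def load_config(path: str = "/proc/config.gz") -> dict:
    """Read a .config from disk or from /proc/config.gz (needs CONFIG_IKCONFIG_PROC)."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt") as fh:
        return parse_config(fh.read())


def audit_obsolete(values: dict) -> list:
    """One (option, state, replacement, replacement_state) tuple per obsolete
    option that is still built in (y) or built as a module (m)."""
    findings = []
    for old, new in OBSOLETE.items():
        state = values.get(old, "n")
        if state in ("y", "m"):
            findings.append((old, state, new, values.get(new, "n")))
    return findings


# Constructed sample: a trimmed .config, not taken from any real kernel build.
SAMPLE_CONFIG = """\
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_QUEUE=m
# CONFIG_NETFILTER_NETLINK_QUEUE is not set
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=y
CONFIG_NETFILTER_NETLINK_LOG=m
# CONFIG_IP_NF_TARGET_CLUSTERIP is not set
"""

if __name__ == "__main__":
    for old, state, new, new_state in audit_obsolete(parse_config(SAMPLE_CONFIG)):
        hint = ("replacement already configured" if new_state != "n"
                else "replacement not configured")
        print(f"CONFIG_{old}={state} is obsolete; use CONFIG_{new} ({hint})")
```

On a live host, `audit_obsolete(load_config())` runs the same check against the running kernel; on the sample both obsolete options are reported, and the ULOG finding notes that nfnetlink_log is already present so the old target can simply be turned off.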
# NAT + specific targets: nf_conntrack
config NF_NAT
	tristate "Full NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_NEEDED
	bool
	depends on NF_NAT
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on NF_NAT
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NF_NAT
	depends on NETFILTER_ADVANCED
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	depends on NETFILTER_ADVANCED
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_DCCP
	tristate
	depends on NF_NAT && NF_CT_PROTO_DCCP
	default NF_NAT && NF_CT_PROTO_DCCP

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT && NF_CT_PROTO_GRE

config NF_NAT_PROTO_UDPLITE
	tristate
	depends on NF_NAT && NF_CT_PROTO_UDPLITE
	default NF_NAT && NF_CT_PROTO_UDPLITE

config NF_NAT_PROTO_SCTP
	tristate
	default NF_NAT && NF_CT_PROTO_SCTP
	depends on NF_NAT && NF_CT_PROTO_SCTP
	select LIBCRC32C

config NF_NAT_FTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_TFTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_AMANDA
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

config NF_NAT_SIP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

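The comment above on `&&` returning min() is the key to reading every `default NF_NAT && NF_CONNTRACK_*` line in this block, and also the `default m if NETFILTER_ADVANCED=n` lines earlier in the file: a NAT helper is never built "harder" than either NF_NAT or its conntrack helper, and NF_NAT_PROTO_GRE has no `default` at all because it is only ever pulled in by the `select` in NF_NAT_PPTP. As an added example, not part of the kernel's kconfig implementation, the following Python models that arithmetic: tristate values are ordered n < m < y, `&&` is min, `||` is max, `!` swaps y and n, a symbol's own value is capped by its `depends on` expression and by the condition on its `default`, and a `select` from another symbol raises it. This is a simplified model of scripts/kconfig/symbol.c that treats every symbol as if it had no prompt (the value `make oldconfig` would propose) and whose parser only covers the operators used on this page (no parentheses); the sample configuration values are constructed.

```python
from dataclasses import dataclass

# Tristate values in kconfig order: n < m < y.
N, M, Y = 0, 1, 2
TRI = {"n": N, "m": M, "y": Y}
NAME = {N: "n", M: "m", Y: "y"}


def _atom(tok: str, env: dict) -> int:
    tok = tok.strip()
    if tok in TRI:
        return TRI[tok]
    return env.get(tok, N)           # an undefined symbol evaluates to n


def eval_expr(expr: str, env: dict) -> int:
    """Evaluate a kconfig dependency expression (no parentheses) to n/m/y."""
    expr = expr.strip()
    if "||" in expr:                 # lowest precedence: max()
        return max(eval_expr(p, env) for p in expr.split("||"))
    if "&&" in expr:                 # binds tighter than ||: min()
        return min(eval_expr(p, env) for p in expr.split("&&"))
    if expr.startswith("!"):         # !y = n, !m = m, !n = y
        return Y - eval_expr(expr[1:], env)
    if "!=" in expr:                 # comparisons are boolean: y or n
        lhs, rhs = expr.split("!=", 1)
        return Y if _atom(lhs, env) != _atom(rhs, env) else N
    if "=" in expr:
        lhs, rhs = expr.split("=", 1)
        return Y if _atom(lhs, env) == _atom(rhs, env) else N
    return _atom(expr, env)


@dataclass(frozen=True)
class Symbol:
    name: str
    depends: str = "y"       # `depends on` expression
    default: str = "n"       # value expression of the `default` line
    default_if: str = "y"    # condition of `default ... if ...`
    selects: tuple = ()      # names this symbol `select`s


def calc_values(symbols, config: dict) -> dict:
    """Value of each symbol given the user-chosen values in `config`.

    own = min(default value, default condition, depends on); any symbol that
    selects this one raises it with max(). Iterated to a fixed point so a
    select is honoured regardless of declaration order.
    """
    env = dict(config)
    for s in symbols:
        env.setdefault(s.name, N)
    changed = True
    while changed:
        changed = False
        for s in symbols:
            own = min(eval_expr(s.default, env),
                      eval_expr(s.default_if, env),
                      eval_expr(s.depends, env))
            rev = max((env[o.name] for o in symbols if s.name in o.selects), default=N)
            new = max(own, rev)
            if env[s.name] != new:
                env[s.name] = new
                changed = True
    return {s.name: env[s.name] for s in symbols}


# The prompt-less NAT helpers from this block, plus one `default m if ...` symbol.
SYMBOLS = (
    Symbol("NF_NAT_PROTO_DCCP", "NF_NAT && NF_CT_PROTO_DCCP", "NF_NAT && NF_CT_PROTO_DCCP"),
    Symbol("NF_NAT_PROTO_GRE", "NF_NAT && NF_CT_PROTO_GRE"),   # no default: only ever selected
    Symbol("NF_NAT_FTP", "NF_CONNTRACK && NF_NAT", "NF_NAT && NF_CONNTRACK_FTP"),
    Symbol("NF_NAT_PPTP", "NF_CONNTRACK && NF_NAT", "NF_NAT && NF_CONNTRACK_PPTP",
           selects=("NF_NAT_PROTO_GRE",)),
    Symbol("IP_NF_TARGET_REJECT", "IP_NF_FILTER", "m", "NETFILTER_ADVANCED=n"),
)

# Constructed sample of user-chosen values (what a .config would carry).
SAMPLE_CONFIG = {
    "NF_CONNTRACK": Y, "NF_NAT": M, "NF_CONNTRACK_FTP": Y,
    "NF_CT_PROTO_GRE": M, "NF_CONNTRACK_PPTP": M, "NF_CT_PROTO_DCCP": N,
    "NETFILTER_ADVANCED": N, "IP_NF_FILTER": M,
}

if __name__ == "__main__":
    for name, value in calc_values(SYMBOLS, SAMPLE_CONFIG).items():
        print(f"{name}={NAME[value]}")
```

With NF_NAT=m and NF_CONNTRACK_FTP=y the model gives NF_NAT_FTP=m (the "whichever is weaker" case from the comment), NF_NAT_PROTO_DCCP=n because its conntrack side is off, and NF_NAT_PROTO_GRE=m purely through the select from NF_NAT_PPTP. Flipping NETFILTER_ADVANCED to y drops IP_NF_TARGET_REJECT's proposed default from m to n, which is why a hardened config built with NETFILTER_ADVANCED=y has to enable REJECT (and LOG, MASQUERADE and friends) explicitly.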
# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
