1# SPDX-License-Identifier: GPL-2.0-only
2#
3# IP netfilter configuration
4#
5
6menu "IP: Netfilter Configuration"
7 depends on INET && NETFILTER
8
9config NF_DEFRAG_IPV4
10 tristate
11 default n
12
13# old sockopt interface and eval loop
14config IP_NF_IPTABLES_LEGACY
15 tristate "Legacy IP tables support"
16 depends on NETFILTER_XTABLES_LEGACY
17 depends on NETFILTER_XTABLES
18 default m if NETFILTER_XTABLES_LEGACY
19 help
20 iptables is a legacy packet classifier.
21 This is not needed if you are using iptables over nftables
22 (iptables-nft).
23
24config NF_SOCKET_IPV4
25 tristate "IPv4 socket lookup support"
26 help
27 This option enables the IPv4 socket lookup infrastructure. This is
28 required by the {ip,nf}tables socket match.
29
30config NF_TPROXY_IPV4
31 tristate "IPv4 tproxy support"
32
33if NF_TABLES
34
35config NF_TABLES_IPV4
36 bool "IPv4 nf_tables support"
37 help
38 This option enables the IPv4 support for nf_tables.
39
40if NF_TABLES_IPV4
41
42config NFT_REJECT_IPV4
43 select NF_REJECT_IPV4
44 default NFT_REJECT
45 tristate
46
47config NFT_DUP_IPV4
48 tristate "IPv4 nf_tables packet duplication support"
49 depends on !NF_CONNTRACK || NF_CONNTRACK
50 select NF_DUP_IPV4
51 help
52 This module enables IPv4 packet duplication support for nf_tables.
53
54config NFT_FIB_IPV4
55 select NFT_FIB
56 tristate "nf_tables fib / ip route lookup support"
57 help
58 This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
59 It also allows query of the FIB for the route type, e.g. local, unicast,
60 multicast or blackhole.
61
62endif # NF_TABLES_IPV4
63
64config NF_TABLES_ARP
65 bool "ARP nf_tables support"
66 select NETFILTER_FAMILY_ARP
67 help
68 This option enables the ARP support for nf_tables.
69
70endif # NF_TABLES
71
72config NF_DUP_IPV4
73 tristate "Netfilter IPv4 packet duplication to alternate destination"
74 depends on !NF_CONNTRACK || NF_CONNTRACK
75 help
76 This option enables the nf_dup_ipv4 core, which duplicates an IPv4
77 packet to be rerouted to another destination.
78
79config NF_LOG_ARP
80 tristate "ARP packet logging"
81 default m if NETFILTER_ADVANCED=n
82 select NF_LOG_SYSLOG
83 help
84 This is a backwards-compat option for the user's convenience
85 (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.
86
87config NF_LOG_IPV4
88 tristate "IPv4 packet logging"
89 default m if NETFILTER_ADVANCED=n
90 select NF_LOG_SYSLOG
91 help
92 This is a backwards-compat option for the user's convenience
93 (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.
94
95config NF_REJECT_IPV4
96 tristate "IPv4 packet rejection"
97 default m if NETFILTER_ADVANCED=n
98
99if NF_NAT
100config NF_NAT_SNMP_BASIC
101 tristate "Basic SNMP-ALG support"
102 depends on NF_CONNTRACK_SNMP
103 depends on NETFILTER_ADVANCED
104 default NF_NAT && NF_CONNTRACK_SNMP
105 select ASN1
106 help
107
108 This module implements an Application Layer Gateway (ALG) for
109 SNMP payloads. In conjunction with NAT, it allows a network
110 management system to access multiple private networks with
111 conflicting addresses. It works by modifying IP addresses
112 inside SNMP payloads to match IP-layer NAT mapping.
113
114 This is the "basic" form of SNMP-ALG, as described in RFC 2962.
115
116 To compile it as a module, choose M here. If unsure, say N.
117
118config NF_NAT_PPTP
119 tristate
120 depends on NF_CONNTRACK
121 default NF_CONNTRACK_PPTP
122
123config NF_NAT_H323
124 tristate
125 depends on NF_CONNTRACK
126 default NF_CONNTRACK_H323
127
128endif # NF_NAT
129
130config IP_NF_IPTABLES
131 tristate "IP tables support (required for filtering/masq/NAT)"
132 default m if NETFILTER_ADVANCED=n
133 select NETFILTER_XTABLES
134 help
135 iptables is a general, extensible packet identification framework.
136 The packet filtering and full NAT (masquerading, port forwarding,
137 etc) subsystems now use this: say `Y' or `M' here if you want to use
138 either of those.
139
140 To compile it as a module, choose M here. If unsure, say N.
141
142if IP_NF_IPTABLES
143
144# The matches.
145config IP_NF_MATCH_AH
146 tristate '"ah" match support'
147 depends on NETFILTER_ADVANCED
148 help
149 This match extension allows you to match a range of SPIs
150 inside the AH header of IPsec packets.
151
152 To compile it as a module, choose M here. If unsure, say N.
153
154config IP_NF_MATCH_ECN
155 tristate '"ecn" match support'
156 depends on NETFILTER_ADVANCED
157 select NETFILTER_XT_MATCH_ECN
158 help
159 This is a backwards-compat option for the user's convenience
160 (e.g. when running oldconfig). It selects
161 CONFIG_NETFILTER_XT_MATCH_ECN.
162
163config IP_NF_MATCH_RPFILTER
164 tristate '"rpfilter" reverse path filter match support'
165 depends on NETFILTER_ADVANCED
166 depends on IP_NF_MANGLE || IP_NF_RAW || NFT_COMPAT
167 help
168 This option allows you to match packets whose replies would
169 go out via the interface the packet came in on.
170
171 To compile it as a module, choose M here. If unsure, say N.
172 The module will be called ipt_rpfilter.
173
174config IP_NF_MATCH_TTL
175 tristate '"ttl" match support'
176 depends on NETFILTER_ADVANCED
177 select NETFILTER_XT_MATCH_HL
178 help
179 This is a backwards-compat option for the user's convenience
180 (e.g. when running oldconfig). It selects
181 CONFIG_NETFILTER_XT_MATCH_HL.
182
183# `filter', generic and specific targets
184config IP_NF_FILTER
185 tristate "Packet filtering"
186 default m if NETFILTER_ADVANCED=n || IP_NF_IPTABLES_LEGACY
187 depends on IP_NF_IPTABLES_LEGACY
188 help
189 Packet filtering defines a table `filter', which has a series of
190 rules for simple packet filtering at local input, forwarding and
191 local output. See the man page for iptables(8).
192
193 To compile it as a module, choose M here. If unsure, say N.
194
195config IP_NF_TARGET_REJECT
196 tristate "REJECT target support"
197 depends on IP_NF_FILTER || NFT_COMPAT
198 select NF_REJECT_IPV4
199 default m if NETFILTER_ADVANCED=n
200 help
201 The REJECT target allows a filtering rule to specify that an ICMP
202 error should be issued in response to an incoming packet, rather
203 than silently being dropped.
204
205 To compile it as a module, choose M here. If unsure, say N.
206
207config IP_NF_TARGET_SYNPROXY
208 tristate "SYNPROXY target support"
209 depends on NF_CONNTRACK && NETFILTER_ADVANCED
210 select NETFILTER_SYNPROXY
211 select SYN_COOKIES
212 help
213 The SYNPROXY target allows you to intercept TCP connections and
214 establish them using syncookies before they are passed on to the
215 server. This avoids conntrack and server resource usage
216 during SYN-flood attacks.
217
218 To compile it as a module, choose M here. If unsure, say N.
219
220# NAT + specific targets: nf_conntrack
221config IP_NF_NAT
222 tristate "iptables NAT support"
223 depends on NF_CONNTRACK
224 depends on IP_NF_IPTABLES_LEGACY
225 default m if NETFILTER_ADVANCED=n
226 select NF_NAT
227 select NETFILTER_XT_NAT
228 help
229 This enables the `nat' table in iptables. This allows masquerading,
230 port forwarding and other forms of full Network Address Port
231 Translation.
232
233 To compile it as a module, choose M here. If unsure, say N.
234
235if IP_NF_NAT
236
237config IP_NF_TARGET_MASQUERADE
238 tristate "MASQUERADE target support"
239 select NETFILTER_XT_TARGET_MASQUERADE
240 help
241 This is a backwards-compat option for the user's convenience
242 (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
243
244config IP_NF_TARGET_NETMAP
245 tristate "NETMAP target support"
246 depends on NETFILTER_ADVANCED
247 select NETFILTER_XT_TARGET_NETMAP
248 help
249 This is a backwards-compat option for the user's convenience
250 (e.g. when running oldconfig). It selects
251 CONFIG_NETFILTER_XT_TARGET_NETMAP.
252
253config IP_NF_TARGET_REDIRECT
254 tristate "REDIRECT target support"
255 depends on NETFILTER_ADVANCED
256 select NETFILTER_XT_TARGET_REDIRECT
257 help
258 This is a backwards-compat option for the user's convenience
259 (e.g. when running oldconfig). It selects
260 CONFIG_NETFILTER_XT_TARGET_REDIRECT.
261
262endif # IP_NF_NAT
263
264# mangle + specific targets
265config IP_NF_MANGLE
266 tristate "Packet mangling"
267 default m if NETFILTER_ADVANCED=n || IP_NF_IPTABLES_LEGACY
268 depends on IP_NF_IPTABLES_LEGACY
269 help
270 This option adds a `mangle' table to iptables: see the man page for
271 iptables(8). This table is used for various packet alterations
272 which can affect how the packet is routed.
273
274 To compile it as a module, choose M here. If unsure, say N.
275
276config IP_NF_TARGET_ECN
277 tristate "ECN target support"
278 depends on IP_NF_MANGLE || NFT_COMPAT
279 depends on NETFILTER_ADVANCED
280 help
281 This option adds a `ECN' target, which can be used in the iptables mangle
282 table.
283
284 You can use this target to remove the ECN bits from the IPv4 header of
285 an IP packet. This is particularly useful if you need to work around
286 existing ECN blackholes on the internet but don't want to disable
287 ECN support in general.
288
289 To compile it as a module, choose M here. If unsure, say N.
290
291config IP_NF_TARGET_TTL
292 tristate '"TTL" target support'
293 depends on NETFILTER_ADVANCED && IP_NF_MANGLE
294 select NETFILTER_XT_TARGET_HL
295 help
296 This is a backwards-compatible option for the user's convenience
297 (e.g. when running oldconfig). It selects
298 CONFIG_NETFILTER_XT_TARGET_HL.
299
300# raw + specific targets
301config IP_NF_RAW
302 tristate 'raw table support (required for NOTRACK/TRACE)'
303 depends on IP_NF_IPTABLES_LEGACY
304 help
305 This option adds a `raw' table to iptables. This table is the very
306 first in the netfilter framework and hooks in at the PREROUTING
307 and OUTPUT chains.
308
309 If you want to compile it as a module, say M here and read
310 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
311
312# security table for MAC policy
313config IP_NF_SECURITY
314 tristate "Security table"
315 depends on SECURITY
316 depends on NETFILTER_ADVANCED
317 depends on IP_NF_IPTABLES_LEGACY
318 help
319 This option adds a `security' table to iptables, for use
320 with Mandatory Access Control (MAC) policy.
321
322 If unsure, say N.
323
324endif # IP_NF_IPTABLES
325
326# ARP tables
327config IP_NF_ARPTABLES
328 tristate "Legacy ARPTABLES support"
329 depends on NETFILTER_XTABLES_LEGACY
330 depends on NETFILTER_XTABLES
331 default n
332 help
333 arptables is a legacy packet classifier.
334 This is not needed if you are using arptables over nftables
335 (arptables-nft).
336
337config NFT_COMPAT_ARP
338 tristate
339 depends on NF_TABLES_ARP && NFT_COMPAT
340 default m if NFT_COMPAT=m
341 default y if NFT_COMPAT=y
342
343config IP_NF_ARPFILTER
344 tristate "arptables-legacy packet filtering support"
345 select IP_NF_ARPTABLES
346 select NETFILTER_FAMILY_ARP
347 depends on NETFILTER_XTABLES_LEGACY
348 depends on NETFILTER_XTABLES
349 help
350 ARP packet filtering defines a table `filter', which has a series of
351 rules for simple ARP packet filtering at local input and
352 local output. This is only needed for arptables-legacy(8).
353 Neither arptables-nft nor nftables need this to work.
354
355 To compile it as a module, choose M here. If unsure, say N.
356
357config IP_NF_ARP_MANGLE
358 tristate "ARP payload mangling"
359 depends on IP_NF_ARPTABLES || NFT_COMPAT_ARP
360 help
361 Allows altering the ARP packet payload: source and destination
362 hardware and network addresses.
363
364 This option is needed by both arptables-legacy and arptables-nft.
365 It is not used by nftables.
366
367endmenu
368