IP netfilter configuration, at v2.6.22
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

# The matches.
config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address
	  ranges.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_AH
	tristate "AH match support"
	depends on IP_NF_IPTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate "address type match support"
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  e.g. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table.  The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target,
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_NEEDED
	bool
	depends on NF_NAT
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your IP
	  address will be different on the next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through.  This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses.  It maps the network address part, while keeping the host
	  address part intact.  It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	depends on NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_NAT
	---help---
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#         <expr> '&&' <expr>                           (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT && NF_CT_PROTO_GRE

config NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_PPTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

config NF_NAT_SIP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.
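The NF_NAT_SNMP_BASIC help text above says the ALG works by modifying IP addresses inside SNMP payloads to match the IP-layer NAT mapping. The following is an added illustration of that step, not the kernel's nf_nat_snmp_basic code: a small BER walker that rewrites IpAddress-typed values in a constructed SNMPv1 message. The IP/UDP header and checksum fix-ups a real ALG must also perform are out of scope here, and the address embedded in the OID index is left alone.

```python
"""Added example (not kernel code): rewrite IpAddress values inside a
BER-encoded SNMP message according to a NAT mapping."""

IPADDRESS_TAG = 0x40  # SNMP IpAddress: [APPLICATION 0] IMPLICIT OCTET STRING (SIZE(4))

def encode_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def decode_length(buf: bytes, i: int):
    """Return (length, index of first value byte) for the length field at buf[i]."""
    first = buf[i]
    if first < 0x80:
        return first, i + 1
    n = first & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(value)) + value

def ip_bytes(ip: str) -> bytes:
    return bytes(int(o) for o in ip.split("."))

def rewrite_ips(buf: bytes, mapping: dict) -> bytes:
    """Re-encode buf, recursing into constructed types (tag bit 5 set) and
    replacing every 4-byte IpAddress whose dotted form is a key of mapping."""
    out, i = bytearray(), 0
    while i < len(buf):
        tag = buf[i]
        length, start = decode_length(buf, i + 1)
        end = start + length
        if end > len(buf):
            raise ValueError("truncated TLV")  # reject malformed input rather than rewrite partially
        value = buf[start:end]
        if tag & 0x20:
            value = rewrite_ips(value, mapping)
        elif tag == IPADDRESS_TAG and length == 4:
            dotted = ".".join(map(str, value))
            if dotted in mapping:
                value = ip_bytes(mapping[dotted])
        out += tlv(tag, value)
        i = end
    return bytes(out)

# Constructed SNMPv1 GetResponse: varbind ipAdEntAddr.10.0.0.5 = IpAddress 10.0.0.5.
IP_AD_ENT_ADDR = bytes([0x2B, 6, 1, 2, 1, 4, 20, 1, 1, 10, 0, 0, 5])  # 1.3.6.1.2.1.4.20.1.1.10.0.0.5
SAMPLE_MSG = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x04, b"public") + tlv(0xA2,
    tlv(0x02, b"\x01") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") +
    tlv(0x30, tlv(0x30, tlv(0x06, IP_AD_ENT_ADDR) + tlv(IPADDRESS_TAG, ip_bytes("10.0.0.5"))))))
```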

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	---help---
	  This option adds an `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate "TTL target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values.  This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate "raw table support (required for NOTRACK/TRACE)"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables.  This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.
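The TOS, ECN and TTL targets in the mangle section above each rewrite a byte of the IPv4 header, and any such change must also fix the header checksum or the next router will discard the packet. The following added example (not kernel code) shows the ECN case on a constructed header: clear the two ECN bits, update the checksum incrementally as in RFC 1624, and cross-check against a full recomputation.

```python
"""Added example (not kernel code): clear the IPv4 ECN bits and keep the
header checksum valid, the fix-up every mangle target has to perform."""
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum, computed with the checksum field taken as zero."""
    h = header[:10] + b"\x00\x00" + header[12:]
    total = sum(struct.unpack("!%dH" % (len(h) // 2), h))
    while total >> 16:  # fold carries: ones-complement addition
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(tos: int, src: str, dst: str) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a valid checksum."""
    def ip(s):
        return bytes(int(o) for o in s.split("."))
    h = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 84, 0x1C46, 0x4000, 64, 6, 0, ip(src), ip(dst))
    return h[:10] + struct.pack("!H", ipv4_checksum(h)) + h[12:]

def clear_ecn(header: bytes) -> bytes:
    """Clear ECN (low 2 bits of the TOS byte) and update the checksum
    incrementally, RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), where m is the
    old 16-bit word (version/IHL + TOS) and m' the new one."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    m = struct.unpack("!H", header[0:2])[0]
    m_new = m & ~0x0003
    hc = struct.unpack("!H", header[10:12])[0]
    total = (~hc & 0xFFFF) + (~m & 0xFFFF) + m_new
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    hc_new = ~total & 0xFFFF
    return struct.pack("!H", m_new) + header[2:10] + struct.pack("!H", hc_new) + header[12:]

# Constructed sample: a CE-marked packet (ECN bits = 11) with a valid checksum.
SAMPLE_HEADER = build_header(0x03, "192.168.0.1", "198.51.100.7")
```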

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets.  See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endmenu