Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

at v2.6.25-rc5 383 lines 13 kB
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependant connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	depends on NETFILTER_ADVANCED
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# The matches.
config IP_NF_MATCH_RECENT
	tristate '"recent" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate '"addrtype" address type match support'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_NEEDED
	bool
	depends on NF_NAT
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on NF_NAT
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	depends on NETFILTER_ADVANCED
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NF_NAT
	depends on NETFILTER_ADVANCED
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_NAT
	depends on NETFILTER_ADVANCED
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT && NF_CT_PROTO_GRE

config NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_PPTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

config NF_NAT_SIP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endmenu
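
The comment above the NF_NAT_* helper entries says Kconfig's `&&` returns min() of its tristate operands, so each helper defaults to the weaker of NF_NAT and its conntrack helper. The script below is an added example, not part of the kernel tree: it applies that rule to a constructed .config fragment and lists enabled options that this file's help text marks obsolete or dangerous. The function names, the `FLAGGED` table and the sample are assumptions.

```python
import re

ORDER = {"n": 0, "m": 1, "y": 2}  # Kconfig tristate ordering: n < m < y

# Reasons paraphrased from the help text in this Kconfig file.
FLAGGED = {
    "IP_NF_QUEUE": "obsoleted by nfnetlink_queue",
    "IP_NF_TARGET_ULOG": "obsoleted by nfnetlink_log",
    "IP_NF_TARGET_TTL": "can raise TTL; help text warns of looping packets",
}
HELPERS = ["FTP", "IRC", "TFTP", "AMANDA", "PPTP", "H323", "SIP"]

def parse_config(text):
    """Map symbol -> 'y'/'m' from .config text; unset symbols are omitted."""
    cfg = {}
    for line in text.splitlines():
        m = re.match(r"CONFIG_(\w+)=([ym])$", line.strip())
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg

def tri_and(*values):
    """Kconfig '&&' on tristates: min() over n < m < y."""
    return min(values, key=ORDER.__getitem__)

def nat_helper_defaults(cfg):
    """Default of each promptless NF_NAT_<X>, clipped by its 'depends on'."""
    get = lambda sym: cfg.get(sym, "n")
    deps = tri_and(get("IP_NF_IPTABLES"), get("NF_CONNTRACK"), get("NF_NAT"))
    return {"NF_NAT_" + h: tri_and(deps, get("NF_NAT"), get("NF_CONNTRACK_" + h))
            for h in HELPERS}

def audit(cfg):
    """Return (symbol, value, reason) for each flagged option that is enabled."""
    return [(s, cfg[s], why) for s, why in sorted(FLAGGED.items()) if s in cfg]

# Constructed sample .config fragment (not from a real system).
SAMPLE = """\
CONFIG_IP_NF_IPTABLES=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_NAT=m
CONFIG_NF_CONNTRACK_FTP=y
# CONFIG_NF_CONNTRACK_IRC is not set
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_IP_NF_QUEUE=m
CONFIG_IP_NF_TARGET_TTL=m
"""

if __name__ == "__main__":
    print(nat_helper_defaults(parse_config(SAMPLE)))
    print(audit(parse_config(SAMPLE)))
```

With NF_NAT=m and NF_CONNTRACK_FTP=y the FTP NAT helper comes out as a module, the weaker of the two.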