Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
at v3.12-rc5
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support for layer 3 independent connection tracking,
	  an experimental scheme which generalizes ip_conntrack to support
	  other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in on.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently dropping it.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage during
	  SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support (obsolete)"
	default m if NETFILTER_ADVANCED=n
	---help---
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

if NF_NAT_IPV4

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on the next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match the IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables
	  mangle table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
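As an added example (not part of the kernel's own kconfig tooling), a small Python script that parses the `config` / `depends on` / `select` / `default` lines of a constructed excerpt of this file, computes the transitive `select` closure of a symbol (what enabling SYNPROXY forces on), and evaluates a tristate `&&` default with the min() semantics the comment in the file describes. It assumes only the plain forms used in the excerpt, not `default m if ...` conditionals.

```python
# Constructed excerpt of the Kconfig above (tab-indented like the original);
# only the plain `depends on` / `select` / `default A && B` forms are handled.
KCONFIG = """\
config IP_NF_TARGET_SYNPROXY
\ttristate "SYNPROXY target support"
\tdepends on NF_CONNTRACK && NETFILTER_ADVANCED
\tselect NETFILTER_SYNPROXY
\tselect SYN_COOKIES

config NF_NAT_PPTP
\ttristate
\tdepends on NF_CONNTRACK && NF_NAT_IPV4
\tdefault NF_NAT_IPV4 && NF_CONNTRACK_PPTP
\tselect NF_NAT_PROTO_GRE
"""

TRI = {"n": 0, "m": 1, "y": 2}  # kconfig tristate ordering: n < m < y

def parse(text):
    """Map each `config` symbol to its depends / select / default lines."""
    syms, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            cur = line.split()[1]
            syms[cur] = {"depends": [], "select": [], "default": []}
        elif cur and line.startswith("depends on "):
            syms[cur]["depends"].append(line[len("depends on "):])
        elif cur and line.startswith("select "):
            syms[cur]["select"].append(line.split()[1])
        elif cur and line.startswith("default "):
            syms[cur]["default"].append(line[len("default "):])
    return syms

def tri_and(expr, values):
    """`A && B` over tristates is min(A, B), as the file's comment says.
    `values` maps symbol -> "n"/"m"/"y"; symbols not present count as n."""
    terms = [t.strip() for t in expr.split("&&")]
    return "nmy"[min(TRI.get(values.get(t, t), 0) for t in terms)]

def selected_by(syms, root):
    """Transitive closure of `select`: everything forced on by enabling root."""
    seen, todo = set(), [root]
    while todo:
        for dep in syms.get(todo.pop(), {}).get("select", []):
            if dep not in seen:
                seen.add(dep)
                todo.append(dep)
    return sorted(seen)
```

Running it against a full Kconfig tree lets you check that a hardening requirement (say, SYN_COOKIES being on) is actually implied by the options you enabled rather than assumed.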