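#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# Hidden option; pulled in via 'select' by NF_CONNTRACK_IPV4 below.
config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is the IPv4 support for Layer 3 independent connection
	  tracking.  Layer 3 independent connection tracking is an
	  experimental scheme which generalizes ip_conntrack to support
	  other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking.  This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config NF_TABLES_IPV4
	depends on NF_TABLES
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables.  This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	depends on NF_NAT_IPV4 && NFT_NAT
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables.  This
	  chain type is used to perform Network Address Translation (NAT):
	  rewriting the source or destination address and the source or
	  destination port of a packet.

# Hidden option; follows the generic NFT_REJECT setting.
config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4
	default NFT_REJECT
	tristate

config NF_TABLES_ARP
	depends on NF_TABLES
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.  It is typically
	  used in the raw or mangle table to drop packets whose source
	  address is not reachable back through the ingress interface,
	  i.e. as a source address anti-spoofing check.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than the packet being silently dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server.  This avoids consuming conntrack and server resources
	  for half-open connections during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support (obsolete)"
	default m if NETFILTER_ADVANCED=n
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).  New rulesets should use the
	  nfnetlink_log based logging instead; keep this only for existing
	  ULOG deployments.

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table.  The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_NAT_IPV4

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for interfaces with a dynamically assigned IP address
	  (e.g. dialup or DHCP), where the address may differ each time the
	  link comes up.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match the IP-layer NAT mapping.

	  Like any ALG, this parses and rewrites application-layer payloads
	  inside the kernel, so it is best enabled only where SNMP through
	  NAT is actually required.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

# The hidden NAT helpers below default to "<a> && <b>" so that they are
# built the same way (m or y) as the weaker of the two options they
# depend on.  From kconfig-language.txt:
#
#   <expr> '&&' <expr>                           (6)
#
#   (6) Returns the result of min(/expr/, /expr/).

# Hidden option; selected by NF_NAT_PPTP below (PPTP data is carried
# over GRE, so GRE NAT is needed alongside it).
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

# Hidden option; follows the PPTP conntrack helper when IPv4 NAT is on.
config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

# Hidden option; follows the H.323 conntrack helper when IPv4 NAT is on.
config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables
	  mangle table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig).  It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables.  This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets.  See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu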