Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
1#
2# IP netfilter configuration
3#
4
5menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
7
8config NF_DEFRAG_IPV4
9 tristate
10 default n
11
12config NF_CONNTRACK_IPV4
13 tristate "IPv4 connection tracking support (required for NAT)"
14 depends on NF_CONNTRACK
15 default m if NETFILTER_ADVANCED=n
16 select NF_DEFRAG_IPV4
17 ---help---
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are related
20 into connections.
21
22 This is IPv4 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is an experimental scheme
24 which generalizes ip_conntrack to support other layer 3 protocols.
25
26 To compile it as a module, choose M here. If unsure, say N.
27
28config NF_CONNTRACK_PROC_COMPAT
29 bool "proc/sysctl compatibility with old connection tracking"
30 depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
31 default y
32 help
33 This option enables /proc and sysctl compatibility with the old
34 layer 3 dependent connection tracking. This is needed to keep
35 old programs that have not been adapted to the new names working.
36
37 If unsure, say Y.
38
39config NF_LOG_ARP
40 tristate "ARP packet logging"
41 default m if NETFILTER_ADVANCED=n
42 select NF_LOG_COMMON
43
44config NF_LOG_IPV4
45 tristate "IPv4 packet logging"
46 default m if NETFILTER_ADVANCED=n
47 select NF_LOG_COMMON
48
49config NF_TABLES_IPV4
50 depends on NF_TABLES
51 tristate "IPv4 nf_tables support"
52 help
53 This option enables the IPv4 support for nf_tables.
54
55config NFT_CHAIN_ROUTE_IPV4
56 depends on NF_TABLES_IPV4
57 tristate "IPv4 nf_tables route chain support"
58 help
59 This option enables the "route" chain for IPv4 in nf_tables. This
60 chain type is used to force packet re-routing after mangling header
61 fields such as the source, destination, type of service and
62 the packet mark.
63
64config NF_REJECT_IPV4
65 tristate "IPv4 packet rejection"
66 default m if NETFILTER_ADVANCED=n
67
68config NFT_REJECT_IPV4
69 depends on NF_TABLES_IPV4
70 select NF_REJECT_IPV4
71 default NFT_REJECT
72 tristate
73
74config NF_TABLES_ARP
75 depends on NF_TABLES
76 tristate "ARP nf_tables support"
77 help
78 This option enables the ARP support for nf_tables.
79
80config NF_NAT_IPV4
81 tristate "IPv4 NAT"
82 depends on NF_CONNTRACK_IPV4
83 default m if NETFILTER_ADVANCED=n
84 select NF_NAT
85 help
86 The IPv4 NAT option allows masquerading, port forwarding and other
87 forms of full Network Address Port Translation. This can be
88 controlled by iptables or nft.
89
90if NF_NAT_IPV4
91
92config NFT_CHAIN_NAT_IPV4
93 depends on NF_TABLES_IPV4
94 tristate "IPv4 nf_tables nat chain support"
95 help
96 This option enables the "nat" chain for IPv4 in nf_tables. This
97 chain type is used to perform Network Address Translation (NAT)
98 packet transformations such as the source, destination address and
99 source and destination ports.
100
101config NF_NAT_MASQUERADE_IPV4
102 tristate "IPv4 masquerade support"
103 help
104 This is the kernel functionality to provide NAT in the masquerade
105 flavour (automatic source address selection).
106
107config NFT_MASQ_IPV4
108 tristate "IPv4 masquerading support for nf_tables"
109 depends on NF_TABLES_IPV4
110 depends on NFT_MASQ
111 select NF_NAT_MASQUERADE_IPV4
112 help
113 This is the expression that provides IPv4 masquerading support for
114 nf_tables.
115
116config NFT_REDIR_IPV4
117 tristate "IPv4 redirect support for nf_tables"
118 depends on NF_TABLES_IPV4
119 depends on NFT_REDIR
120 select NF_NAT_REDIRECT
121 help
122 This is the expression that provides IPv4 redirect support for
123 nf_tables.
124
125config NF_NAT_SNMP_BASIC
126 tristate "Basic SNMP-ALG support"
127 depends on NF_CONNTRACK_SNMP
128 depends on NETFILTER_ADVANCED
129 default NF_NAT && NF_CONNTRACK_SNMP
130 ---help---
131
132 This module implements an Application Layer Gateway (ALG) for
133 SNMP payloads. In conjunction with NAT, it allows a network
134 management system to access multiple private networks with
135 conflicting addresses. It works by modifying IP addresses
136 inside SNMP payloads to match IP-layer NAT mapping.
137
138 This is the "basic" form of SNMP-ALG, as described in RFC 2962.
139
140 To compile it as a module, choose M here. If unsure, say N.
141
142config NF_NAT_PROTO_GRE
143 tristate
144 depends on NF_CT_PROTO_GRE
145
146config NF_NAT_PPTP
147 tristate
148 depends on NF_CONNTRACK
149 default NF_CONNTRACK_PPTP
150 select NF_NAT_PROTO_GRE
151
152config NF_NAT_H323
153 tristate
154 depends on NF_CONNTRACK
155 default NF_CONNTRACK_H323
156
157endif # NF_NAT_IPV4
158
159config IP_NF_IPTABLES
160 tristate "IP tables support (required for filtering/masq/NAT)"
161 default m if NETFILTER_ADVANCED=n
162 select NETFILTER_XTABLES
163 help
164 iptables is a general, extensible packet identification framework.
165 The packet filtering and full NAT (masquerading, port forwarding,
166 etc) subsystems now use this: say `Y' or `M' here if you want to use
167 either of those.
168
169 To compile it as a module, choose M here. If unsure, say N.
170
171if IP_NF_IPTABLES
172
173# The matches.
174config IP_NF_MATCH_AH
175 tristate '"ah" match support'
176 depends on NETFILTER_ADVANCED
177 help
178 This match extension allows you to match a range of SPIs
179 inside the AH header of IPsec packets.
180
181 To compile it as a module, choose M here. If unsure, say N.
182
183config IP_NF_MATCH_ECN
184 tristate '"ecn" match support'
185 depends on NETFILTER_ADVANCED
186 select NETFILTER_XT_MATCH_ECN
187 ---help---
188 This is a backwards-compat option for the user's convenience
189 (e.g. when running oldconfig). It selects
190 CONFIG_NETFILTER_XT_MATCH_ECN.
191
192config IP_NF_MATCH_RPFILTER
193 tristate '"rpfilter" reverse path filter match support'
194 depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
195 ---help---
196 This option allows you to match packets whose replies would
197 go out via the interface the packet came in on (a reverse-path check, typically used to drop packets with spoofed source addresses).
198
199 To compile it as a module, choose M here. If unsure, say N.
200 The module will be called ipt_rpfilter.
201
202config IP_NF_MATCH_TTL
203 tristate '"ttl" match support'
204 depends on NETFILTER_ADVANCED
205 select NETFILTER_XT_MATCH_HL
206 ---help---
207 This is a backwards-compat option for the user's convenience
208 (e.g. when running oldconfig). It selects
209 CONFIG_NETFILTER_XT_MATCH_HL.
210
211# `filter', generic and specific targets
212config IP_NF_FILTER
213 tristate "Packet filtering"
214 default m if NETFILTER_ADVANCED=n
215 help
216 Packet filtering defines a table `filter', which has a series of
217 rules for simple packet filtering at local input, forwarding and
218 local output. See the man page for iptables(8).
219
220 To compile it as a module, choose M here. If unsure, say N.
221
222config IP_NF_TARGET_REJECT
223 tristate "REJECT target support"
224 depends on IP_NF_FILTER
225 select NF_REJECT_IPV4
226 default m if NETFILTER_ADVANCED=n
227 help
228 The REJECT target allows a filtering rule to specify that an ICMP
229 error should be issued in response to an incoming packet, rather
230 than silently being dropped.
231
232 To compile it as a module, choose M here. If unsure, say N.
233
234config IP_NF_TARGET_SYNPROXY
235 tristate "SYNPROXY target support"
236 depends on NF_CONNTRACK && NETFILTER_ADVANCED
237 select NETFILTER_SYNPROXY
238 select SYN_COOKIES
239 help
240 The SYNPROXY target allows you to intercept TCP connections and
241 establish them using syncookies before they are passed on to the
242 server. This avoids conntrack and server resource usage
243 during SYN-flood attacks.
244
245 To compile it as a module, choose M here. If unsure, say N.
246
247# NAT + specific targets: nf_conntrack
248config IP_NF_NAT
249 tristate "iptables NAT support"
250 depends on NF_CONNTRACK_IPV4
251 default m if NETFILTER_ADVANCED=n
252 select NF_NAT
253 select NF_NAT_IPV4
254 select NETFILTER_XT_NAT
255 help
256 This enables the `nat' table in iptables. This allows masquerading,
257 port forwarding and other forms of full Network Address Port
258 Translation.
259
260 To compile it as a module, choose M here. If unsure, say N.
261
262if IP_NF_NAT
263
264config IP_NF_TARGET_MASQUERADE
265 tristate "MASQUERADE target support"
266 select NF_NAT_MASQUERADE_IPV4
267 default m if NETFILTER_ADVANCED=n
268 help
269 Masquerading is a special case of NAT: all outgoing connections are
270 changed to seem to come from a particular interface's address, and
271 if the interface goes down, those connections are lost. This is
272 only useful for dialup accounts with dynamic IP address (i.e. your IP
273 address will be different on next dialup).
274
275 To compile it as a module, choose M here. If unsure, say N.
276
277config IP_NF_TARGET_NETMAP
278 tristate "NETMAP target support"
279 depends on NETFILTER_ADVANCED
280 select NETFILTER_XT_TARGET_NETMAP
281 ---help---
282 This is a backwards-compat option for the user's convenience
283 (e.g. when running oldconfig). It selects
284 CONFIG_NETFILTER_XT_TARGET_NETMAP.
285
286config IP_NF_TARGET_REDIRECT
287 tristate "REDIRECT target support"
288 depends on NETFILTER_ADVANCED
289 select NETFILTER_XT_TARGET_REDIRECT
290 ---help---
291 This is a backwards-compat option for the user's convenience
292 (e.g. when running oldconfig). It selects
293 CONFIG_NETFILTER_XT_TARGET_REDIRECT.
294
295endif # IP_NF_NAT
296
297# mangle + specific targets
298config IP_NF_MANGLE
299 tristate "Packet mangling"
300 default m if NETFILTER_ADVANCED=n
301 help
302 This option adds a `mangle' table to iptables: see the man page for
303 iptables(8). This table is used for various packet alterations
304 which can affect how the packet is routed.
305
306 To compile it as a module, choose M here. If unsure, say N.
307
308config IP_NF_TARGET_CLUSTERIP
309 tristate "CLUSTERIP target support"
310 depends on IP_NF_MANGLE
311 depends on NF_CONNTRACK_IPV4
312 depends on NETFILTER_ADVANCED
313 select NF_CONNTRACK_MARK
314 help
315 The CLUSTERIP target allows you to build load-balancing clusters of
316 network servers without having a dedicated load-balancing
317 router/server/switch.
318
319 To compile it as a module, choose M here. If unsure, say N.
320
321config IP_NF_TARGET_ECN
322 tristate "ECN target support"
323 depends on IP_NF_MANGLE
324 depends on NETFILTER_ADVANCED
325 ---help---
326 This option adds an `ECN' target, which can be used in the iptables mangle
327 table.
328
329 You can use this target to remove the ECN bits from the IPv4 header of
330 an IP packet. This is particularly useful, if you need to work around
331 existing ECN blackholes on the internet, but don't want to disable
332 ECN support in general.
333
334 To compile it as a module, choose M here. If unsure, say N.
335
336config IP_NF_TARGET_TTL
337 tristate '"TTL" target support'
338 depends on NETFILTER_ADVANCED && IP_NF_MANGLE
339 select NETFILTER_XT_TARGET_HL
340 ---help---
341 This is a backwards-compatible option for the user's convenience
342 (e.g. when running oldconfig). It selects
343 CONFIG_NETFILTER_XT_TARGET_HL.
344
345# raw + specific targets
346config IP_NF_RAW
347 tristate 'raw table support (required for NOTRACK/TRACE)'
348 help
349 This option adds a `raw' table to iptables. This table is the very
350 first in the netfilter framework and hooks in at the PREROUTING
351 and OUTPUT chains.
352
353 If you want to compile it as a module, say M here and read
354 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
355
356# security table for MAC policy
357config IP_NF_SECURITY
358 tristate "Security table"
359 depends on SECURITY
360 depends on NETFILTER_ADVANCED
361 help
362 This option adds a `security' table to iptables, for use
363 with Mandatory Access Control (MAC) policy.
364
365 If unsure, say N.
366
367endif # IP_NF_IPTABLES
368
369# ARP tables
370config IP_NF_ARPTABLES
371 tristate "ARP tables support"
372 select NETFILTER_XTABLES
373 depends on NETFILTER_ADVANCED
374 help
375 arptables is a general, extensible packet identification framework.
376 The ARP packet filtering and mangling (manipulation) subsystems
377 use this: say Y or M here if you want to use either of those.
378
379 To compile it as a module, choose M here. If unsure, say N.
380
381if IP_NF_ARPTABLES
382
383config IP_NF_ARPFILTER
384 tristate "ARP packet filtering"
385 help
386 ARP packet filtering defines a table `filter', which has a series of
387 rules for simple ARP packet filtering at local input and
388 local output. On a bridge, you can also specify filtering rules
389 for forwarded ARP packets. See the man page for arptables(8).
390
391 To compile it as a module, choose M here. If unsure, say N.
392
393config IP_NF_ARP_MANGLE
394 tristate "ARP payload mangling"
395 help
396 Allows altering the ARP packet payload: source and destination
397 hardware and network addresses.
398
399endif # IP_NF_ARPTABLES
400
401endmenu
402