Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	default m if NETFILTER_ADVANCED=n
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_NAT_IPV4

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endmenu
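
Added example (not part of the kernel tree): the file's comment on tristate '&&' being min() determines whether the promptless NAT helpers NF_NAT_PPTP, NF_NAT_H323 and NF_NAT_PROTO_GRE end up built in, modular or absent, which matters when auditing which payload-rewriting helpers a kernel configuration carries. The evaluator below is a simplified model that handles only &&, || and !, treats unset symbols as n, and ignores prompts; the function names and the sample configuration are constructed for illustration.

```python
import re

RANK = {"n": 0, "m": 1, "y": 2}

# depends-on and default expressions copied from the entries on this page
HELPERS = {
    "NF_NAT_PPTP": ("NF_CONNTRACK && NF_NAT_IPV4", "NF_NAT_IPV4 && NF_CONNTRACK_PPTP"),
    "NF_NAT_H323": ("NF_CONNTRACK && NF_NAT_IPV4", "NF_NAT_IPV4 && NF_CONNTRACK_H323"),
}

def evaluate(expr, cfg):
    """Evaluate a tristate expression using &&, || and ! (no parentheses or comparisons)."""
    tokens = re.findall(r"&&|\|\||!|\w+", expr)
    pos = 0

    def atom():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "!":
            return 2 - atom()               # !y = n, !m = m, !n = y
        return RANK[tok] if tok in RANK else RANK[cfg.get(tok, "n")]

    def conj():
        nonlocal pos
        val = atom()
        while pos < len(tokens) and tokens[pos] == "&&":
            pos += 1
            val = min(val, atom())          # '&&' is min(), per kconfig-language.txt
        return val

    val = conj()
    while pos < len(tokens) and tokens[pos] == "||":
        pos += 1
        val = max(val, conj())              # '||' is max()
    return "nmy"[val]

def resolve_helpers(cfg):
    """Promptless helpers: default capped by dependencies (simplified model)."""
    out = {sym: evaluate(f"{default} && {depends}", cfg)
           for sym, (depends, default) in HELPERS.items()}
    # Assumption: NF_NAT_PROTO_GRE has no default, so only the select from
    # NF_NAT_PPTP can raise it, and it then follows NF_NAT_PPTP's value.
    out["NF_NAT_PROTO_GRE"] = out["NF_NAT_PPTP"]
    return out

# Constructed sample configuration, not taken from a real .config
SAMPLE = {"NF_CONNTRACK": "y", "NF_NAT_IPV4": "m", "NF_CONNTRACK_PPTP": "y"}

if __name__ == "__main__":
    for sym, val in resolve_helpers(SAMPLE).items():
        print(f"CONFIG_{sym}={val}")
```

With NF_NAT_IPV4=m and NF_CONNTRACK_PPTP=y the PPTP helper resolves to m, the weaker of the two, and drags NF_NAT_PROTO_GRE along through its select.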