1#
2# IP netfilter configuration
3#
4
5menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
7
8config NF_DEFRAG_IPV4
9 tristate
10 default n
11
12config NF_CONNTRACK_IPV4
13 tristate "IPv4 connection tracking support (required for NAT)"
14 depends on NF_CONNTRACK
15 default m if NETFILTER_ADVANCED=n
16 select NF_DEFRAG_IPV4
17 ---help---
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are grouped
20 into connections.
21
22 This is IPv4 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is an experimental scheme
24 which generalizes ip_conntrack to support other layer 3 protocols.
25
26 To compile it as a module, choose M here. If unsure, say N.
27
28config NF_CONNTRACK_PROC_COMPAT
29 bool "proc/sysctl compatibility with old connection tracking"
30 depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
31 default y
32 help
33 This option enables /proc and sysctl compatibility with the old
34 layer 3 dependent connection tracking. This is needed to keep
35 old programs that have not been adapted to the new names working.
36
37 If unsure, say Y.
38
39if NF_TABLES
40
41config NF_TABLES_IPV4
42 tristate "IPv4 nf_tables support"
43 help
44 This option enables the IPv4 support for nf_tables.
45
46if NF_TABLES_IPV4
47
48config NFT_CHAIN_ROUTE_IPV4
49 tristate "IPv4 nf_tables route chain support"
50 help
51 This option enables the "route" chain for IPv4 in nf_tables. This
52 chain type is used to force packet re-routing after mangling header
53 fields such as the source, destination, type of service and
54 the packet mark.
55
56config NFT_REJECT_IPV4
57 select NF_REJECT_IPV4
58 default NFT_REJECT
59 tristate
60
61endif # NF_TABLES_IPV4
62
63config NF_TABLES_ARP
64 tristate "ARP nf_tables support"
65 help
66 This option enables the ARP support for nf_tables.
67
68endif # NF_TABLES
69
70config NF_LOG_ARP
71 tristate "ARP packet logging"
72 default m if NETFILTER_ADVANCED=n
73 select NF_LOG_COMMON
74
75config NF_LOG_IPV4
76 tristate "IPv4 packet logging"
77 default m if NETFILTER_ADVANCED=n
78 select NF_LOG_COMMON
79
80config NF_REJECT_IPV4
81 tristate "IPv4 packet rejection"
82 default m if NETFILTER_ADVANCED=n
83
84config NF_NAT_IPV4
85 tristate "IPv4 NAT"
86 depends on NF_CONNTRACK_IPV4
87 default m if NETFILTER_ADVANCED=n
88 select NF_NAT
89 help
90 The IPv4 NAT option allows masquerading, port forwarding and other
91 forms of full Network Address Port Translation. This can be
92 controlled by iptables or nft.
93
94if NF_NAT_IPV4
95
96config NFT_CHAIN_NAT_IPV4
97 depends on NF_TABLES_IPV4
98 tristate "IPv4 nf_tables nat chain support"
99 help
100 This option enables the "nat" chain for IPv4 in nf_tables. This
101 chain type is used to perform Network Address Translation (NAT)
102 packet transformations such as the source, destination address and
103 source and destination ports.
104
105config NF_NAT_MASQUERADE_IPV4
106 tristate "IPv4 masquerade support"
107 help
108 This is the kernel functionality to provide NAT in the masquerade
109 flavour (automatic source address selection).
110
111config NFT_MASQ_IPV4
112 tristate "IPv4 masquerading support for nf_tables"
113 depends on NF_TABLES_IPV4
114 depends on NFT_MASQ
115 select NF_NAT_MASQUERADE_IPV4
116 help
117 This is the expression that provides IPv4 masquerading support for
118 nf_tables.
119
120config NFT_REDIR_IPV4
121 tristate "IPv4 redirect support for nf_tables"
122 depends on NF_TABLES_IPV4
123 depends on NFT_REDIR
124 select NF_NAT_REDIRECT
125 help
126 This is the expression that provides IPv4 redirect support for
127 nf_tables.
128
129config NF_NAT_SNMP_BASIC
130 tristate "Basic SNMP-ALG support"
131 depends on NF_CONNTRACK_SNMP
132 depends on NETFILTER_ADVANCED
133 default NF_NAT && NF_CONNTRACK_SNMP
134 ---help---
135
136 This module implements an Application Layer Gateway (ALG) for
137 SNMP payloads. In conjunction with NAT, it allows a network
138 management system to access multiple private networks with
139 conflicting addresses. It works by modifying IP addresses
140 inside SNMP payloads to match IP-layer NAT mapping.
141
142 This is the "basic" form of SNMP-ALG, as described in RFC 2962.
143
144 To compile it as a module, choose M here. If unsure, say N.
145
146config NF_NAT_PROTO_GRE
147 tristate
148 depends on NF_CT_PROTO_GRE
149
150config NF_NAT_PPTP
151 tristate
152 depends on NF_CONNTRACK
153 default NF_CONNTRACK_PPTP
154 select NF_NAT_PROTO_GRE
155
156config NF_NAT_H323
157 tristate
158 depends on NF_CONNTRACK
159 default NF_CONNTRACK_H323
160
161endif # NF_NAT_IPV4
162
163config IP_NF_IPTABLES
164 tristate "IP tables support (required for filtering/masq/NAT)"
165 default m if NETFILTER_ADVANCED=n
166 select NETFILTER_XTABLES
167 help
168 iptables is a general, extensible packet identification framework.
169 The packet filtering and full NAT (masquerading, port forwarding,
170 etc) subsystems now use this: say `Y' or `M' here if you want to use
171 either of those.
172
173 To compile it as a module, choose M here. If unsure, say N.
174
175if IP_NF_IPTABLES
176
177# The matches.
178config IP_NF_MATCH_AH
179 tristate '"ah" match support'
180 depends on NETFILTER_ADVANCED
181 help
182 This match extension allows you to match a range of SPIs
183 inside the AH header of IPsec packets.
184
185 To compile it as a module, choose M here. If unsure, say N.
186
187config IP_NF_MATCH_ECN
188 tristate '"ecn" match support'
189 depends on NETFILTER_ADVANCED
190 select NETFILTER_XT_MATCH_ECN
191 ---help---
192 This is a backwards-compat option for the user's convenience
193 (e.g. when running oldconfig). It selects
194 CONFIG_NETFILTER_XT_MATCH_ECN.
195
196config IP_NF_MATCH_RPFILTER
197 tristate '"rpfilter" reverse path filter match support'
198 depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
199 ---help---
200 This option allows you to match packets whose replies would
201 go out via the interface the packet came in on.
202
203 To compile it as a module, choose M here. If unsure, say N.
204 The module will be called ipt_rpfilter.
205
206config IP_NF_MATCH_TTL
207 tristate '"ttl" match support'
208 depends on NETFILTER_ADVANCED
209 select NETFILTER_XT_MATCH_HL
210 ---help---
211 This is a backwards-compat option for the user's convenience
212 (e.g. when running oldconfig). It selects
213 CONFIG_NETFILTER_XT_MATCH_HL.
214
215# `filter', generic and specific targets
216config IP_NF_FILTER
217 tristate "Packet filtering"
218 default m if NETFILTER_ADVANCED=n
219 help
220 Packet filtering defines a table `filter', which has a series of
221 rules for simple packet filtering at local input, forwarding and
222 local output. See the man page for iptables(8).
223
224 To compile it as a module, choose M here. If unsure, say N.
225
226config IP_NF_TARGET_REJECT
227 tristate "REJECT target support"
228 depends on IP_NF_FILTER
229 select NF_REJECT_IPV4
230 default m if NETFILTER_ADVANCED=n
231 help
232 The REJECT target allows a filtering rule to specify that an ICMP
233 error should be issued in response to an incoming packet, rather
234 than silently being dropped.
235
236 To compile it as a module, choose M here. If unsure, say N.
237
238config IP_NF_TARGET_SYNPROXY
239 tristate "SYNPROXY target support"
240 depends on NF_CONNTRACK && NETFILTER_ADVANCED
241 select NETFILTER_SYNPROXY
242 select SYN_COOKIES
243 help
244 The SYNPROXY target allows you to intercept TCP connections and
245 establish them using syncookies before they are passed on to the
246 server. This avoids conntrack and server resource usage
247 during SYN-flood attacks.
248
249 To compile it as a module, choose M here. If unsure, say N.
250
251# NAT + specific targets: nf_conntrack
252config IP_NF_NAT
253 tristate "iptables NAT support"
254 depends on NF_CONNTRACK_IPV4
255 default m if NETFILTER_ADVANCED=n
256 select NF_NAT
257 select NF_NAT_IPV4
258 select NETFILTER_XT_NAT
259 help
260 This enables the `nat' table in iptables. This allows masquerading,
261 port forwarding and other forms of full Network Address Port
262 Translation.
263
264 To compile it as a module, choose M here. If unsure, say N.
265
266if IP_NF_NAT
267
268config IP_NF_TARGET_MASQUERADE
269 tristate "MASQUERADE target support"
270 select NF_NAT_MASQUERADE_IPV4
271 default m if NETFILTER_ADVANCED=n
272 help
273 Masquerading is a special case of NAT: all outgoing connections are
274 changed to seem to come from a particular interface's address, and
275 if the interface goes down, those connections are lost. This is
276 only useful for dialup accounts with a dynamic IP address (i.e. your IP
277 address will be different on the next dialup).
278
279 To compile it as a module, choose M here. If unsure, say N.
280
281config IP_NF_TARGET_NETMAP
282 tristate "NETMAP target support"
283 depends on NETFILTER_ADVANCED
284 select NETFILTER_XT_TARGET_NETMAP
285 ---help---
286 This is a backwards-compat option for the user's convenience
287 (e.g. when running oldconfig). It selects
288 CONFIG_NETFILTER_XT_TARGET_NETMAP.
289
290config IP_NF_TARGET_REDIRECT
291 tristate "REDIRECT target support"
292 depends on NETFILTER_ADVANCED
293 select NETFILTER_XT_TARGET_REDIRECT
294 ---help---
295 This is a backwards-compat option for the user's convenience
296 (e.g. when running oldconfig). It selects
297 CONFIG_NETFILTER_XT_TARGET_REDIRECT.
298
299endif # IP_NF_NAT
300
301# mangle + specific targets
302config IP_NF_MANGLE
303 tristate "Packet mangling"
304 default m if NETFILTER_ADVANCED=n
305 help
306 This option adds a `mangle' table to iptables: see the man page for
307 iptables(8). This table is used for various packet alterations
308 which can affect how the packet is routed.
309
310 To compile it as a module, choose M here. If unsure, say N.
311
312config IP_NF_TARGET_CLUSTERIP
313 tristate "CLUSTERIP target support"
314 depends on IP_NF_MANGLE
315 depends on NF_CONNTRACK_IPV4
316 depends on NETFILTER_ADVANCED
317 select NF_CONNTRACK_MARK
318 help
319 The CLUSTERIP target allows you to build load-balancing clusters of
320 network servers without having a dedicated load-balancing
321 router/server/switch.
322
323 To compile it as a module, choose M here. If unsure, say N.
324
325config IP_NF_TARGET_ECN
326 tristate "ECN target support"
327 depends on IP_NF_MANGLE
328 depends on NETFILTER_ADVANCED
329 ---help---
330 This option adds an `ECN' target, which can be used in the iptables mangle
331 table.
332
333 You can use this target to remove the ECN bits from the IPv4 header of
334 an IP packet. This is particularly useful if you need to work around
335 existing ECN blackholes on the internet but don't want to disable
336 ECN support in general.
337
338 To compile it as a module, choose M here. If unsure, say N.
339
340config IP_NF_TARGET_TTL
341 tristate '"TTL" target support'
342 depends on NETFILTER_ADVANCED && IP_NF_MANGLE
343 select NETFILTER_XT_TARGET_HL
344 ---help---
345 This is a backwards-compatible option for the user's convenience
346 (e.g. when running oldconfig). It selects
347 CONFIG_NETFILTER_XT_TARGET_HL.
348
349# raw + specific targets
350config IP_NF_RAW
351 tristate 'raw table support (required for NOTRACK/TRACE)'
352 help
353 This option adds a `raw' table to iptables. This table is the very
354 first in the netfilter framework and hooks in at the PREROUTING
355 and OUTPUT chains.
356
357 If you want to compile it as a module, say M here and read
358 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
359
360# security table for MAC policy
361config IP_NF_SECURITY
362 tristate "Security table"
363 depends on SECURITY
364 depends on NETFILTER_ADVANCED
365 help
366 This option adds a `security' table to iptables, for use
367 with Mandatory Access Control (MAC) policy.
368
369 If unsure, say N.
370
371endif # IP_NF_IPTABLES
372
373# ARP tables
374config IP_NF_ARPTABLES
375 tristate "ARP tables support"
376 select NETFILTER_XTABLES
377 depends on NETFILTER_ADVANCED
378 help
379 arptables is a general, extensible packet identification framework.
380 The ARP packet filtering and mangling (manipulation) subsystems
381 use this: say Y or M here if you want to use either of those.
382
383 To compile it as a module, choose M here. If unsure, say N.
384
385if IP_NF_ARPTABLES
386
387config IP_NF_ARPFILTER
388 tristate "ARP packet filtering"
389 help
390 ARP packet filtering defines a table `filter', which has a series of
391 rules for simple ARP packet filtering at local input and
392 local output. On a bridge, you can also specify filtering rules
393 for forwarded ARP packets. See the man page for arptables(8).
394
395 To compile it as a module, choose M here. If unsure, say N.
396
397config IP_NF_ARP_MANGLE
398 tristate "ARP payload mangling"
399 help
400 Allows altering the ARP packet payload: source and destination
401 hardware and network addresses.
402
403endif # IP_NF_ARPTABLES
404
405endmenu
406