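#
# IP netfilter configuration
#
# Review notes (prefixed NOTE(review)) are reviewer commentary on the
# security-relevant defaults in this menu; they do not change any symbol.
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# Hidden symbol: never offered in menuconfig, only pulled in via "select"
# (NF_CONNTRACK_IPV4 below selects it).
config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): defaults to y whenever it is visible, i.e. the legacy
# /proc and sysctl names are exposed by default on every conntrack build.
# It exists only for "old programs that have not been adapted to the new
# names" (see help); a hardened or new deployment that does not run such
# programs can answer N here to drop that compatibility surface.
config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

if NF_TABLES

config NF_TABLES_IPV4
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

# Hidden symbol: follows NFT_REJECT and drags in the IPv4 reject core.
config NFT_REJECT_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.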

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

# NOTE(review): this is a traffic-mirroring primitive (the help text says a
# copy of the packet is re-routed to another destination). Selected by
# NFT_DUP_IPV4 above; only someone who can write rules gets to use it, but
# it is worth knowing it is compiled in when auditing a kernel config.
config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

# NOTE(review): the two logging backends below have no help text at all;
# both default to m in the non-ADVANCED configuration.
config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

# Shared IPv4 reject core, selected by both the nf_tables and the iptables
# REJECT implementations.
config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

# Core IPv4 NAT; everything under "if NF_NAT_IPV4" below needs it, and it in
# turn needs IPv4 conntrack.
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

# Shared masquerade core, selected by NFT_MASQ_IPV4 here and by the iptables
# MASQUERADE target further down.
config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.

# NOTE(review): an ALG parses and rewrites application payload (SNMP) in
# the kernel on the NAT path, so enabling it puts an in-kernel protocol
# parser in front of whatever traffic matches. It is already gated on
# NETFILTER_ADVANCED and defaults on only when NF_CONNTRACK_SNMP is set;
# keep it off unless the conflicting-address use case in the help text
# actually applies.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

# Hidden symbols: the GRE NAT protocol and the PPTP / H.323 NAT helpers are
# not offered in menuconfig. PPTP and H.323 follow their conntrack helper
# symbols (default NF_CONNTRACK_PPTP / NF_CONNTRACK_H323), so enabling the
# conntrack helper silently brings the matching NAT helper along once
# NF_NAT_IPV4 is on.
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Backwards-compat alias: the real implementation is the xtables symbol it
# selects.
config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

# NOTE(review): the reverse-path match is the building block for rejecting
# packets whose source address does not route back out the ingress
# interface (i.e. source-address spoofing filtering in rules). It is only
# usable from the mangle or raw table, hence the second "depends on".
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ipt_rpfilter.

# Backwards-compat alias for the xtables "hl" match.
config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): REJECT answers with an ICMP error instead of dropping
# silently (see help). Whether that is desirable on an exposed interface
# is a policy decision for the ruleset author, not for this symbol.
config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): SYNPROXY is the SYN-flood mitigation target; it forces
# SYN_COOKIES on because it completes the handshake with syncookies before
# the server (or conntrack) sees the connection. It is hidden behind
# NETFILTER_ADVANCED, so a non-advanced config will not offer it.
config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_NAT

# NOTE(review): the "only useful for dialup accounts" sentence reads as
# dated; the property that matters is the one the help text states first:
# the source address is taken from the outgoing interface and the mappings
# are dropped when that interface goes down.
config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

# Backwards-compat alias for the xtables NETMAP target.
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.
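
# Backwards-compat alias for the xtables REDIRECT target.
config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): CLUSTERIP needs the mangle table, IPv4 conntrack and the
# conntrack mark; the help text describes load balancing without a
# dedicated balancer but says nothing about how cluster members are
# authenticated - treat that as "not specified here" when assessing it.
config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

# Backwards-compat alias for the xtables HL target.
config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
# NOTE(review): the raw table hooks in "very first" (see help) and is where
# NOTRACK lives. Flows exempted from tracking there are, by construction,
# not visible to later stateful (conntrack-based) rules, so NOTRACK rules
# deserve the same review as an ACCEPT in the filter table.
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
# Only meaningful with an LSM (depends on SECURITY); the table exists so
# MAC policy can be applied to packets separately from the filter table.
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): this target rewrites the hardware/network addresses inside
# ARP packets (see help). That is a legitimate tool for a bridge or proxy,
# but it is also exactly what is needed to emit misleading ARP replies, so
# rules using it should be reviewed with that in mind.
config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu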