Kconfig

#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_TABLES

config NF_TABLES_IPV4
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NFT_REJECT_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.
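The reverse-path test behind the rpfilter match, as an added example that is not kernel code: a small Python model of a forwarding table with longest-prefix matching, showing strict mode (the best route back to the source must leave via the interface the packet arrived on) and the `--loose` variant (any route back to the source suffices). The routing table, interface names and addresses are constructed for the example; the kernel's special handling of loopback, multicast and limited-broadcast addresses, fwmarks and `--accept-local` is left out.

```python
"""Model of the reverse-path check performed by the rpfilter match.

Added example, not kernel code. ROUTES is a constructed forwarding table and
the special cases of the real implementation are deliberately omitted.
"""
import ipaddress

# Constructed routing table: (destination prefix, egress interface).
ROUTES = [
    ("0.0.0.0/0", "eth0"),       # default route towards the uplink
    ("10.0.0.0/8", "eth1"),      # corporate network
    ("10.1.2.0/24", "eth2"),     # a DMZ subnet, more specific than 10/8
    ("192.168.1.0/24", "eth0"),  # management LAN behind the uplink interface
]


def build_fib(routes):
    """Parse the textual table once; returns [(network, iface), ...]."""
    return [(ipaddress.ip_network(prefix), iface) for prefix, iface in routes]


def lookup(fib, addr):
    """Longest-prefix match: the interface a reply to addr would leave on, or None."""
    addr = ipaddress.ip_address(addr)
    best = None
    for net, iface in fib:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def rpfilter(fib, src, in_iface, loose=False):
    """True if a packet from src arriving on in_iface passes the reverse-path test.

    strict: the best route back to src must leave via in_iface.
    loose:  it is enough that some route back to src exists; with a default
            route present this accepts nearly any source address.
    """
    out_iface = lookup(fib, src)
    if out_iface is None:
        return False                  # unroutable source: no reply path at all
    return True if loose else out_iface == in_iface


if __name__ == "__main__":
    fib = build_fib(ROUTES)
    for src, iface in [("10.1.2.5", "eth2"), ("10.1.2.5", "eth0"), ("198.51.100.9", "eth1")]:
        print(f"{src:>14} on {iface}: strict={rpfilter(fib, src, iface)} "
              f"loose={rpfilter(fib, src, iface, loose=True)}")
```

The match is only usable in PREROUTING of the raw or mangle table, which the `depends on IP_NF_MANGLE || IP_NF_RAW` line reflects; the usual deployment is `iptables -t raw -A PREROUTING -m rpfilter --invert -j DROP`. The model makes the main caveat visible: on a host with a default route, `--loose` (like `rp_filter=2`) passes a spoofed internal source arriving on the uplink, and only strict mode catches it.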
config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage during
	  SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT
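The `depends on` and `select` lines in the conntrack, NAT and target options above interact in a way worth checking mechanically: `select` switches a symbol on without honouring that symbol's own `depends on`, which is how IP_NF_TARGET_SYNPROXY forces SYN_COOKIES into the build and how kconfig's "unmet direct dependencies" warning arises, while an enclosing `if` block is an extra dependency of everything inside it. The Python below is an added example, not the kernel's kconfig tooling: it parses a hand-picked subset of this Kconfig (prompts and help dropped) and reports, for a chosen symbol, what it transitively selects and which dependencies stay unmet for a given set of enabled symbols. The parser, the expression evaluator and all function names are this example's own.

```python
"""Resolve what a Kconfig symbol pulls in ('select') and what gates it ('depends on').

Added example, not part of the kernel's kconfig tooling. KCONFIG is a subset
of the IPv4 netfilter Kconfig above with prompts and help text dropped.
"""
import re
from collections import deque

KCONFIG = """\
config NF_CONNTRACK_IPV4
	depends on NF_CONNTRACK
	select NF_DEFRAG_IPV4
config NF_NAT_IPV4
	depends on NF_CONNTRACK_IPV4
	select NF_NAT
config IP_NF_IPTABLES
	select NETFILTER_XTABLES
if IP_NF_IPTABLES
config IP_NF_TARGET_SYNPROXY
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
config IP_NF_NAT
	depends on NF_CONNTRACK_IPV4
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
if IP_NF_NAT
config IP_NF_TARGET_MASQUERADE
	select NF_NAT_MASQUERADE_IPV4
endif # IP_NF_NAT
endif # IP_NF_IPTABLES
"""

_TOKEN = re.compile(r"\(|\)|&&|\|\||!|[A-Za-z0-9_]+")


def parse_kconfig(text):
    """Return {symbol: {"depends": [expr, ...], "selects": [symbol, ...]}}."""
    symbols, cond_stack, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing '# comment'
        if not line:
            continue
        if raw[:1] not in (" ", "\t") and line.startswith("if "):
            cond_stack.append(line[3:].strip())  # enclosing 'if' gates everything inside it
        elif line == "endif":
            cond_stack.pop()
        elif line.startswith("config "):
            current = line.split()[1]
            symbols[current] = {"depends": list(cond_stack), "selects": []}
        elif current and line.startswith("depends on "):
            symbols[current]["depends"].append(line[len("depends on "):].strip())
        elif current and line.startswith("select "):
            symbols[current]["selects"].append(line.split()[1])  # 'select X if Y' qualifier dropped
    return symbols


def eval_expr(expr, enabled):
    """Evaluate a kconfig boolean expression (!, &&, ||, parentheses) over enabled symbols."""
    toks = deque(_TOKEN.findall(expr))

    def unary():
        tok = toks.popleft()
        if tok == "!":
            return not unary()
        if tok == "(":
            val = binary(0)
            toks.popleft()                       # the matching ')'
            return val
        return tok in enabled

    def binary(level):                           # level 0: '||' chain, level 1: '&&' chain
        operand = (lambda: binary(1)) if level == 0 else unary
        val = operand()
        while toks and toks[0] == ("||", "&&")[level]:
            toks.popleft()
            rhs = operand()                      # always evaluated so its tokens are consumed
            val = (val or rhs) if level == 0 else (val and rhs)
        return val

    return binary(0)


def select_closure(symbols, name):
    """Every symbol switched on, transitively, by enabling `name` (ignores their depends)."""
    seen, todo = set(), deque([name])
    while todo:
        for sel in symbols.get(todo.popleft(), {"selects": []})["selects"]:
            if sel not in seen:
                seen.add(sel)
                todo.append(sel)
    return seen


def unsatisfied_deps(symbols, name, enabled):
    """Dependency expressions of `name` that are false for this set of enabled symbols."""
    return [d for d in symbols[name]["depends"] if not eval_expr(d, enabled)]


def select_violations(symbols, name, enabled):
    """Symbols among `name` and its select closure whose dependencies stay unmet."""
    forced = {name} | select_closure(symbols, name)
    final = set(enabled) | forced
    return sorted(s for s in forced if s in symbols and unsatisfied_deps(symbols, s, final))
```

Against the real `net/ipv4/netfilter/Kconfig` this would still need `menu`, `source`, `default ... if` and `select X if Y` handling, which the parser omits; it is enough to see why `make oldconfig` can flip on options that were never chosen and why an option that `depends on NETFILTER_ADVANCED` disappears entirely when that symbol is off.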
# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets.  See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
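Before a firewall ruleset relies on any option defined above (REJECT, rpfilter, SYNPROXY, the raw or security table), it is worth checking the running kernel's `.config` rather than the Kconfig: an option can be built in (`y`), a module (`m`), explicitly off (`# ... is not set`), or absent altogether because a dependency such as NETFILTER_ADVANCED was unmet when the kernel was configured. The following Python is an added example, not kernel code: it parses `.config` lines and reports which of a chosen set of CONFIG_ symbols are unavailable. The sample `.config` excerpt is constructed, and the `REQUIRED` baseline is an assumption of this example, not something the Kconfig prescribes.

```python
"""Audit a kernel .config for the IPv4 netfilter options defined in this Kconfig.

Added example, not kernel code. SAMPLE_CONFIG is a constructed excerpt and
REQUIRED is one plausible host-firewall baseline chosen for this example.
"""
import gzip
import os
import platform
import re

# Constructed excerpt of a .config (the real one is /proc/config.gz or
# /boot/config-$(uname -r)).
SAMPLE_CONFIG = """\
CONFIG_NETFILTER=y
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_NAT_IPV4=m
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_SYNPROXY is not set
# CONFIG_IP_NF_MATCH_RPFILTER is not set
CONFIG_IP_NF_MANGLE=m
CONFIG_IP_NF_RAW=m
# CONFIG_IP_NF_SECURITY is not set
"""

# Options from the Kconfig above that this example treats as required.
REQUIRED = [
    "CONFIG_IP_NF_IPTABLES",
    "CONFIG_IP_NF_FILTER",
    "CONFIG_IP_NF_TARGET_REJECT",
    "CONFIG_IP_NF_MATCH_RPFILTER",
    "CONFIG_IP_NF_RAW",
    "CONFIG_IP_NF_TARGET_SYNPROXY",
    "CONFIG_IP_NF_SECURITY",
]

_NOT_SET = re.compile(r"#\s*(CONFIG_\w+) is not set$")
_ASSIGN = re.compile(r"(CONFIG_\w+)=(.+)$")


def parse_dotconfig(text):
    """Map CONFIG_* symbols to their raw value: 'y', 'm', 'n', or a string/number."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        m = _NOT_SET.match(line)
        if m:
            cfg[m.group(1)] = "n"
            continue
        m = _ASSIGN.match(line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def state(cfg, option):
    """'y' built-in, 'm' module, 'n' explicitly off, 'absent' never offered.

    'absent' usually means a dependency was unmet (NETFILTER_ADVANCED=n hides
    every option above that depends on it) or the kernel predates the option.
    """
    return cfg.get(option, "absent")


def audit(cfg, required=REQUIRED):
    """Return [(option, state)] for required options that are neither built-in nor a module."""
    return [(o, state(cfg, o)) for o in required if state(cfg, o) not in ("y", "m")]


def load_running_config():
    """Read the running kernel's config if it is exposed; None otherwise."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    path = "/boot/config-" + platform.release()
    if os.path.exists(path):
        with open(path) as f:
            return f.read()
    return None


if __name__ == "__main__":
    text = load_running_config() or SAMPLE_CONFIG
    for option, st in audit(parse_dotconfig(text)):
        print(f"{option}: {st}")
```

A result of `m` is only as good as the ability to load the module at the time the rule is installed: on a host with `kernel.modules_disabled=1`, or a module-signing policy that rejects the netfilter modules, `m` at audit time still means the rule fails later, so treat `y` and `m` differently when the firewall must come up before such lockdown is applied.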