123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411 |
- #
- # IP netfilter configuration
- #
- menu "IP: Netfilter Configuration"
- depends on INET && NETFILTER
- config NF_DEFRAG_IPV4
- tristate
- default n
- config NF_CONNTRACK_IPV4
- tristate "IPv4 connection tracking support (required for NAT)"
- depends on NF_CONNTRACK
- default m if NETFILTER_ADVANCED=n
- select NF_DEFRAG_IPV4
- ---help---
- Connection tracking keeps a record of what packets have passed
- through your machine, in order to figure out how they are related
- into connections.
- This is IPv4 support on Layer 3 independent connection tracking.
- Layer 3 independent connection tracking is experimental scheme
- which generalize ip_conntrack to support other layer 3 protocols.
- To compile it as a module, choose M here. If unsure, say N.
- if NF_TABLES
- config NF_TABLES_IPV4
- tristate "IPv4 nf_tables support"
- help
- This option enables the IPv4 support for nf_tables.
- if NF_TABLES_IPV4
- config NFT_CHAIN_ROUTE_IPV4
- tristate "IPv4 nf_tables route chain support"
- help
- This option enables the "route" chain for IPv4 in nf_tables. This
- chain type is used to force packet re-routing after mangling header
- fields such as the source, destination, type of service and
- the packet mark.
- config NFT_REJECT_IPV4
- select NF_REJECT_IPV4
- default NFT_REJECT
- tristate
- config NFT_DUP_IPV4
- tristate "IPv4 nf_tables packet duplication support"
- depends on !NF_CONNTRACK || NF_CONNTRACK
- select NF_DUP_IPV4
- help
- This module enables IPv4 packet duplication support for nf_tables.
- endif # NF_TABLES_IPV4
- config NF_TABLES_ARP
- tristate "ARP nf_tables support"
- help
- This option enables the ARP support for nf_tables.
- endif # NF_TABLES
- config NF_DUP_IPV4
- tristate "Netfilter IPv4 packet duplication to alternate destination"
- depends on !NF_CONNTRACK || NF_CONNTRACK
- help
- This option enables the nf_dup_ipv4 core, which duplicates an IPv4
- packet to be rerouted to another destination.
- config NF_LOG_ARP
- tristate "ARP packet logging"
- default m if NETFILTER_ADVANCED=n
- select NF_LOG_COMMON
- config NF_LOG_IPV4
- tristate "IPv4 packet logging"
- default m if NETFILTER_ADVANCED=n
- select NF_LOG_COMMON
- config NF_REJECT_IPV4
- tristate "IPv4 packet rejection"
- default m if NETFILTER_ADVANCED=n
- config NF_NAT_IPV4
- tristate "IPv4 NAT"
- depends on NF_CONNTRACK_IPV4
- default m if NETFILTER_ADVANCED=n
- select NF_NAT
- help
- The IPv4 NAT option allows masquerading, port forwarding and other
- forms of full Network Address Port Translation. This can be
- controlled by iptables or nft.
- if NF_NAT_IPV4
- config NFT_CHAIN_NAT_IPV4
- depends on NF_TABLES_IPV4
- tristate "IPv4 nf_tables nat chain support"
- help
- This option enables the "nat" chain for IPv4 in nf_tables. This
- chain type is used to perform Network Address Translation (NAT)
- packet transformations such as the source, destination address and
- source and destination ports.
- config NF_NAT_MASQUERADE_IPV4
- tristate "IPv4 masquerade support"
- help
- This is the kernel functionality to provide NAT in the masquerade
- flavour (automatic source address selection).
- config NFT_MASQ_IPV4
- tristate "IPv4 masquerading support for nf_tables"
- depends on NF_TABLES_IPV4
- depends on NFT_MASQ
- select NF_NAT_MASQUERADE_IPV4
- help
- This is the expression that provides IPv4 masquerading support for
- nf_tables.
- config NFT_REDIR_IPV4
- tristate "IPv4 redirect support for nf_tables"
- depends on NF_TABLES_IPV4
- depends on NFT_REDIR
- select NF_NAT_REDIRECT
- help
- This is the expression that provides IPv4 redirect support for
- nf_tables.
- config NF_NAT_SNMP_BASIC
- tristate "Basic SNMP-ALG support"
- depends on NF_CONNTRACK_SNMP
- depends on NETFILTER_ADVANCED
- default NF_NAT && NF_CONNTRACK_SNMP
- ---help---
- This module implements an Application Layer Gateway (ALG) for
- SNMP payloads. In conjunction with NAT, it allows a network
- management system to access multiple private networks with
- conflicting addresses. It works by modifying IP addresses
- inside SNMP payloads to match IP-layer NAT mapping.
- This is the "basic" form of SNMP-ALG, as described in RFC 2962
- To compile it as a module, choose M here. If unsure, say N.
- config NF_NAT_PROTO_GRE
- tristate
- depends on NF_CT_PROTO_GRE
- config NF_NAT_PPTP
- tristate
- depends on NF_CONNTRACK
- default NF_CONNTRACK_PPTP
- select NF_NAT_PROTO_GRE
- config NF_NAT_H323
- tristate
- depends on NF_CONNTRACK
- default NF_CONNTRACK_H323
- endif # NF_NAT_IPV4
- config IP_NF_IPTABLES
- tristate "IP tables support (required for filtering/masq/NAT)"
- default m if NETFILTER_ADVANCED=n
- select NETFILTER_XTABLES
- help
- iptables is a general, extensible packet identification framework.
- The packet filtering and full NAT (masquerading, port forwarding,
- etc) subsystems now use this: say `Y' or `M' here if you want to use
- either of those.
- To compile it as a module, choose M here. If unsure, say N.
- if IP_NF_IPTABLES
- # The matches.
- config IP_NF_MATCH_AH
- tristate '"ah" match support'
- depends on NETFILTER_ADVANCED
- help
- This match extension allows you to match a range of SPIs
- inside AH header of IPSec packets.
- To compile it as a module, choose M here. If unsure, say N.
- config IP_NF_MATCH_ECN
- tristate '"ecn" match support'
- depends on NETFILTER_ADVANCED
- select NETFILTER_XT_MATCH_ECN
- ---help---
- This is a backwards-compat option for the user's convenience
- (e.g. when running oldconfig). It selects
- CONFIG_NETFILTER_XT_MATCH_ECN.
- config IP_NF_MATCH_RPFILTER
- tristate '"rpfilter" reverse path filter match support'
- depends on NETFILTER_ADVANCED
- depends on IP_NF_MANGLE || IP_NF_RAW
- ---help---
- This option allows you to match packets whose replies would
- go out via the interface the packet came in.
- To compile it as a module, choose M here. If unsure, say N.
- The module will be called ipt_rpfilter.
- config IP_NF_MATCH_TTL
- tristate '"ttl" match support'
- depends on NETFILTER_ADVANCED
- select NETFILTER_XT_MATCH_HL
- ---help---
- This is a backwards-compat option for the user's convenience
- (e.g. when running oldconfig). It selects
- CONFIG_NETFILTER_XT_MATCH_HL.
- # `filter', generic and specific targets
- config IP_NF_FILTER
- tristate "Packet filtering"
- default m if NETFILTER_ADVANCED=n
- help
- Packet filtering defines a table `filter', which has a series of
- rules for simple packet filtering at local input, forwarding and
- local output. See the man page for iptables(8).
- To compile it as a module, choose M here. If unsure, say N.
- config IP_NF_TARGET_REJECT
- tristate "REJECT target support"
- depends on IP_NF_FILTER
- select NF_REJECT_IPV4
- default m if NETFILTER_ADVANCED=n
- help
- The REJECT target allows a filtering rule to specify that an ICMP
- error should be issued in response to an incoming packet, rather
- than silently being dropped.
- To compile it as a module, choose M here. If unsure, say N.
- config IP_NF_TARGET_SYNPROXY
- tristate "SYNPROXY target support"
- depends on NF_CONNTRACK && NETFILTER_ADVANCED
- select NETFILTER_SYNPROXY
- select SYN_COOKIES
- help
- The SYNPROXY target allows you to intercept TCP connections and
- establish them using syncookies before they are passed on to the
- server. This allows to avoid conntrack and server resource usage
- during SYN-flood attacks.
- To compile it as a module, choose M here. If unsure, say N.
- # NAT + specific targets: nf_conntrack
- config IP_NF_NAT
- tristate "iptables NAT support"
- depends on NF_CONNTRACK_IPV4
- default m if NETFILTER_ADVANCED=n
- select NF_NAT
- select NF_NAT_IPV4
- select NETFILTER_XT_NAT
- help
- This enables the `nat' table in iptables. This allows masquerading,
- port forwarding and other forms of full Network Address Port
- Translation.
- To compile it as a module, choose M here. If unsure, say N.
- if IP_NF_NAT
- config IP_NF_TARGET_MASQUERADE
- tristate "MASQUERADE target support"
- select NF_NAT_MASQUERADE_IPV4
- default m if NETFILTER_ADVANCED=n
- help
- Masquerading is a special case of NAT: all outgoing connections are
- changed to seem to come from a particular interface's address, and
- if the interface goes down, those connections are lost. This is
- only useful for dialup accounts with dynamic IP address (ie. your IP
- address will be different on next dialup).
- To compile it as a module, choose M here. If unsure, say N.
- config IP_NF_TARGET_NETMAP
- tristate "NETMAP target support"
- depends on NETFILTER_ADVANCED
- select NETFILTER_XT_TARGET_NETMAP
- ---help---
- This is a backwards-compat option for the user's convenience
- (e.g. when running oldconfig). It selects
- CONFIG_NETFILTER_XT_TARGET_NETMAP.
- config IP_NF_TARGET_REDIRECT
- tristate "REDIRECT target support"
- depends on NETFILTER_ADVANCED
- select NETFILTER_XT_TARGET_REDIRECT
- ---help---
- This is a backwards-compat option for the user's convenience
- (e.g. when running oldconfig). It selects
- CONFIG_NETFILTER_XT_TARGET_REDIRECT.
- endif # IP_NF_NAT
- # mangle + specific targets
- config IP_NF_MANGLE
- tristate "Packet mangling"
- default m if NETFILTER_ADVANCED=n
- help
- This option adds a `mangle' table to iptables: see the man page for
- iptables(8). This table is used for various packet alterations
- which can effect how the packet is routed.
- To compile it as a module, choose M here. If unsure, say N.
- config IP_NF_TARGET_CLUSTERIP
- tristate "CLUSTERIP target support"
- depends on IP_NF_MANGLE
- depends on NF_CONNTRACK_IPV4
- depends on NETFILTER_ADVANCED
- select NF_CONNTRACK_MARK
- help
- The CLUSTERIP target allows you to build load-balancing clusters of
- network servers without having a dedicated load-balancing
- router/server/switch.
-
- To compile it as a module, choose M here. If unsure, say N.
- config IP_NF_TARGET_ECN
- tristate "ECN target support"
- depends on IP_NF_MANGLE
- depends on NETFILTER_ADVANCED
- ---help---
- This option adds a `ECN' target, which can be used in the iptables mangle
- table.
- You can use this target to remove the ECN bits from the IPv4 header of
- an IP packet. This is particularly useful, if you need to work around
- existing ECN blackholes on the internet, but don't want to disable
- ECN support in general.
- To compile it as a module, choose M here. If unsure, say N.
- config IP_NF_TARGET_TTL
- tristate '"TTL" target support'
- depends on NETFILTER_ADVANCED && IP_NF_MANGLE
- select NETFILTER_XT_TARGET_HL
- ---help---
- This is a backwards-compatible option for the user's convenience
- (e.g. when running oldconfig). It selects
- CONFIG_NETFILTER_XT_TARGET_HL.
- # raw + specific targets
- config IP_NF_RAW
- tristate 'raw table support (required for NOTRACK/TRACE)'
- help
- This option adds a `raw' table to iptables. This table is the very
- first in the netfilter framework and hooks in at the PREROUTING
- and OUTPUT chains.
-
- If you want to compile it as a module, say M here and read
- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
- # security table for MAC policy
- config IP_NF_SECURITY
- tristate "Security table"
- depends on SECURITY
- depends on NETFILTER_ADVANCED
- help
- This option adds a `security' table to iptables, for use
- with Mandatory Access Control (MAC) policy.
-
- If unsure, say N.
- endif # IP_NF_IPTABLES
- # ARP tables
- config IP_NF_ARPTABLES
- tristate "ARP tables support"
- select NETFILTER_XTABLES
- depends on NETFILTER_ADVANCED
- help
- arptables is a general, extensible packet identification framework.
- The ARP packet filtering and mangling (manipulation)subsystems
- use this: say Y or M here if you want to use either of those.
- To compile it as a module, choose M here. If unsure, say N.
- if IP_NF_ARPTABLES
- config IP_NF_ARPFILTER
- tristate "ARP packet filtering"
- help
- ARP packet filtering defines a table `filter', which has a series of
- rules for simple ARP packet filtering at local input and
- local output. On a bridge, you can also specify filtering rules
- for forwarded ARP packets. See the man page for arptables(8).
- To compile it as a module, choose M here. If unsure, say N.
- config IP_NF_ARP_MANGLE
- tristate "ARP payload mangling"
- help
- Allows altering the ARP packet payload: source and destination
- hardware and network addresses.
- endif # IP_NF_ARPTABLES
- endmenu
|