2 # IP netfilter configuration
5 menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
12 config NF_CONNTRACK_IPV4
13 tristate "IPv4 connection tracking support (required for NAT)"
14 depends on NF_CONNTRACK
15 default m if NETFILTER_ADVANCED=n
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are related
22 This is IPv4 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is experimental scheme
24 which generalize ip_conntrack to support other layer 3 protocols.
26 To compile it as a module, choose M here. If unsure, say N.
28 config NF_CONNTRACK_PROC_COMPAT
29 bool "proc/sysctl compatibility with old connection tracking"
30 depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
33 This option enables /proc and sysctl compatibility with the old
34 layer 3 dependent connection tracking. This is needed to keep
35 old programs that have not been adapted to the new names working.
42 tristate "IPv4 nf_tables support"
44 This option enables the IPv4 support for nf_tables.
48 config NFT_CHAIN_ROUTE_IPV4
49 tristate "IPv4 nf_tables route chain support"
51 This option enables the "route" chain for IPv4 in nf_tables. This
52 chain type is used to force packet re-routing after mangling header
53 fields such as the source, destination, type of service and
56 config NFT_REJECT_IPV4
62 tristate "IPv4 nf_tables packet duplication support"
65 This module enables IPv4 packet duplication support for nf_tables.
67 endif # NF_TABLES_IPV4
70 tristate "ARP nf_tables support"
72 This option enables the ARP support for nf_tables.
77 tristate "Netfilter IPv4 packet duplication to alternate destination"
78 depends on !NF_CONNTRACK || NF_CONNTRACK
80 This option enables the nf_dup_ipv4 core, which duplicates an IPv4
81 packet to be rerouted to another destination.
84 tristate "ARP packet logging"
85 default m if NETFILTER_ADVANCED=n
89 tristate "IPv4 packet logging"
90 default m if NETFILTER_ADVANCED=n
94 tristate "IPv4 packet rejection"
95 default m if NETFILTER_ADVANCED=n
99 depends on NF_CONNTRACK_IPV4
100 default m if NETFILTER_ADVANCED=n
103 The IPv4 NAT option allows masquerading, port forwarding and other
104 forms of full Network Address Port Translation. This can be
105 controlled by iptables or nft.
109 config NFT_CHAIN_NAT_IPV4
110 depends on NF_TABLES_IPV4
111 tristate "IPv4 nf_tables nat chain support"
113 This option enables the "nat" chain for IPv4 in nf_tables. This
114 chain type is used to perform Network Address Translation (NAT)
115 packet transformations such as the source, destination address and
116 source and destination ports.
118 config NF_NAT_MASQUERADE_IPV4
119 tristate "IPv4 masquerade support"
121 This is the kernel functionality to provide NAT in the masquerade
122 flavour (automatic source address selection).
125 tristate "IPv4 masquerading support for nf_tables"
126 depends on NF_TABLES_IPV4
128 select NF_NAT_MASQUERADE_IPV4
130 This is the expression that provides IPv4 masquerading support for
133 config NFT_REDIR_IPV4
134 tristate "IPv4 redirect support for nf_tables"
135 depends on NF_TABLES_IPV4
137 select NF_NAT_REDIRECT
139 This is the expression that provides IPv4 redirect support for
142 config NF_NAT_SNMP_BASIC
143 tristate "Basic SNMP-ALG support"
144 depends on NF_CONNTRACK_SNMP
145 depends on NETFILTER_ADVANCED
146 default NF_NAT && NF_CONNTRACK_SNMP
149 This module implements an Application Layer Gateway (ALG) for
150 SNMP payloads. In conjunction with NAT, it allows a network
151 management system to access multiple private networks with
152 conflicting addresses. It works by modifying IP addresses
153 inside SNMP payloads to match IP-layer NAT mapping.
155 This is the "basic" form of SNMP-ALG, as described in RFC 2962
157 To compile it as a module, choose M here. If unsure, say N.
159 config NF_NAT_PROTO_GRE
161 depends on NF_CT_PROTO_GRE
165 depends on NF_CONNTRACK
166 default NF_CONNTRACK_PPTP
167 select NF_NAT_PROTO_GRE
171 depends on NF_CONNTRACK
172 default NF_CONNTRACK_H323
176 config IP_NF_IPTABLES
177 tristate "IP tables support (required for filtering/masq/NAT)"
178 default m if NETFILTER_ADVANCED=n
179 select NETFILTER_XTABLES
181 iptables is a general, extensible packet identification framework.
182 The packet filtering and full NAT (masquerading, port forwarding,
183 etc) subsystems now use this: say `Y' or `M' here if you want to use
186 To compile it as a module, choose M here. If unsure, say N.
191 config IP_NF_MATCH_AH
192 tristate '"ah" match support'
193 depends on NETFILTER_ADVANCED
195 This match extension allows you to match a range of SPIs
196 inside AH header of IPSec packets.
198 To compile it as a module, choose M here. If unsure, say N.
200 config IP_NF_MATCH_ECN
201 tristate '"ecn" match support'
202 depends on NETFILTER_ADVANCED
203 select NETFILTER_XT_MATCH_ECN
205 This is a backwards-compat option for the user's convenience
206 (e.g. when running oldconfig). It selects
207 CONFIG_NETFILTER_XT_MATCH_ECN.
209 config IP_NF_MATCH_RPFILTER
210 tristate '"rpfilter" reverse path filter match support'
211 depends on NETFILTER_ADVANCED
212 depends on IP_NF_MANGLE || IP_NF_RAW
214 This option allows you to match packets whose replies would
215 go out via the interface the packet came in.
217 To compile it as a module, choose M here. If unsure, say N.
218 The module will be called ipt_rpfilter.
220 config IP_NF_MATCH_TTL
221 tristate '"ttl" match support'
222 depends on NETFILTER_ADVANCED
223 select NETFILTER_XT_MATCH_HL
225 This is a backwards-compat option for the user's convenience
226 (e.g. when running oldconfig). It selects
227 CONFIG_NETFILTER_XT_MATCH_HL.
229 # `filter', generic and specific targets
231 tristate "Packet filtering"
232 default m if NETFILTER_ADVANCED=n
234 Packet filtering defines a table `filter', which has a series of
235 rules for simple packet filtering at local input, forwarding and
236 local output. See the man page for iptables(8).
238 To compile it as a module, choose M here. If unsure, say N.
240 config IP_NF_TARGET_REJECT
241 tristate "REJECT target support"
242 depends on IP_NF_FILTER
243 select NF_REJECT_IPV4
244 default m if NETFILTER_ADVANCED=n
246 The REJECT target allows a filtering rule to specify that an ICMP
247 error should be issued in response to an incoming packet, rather
248 than silently being dropped.
250 To compile it as a module, choose M here. If unsure, say N.
252 config IP_NF_TARGET_SYNPROXY
253 tristate "SYNPROXY target support"
254 depends on NF_CONNTRACK && NETFILTER_ADVANCED
255 select NETFILTER_SYNPROXY
258 The SYNPROXY target allows you to intercept TCP connections and
259 establish them using syncookies before they are passed on to the
260 server. This allows to avoid conntrack and server resource usage
261 during SYN-flood attacks.
263 To compile it as a module, choose M here. If unsure, say N.
265 # NAT + specific targets: nf_conntrack
267 tristate "iptables NAT support"
268 depends on NF_CONNTRACK_IPV4
269 default m if NETFILTER_ADVANCED=n
272 select NETFILTER_XT_NAT
274 This enables the `nat' table in iptables. This allows masquerading,
275 port forwarding and other forms of full Network Address Port
278 To compile it as a module, choose M here. If unsure, say N.
282 config IP_NF_TARGET_MASQUERADE
283 tristate "MASQUERADE target support"
284 select NF_NAT_MASQUERADE_IPV4
285 default m if NETFILTER_ADVANCED=n
287 Masquerading is a special case of NAT: all outgoing connections are
288 changed to seem to come from a particular interface's address, and
289 if the interface goes down, those connections are lost. This is
290 only useful for dialup accounts with dynamic IP address (ie. your IP
291 address will be different on next dialup).
293 To compile it as a module, choose M here. If unsure, say N.
295 config IP_NF_TARGET_NETMAP
296 tristate "NETMAP target support"
297 depends on NETFILTER_ADVANCED
298 select NETFILTER_XT_TARGET_NETMAP
300 This is a backwards-compat option for the user's convenience
301 (e.g. when running oldconfig). It selects
302 CONFIG_NETFILTER_XT_TARGET_NETMAP.
304 config IP_NF_TARGET_REDIRECT
305 tristate "REDIRECT target support"
306 depends on NETFILTER_ADVANCED
307 select NETFILTER_XT_TARGET_REDIRECT
309 This is a backwards-compat option for the user's convenience
310 (e.g. when running oldconfig). It selects
311 CONFIG_NETFILTER_XT_TARGET_REDIRECT.
315 # mangle + specific targets
317 tristate "Packet mangling"
318 default m if NETFILTER_ADVANCED=n
320 This option adds a `mangle' table to iptables: see the man page for
321 iptables(8). This table is used for various packet alterations
322 which can effect how the packet is routed.
324 To compile it as a module, choose M here. If unsure, say N.
326 config IP_NF_TARGET_CLUSTERIP
327 tristate "CLUSTERIP target support"
328 depends on IP_NF_MANGLE
329 depends on NF_CONNTRACK_IPV4
330 depends on NETFILTER_ADVANCED
331 select NF_CONNTRACK_MARK
333 The CLUSTERIP target allows you to build load-balancing clusters of
334 network servers without having a dedicated load-balancing
335 router/server/switch.
337 To compile it as a module, choose M here. If unsure, say N.
339 config IP_NF_TARGET_ECN
340 tristate "ECN target support"
341 depends on IP_NF_MANGLE
342 depends on NETFILTER_ADVANCED
344 This option adds a `ECN' target, which can be used in the iptables mangle
347 You can use this target to remove the ECN bits from the IPv4 header of
348 an IP packet. This is particularly useful, if you need to work around
349 existing ECN blackholes on the internet, but don't want to disable
350 ECN support in general.
352 To compile it as a module, choose M here. If unsure, say N.
354 config IP_NF_TARGET_TTL
355 tristate '"TTL" target support'
356 depends on NETFILTER_ADVANCED && IP_NF_MANGLE
357 select NETFILTER_XT_TARGET_HL
359 This is a backwards-compatible option for the user's convenience
360 (e.g. when running oldconfig). It selects
361 CONFIG_NETFILTER_XT_TARGET_HL.
363 # raw + specific targets
365 tristate 'raw table support (required for NOTRACK/TRACE)'
367 This option adds a `raw' table to iptables. This table is the very
368 first in the netfilter framework and hooks in at the PREROUTING
371 If you want to compile it as a module, say M here and read
372 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
374 # security table for MAC policy
375 config IP_NF_SECURITY
376 tristate "Security table"
378 depends on NETFILTER_ADVANCED
380 This option adds a `security' table to iptables, for use
381 with Mandatory Access Control (MAC) policy.
385 endif # IP_NF_IPTABLES
388 config IP_NF_ARPTABLES
389 tristate "ARP tables support"
390 select NETFILTER_XTABLES
391 depends on NETFILTER_ADVANCED
393 arptables is a general, extensible packet identification framework.
394 The ARP packet filtering and mangling (manipulation)subsystems
395 use this: say Y or M here if you want to use either of those.
397 To compile it as a module, choose M here. If unsure, say N.
401 config IP_NF_ARPFILTER
402 tristate "ARP packet filtering"
404 ARP packet filtering defines a table `filter', which has a series of
405 rules for simple ARP packet filtering at local input and
406 local output. On a bridge, you can also specify filtering rules
407 for forwarded ARP packets. See the man page for arptables(8).
409 To compile it as a module, choose M here. If unsure, say N.
411 config IP_NF_ARP_MANGLE
412 tristate "ARP payload mangling"
414 Allows altering the ARP packet payload: source and destination
415 hardware and network addresses.
417 endif # IP_NF_ARPTABLES
projects / karo-tx-linux.git / blob