| # |
| # IP netfilter configuration |
| # |
| |
| menu "IP: Netfilter Configuration" |
| depends on INET && NETFILTER |
| |
| config NF_DEFRAG_IPV4 |
| tristate |
| default n |
| |
| config NF_CONNTRACK_IPV4 |
| tristate "IPv4 connection tracking support (required for NAT)" |
| depends on NF_CONNTRACK |
| default m if NETFILTER_ADVANCED=n |
| select NF_DEFRAG_IPV4 |
| ---help--- |
| Connection tracking keeps a record of what packets have passed |
| through your machine, in order to figure out how they are related |
| into connections. |
| |
| This is IPv4 support on Layer 3 independent connection tracking. |
| Layer 3 independent connection tracking is experimental scheme |
| which generalize ip_conntrack to support other layer 3 protocols. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NF_CONNTRACK_PROC_COMPAT |
| bool "proc/sysctl compatibility with old connection tracking" |
| depends on NF_CONNTRACK_IPV4 |
| default y |
| help |
| This option enables /proc and sysctl compatibility with the old |
| layer 3 dependant connection tracking. This is needed to keep |
| old programs that have not been adapted to the new names working. |
| |
| If unsure, say Y. |
| |
| config IP_NF_QUEUE |
| tristate "IP Userspace queueing via NETLINK (OBSOLETE)" |
| depends on NETFILTER_ADVANCED |
| help |
| Netfilter has the ability to queue packets to user space: the |
| netlink device can be used to access them using this driver. |
| |
| This option enables the old IPv4-only "ip_queue" implementation |
| which has been obsoleted by the new "nfnetlink_queue" code (see |
| CONFIG_NETFILTER_NETLINK_QUEUE). |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP_NF_IPTABLES |
| tristate "IP tables support (required for filtering/masq/NAT)" |
| default m if NETFILTER_ADVANCED=n |
| select NETFILTER_XTABLES |
| help |
| iptables is a general, extensible packet identification framework. |
| The packet filtering and full NAT (masquerading, port forwarding, |
| etc) subsystems now use this: say `Y' or `M' here if you want to use |
| either of those. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| if IP_NF_IPTABLES |
| |
| # The matches. |
| config IP_NF_MATCH_ADDRTYPE |
| tristate '"addrtype" address type match support' |
| depends on NETFILTER_ADVANCED |
| help |
| This option allows you to match what routing thinks of an address, |
| eg. UNICAST, LOCAL, BROADCAST, ... |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
| |
| config IP_NF_MATCH_AH |
| tristate '"ah" match support' |
| depends on NETFILTER_ADVANCED |
| help |
| This match extension allows you to match a range of SPIs |
| inside AH header of IPSec packets. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP_NF_MATCH_ECN |
| tristate '"ecn" match support' |
| depends on NETFILTER_ADVANCED |
| help |
| This option adds a `ECN' match, which allows you to match against |
| the IPv4 and TCP header ECN fields. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP_NF_MATCH_TTL |
| tristate '"ttl" match support' |
| depends on NETFILTER_ADVANCED |
| help |
| This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user |
| to match packets by their TTL value. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| # `filter', generic and specific targets |
| config IP_NF_FILTER |
| tristate "Packet filtering" |
| default m if NETFILTER_ADVANCED=n |
| help |
| Packet filtering defines a table `filter', which has a series of |
| rules for simple packet filtering at local input, forwarding and |
| local output. See the man page for iptables(8). |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP_NF_TARGET_REJECT |
| tristate "REJECT target support" |
| depends on IP_NF_FILTER |
| default m if NETFILTER_ADVANCED=n |
| help |
| The REJECT target allows a filtering rule to specify that an ICMP |
| error should be issued in response to an incoming packet, rather |
| than silently being dropped. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP_NF_TARGET_LOG |
| tristate "LOG target support" |
| default m if NETFILTER_ADVANCED=n |
| help |
| This option adds a `LOG' target, which allows you to create rules in |
| any iptables table which records the packet header to the syslog. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP_NF_TARGET_ULOG |
| tristate "ULOG target support" |
| default m if NETFILTER_ADVANCED=n |
| ---help--- |
| |
| This option enables the old IPv4-only "ipt_ULOG" implementation |
| which has been obsoleted by the new "nfnetlink_log" code (see |
| CONFIG_NETFILTER_NETLINK_LOG). |
| |
| This option adds a `ULOG' target, which allows you to create rules in |
| any iptables table. The packet is passed to a userspace logging |
| daemon using netlink multicast sockets; unlike the LOG target |
| which can only be viewed through syslog. |
| |
| The appropriate userspace logging daemon (ulogd) may be obtained from |
| <http://www.gnumonks.org/projects/ulogd/> |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| # NAT + specific targets: nf_conntrack |
| config NF_NAT |
| tristate "Full NAT" |
| depends on NF_CONNTRACK_IPV4 |
| default m if NETFILTER_ADVANCED=n |
| help |
| The Full NAT option allows masquerading, port forwarding and other |
| forms of full Network Address Port Translation. It is controlled by |
| the `nat' table in iptables: see the man page for iptables(8). |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NF_NAT_NEEDED |
| bool |
| depends on NF_NAT |
| default y |
| |
| config IP_NF_TARGET_MASQUERADE |
| tristate "MASQUERADE target support" |
| depends on NF_NAT |
| default m if NETFILTER_ADVANCED=n |
| help |
| Masquerading is a special case of NAT: all outgoing connections are |
| changed to seem to come from a particular interface's address, and |
| if the interface goes down, those connections are lost. This is |
| only useful for dialup accounts with dynamic IP address (ie. your IP |
| address will be different on next dialup). |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP_NF_TARGET_NETMAP |
| tristate "NETMAP target support" |
| depends on NF_NAT |
| depends on NETFILTER_ADVANCED |
| help |
| NETMAP is an implementation of static 1:1 NAT mapping of network |
| addresses. It maps the network address part, while keeping the host |
| address part intact. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP_NF_TARGET_REDIRECT |
| tristate "REDIRECT target support" |
| depends on NF_NAT |
| depends on NETFILTER_ADVANCED |
| help |
| REDIRECT is a special case of NAT: all incoming connections are |
| mapped onto the incoming interface's address, causing the packets to |
| come to the local machine instead of passing through. This is |
| useful for transparent proxies. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config NF_NAT_SNMP_BASIC |
| tristate "Basic SNMP-ALG support" |
| depends on NF_NAT |
| depends on NETFILTER_ADVANCED |
| ---help--- |
| |
| This module implements an Application Layer Gateway (ALG) for |
| SNMP payloads. In conjunction with NAT, it allows a network |
| management system to access multiple private networks with |
| conflicting addresses. It works by modifying IP addresses |
| inside SNMP payloads to match IP-layer NAT mapping. |
| |
| This is the "basic" form of SNMP-ALG, as described in RFC 2962 |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), |
| # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. |
| # From kconfig-language.txt: |
| # |
| # <expr> '&&' <expr> (6) |
| # |
| # (6) Returns the result of min(/expr/, /expr/). |
| config NF_NAT_PROTO_DCCP |
| tristate |
| depends on NF_NAT && NF_CT_PROTO_DCCP |
| default NF_NAT && NF_CT_PROTO_DCCP |
| |
| config NF_NAT_PROTO_GRE |
| tristate |
| depends on NF_NAT && NF_CT_PROTO_GRE |
| |
| config NF_NAT_PROTO_UDPLITE |
| tristate |
| depends on NF_NAT && NF_CT_PROTO_UDPLITE |
| default NF_NAT && NF_CT_PROTO_UDPLITE |
| |
| config NF_NAT_PROTO_SCTP |
| tristate |
| default NF_NAT && NF_CT_PROTO_SCTP |
| depends on NF_NAT && NF_CT_PROTO_SCTP |
| select LIBCRC32C |
| |
| config NF_NAT_FTP |
| tristate |
| depends on NF_CONNTRACK && NF_NAT |
| default NF_NAT && NF_CONNTRACK_FTP |
| |
| config NF_NAT_IRC |
| tristate |
| depends on NF_CONNTRACK && NF_NAT |
| default NF_NAT && NF_CONNTRACK_IRC |
| |
| config NF_NAT_TFTP |
| tristate |
| depends on NF_CONNTRACK && NF_NAT |
| default NF_NAT && NF_CONNTRACK_TFTP |
| |
| config NF_NAT_AMANDA |
| tristate |
| depends on NF_CONNTRACK && NF_NAT |
| default NF_NAT && NF_CONNTRACK_AMANDA |
| |
| config NF_NAT_PPTP |
| tristate |
| depends on NF_CONNTRACK && NF_NAT |
| default NF_NAT && NF_CONNTRACK_PPTP |
| select NF_NAT_PROTO_GRE |
| |
| config NF_NAT_H323 |
| tristate |
| depends on NF_CONNTRACK && NF_NAT |
| default NF_NAT && NF_CONNTRACK_H323 |
| |
| config NF_NAT_SIP |
| tristate |
| depends on NF_CONNTRACK && NF_NAT |
| default NF_NAT && NF_CONNTRACK_SIP |
| |
| # mangle + specific targets |
| config IP_NF_MANGLE |
| tristate "Packet mangling" |
| default m if NETFILTER_ADVANCED=n |
| help |
| This option adds a `mangle' table to iptables: see the man page for |
| iptables(8). This table is used for various packet alterations |
| which can effect how the packet is routed. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP_NF_TARGET_CLUSTERIP |
| tristate "CLUSTERIP target support (EXPERIMENTAL)" |
| depends on IP_NF_MANGLE && EXPERIMENTAL |
| depends on NF_CONNTRACK_IPV4 |
| depends on NETFILTER_ADVANCED |
| select NF_CONNTRACK_MARK |
| help |
| The CLUSTERIP target allows you to build load-balancing clusters of |
| network servers without having a dedicated load-balancing |
| router/server/switch. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP_NF_TARGET_ECN |
| tristate "ECN target support" |
| depends on IP_NF_MANGLE |
| depends on NETFILTER_ADVANCED |
| ---help--- |
| This option adds a `ECN' target, which can be used in the iptables mangle |
| table. |
| |
| You can use this target to remove the ECN bits from the IPv4 header of |
| an IP packet. This is particularly useful, if you need to work around |
| existing ECN blackholes on the internet, but don't want to disable |
| ECN support in general. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP_NF_TARGET_TTL |
| tristate 'TTL target support' |
| depends on IP_NF_MANGLE |
| depends on NETFILTER_ADVANCED |
| help |
| This option adds a `TTL' target, which enables the user to modify |
| the TTL value of the IP header. |
| |
| While it is safe to decrement/lower the TTL, this target also enables |
| functionality to increment and set the TTL value of the IP header to |
| arbitrary values. This is EXTREMELY DANGEROUS since you can easily |
| create immortal packets that loop forever on the network. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| # raw + specific targets |
| config IP_NF_RAW |
| tristate 'raw table support (required for NOTRACK/TRACE)' |
| depends on NETFILTER_ADVANCED |
| help |
| This option adds a `raw' table to iptables. This table is the very |
| first in the netfilter framework and hooks in at the PREROUTING |
| and OUTPUT chains. |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
| |
| # security table for MAC policy |
| config IP_NF_SECURITY |
| tristate "Security table" |
| depends on SECURITY |
| depends on NETFILTER_ADVANCED |
| help |
| This option adds a `security' table to iptables, for use |
| with Mandatory Access Control (MAC) policy. |
| |
| If unsure, say N. |
| |
| endif # IP_NF_IPTABLES |
| |
| # ARP tables |
| config IP_NF_ARPTABLES |
| tristate "ARP tables support" |
| select NETFILTER_XTABLES |
| depends on NETFILTER_ADVANCED |
| help |
| arptables is a general, extensible packet identification framework. |
| The ARP packet filtering and mangling (manipulation)subsystems |
| use this: say Y or M here if you want to use either of those. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| if IP_NF_ARPTABLES |
| |
| config IP_NF_ARPFILTER |
| tristate "ARP packet filtering" |
| help |
| ARP packet filtering defines a table `filter', which has a series of |
| rules for simple ARP packet filtering at local input and |
| local output. On a bridge, you can also specify filtering rules |
| for forwarded ARP packets. See the man page for arptables(8). |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP_NF_ARP_MANGLE |
| tristate "ARP payload mangling" |
| help |
| Allows altering the ARP packet payload: source and destination |
| hardware and network addresses. |
| |
| endif # IP_NF_ARPTABLES |
| |
| endmenu |
| |