[deliverable/linux.git] / net / ipv4 / netfilter / Kconfig
1da177e4
LT
1#
2# IP netfilter configuration
3#
4
5menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
7
73e4022f
KK
8config NF_DEFRAG_IPV4
9 tristate
10 default n
11
9fb9cbb1 12config NF_CONNTRACK_IPV4
c9386cfd
PM
13 tristate "IPv4 connection tracking support (required for NAT)"
14 depends on NF_CONNTRACK
33b8e776 15 default m if NETFILTER_ADVANCED=n
73e4022f 16 select NF_DEFRAG_IPV4
9fb9cbb1
YK
17 ---help---
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are related
20 into connections.
21
22 This is IPv4 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is an experimental scheme
24 which generalizes ip_conntrack to support other layer 3 protocols.
25
26 To compile it as a module, choose M here. If unsure, say N.
27
a999e683
PM
28config NF_CONNTRACK_PROC_COMPAT
29 bool "proc/sysctl compatibility with old connection tracking"
54b07dca 30 depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
a999e683
PM
31 default y
32 help
33 This option enables /proc and sysctl compatibility with the old
67c0d579 34 layer 3 dependent connection tracking. This is needed to keep
a999e683
PM
35 old programs that have not been adapted to the new names working.
36
37 If unsure, say Y.
38
c1878869
PNA
39config NF_LOG_ARP
40 tristate "ARP packet logging"
41 default m if NETFILTER_ADVANCED=n
42 select NF_LOG_COMMON
43
44config NF_LOG_IPV4
45 tristate "IPv4 packet logging"
46 default m if NETFILTER_ADVANCED=n
47 select NF_LOG_COMMON
48
96518518
PM
49config NF_TABLES_IPV4
50 depends on NF_TABLES
51 tristate "IPv4 nf_tables support"
d497c635
PNA
52 help
53 This option enables the IPv4 support for nf_tables.
96518518 54
9370761c 55config NFT_CHAIN_ROUTE_IPV4
96518518 56 depends on NF_TABLES_IPV4
9370761c 57 tristate "IPv4 nf_tables route chain support"
d497c635
PNA
58 help
59 This option enables the "route" chain for IPv4 in nf_tables. This
60 chain type is used to force packet re-routing after mangling header
61 fields such as the source, destination, type of service and
62 the packet mark.
96518518 63
c8d7b98b
PNA
64config NF_REJECT_IPV4
65 tristate "IPv4 packet rejection"
66 default m if NETFILTER_ADVANCED=n
67
cc4723ca
PM
68config NFT_REJECT_IPV4
69 depends on NF_TABLES_IPV4
c8d7b98b 70 select NF_REJECT_IPV4
cc4723ca
PM
71 default NFT_REJECT
72 tristate
73
ed683f13
PNA
74config NF_TABLES_ARP
75 depends on NF_TABLES
76 tristate "ARP nf_tables support"
d497c635
PNA
77 help
78 This option enables the ARP support for nf_tables.
ed683f13 79
8993cf8e
PNA
80config NF_NAT_IPV4
81 tristate "IPv4 NAT"
82 depends on NF_CONNTRACK_IPV4
83 default m if NETFILTER_ADVANCED=n
84 select NF_NAT
85 help
86 The IPv4 NAT option allows masquerading, port forwarding and other
87 forms of full Network Address Port Translation. This can be
88 controlled by iptables or nft.
89
90if NF_NAT_IPV4
91
3e8dc212
PNA
92config NFT_CHAIN_NAT_IPV4
93 depends on NF_TABLES_IPV4
94 tristate "IPv4 nf_tables nat chain support"
95 help
96 This option enables the "nat" chain for IPv4 in nf_tables. This
97 chain type is used to perform Network Address Translation (NAT)
98 packet transformations, such as rewriting the source and destination
99 addresses and the source and destination ports.
100
0bbe80e5
PNA
101config NF_NAT_MASQUERADE_IPV4
102 tristate "IPv4 masquerade support"
103 help
104 This is the kernel functionality to provide NAT in the masquerade
105 flavour (automatic source address selection).
106
107config NFT_MASQ_IPV4
108 tristate "IPv4 masquerading support for nf_tables"
109 depends on NF_TABLES_IPV4
110 depends on NFT_MASQ
111 select NF_NAT_MASQUERADE_IPV4
112 help
113 This is the expression that provides IPv4 masquerading support for
114 nf_tables.
115
8993cf8e
PNA
116config NF_NAT_SNMP_BASIC
117 tristate "Basic SNMP-ALG support"
118 depends on NF_CONNTRACK_SNMP
119 depends on NETFILTER_ADVANCED
120 default NF_NAT && NF_CONNTRACK_SNMP
121 ---help---
122
123 This module implements an Application Layer Gateway (ALG) for
124 SNMP payloads. In conjunction with NAT, it allows a network
125 management system to access multiple private networks with
126 conflicting addresses. It works by modifying IP addresses
127 inside SNMP payloads to match IP-layer NAT mapping.
128
129 This is the "basic" form of SNMP-ALG, as described in RFC 2962.
130
131 To compile it as a module, choose M here. If unsure, say N.
132
133config NF_NAT_PROTO_GRE
134 tristate
135 depends on NF_CT_PROTO_GRE
136
137config NF_NAT_PPTP
138 tristate
139 depends on NF_CONNTRACK
140 default NF_CONNTRACK_PPTP
141 select NF_NAT_PROTO_GRE
142
143config NF_NAT_H323
144 tristate
145 depends on NF_CONNTRACK
146 default NF_CONNTRACK_H323
147
148endif # NF_NAT_IPV4
149
1da177e4
LT
150config IP_NF_IPTABLES
151 tristate "IP tables support (required for filtering/masq/NAT)"
33b8e776 152 default m if NETFILTER_ADVANCED=n
a3c941b0 153 select NETFILTER_XTABLES
1da177e4
LT
154 help
155 iptables is a general, extensible packet identification framework.
156 The packet filtering and full NAT (masquerading, port forwarding,
157 etc) subsystems now use this: say `Y' or `M' here if you want to use
158 either of those.
159
160 To compile it as a module, choose M here. If unsure, say N.
161
c2df73de
JE
162if IP_NF_IPTABLES
163
1da177e4 164# The matches.
dc5ab2fa 165config IP_NF_MATCH_AH
4c37799c 166 tristate '"ah" match support'
33b8e776 167 depends on NETFILTER_ADVANCED
1da177e4 168 help
dc5ab2fa
YK
169 This match extension allows you to match a range of SPIs
170 inside the AH header of IPsec packets.
1da177e4
LT
171
172 To compile it as a module, choose M here. If unsure, say N.
173
aba0d348
JE
174config IP_NF_MATCH_ECN
175 tristate '"ecn" match support'
33b8e776 176 depends on NETFILTER_ADVANCED
d446a820
JE
177 select NETFILTER_XT_MATCH_ECN
178 ---help---
179 This is a backwards-compat option for the user's convenience
180 (e.g. when running oldconfig). It selects
181 CONFIG_NETFILTER_XT_MATCH_ECN.
1da177e4 182
8f97339d
FW
183config IP_NF_MATCH_RPFILTER
184 tristate '"rpfilter" reverse path filter match support'
d37d6968 185 depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
8f97339d
FW
186 ---help---
187 This option allows you to match packets whose replies would
188 go out via the interface the packet came in on.
189
190 To compile it as a module, choose M here. If unsure, say N.
191 The module will be called ipt_rpfilter.
192
4323362e
JE
193config IP_NF_MATCH_TTL
194 tristate '"ttl" match support'
195 depends on NETFILTER_ADVANCED
196 select NETFILTER_XT_MATCH_HL
197 ---help---
198 This is a backwards-compat option for the user's convenience
199 (e.g. when running oldconfig). It selects
67c0d579 200 CONFIG_NETFILTER_XT_MATCH_HL.
4323362e 201
1da177e4
LT
202# `filter', generic and specific targets
203config IP_NF_FILTER
204 tristate "Packet filtering"
33b8e776 205 default m if NETFILTER_ADVANCED=n
1da177e4
LT
206 help
207 Packet filtering defines a table `filter', which has a series of
208 rules for simple packet filtering at local input, forwarding and
209 local output. See the man page for iptables(8).
210
211 To compile it as a module, choose M here. If unsure, say N.
212
213config IP_NF_TARGET_REJECT
214 tristate "REJECT target support"
215 depends on IP_NF_FILTER
c8d7b98b 216 select NF_REJECT_IPV4
33b8e776 217 default m if NETFILTER_ADVANCED=n
1da177e4
LT
218 help
219 The REJECT target allows a filtering rule to specify that an ICMP
220 error should be issued in response to an incoming packet, rather
221 than silently being dropped.
222
223 To compile it as a module, choose M here. If unsure, say N.
224
48b1de4c
PM
225config IP_NF_TARGET_SYNPROXY
226 tristate "SYNPROXY target support"
227 depends on NF_CONNTRACK && NETFILTER_ADVANCED
228 select NETFILTER_SYNPROXY
229 select SYN_COOKIES
230 help
231 The SYNPROXY target allows you to intercept TCP connections and
232 establish them using syncookies before they are passed on to the
233 server. This avoids conntrack and server resource usage
234 during SYN-flood attacks.
235
236 To compile it as a module, choose M here. If unsure, say N.
237
5b1158e9 238# NAT + specific targets: nf_conntrack
8993cf8e
PNA
239config IP_NF_NAT
240 tristate "iptables NAT support"
c2df73de 241 depends on NF_CONNTRACK_IPV4
33b8e776 242 default m if NETFILTER_ADVANCED=n
c7232c99 243 select NF_NAT
8993cf8e
PNA
244 select NF_NAT_IPV4
245 select NETFILTER_XT_NAT
5b1158e9 246 help
8993cf8e
PNA
247 This enables the `nat' table in iptables. This allows masquerading,
248 port forwarding and other forms of full Network Address Port
249 Translation.
5b1158e9
JK
250
251 To compile it as a module, choose M here. If unsure, say N.
252
8993cf8e 253if IP_NF_NAT
1da177e4
LT
254
255config IP_NF_TARGET_MASQUERADE
256 tristate "MASQUERADE target support"
8dd33cc9 257 select NF_NAT_MASQUERADE_IPV4
33b8e776 258 default m if NETFILTER_ADVANCED=n
1da177e4
LT
259 help
260 Masquerading is a special case of NAT: all outgoing connections are
261 changed to seem to come from a particular interface's address, and
262 if the interface goes down, those connections are lost. This is
263 only useful for dialup accounts with dynamic IP address (i.e. your IP
264 address will be different on next dialup).
265
266 To compile it as a module, choose M here. If unsure, say N.
267
aba0d348
JE
268config IP_NF_TARGET_NETMAP
269 tristate "NETMAP target support"
33b8e776 270 depends on NETFILTER_ADVANCED
b3d54b3e
JE
271 select NETFILTER_XT_TARGET_NETMAP
272 ---help---
273 This is a backwards-compat option for the user's convenience
274 (e.g. when running oldconfig). It selects
275 CONFIG_NETFILTER_XT_TARGET_NETMAP.
1da177e4 276
aba0d348
JE
277config IP_NF_TARGET_REDIRECT
278 tristate "REDIRECT target support"
33b8e776 279 depends on NETFILTER_ADVANCED
2cbc78a2
JE
280 select NETFILTER_XT_TARGET_REDIRECT
281 ---help---
282 This is a backwards-compat option for the user's convenience
283 (e.g. when running oldconfig). It selects
284 CONFIG_NETFILTER_XT_TARGET_REDIRECT.
1da177e4 285
8993cf8e 286endif # IP_NF_NAT
f587de0e 287
1da177e4
LT
288# mangle + specific targets
289config IP_NF_MANGLE
290 tristate "Packet mangling"
33b8e776 291 default m if NETFILTER_ADVANCED=n
1da177e4
LT
292 help
293 This option adds a `mangle' table to iptables: see the man page for
294 iptables(8). This table is used for various packet alterations
295 which can affect how the packet is routed.
296
297 To compile it as a module, choose M here. If unsure, say N.
298
aba0d348 299config IP_NF_TARGET_CLUSTERIP
aec9a0eb
KC
300 tristate "CLUSTERIP target support"
301 depends on IP_NF_MANGLE
aba0d348
JE
302 depends on NF_CONNTRACK_IPV4
303 depends on NETFILTER_ADVANCED
304 select NF_CONNTRACK_MARK
305 help
306 The CLUSTERIP target allows you to build load-balancing clusters of
307 network servers without having a dedicated load-balancing
308 router/server/switch.
309
310 To compile it as a module, choose M here. If unsure, say N.
311
1da177e4
LT
312config IP_NF_TARGET_ECN
313 tristate "ECN target support"
314 depends on IP_NF_MANGLE
33b8e776 315 depends on NETFILTER_ADVANCED
1da177e4
LT
316 ---help---
317 This option adds an `ECN' target, which can be used in the iptables mangle
318 table.
319
320 You can use this target to remove the ECN bits from the IPv4 header of
321 an IP packet. This is particularly useful if you need to work around
322 existing ECN blackholes on the internet, but don't want to disable
323 ECN support in general.
324
325 To compile it as a module, choose M here. If unsure, say N.
326
4323362e
JE
327config IP_NF_TARGET_TTL
328 tristate '"TTL" target support'
76b6717b 329 depends on NETFILTER_ADVANCED && IP_NF_MANGLE
4323362e
JE
330 select NETFILTER_XT_TARGET_HL
331 ---help---
76b6717b 332 This is a backwards-compatible option for the user's convenience
4323362e 333 (e.g. when running oldconfig). It selects
67c0d579 334 CONFIG_NETFILTER_XT_TARGET_HL.
4323362e 335
1da177e4
LT
336# raw + specific targets
337config IP_NF_RAW
338 tristate 'raw table support (required for NOTRACK/TRACE)'
1da177e4
LT
339 help
340 This option adds a `raw' table to iptables. This table is the very
341 first in the netfilter framework and hooks in at the PREROUTING
342 and OUTPUT chains.
343
344 If you want to compile it as a module, say M here and read
e403149c 345 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
560ee653
JM
346
347# security table for MAC policy
348config IP_NF_SECURITY
349 tristate "Security table"
560ee653 350 depends on SECURITY
70eed75d 351 depends on NETFILTER_ADVANCED
560ee653
JM
352 help
353 This option adds a `security' table to iptables, for use
354 with Mandatory Access Control (MAC) policy.
355
356 If unsure, say N.
1da177e4 357
c2df73de
JE
358endif # IP_NF_IPTABLES
359
1da177e4
LT
360# ARP tables
361config IP_NF_ARPTABLES
362 tristate "ARP tables support"
a3c941b0 363 select NETFILTER_XTABLES
33b8e776 364 depends on NETFILTER_ADVANCED
1da177e4
LT
365 help
366 arptables is a general, extensible packet identification framework.
367 The ARP packet filtering and mangling (manipulation) subsystems
368 use this: say Y or M here if you want to use either of those.
369
370 To compile it as a module, choose M here. If unsure, say N.
371
c2df73de
JE
372if IP_NF_ARPTABLES
373
1da177e4
LT
374config IP_NF_ARPFILTER
375 tristate "ARP packet filtering"
1da177e4
LT
376 help
377 ARP packet filtering defines a table `filter', which has a series of
378 rules for simple ARP packet filtering at local input and
379 local output. On a bridge, you can also specify filtering rules
380 for forwarded ARP packets. See the man page for arptables(8).
381
382 To compile it as a module, choose M here. If unsure, say N.
383
384config IP_NF_ARP_MANGLE
385 tristate "ARP payload mangling"
1da177e4
LT
386 help
387 Allows altering the ARP packet payload: source and destination
388 hardware and network addresses.
389
c2df73de
JE
390endif # IP_NF_ARPTABLES
391
1da177e4
LT
392endmenu
393