#
# IP netfilter configuration
#

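# Everything in this menu is offered only when both IPv4 (INET) and the
# netfilter core (NETFILTER) are enabled.
# (Listing line numbers that were fused onto each line have been removed;
# with them the file is not valid Kconfig.)
menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER
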
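# Promptless helper symbol: it has no prompt string, so it cannot be set from
# the menu. In this file it is turned on through `select' by NF_CONNTRACK_IPV4.
config NF_DEFRAG_IPV4
	tristate
	default n
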
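# IPv4 connection tracking. NF_NAT and the CLUSTERIP target in this file
# depend on it; it defaults to m when NETFILTER_ADVANCED is off.
# NOTE(review): tracking is stateful, so every tracked flow occupies a table
# entry; size the table for the expected load (nf_conntrack_max sysctl).
config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.
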
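# Keeps the old connection-tracking /proc and sysctl names available.
# Defaults to y whenever NF_CONNTRACK_PROCFS and NF_CONNTRACK_IPV4 are set.
config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.
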
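# Obsolete IPv4-only queueing of packets to user space. It is hidden unless
# NETFILTER_ADVANCED is set and has no default, so it stays off unless chosen.
# NOTE(review): a queued packet waits for a verdict from a user-space
# process, which makes that process part of the filtering path. For new
# setups use the replacement named in the help text.
config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	depends on NETFILTER_ADVANCED
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here.  If unsure, say N.
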
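# Core iptables support. It pulls in the shared x_tables code through
# `select' and gates every match, table and target inside the
# `if IP_NF_IPTABLES' block that follows.
config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.
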
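if IP_NF_IPTABLES

# The matches.
# "ah" match: selects packets by the SPI range in the IPsec AH header.
# Only offered when NETFILTER_ADVANCED is set.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.
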
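# Compatibility alias: its only effect is to select the generic
# NETFILTER_XT_MATCH_ECN symbol, so that old .config files keep working.
config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.
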
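# Reverse-path check exposed as an iptables match. The match is true for
# packets whose reply would leave through the interface they arrived on.
# NOTE(review): rulesets commonly drop what fails this match as a check
# against spoofed source addresses; confirm it suits asymmetric routing
# before relying on it.
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.
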
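# Compatibility alias: its only effect is to select the generic
# NETFILTER_XT_MATCH_HL symbol, so that old .config files keep working.
config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.
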
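# `filter', generic and specific targets
# The `filter' table is where ordinary accept/drop rules live. It defaults
# to m when NETFILTER_ADVANCED is off, and REJECT depends on it.
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.
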
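# REJECT target for the `filter' table.
# NOTE(review): unlike a silent drop, REJECT answers with an ICMP error, so
# each rejected packet produces traffic toward the source address it carried.
# Consider rate limiting REJECT rules on hosts exposed to untrusted networks.
config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.
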
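# LOG target: writes packet headers to the kernel log (syslog).
# NOTE(review): a LOG rule with no rate limit lets remote traffic decide how
# fast the log grows; pair LOG rules with a limit match so that one noisy
# peer cannot crowd out other log entries.
config IP_NF_TARGET_LOG
	tristate "LOG target support"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.
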
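# Old IPv4-only ULOG target; packets are handed to a user-space logging
# daemon over netlink multicast.
# NOTE(review): the help text calls this implementation obsolete, yet it
# still defaults to m when NETFILTER_ADVANCED=n, so it is built unless it is
# switched off explicitly.
config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target,
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here.  If unsure, say N.
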
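# NAT + specific targets: nf_conntrack
# Full NAT, driven by the iptables `nat' table. It needs IPv4 connection
# tracking; the NAT targets and helper symbols in this file depend on it.
config NF_NAT
	tristate "Full NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.
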
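# Promptless marker symbol: it cannot be set from the menu and defaults to y
# once NF_NAT is enabled.
config NF_NAT_NEEDED
	bool
	depends on NF_NAT
	default y
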
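# MASQUERADE: source NAT to whatever address the outgoing interface holds.
# As the help text notes, connections are lost when that interface goes down.
config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on NF_NAT
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.
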
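# NETMAP: static 1:1 mapping of the network part of an address.
# Needs NF_NAT and is only offered when NETFILTER_ADVANCED is set.
config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NF_NAT
	depends on NETFILTER_ADVANCED
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact.

	  To compile it as a module, choose M here.  If unsure, say N.
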
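# REDIRECT: rewrites the destination so that traffic passing through is
# delivered to the local machine (transparent proxying).
# Needs NF_NAT and is only offered when NETFILTER_ADVANCED is set.
config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	depends on NETFILTER_ADVANCED
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through.  This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here.  If unsure, say N.
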
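# SNMP application-layer gateway for NAT.
# NOTE(review): the default expression equals the dependency, so this ALG is
# switched on as soon as NF_NAT and NF_CONNTRACK_SNMP are both set. It
# rewrites addresses inside SNMP payloads in the kernel, so turn it off on
# builds that do not need to NAT SNMP traffic.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.
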
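# Promptless NAT protocol and helper symbols follow. Most of them default to
# the weaker (n < m < y) of NF_NAT and their conntrack counterpart, e.g. for
# FTP: NF_NAT && NF_CONNTRACK_FTP.
# The note below is kept as written; IP_NF_NAT and IP_NF_FTP are not defined
# in this file (the symbols used here are NF_NAT and NF_CONNTRACK_FTP).
#
# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_DCCP
	tristate
	depends on NF_NAT && NF_CT_PROTO_DCCP
	default NF_NAT && NF_CT_PROTO_DCCP
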
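# Promptless and without a default: in this file it is only enabled through
# `select' by NF_NAT_PPTP.
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT && NF_CT_PROTO_GRE
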
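# Promptless: follows the weaker of NF_NAT and NF_CT_PROTO_UDPLITE.
config NF_NAT_PROTO_UDPLITE
	tristate
	depends on NF_NAT && NF_CT_PROTO_UDPLITE
	default NF_NAT && NF_CT_PROTO_UDPLITE
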
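# Promptless: follows the weaker of NF_NAT and NF_CT_PROTO_SCTP, and selects
# LIBCRC32C. Attribute order matches the DCCP and UDPLITE entries
# (depends before default); Kconfig does not care about the order.
config NF_NAT_PROTO_SCTP
	tristate
	depends on NF_NAT && NF_CT_PROTO_SCTP
	default NF_NAT && NF_CT_PROTO_SCTP
	select LIBCRC32C
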
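# Promptless NAT side of the FTP helper: follows the weaker of NF_NAT and
# NF_CONNTRACK_FTP, so disabling the conntrack helper disables this too.
config NF_NAT_FTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP
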
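# Promptless NAT side of the IRC helper: follows the weaker of NF_NAT and
# NF_CONNTRACK_IRC.
config NF_NAT_IRC
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC
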
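# Promptless NAT side of the TFTP helper: follows the weaker of NF_NAT and
# NF_CONNTRACK_TFTP.
config NF_NAT_TFTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP
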
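# Promptless NAT side of the Amanda helper: follows the weaker of NF_NAT and
# NF_CONNTRACK_AMANDA.
config NF_NAT_AMANDA
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA
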
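# Promptless NAT side of the PPTP helper: follows the weaker of NF_NAT and
# NF_CONNTRACK_PPTP, and selects NF_NAT_PROTO_GRE.
config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE
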
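# Promptless NAT side of the H.323 helper: follows the weaker of NF_NAT and
# NF_CONNTRACK_H323.
config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323
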
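# Promptless NAT side of the SIP helper: follows the weaker of NF_NAT and
# NF_CONNTRACK_SIP.
config NF_NAT_SIP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP
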
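# mangle + specific targets
# The `mangle' table is used for packet alteration. The CLUSTERIP, ECN and
# TTL targets in this file depend on it.
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.
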
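# CLUSTERIP: load balancing across servers without a dedicated balancer.
# Marked EXPERIMENTAL; it needs the mangle table and IPv4 connection
# tracking, and selects NF_CONNTRACK_MARK.
config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.
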
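# ECN target for the mangle table: clears the ECN bits in the IPv4 header.
# Only offered when NETFILTER_ADVANCED is set.
config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables
	  mangle table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.
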
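# Compatibility alias: its only effect is to select the generic
# NETFILTER_XT_TARGET_HL symbol, so that old .config files keep working.
config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.
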
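# raw + specific targets
# The `raw' table hooks in before the rest of netfilter; the prompt names
# NOTRACK and TRACE as the features that need it. It has no default and no
# NETFILTER_ADVANCED dependency, so it is always offered and off unless chosen.
config IP_NF_RAW
	tristate "raw table support (required for NOTRACK/TRACE)"
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
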
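# security table for MAC policy
# Only offered when the kernel has SECURITY enabled and NETFILTER_ADVANCED is
# set. It has no default, so builds that rely on packet labelling rules in
# this table must enable it explicitly.
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES
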
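# ARP tables
# Core arptables support. It gates the ARP filter and ARP mangle options in
# the `if IP_NF_ARPTABLES' block that follows. Attribute order matches the
# rest of the file (depends before select); Kconfig does not care about it.
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XTABLES
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.
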
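if IP_NF_ARPTABLES

# ARP `filter' table: rules for ARP packets at local input and local output,
# and for forwarded ARP packets on a bridge.
config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.
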
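# ARP mangle: lets rules rewrite the hardware and network addresses carried
# in an ARP payload. No default, so it stays off unless chosen.
config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu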