xref: /linux/net/ipv4/netfilter/Kconfig (revision 8b87f67b4c87452e21721887fa8dec1f4c6b2b7c)

# SPDX-License-Identifier: GPL-2.0-only
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

# old sockopt interface and eval loop
config IP_NF_IPTABLES_LEGACY
	tristate "Legacy IP tables support"
	depends on NETFILTER_XTABLES_LEGACY
	depends on NETFILTER_XTABLES
	default	m if NETFILTER_XTABLES_LEGACY
	help
	  iptables is a legacy packet classifier.
	  This is not needed if you are using iptables over nftables
	  (iptables-nft).

config NF_SOCKET_IPV4
	tristate "IPv4 socket lookup support"
	help
	  This option enables the IPv4 socket lookup infrastructure. This is
	  is required by the {ip,nf}tables socket match.

config NF_TPROXY_IPV4
	tristate "IPv4 tproxy support"

if NF_TABLES

config NF_TABLES_IPV4
	bool "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_REJECT_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.

config NFT_FIB_IPV4
	select NFT_FIB
	tristate "nf_tables fib / ip route lookup support"
	help
	  This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	bool "ARP nf_tables support"
	select NETFILTER_FAMILY_ARP
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_SYSLOG
	help
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_SYSLOG
	help
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

if NF_NAT
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	select ASN1
	help

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW || NFT_COMPAT
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n || IP_NF_IPTABLES_LEGACY
	depends on IP_NF_IPTABLES_LEGACY
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER || NFT_COMPAT
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK
	depends on IP_NF_IPTABLES_LEGACY
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NETFILTER_XT_TARGET_MASQUERADE
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n || IP_NF_IPTABLES_LEGACY
	depends on IP_NF_IPTABLES_LEGACY
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate  'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES_LEGACY
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	depends on IP_NF_IPTABLES_LEGACY
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "Legacy ARPTABLES support"
	depends on NETFILTER_XTABLES_LEGACY
	depends on NETFILTER_XTABLES
	default	n
	help
	  arptables is a legacy packet classifier.
	  This is not needed if you are using arptables over nftables
	  (iptables-nft).

config NFT_COMPAT_ARP
	tristate
	depends on NF_TABLES_ARP && NFT_COMPAT
	default m if NFT_COMPAT=m
	default y if NFT_COMPAT=y

config IP_NF_ARPFILTER
	tristate "arptables-legacy packet filtering support"
	select IP_NF_ARPTABLES
	select NETFILTER_FAMILY_ARP
	depends on NETFILTER_XTABLES_LEGACY
	depends on NETFILTER_XTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  This is only needed for arptables-legacy(8).
	  Neither arptables-nft nor nftables need this to work.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES || NFT_COMPAT_ARP
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

	  This option is needed by both arptables-legacy and arptables-nft.
	  It is not used by nftables.

endmenu