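#
# IP netfilter configuration
#
# Kconfig entries for the IPv4 netfilter code: connection tracking,
# iptables tables/matches/targets, NAT and its protocol helpers, and
# arptables.  Symbols without a prompt string are hidden and are set
# only through their "default" expression or another symbol's "select".
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# No prompt: enabled only via select (NF_CONNTRACK_IPV4 below selects it).
config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

# Obsolete interface kept for old userspace; new setups should use
# CONFIG_NETFILTER_NETLINK_QUEUE instead (see the help text).
config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	depends on NETFILTER_ADVANCED
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.  Rules built on
	  this match are typically used to drop packets that carry a
	  spoofed source address.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

# NOTE(review): the help text calls ipt_ULOG obsolete, yet the option has
# no NETFILTER_ADVANCED dependency, still defaults to m when
# NETFILTER_ADVANCED=n, and its prompt lacks the "(OBSOLETE)" tag that
# IP_NF_QUEUE carries.  Confirm the default is still wanted.
config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets, unlike the LOG target
	  whose output can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.netfilter.org/projects/ulogd/index.html>

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT
	tristate "Full NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

# No prompt: y whenever NF_NAT is enabled.
config NF_NAT_NEEDED
	bool
	depends on NF_NAT
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on NF_NAT
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NF_NAT
	depends on NETFILTER_ADVANCED
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	depends on NETFILTER_ADVANCED
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through.  This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here.  If unsure, say N.

# This ALG parses and rewrites SNMP (ASN.1/BER) payloads of forwarded
# packets inside the kernel.  Its default follows NF_NAT and
# NF_CONNTRACK_SNMP, so leave NF_CONNTRACK_SNMP off (or set this to n)
# unless NAT of SNMP traffic is actually required.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	help
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

# The hidden NAT protocol/helper symbols below have no prompt.  Each one
# defaults to the weaker (m or y) of NF_NAT and the matching conntrack
# symbol, e.g. NF_NAT_FTP = min(NF_NAT, NF_CONNTRACK_FTP).
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
#
# The application helpers (FTP, IRC, TFTP, AMANDA, PPTP, H323, SIP)
# rewrite addresses/ports inside application payloads taken from network
# traffic.  Because they cannot be toggled directly, the set that gets
# built is chosen through the NF_CONNTRACK_* options; enabling only the
# helpers a deployment uses keeps the in-kernel parsing surface small.
config NF_NAT_PROTO_DCCP
	tristate
	depends on NF_NAT && NF_CT_PROTO_DCCP
	default NF_NAT && NF_CT_PROTO_DCCP

# No default: enabled only via select (NF_NAT_PPTP below selects it).
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT && NF_CT_PROTO_GRE

config NF_NAT_PROTO_UDPLITE
	tristate
	depends on NF_NAT && NF_CT_PROTO_UDPLITE
	default NF_NAT && NF_CT_PROTO_UDPLITE

config NF_NAT_PROTO_SCTP
	tristate
	depends on NF_NAT && NF_CT_PROTO_SCTP
	default NF_NAT && NF_CT_PROTO_SCTP
	select LIBCRC32C

config NF_NAT_FTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_TFTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_AMANDA
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

config NF_NAT_SIP
	tristate
	depends on NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds an `ECN' target, which can be used in the iptables
	  mangle table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
# Packets marked NOTRACK in this table bypass connection tracking, so
# stateful rules in later tables will not see connection state for them.
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
# Only offered when an LSM framework is built (depends on SECURITY).
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu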