cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux

Kconfig (10417B)


      1# SPDX-License-Identifier: GPL-2.0-only
      2#
      3# IP netfilter configuration
      4#
      5
      6menu "IP: Netfilter Configuration"
      7	depends on INET && NETFILTER
      8
      9config NF_DEFRAG_IPV4
     10	tristate
     11	default n
     12
     13config NF_SOCKET_IPV4
     14	tristate "IPv4 socket lookup support"
     15	help
     16	  This option enables the IPv4 socket lookup infrastructure. This
     17	  is required by the {ip,nf}tables socket match.
     18
     19config NF_TPROXY_IPV4
     20	tristate "IPv4 tproxy support"
     21
     22if NF_TABLES
     23
     24config NF_TABLES_IPV4
     25	bool "IPv4 nf_tables support"
     26	help
     27	  This option enables the IPv4 support for nf_tables.
     28
     29if NF_TABLES_IPV4
     30
     31config NFT_REJECT_IPV4
     32	select NF_REJECT_IPV4
     33	default NFT_REJECT
     34	tristate
     35
     36config NFT_DUP_IPV4
     37	tristate "IPv4 nf_tables packet duplication support"
     38	depends on !NF_CONNTRACK || NF_CONNTRACK
     39	select NF_DUP_IPV4
     40	help
     41	  This module enables IPv4 packet duplication support for nf_tables.
     42
     43config NFT_FIB_IPV4
     44	select NFT_FIB
     45	tristate "nf_tables fib / ip route lookup support"
     46	help
     47	  This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
     48	  It also allows query of the FIB for the route type, e.g. local, unicast,
     49	  multicast or blackhole.
     50
     51endif # NF_TABLES_IPV4
     52
     53config NF_TABLES_ARP
     54	bool "ARP nf_tables support"
     55	select NETFILTER_FAMILY_ARP
     56	help
     57	  This option enables the ARP support for nf_tables.
     58
     59endif # NF_TABLES
     60
     61config NF_DUP_IPV4
     62	tristate "Netfilter IPv4 packet duplication to alternate destination"
     63	depends on !NF_CONNTRACK || NF_CONNTRACK
     64	help
     65	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
     66	  packet to be rerouted to another destination.
     67
     68config NF_LOG_ARP
     69	tristate "ARP packet logging"
     70	default m if NETFILTER_ADVANCED=n
     71	select NF_LOG_SYSLOG
     72	help
     73	This is a backwards-compat option for the user's convenience
     74	(e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.
     75
     76config NF_LOG_IPV4
     77	tristate "IPv4 packet logging"
     78	default m if NETFILTER_ADVANCED=n
     79	select NF_LOG_SYSLOG
     80	help
     81	This is a backwards-compat option for the user's convenience
     82	(e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.
     83
     84config NF_REJECT_IPV4
     85	tristate "IPv4 packet rejection"
     86	default m if NETFILTER_ADVANCED=n
     87
     88if NF_NAT
     89config NF_NAT_SNMP_BASIC
     90	tristate "Basic SNMP-ALG support"
     91	depends on NF_CONNTRACK_SNMP
     92	depends on NETFILTER_ADVANCED
     93	default NF_NAT && NF_CONNTRACK_SNMP
     94	select ASN1
     95	help
     96
     97	  This module implements an Application Layer Gateway (ALG) for
     98	  SNMP payloads.  In conjunction with NAT, it allows a network
     99	  management system to access multiple private networks with
    100	  conflicting addresses.  It works by modifying IP addresses
    101	  inside SNMP payloads to match IP-layer NAT mapping.
    102
    103	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.
    104
    105	  To compile it as a module, choose M here.  If unsure, say N.
    106
    107config NF_NAT_PPTP
    108	tristate
    109	depends on NF_CONNTRACK
    110	default NF_CONNTRACK_PPTP
    111
    112config NF_NAT_H323
    113	tristate
    114	depends on NF_CONNTRACK
    115	default NF_CONNTRACK_H323
    116
    117endif # NF_NAT
    118
    119config IP_NF_IPTABLES
    120	tristate "IP tables support (required for filtering/masq/NAT)"
    121	default m if NETFILTER_ADVANCED=n
    122	select NETFILTER_XTABLES
    123	help
    124	  iptables is a general, extensible packet identification framework.
    125	  The packet filtering and full NAT (masquerading, port forwarding,
    126	  etc) subsystems now use this: say `Y' or `M' here if you want to use
    127	  either of those.
    128
    129	  To compile it as a module, choose M here.  If unsure, say N.
    130
    131if IP_NF_IPTABLES
    132
    133# The matches.
    134config IP_NF_MATCH_AH
    135	tristate '"ah" match support'
    136	depends on NETFILTER_ADVANCED
    137	help
    138	  This match extension allows you to match a range of SPIs
    139	  inside AH header of IPSec packets.
    140
    141	  To compile it as a module, choose M here.  If unsure, say N.
    142
    143config IP_NF_MATCH_ECN
    144	tristate '"ecn" match support'
    145	depends on NETFILTER_ADVANCED
    146	select NETFILTER_XT_MATCH_ECN
    147	help
    148	This is a backwards-compat option for the user's convenience
    149	(e.g. when running oldconfig). It selects
    150	CONFIG_NETFILTER_XT_MATCH_ECN.
    151
    152config IP_NF_MATCH_RPFILTER
    153	tristate '"rpfilter" reverse path filter match support'
    154	depends on NETFILTER_ADVANCED
    155	depends on IP_NF_MANGLE || IP_NF_RAW
    156	help
    157	  This option allows you to match packets whose replies would
    158	  go out via the same interface the packet came in on.
    159
    160	  To compile it as a module, choose M here.  If unsure, say N.
    161	  The module will be called ipt_rpfilter.
    162
    163config IP_NF_MATCH_TTL
    164	tristate '"ttl" match support'
    165	depends on NETFILTER_ADVANCED
    166	select NETFILTER_XT_MATCH_HL
    167	help
    168	This is a backwards-compat option for the user's convenience
    169	(e.g. when running oldconfig). It selects
    170	CONFIG_NETFILTER_XT_MATCH_HL.
    171
    172# `filter', generic and specific targets
    173config IP_NF_FILTER
    174	tristate "Packet filtering"
    175	default m if NETFILTER_ADVANCED=n
    176	help
    177	  Packet filtering defines a table `filter', which has a series of
    178	  rules for simple packet filtering at local input, forwarding and
    179	  local output.  See the man page for iptables(8).
    180
    181	  To compile it as a module, choose M here.  If unsure, say N.
    182
    183config IP_NF_TARGET_REJECT
    184	tristate "REJECT target support"
    185	depends on IP_NF_FILTER
    186	select NF_REJECT_IPV4
    187	default m if NETFILTER_ADVANCED=n
    188	help
    189	  The REJECT target allows a filtering rule to specify that an ICMP
    190	  error should be issued in response to an incoming packet, rather
    191	  than silently being dropped.
    192
    193	  To compile it as a module, choose M here.  If unsure, say N.
    194
    195config IP_NF_TARGET_SYNPROXY
    196	tristate "SYNPROXY target support"
    197	depends on NF_CONNTRACK && NETFILTER_ADVANCED
    198	select NETFILTER_SYNPROXY
    199	select SYN_COOKIES
    200	help
    201	  The SYNPROXY target allows you to intercept TCP connections and
    202	  establish them using syncookies before they are passed on to the
    203	  server. This avoids conntrack and server resource usage
    204	  during SYN-flood attacks.
    205
    206	  To compile it as a module, choose M here. If unsure, say N.
    207
    208# NAT + specific targets: nf_conntrack
    209config IP_NF_NAT
    210	tristate "iptables NAT support"
    211	depends on NF_CONNTRACK
    212	default m if NETFILTER_ADVANCED=n
    213	select NF_NAT
    214	select NETFILTER_XT_NAT
    215	help
    216	  This enables the `nat' table in iptables. This allows masquerading,
    217	  port forwarding and other forms of full Network Address Port
    218	  Translation.
    219
    220	  To compile it as a module, choose M here.  If unsure, say N.
    221
    222if IP_NF_NAT
    223
    224config IP_NF_TARGET_MASQUERADE
    225	tristate "MASQUERADE target support"
    226	select NETFILTER_XT_TARGET_MASQUERADE
    227	help
    228	  This is a backwards-compat option for the user's convenience
    229	  (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
    230
    231config IP_NF_TARGET_NETMAP
    232	tristate "NETMAP target support"
    233	depends on NETFILTER_ADVANCED
    234	select NETFILTER_XT_TARGET_NETMAP
    235	help
    236	This is a backwards-compat option for the user's convenience
    237	(e.g. when running oldconfig). It selects
    238	CONFIG_NETFILTER_XT_TARGET_NETMAP.
    239
    240config IP_NF_TARGET_REDIRECT
    241	tristate "REDIRECT target support"
    242	depends on NETFILTER_ADVANCED
    243	select NETFILTER_XT_TARGET_REDIRECT
    244	help
    245	This is a backwards-compat option for the user's convenience
    246	(e.g. when running oldconfig). It selects
    247	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
    248
    249endif # IP_NF_NAT
    250
    251# mangle + specific targets
    252config IP_NF_MANGLE
    253	tristate "Packet mangling"
    254	default m if NETFILTER_ADVANCED=n
    255	help
    256	  This option adds a `mangle' table to iptables: see the man page for
    257	  iptables(8).  This table is used for various packet alterations
    258	  which can affect how the packet is routed.
    259
    260	  To compile it as a module, choose M here.  If unsure, say N.
    261
    262config IP_NF_TARGET_CLUSTERIP
    263	tristate "CLUSTERIP target support"
    264	depends on IP_NF_MANGLE
    265	depends on NF_CONNTRACK
    266	depends on NETFILTER_ADVANCED
    267	select NF_CONNTRACK_MARK
    268	select NETFILTER_FAMILY_ARP
    269	help
    270	  The CLUSTERIP target allows you to build load-balancing clusters of
    271	  network servers without having a dedicated load-balancing
    272	  router/server/switch.
    273
    274	  To compile it as a module, choose M here.  If unsure, say N.
    275
    276config IP_NF_TARGET_ECN
    277	tristate "ECN target support"
    278	depends on IP_NF_MANGLE
    279	depends on NETFILTER_ADVANCED
    280	help
    281	  This option adds an `ECN' target, which can be used in the iptables mangle
    282	  table.
    283
    284	  You can use this target to remove the ECN bits from the IPv4 header of
    285	  an IP packet.  This is particularly useful, if you need to work around
    286	  existing ECN blackholes on the internet, but don't want to disable
    287	  ECN support in general.
    288
    289	  To compile it as a module, choose M here.  If unsure, say N.
    290
    291config IP_NF_TARGET_TTL
    292	tristate '"TTL" target support'
    293	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
    294	select NETFILTER_XT_TARGET_HL
    295	help
    296	This is a backwards-compatible option for the user's convenience
    297	(e.g. when running oldconfig). It selects
    298	CONFIG_NETFILTER_XT_TARGET_HL.
    299
    300# raw + specific targets
    301config IP_NF_RAW
    302	tristate  'raw table support (required for NOTRACK/TRACE)'
    303	help
    304	  This option adds a `raw' table to iptables. This table is the very
    305	  first in the netfilter framework and hooks in at the PREROUTING
    306	  and OUTPUT chains.
    307
    308	  If you want to compile it as a module, say M here and read
    309	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
    310
    311# security table for MAC policy
    312config IP_NF_SECURITY
    313	tristate "Security table"
    314	depends on SECURITY
    315	depends on NETFILTER_ADVANCED
    316	help
    317	  This option adds a `security' table to iptables, for use
    318	  with Mandatory Access Control (MAC) policy.
    319
    320	  If unsure, say N.
    321
    322endif # IP_NF_IPTABLES
    323
    324# ARP tables
    325config IP_NF_ARPTABLES
    326	tristate "ARP tables support"
    327	select NETFILTER_XTABLES
    328	select NETFILTER_FAMILY_ARP
    329	depends on NETFILTER_ADVANCED
    330	help
    331	  arptables is a general, extensible packet identification framework.
    332	  The ARP packet filtering and mangling (manipulation) subsystems
    333	  use this: say Y or M here if you want to use either of those.
    334
    335	  To compile it as a module, choose M here.  If unsure, say N.
    336
    337if IP_NF_ARPTABLES
    338
    339config IP_NF_ARPFILTER
    340	tristate "ARP packet filtering"
    341	help
    342	  ARP packet filtering defines a table `filter', which has a series of
    343	  rules for simple ARP packet filtering at local input and
    344	  local output.  On a bridge, you can also specify filtering rules
    345	  for forwarded ARP packets. See the man page for arptables(8).
    346
    347	  To compile it as a module, choose M here.  If unsure, say N.
    348
    349config IP_NF_ARP_MANGLE
    350	tristate "ARP payload mangling"
    351	help
    352	  Allows altering the ARP packet payload: source and destination
    353	  hardware and network addresses.
    354
    355endif # IP_NF_ARPTABLES
    356
    357endmenu
    358