Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | # |
| 2 | # IP netfilter configuration |
| 3 | # |
| 4 | |
| 5 | menu "IP: Netfilter Configuration" |
| 6 | depends on INET && NETFILTER |
| 7 | |
KOVACS Krisztian | 73e4022 | 2008-10-08 11:35:12 +0200 | [diff] [blame] | 8 | config NF_DEFRAG_IPV4 |
| 9 | tristate |
| 10 | default n |
| 11 | |
Yasuyuki Kozakai | 9fb9cbb | 2005-11-09 16:38:16 -0800 | [diff] [blame] | 12 | config NF_CONNTRACK_IPV4 |
Patrick McHardy | c9386cf | 2007-01-04 12:16:06 -0800 | [diff] [blame] | 13 | tristate "IPv4 connection tracking support (required for NAT)" |
| 14 | depends on NF_CONNTRACK |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 15 | default m if NETFILTER_ADVANCED=n |
KOVACS Krisztian | 73e4022 | 2008-10-08 11:35:12 +0200 | [diff] [blame] | 16 | select NF_DEFRAG_IPV4 |
Yasuyuki Kozakai | 9fb9cbb | 2005-11-09 16:38:16 -0800 | [diff] [blame] | 17 | ---help--- |
| 18 | Connection tracking keeps a record of what packets have passed |
| 19 | through your machine, in order to figure out how they are related |
| 20 | into connections. |
| 21 | |
| 22 | This is IPv4 support on Layer 3 independent connection tracking. |
| 23 | Layer 3 independent connection tracking is an experimental scheme |
| 24 | which generalizes ip_conntrack to support other layer 3 protocols. |
| 25 | |
| 26 | To compile it as a module, choose M here. If unsure, say N. |
| 27 | |
Patrick McHardy | a999e68 | 2006-11-29 02:35:20 +0100 | [diff] [blame] | 28 | config NF_CONNTRACK_PROC_COMPAT |
| 29 | bool "proc/sysctl compatibility with old connection tracking" |
Jan Engelhardt | 54b07dc | 2011-04-21 09:32:45 +0200 | [diff] [blame] | 30 | depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4 |
Patrick McHardy | a999e68 | 2006-11-29 02:35:20 +0100 | [diff] [blame] | 31 | default y |
| 32 | help |
| 33 | This option enables /proc and sysctl compatibility with the old |
Stephen Hemminger | 67c0d57 | 2009-03-16 15:17:23 +0100 | [diff] [blame] | 34 | layer 3 dependent connection tracking. This is needed to keep |
Patrick McHardy | a999e68 | 2006-11-29 02:35:20 +0100 | [diff] [blame] | 35 | old programs that have not been adapted to the new names working. |
| 36 | |
| 37 | If unsure, say Y. |
| 38 | |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 39 | config NF_TABLES_IPV4 |
| 40 | depends on NF_TABLES |
| 41 | tristate "IPv4 nf_tables support" |
Pablo Neira Ayuso | d497c63 | 2013-12-30 15:09:18 +0100 | [diff] [blame] | 42 | help |
| 43 | This option enables the IPv4 support for nf_tables. |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 44 | |
Pablo Neira Ayuso | 9370761 | 2013-10-10 23:21:26 +0200 | [diff] [blame] | 45 | config NFT_CHAIN_ROUTE_IPV4 |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 46 | depends on NF_TABLES_IPV4 |
Pablo Neira Ayuso | 9370761 | 2013-10-10 23:21:26 +0200 | [diff] [blame] | 47 | tristate "IPv4 nf_tables route chain support" |
Pablo Neira Ayuso | d497c63 | 2013-12-30 15:09:18 +0100 | [diff] [blame] | 48 | help |
| 49 | This option enables the "route" chain for IPv4 in nf_tables. This |
| 50 | chain type is used to force packet re-routing after mangling header |
| 51 | fields such as the source, destination, type of service and |
| 52 | the packet mark. |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 53 | |
Pablo Neira Ayuso | 9370761 | 2013-10-10 23:21:26 +0200 | [diff] [blame] | 54 | config NFT_CHAIN_NAT_IPV4 |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 55 | depends on NF_TABLES_IPV4 |
Tomasz Bursztyka | eb31628 | 2013-10-10 13:39:19 +0200 | [diff] [blame] | 56 | depends on NF_NAT_IPV4 && NFT_NAT |
Pablo Neira Ayuso | 9370761 | 2013-10-10 23:21:26 +0200 | [diff] [blame] | 57 | tristate "IPv4 nf_tables nat chain support" |
Pablo Neira Ayuso | d497c63 | 2013-12-30 15:09:18 +0100 | [diff] [blame] | 58 | help |
| 59 | This option enables the "nat" chain for IPv4 in nf_tables. This |
| 60 | chain type is used to perform Network Address Translation (NAT) |
| 61 | packet transformations such as the source, destination address and |
| 62 | source and destination ports. |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 63 | |
Patrick McHardy | cc4723c | 2014-02-05 15:03:38 +0000 | [diff] [blame] | 64 | config NFT_REJECT_IPV4 |
| 65 | depends on NF_TABLES_IPV4 |
| 66 | default NFT_REJECT |
| 67 | tristate |
| 68 | |
Pablo Neira Ayuso | ed683f1 | 2013-10-07 22:53:08 +0200 | [diff] [blame] | 69 | config NF_TABLES_ARP |
| 70 | depends on NF_TABLES |
| 71 | tristate "ARP nf_tables support" |
Pablo Neira Ayuso | d497c63 | 2013-12-30 15:09:18 +0100 | [diff] [blame] | 72 | help |
| 73 | This option enables the ARP support for nf_tables. |
Pablo Neira Ayuso | ed683f1 | 2013-10-07 22:53:08 +0200 | [diff] [blame] | 74 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 75 | config IP_NF_IPTABLES |
| 76 | tristate "IP tables support (required for filtering/masq/NAT)" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 77 | default m if NETFILTER_ADVANCED=n |
Patrick McHardy | a3c941b | 2007-02-12 11:15:02 -0800 | [diff] [blame] | 78 | select NETFILTER_XTABLES |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 79 | help |
| 80 | iptables is a general, extensible packet identification framework. |
| 81 | The packet filtering and full NAT (masquerading, port forwarding, |
| 82 | etc) subsystems now use this: say `Y' or `M' here if you want to use |
| 83 | either of those. |
| 84 | |
| 85 | To compile it as a module, choose M here. If unsure, say N. |
| 86 | |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 87 | if IP_NF_IPTABLES |
| 88 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 89 | # The matches. |
Yasuyuki Kozakai | dc5ab2f | 2006-04-01 02:22:30 -0800 | [diff] [blame] | 90 | config IP_NF_MATCH_AH |
Jan Engelhardt | 4c37799 | 2007-12-04 23:31:59 -0800 | [diff] [blame] | 91 | tristate '"ah" match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 92 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 93 | help |
Yasuyuki Kozakai | dc5ab2f | 2006-04-01 02:22:30 -0800 | [diff] [blame] | 94 | This match extension allows you to match a range of SPIs |
| 95 | inside the AH header of IPsec packets. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 96 | |
| 97 | To compile it as a module, choose M here. If unsure, say N. |
| 98 | |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 99 | config IP_NF_MATCH_ECN |
| 100 | tristate '"ecn" match support' |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 101 | depends on NETFILTER_ADVANCED |
Jan Engelhardt | d446a820 | 2011-06-09 21:03:07 +0200 | [diff] [blame] | 102 | select NETFILTER_XT_MATCH_ECN |
| 103 | ---help--- |
| 104 | This is a backwards-compat option for the user's convenience |
| 105 | (e.g. when running oldconfig). It selects |
| 106 | CONFIG_NETFILTER_XT_MATCH_ECN. |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 107 | |
Florian Westphal | 8f97339 | 2011-07-04 22:48:10 +0100 | [diff] [blame] | 108 | config IP_NF_MATCH_RPFILTER |
| 109 | tristate '"rpfilter" reverse path filter match support' |
Florian Westphal | d37d696 | 2013-04-17 22:45:25 +0000 | [diff] [blame] | 110 | depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW) |
Florian Westphal | 8f97339 | 2011-07-04 22:48:10 +0100 | [diff] [blame] | 111 | ---help--- |
| 112 | This option allows you to match packets whose replies would |
| 113 | go out via the interface the packet came in on. |
| 114 | |
| 115 | To compile it as a module, choose M here. If unsure, say N. |
| 116 | The module will be called ipt_rpfilter. |
| 117 | |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 118 | config IP_NF_MATCH_TTL |
| 119 | tristate '"ttl" match support' |
| 120 | depends on NETFILTER_ADVANCED |
| 121 | select NETFILTER_XT_MATCH_HL |
| 122 | ---help--- |
| 123 | This is a backwards-compat option for the user's convenience |
| 124 | (e.g. when running oldconfig). It selects |
Stephen Hemminger | 67c0d57 | 2009-03-16 15:17:23 +0100 | [diff] [blame] | 125 | CONFIG_NETFILTER_XT_MATCH_HL. |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 126 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 127 | # `filter', generic and specific targets |
| 128 | config IP_NF_FILTER |
| 129 | tristate "Packet filtering" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 130 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 131 | help |
| 132 | Packet filtering defines a table `filter', which has a series of |
| 133 | rules for simple packet filtering at local input, forwarding and |
| 134 | local output. See the man page for iptables(8). |
| 135 | |
| 136 | To compile it as a module, choose M here. If unsure, say N. |
| 137 | |
| 138 | config IP_NF_TARGET_REJECT |
| 139 | tristate "REJECT target support" |
| 140 | depends on IP_NF_FILTER |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 141 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 142 | help |
| 143 | The REJECT target allows a filtering rule to specify that an ICMP |
| 144 | error should be issued in response to an incoming packet, rather |
| 145 | than silently being dropped. |
| 146 | |
| 147 | To compile it as a module, choose M here. If unsure, say N. |
| 148 | |
Patrick McHardy | 48b1de4 | 2013-08-27 08:50:14 +0200 | [diff] [blame] | 149 | config IP_NF_TARGET_SYNPROXY |
| 150 | tristate "SYNPROXY target support" |
| 151 | depends on NF_CONNTRACK && NETFILTER_ADVANCED |
| 152 | select NETFILTER_SYNPROXY |
| 153 | select SYN_COOKIES |
| 154 | help |
| 155 | The SYNPROXY target allows you to intercept TCP connections and |
| 156 | establish them using syncookies before they are passed on to the |
| 157 | server. This avoids conntrack and server resource usage |
| 158 | during SYN-flood attacks. |
| 159 | |
| 160 | To compile it as a module, choose M here. If unsure, say N. |
| 161 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 162 | config IP_NF_TARGET_ULOG |
Pablo Neira Ayuso | de94c45 | 2013-05-22 22:42:37 +0000 | [diff] [blame] | 163 | tristate "ULOG target support (obsolete)" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 164 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 165 | ---help--- |
Harald Welte | f40863c | 2005-10-10 20:51:53 -0700 | [diff] [blame] | 166 | |
| 167 | This option enables the old IPv4-only "ipt_ULOG" implementation |
| 168 | which has been obsoleted by the new "nfnetlink_log" code (see |
| 169 | CONFIG_NETFILTER_NETLINK_LOG). |
| 170 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 171 | This option adds a `ULOG' target, which allows you to create rules in |
| 172 | any iptables table. The packet is passed to a userspace logging |
| 173 | daemon using netlink multicast sockets; unlike the LOG target |
| 174 | which can only be viewed through syslog. |
| 175 | |
Matt LaPlante | 44c0920 | 2006-10-03 22:34:14 +0200 | [diff] [blame] | 176 | The appropriate userspace logging daemon (ulogd) may be obtained from |
Justin P. Mattock | 631dd1a | 2010-10-18 11:03:14 +0200 | [diff] [blame] | 177 | <http://www.netfilter.org/projects/ulogd/index.html> |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 178 | |
| 179 | To compile it as a module, choose M here. If unsure, say N. |
| 180 | |
Jozsef Kadlecsik | 5b1158e | 2006-12-02 22:07:13 -0800 | [diff] [blame] | 181 | # NAT + specific targets: nf_conntrack |
Patrick McHardy | c7232c9 | 2012-08-26 19:14:06 +0200 | [diff] [blame] | 182 | config NF_NAT_IPV4 |
| 183 | tristate "IPv4 NAT" |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 184 | depends on NF_CONNTRACK_IPV4 |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 185 | default m if NETFILTER_ADVANCED=n |
Patrick McHardy | c7232c9 | 2012-08-26 19:14:06 +0200 | [diff] [blame] | 186 | select NF_NAT |
Jozsef Kadlecsik | 5b1158e | 2006-12-02 22:07:13 -0800 | [diff] [blame] | 187 | help |
Patrick McHardy | c7232c9 | 2012-08-26 19:14:06 +0200 | [diff] [blame] | 188 | The IPv4 NAT option allows masquerading, port forwarding and other |
Jozsef Kadlecsik | 5b1158e | 2006-12-02 22:07:13 -0800 | [diff] [blame] | 189 | forms of full Network Address Port Translation. It is controlled by |
| 190 | the `nat' table in iptables: see the man page for iptables(8). |
| 191 | |
| 192 | To compile it as a module, choose M here. If unsure, say N. |
| 193 | |
Patrick McHardy | c7232c9 | 2012-08-26 19:14:06 +0200 | [diff] [blame] | 194 | if NF_NAT_IPV4 |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 195 | |
| 196 | config IP_NF_TARGET_MASQUERADE |
| 197 | tristate "MASQUERADE target support" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 198 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 199 | help |
| 200 | Masquerading is a special case of NAT: all outgoing connections are |
| 201 | changed to seem to come from a particular interface's address, and |
| 202 | if the interface goes down, those connections are lost. This is |
| 203 | only useful for dialup accounts with a dynamic IP address (i.e. your IP |
| 204 | address will be different on next dialup). |
| 205 | |
| 206 | To compile it as a module, choose M here. If unsure, say N. |
| 207 | |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 208 | config IP_NF_TARGET_NETMAP |
| 209 | tristate "NETMAP target support" |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 210 | depends on NETFILTER_ADVANCED |
Jan Engelhardt | b3d54b3 | 2012-09-21 11:37:59 +0200 | [diff] [blame] | 211 | select NETFILTER_XT_TARGET_NETMAP |
| 212 | ---help--- |
| 213 | This is a backwards-compat option for the user's convenience |
| 214 | (e.g. when running oldconfig). It selects |
| 215 | CONFIG_NETFILTER_XT_TARGET_NETMAP. |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 216 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 217 | config IP_NF_TARGET_REDIRECT |
| 218 | tristate "REDIRECT target support" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 219 | depends on NETFILTER_ADVANCED |
Jan Engelhardt | 2cbc78a | 2012-09-21 11:41:34 +0200 | [diff] [blame] | 220 | select NETFILTER_XT_TARGET_REDIRECT |
| 221 | ---help--- |
| 222 | This is a backwards-compat option for the user's convenience |
| 223 | (e.g. when running oldconfig). It selects |
| 224 | CONFIG_NETFILTER_XT_TARGET_REDIRECT. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 225 | |
Patrick McHardy | c7232c9 | 2012-08-26 19:14:06 +0200 | [diff] [blame] | 226 | endif |
| 227 | |
Patrick McHardy | 807467c | 2006-12-02 22:10:34 -0800 | [diff] [blame] | 228 | config NF_NAT_SNMP_BASIC |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 229 | tristate "Basic SNMP-ALG support" |
Patrick McHardy | c7232c9 | 2012-08-26 19:14:06 +0200 | [diff] [blame] | 230 | depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4 |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 231 | depends on NETFILTER_ADVANCED |
Jiri Olsa | 93557f5 | 2011-01-18 18:12:24 +0100 | [diff] [blame] | 232 | default NF_NAT && NF_CONNTRACK_SNMP |
Patrick McHardy | 807467c | 2006-12-02 22:10:34 -0800 | [diff] [blame] | 233 | ---help--- |
| 234 | |
| 235 | This module implements an Application Layer Gateway (ALG) for |
| 236 | SNMP payloads. In conjunction with NAT, it allows a network |
| 237 | management system to access multiple private networks with |
| 238 | conflicting addresses. It works by modifying IP addresses |
| 239 | inside SNMP payloads to match IP-layer NAT mapping. |
| 240 | |
| 241 | This is the "basic" form of SNMP-ALG, as described in RFC 2962. |
| 242 | |
| 243 | To compile it as a module, choose M here. If unsure, say N. |
| 244 | |
Jozsef Kadlecsik | 55a7332 | 2006-12-02 22:07:44 -0800 | [diff] [blame] | 245 | # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), |
| 246 | # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. |
| 247 | # From kconfig-language.txt: |
| 248 | # |
| 249 | # <expr> '&&' <expr> (6) |
| 250 | # |
| 251 | # (6) Returns the result of min(/expr/, /expr/). |
Patrick McHardy | 4910a08 | 2008-03-20 15:15:57 +0100 | [diff] [blame] | 252 | |
Patrick McHardy | f09943f | 2006-12-02 22:09:41 -0800 | [diff] [blame] | 253 | config NF_NAT_PROTO_GRE |
| 254 | tristate |
Patrick McHardy | c7232c9 | 2012-08-26 19:14:06 +0200 | [diff] [blame] | 255 | depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE |
Patrick McHardy | 9d908a6 | 2008-04-14 11:15:50 +0200 | [diff] [blame] | 256 | |
Patrick McHardy | f09943f | 2006-12-02 22:09:41 -0800 | [diff] [blame] | 257 | config NF_NAT_PPTP |
| 258 | tristate |
Patrick McHardy | c7232c9 | 2012-08-26 19:14:06 +0200 | [diff] [blame] | 259 | depends on NF_CONNTRACK && NF_NAT_IPV4 |
| 260 | default NF_NAT_IPV4 && NF_CONNTRACK_PPTP |
Patrick McHardy | f09943f | 2006-12-02 22:09:41 -0800 | [diff] [blame] | 261 | select NF_NAT_PROTO_GRE |
| 262 | |
Patrick McHardy | f587de0 | 2006-12-02 22:08:46 -0800 | [diff] [blame] | 263 | config NF_NAT_H323 |
| 264 | tristate |
Patrick McHardy | c7232c9 | 2012-08-26 19:14:06 +0200 | [diff] [blame] | 265 | depends on NF_CONNTRACK && NF_NAT_IPV4 |
| 266 | default NF_NAT_IPV4 && NF_CONNTRACK_H323 |
Patrick McHardy | f587de0 | 2006-12-02 22:08:46 -0800 | [diff] [blame] | 267 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 268 | # mangle + specific targets |
| 269 | config IP_NF_MANGLE |
| 270 | tristate "Packet mangling" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 271 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 272 | help |
| 273 | This option adds a `mangle' table to iptables: see the man page for |
| 274 | iptables(8). This table is used for various packet alterations |
| 275 | which can affect how the packet is routed. |
| 276 | |
| 277 | To compile it as a module, choose M here. If unsure, say N. |
| 278 | |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 279 | config IP_NF_TARGET_CLUSTERIP |
Kees Cook | aec9a0e | 2012-10-02 11:19:48 -0700 | [diff] [blame] | 280 | tristate "CLUSTERIP target support" |
| 281 | depends on IP_NF_MANGLE |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 282 | depends on NF_CONNTRACK_IPV4 |
| 283 | depends on NETFILTER_ADVANCED |
| 284 | select NF_CONNTRACK_MARK |
| 285 | help |
| 286 | The CLUSTERIP target allows you to build load-balancing clusters of |
| 287 | network servers without having a dedicated load-balancing |
| 288 | router/server/switch. |
| 289 | |
| 290 | To compile it as a module, choose M here. If unsure, say N. |
| 291 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 292 | config IP_NF_TARGET_ECN |
| 293 | tristate "ECN target support" |
| 294 | depends on IP_NF_MANGLE |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 295 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 296 | ---help--- |
| 297 | This option adds an `ECN' target, which can be used in the iptables mangle |
| 298 | table. |
| 299 | |
| 300 | You can use this target to remove the ECN bits from the IPv4 header of |
| 301 | an IP packet. This is particularly useful if you need to work around |
| 302 | existing ECN blackholes on the internet, but don't want to disable |
| 303 | ECN support in general. |
| 304 | |
| 305 | To compile it as a module, choose M here. If unsure, say N. |
| 306 | |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 307 | config IP_NF_TARGET_TTL |
| 308 | tristate '"TTL" target support' |
Randy Dunlap | 76b6717 | 2010-10-18 11:13:30 +0200 | [diff] [blame] | 309 | depends on NETFILTER_ADVANCED && IP_NF_MANGLE |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 310 | select NETFILTER_XT_TARGET_HL |
| 311 | ---help--- |
Randy Dunlap | 76b6717 | 2010-10-18 11:13:30 +0200 | [diff] [blame] | 312 | This is a backwards-compatible option for the user's convenience |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 313 | (e.g. when running oldconfig). It selects |
Stephen Hemminger | 67c0d57 | 2009-03-16 15:17:23 +0100 | [diff] [blame] | 314 | CONFIG_NETFILTER_XT_TARGET_HL. |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 315 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 316 | # raw + specific targets |
| 317 | config IP_NF_RAW |
| 318 | tristate 'raw table support (required for NOTRACK/TRACE)' |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 319 | help |
| 320 | This option adds a `raw' table to iptables. This table is the very |
| 321 | first in the netfilter framework and hooks in at the PREROUTING |
| 322 | and OUTPUT chains. |
| 323 | |
| 324 | If you want to compile it as a module, say M here and read |
Dirk Hohndel | e403149 | 2007-10-30 13:37:19 -0700 | [diff] [blame] | 325 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 326 | |
James Morris | 560ee65 | 2008-06-09 15:57:24 -0700 | [diff] [blame] | 327 | # security table for MAC policy |
| 328 | config IP_NF_SECURITY |
| 329 | tristate "Security table" |
James Morris | 560ee65 | 2008-06-09 15:57:24 -0700 | [diff] [blame] | 330 | depends on SECURITY |
Patrick McHardy | 70eed75 | 2008-07-23 16:42:42 -0700 | [diff] [blame] | 331 | depends on NETFILTER_ADVANCED |
James Morris | 560ee65 | 2008-06-09 15:57:24 -0700 | [diff] [blame] | 332 | help |
| 333 | This option adds a `security' table to iptables, for use |
| 334 | with Mandatory Access Control (MAC) policy. |
| 335 | |
| 336 | If unsure, say N. |
| 337 | |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 338 | endif # IP_NF_IPTABLES |
| 339 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 340 | # ARP tables |
| 341 | config IP_NF_ARPTABLES |
| 342 | tristate "ARP tables support" |
Patrick McHardy | a3c941b | 2007-02-12 11:15:02 -0800 | [diff] [blame] | 343 | select NETFILTER_XTABLES |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 344 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 345 | help |
| 346 | arptables is a general, extensible packet identification framework. |
| 347 | The ARP packet filtering and mangling (manipulation) subsystems |
| 348 | use this: say Y or M here if you want to use either of those. |
| 349 | |
| 350 | To compile it as a module, choose M here. If unsure, say N. |
| 351 | |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 352 | if IP_NF_ARPTABLES |
| 353 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 354 | config IP_NF_ARPFILTER |
| 355 | tristate "ARP packet filtering" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 356 | help |
| 357 | ARP packet filtering defines a table `filter', which has a series of |
| 358 | rules for simple ARP packet filtering at local input and |
| 359 | local output. On a bridge, you can also specify filtering rules |
| 360 | for forwarded ARP packets. See the man page for arptables(8). |
| 361 | |
| 362 | To compile it as a module, choose M here. If unsure, say N. |
| 363 | |
| 364 | config IP_NF_ARP_MANGLE |
| 365 | tristate "ARP payload mangling" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 366 | help |
| 367 | Allows altering the ARP packet payload: source and destination |
| 368 | hardware and network addresses. |
| 369 | |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 370 | endif # IP_NF_ARPTABLES |
| 371 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 372 | endmenu |
| 373 | |
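The comment above `NF_NAT_PROTO_GRE` quotes kconfig-language.txt: `&&` returns the minimum of its operands. The block below is an added example, not part of the kernel tree: a simplified Python model of that tristate logic, applied to expressions from this file to show which promptless NAT helpers end up built. The names `evaluate`, `promptless_value` and `demo`, the sample config values, and the assumption MODULES=y are the example's own.

```python
import re

N, M, Y = 0, 1, 2                     # Kconfig orders tristate values n < m < y
CONST = {"n": N, "m": M, "y": Y}      # assumes MODULES=y, so the constant m stays m
TOKEN = re.compile(r"\s*(&&|\|\||!=|=|!|\(|\)|\w+)")


def tokenize(text):
    text, tokens, pos = text.strip(), [], 0
    while pos < len(text):
        match = TOKEN.match(text, pos)
        if not match:
            raise ValueError(f"unexpected input at {text[pos:]!r}")
        tokens.append(match.group(1))
        pos = match.end()
    return tokens


def evaluate(text, config):
    """Evaluate a Kconfig expression to N, M or Y; unset symbols count as n."""
    tokens = tokenize(text)

    def value_of(name):
        if not re.fullmatch(r"\w+", name):
            raise ValueError(f"expected a symbol, got {name!r}")
        return CONST.get(name, config.get(name, N))

    def primary():
        tok = tokens.pop(0)
        if tok == "(":
            value = or_expr()
            if not tokens or tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return value
        if tok == "!":
            return Y - primary()              # !n = y, !m = m, !y = n
        if tokens and tokens[0] in ("=", "!="):
            op, other = tokens.pop(0), tokens.pop(0)
            equal = value_of(tok) == value_of(other)
            return Y if equal == (op == "=") else N
        return value_of(tok)

    def and_expr():
        value = primary()
        while tokens and tokens[0] == "&&":
            tokens.pop(0)
            value = min(value, primary())     # '&&' is min(), as the file's comment says
        return value

    def or_expr():
        value = and_expr()
        while tokens and tokens[0] == "||":
            tokens.pop(0)
            value = max(value, and_expr())    # '||' is max()
        return value

    result = or_expr()
    if tokens:
        raise ValueError(f"trailing tokens: {tokens}")
    return result


def promptless_value(config, depends=None, default=None, selected_by=()):
    """Simplified model of a symbol with no prompt: its default capped by
    'depends on', then raised to the value of any symbol that selects it."""
    dep = evaluate(depends, config) if depends else Y
    own = min(evaluate(default, config), dep) if default else N
    return max([own] + [config.get(sel, N) for sel in selected_by])


def demo():
    # Constructed .config values, chosen to exercise the rules; not from a real build.
    config = {"NETFILTER_ADVANCED": Y, "NF_CONNTRACK": Y, "NF_NAT_IPV4": Y,
              "NF_CONNTRACK_PPTP": M, "NF_CT_PROTO_GRE": N, "IP_NF_RAW": M}
    config["NF_NAT_PPTP"] = promptless_value(
        config, depends="NF_CONNTRACK && NF_NAT_IPV4",
        default="NF_NAT_IPV4 && NF_CONNTRACK_PPTP")
    # 'select' forces the symbol without checking its own 'depends on'.
    config["NF_NAT_PROTO_GRE"] = promptless_value(
        config, depends="NF_NAT_IPV4 && NF_CT_PROTO_GRE", selected_by=["NF_NAT_PPTP"])
    rpfilter_cap = evaluate("NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)", config)
    return config["NF_NAT_PPTP"], config["NF_NAT_PROTO_GRE"], rpfilter_cap


if __name__ == "__main__":
    print(["nmy"[v] for v in demo()])
```

When auditing a kernel configuration for unneeded netfilter helpers, the promptless symbols (`NF_NAT_PPTP`, `NF_NAT_H323`, `NF_NAT_PROTO_GRE`) are the ones to trace this way, since they never appear as a menu choice.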