
TOMOYO Linux Cross Reference
Linux/net/ipv4/netfilter/Kconfig


  1 # SPDX-License-Identifier: GPL-2.0-only
  2 #
  3 # IP netfilter configuration
  4 #
  5 
  6 menu "IP: Netfilter Configuration"
  7         depends on INET && NETFILTER
  8 
  9 config NF_DEFRAG_IPV4
 10         tristate
 11         default n
 12 
 13 # old sockopt interface and eval loop
 14 config IP_NF_IPTABLES_LEGACY
            # No prompt string, so this symbol cannot be chosen from the menu.
            # In this file it is enabled only through `select`, from
            # IP_NF_FILTER, IP_NF_NAT, IP_NF_MANGLE, IP_NF_RAW and
            # IP_NF_SECURITY.
 15         tristate
 16 
 17 config NF_SOCKET_IPV4
 18         tristate "IPv4 socket lookup support"
 19         help
 20           This option enables the IPv4 socket lookup infrastructure. This
 21           is required by the {ip,nf}tables socket match.
 22 
 23 config NF_TPROXY_IPV4
 24         tristate "IPv4 tproxy support"
 25 
 26 if NF_TABLES
 27 
 28 config NF_TABLES_IPV4
 29         bool "IPv4 nf_tables support"
 30         help
 31           This option enables the IPv4 support for nf_tables.
 32 
 33 if NF_TABLES_IPV4
 34 
 35 config NFT_REJECT_IPV4
 36         select NF_REJECT_IPV4
 37         default NFT_REJECT
 38         tristate
 39 
 40 config NFT_DUP_IPV4
            # `!NF_CONNTRACK || NF_CONNTRACK` is the tristate idiom for an
            # optional dependency: NF_CONNTRACK is not required, but when it is
            # built as a module (m) this option is capped at m as well. The
            # usual reason is to keep built-in code from referencing symbols
            # that live in a module.
 41         tristate "IPv4 nf_tables packet duplication support"
 42         depends on !NF_CONNTRACK || NF_CONNTRACK
 43         select NF_DUP_IPV4
 44         help
 45           This module enables IPv4 packet duplication support for nf_tables.
 46 
 47 config NFT_FIB_IPV4
 48         select NFT_FIB
 49         tristate "nf_tables fib / ip route lookup support"
 50         help
 51           This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
 52           It also allows querying the FIB for the route type, e.g. local, unicast,
 53           multicast or blackhole.
 54 
 55 endif # NF_TABLES_IPV4
 56 
 57 config NF_TABLES_ARP
 58         bool "ARP nf_tables support"
 59         select NETFILTER_FAMILY_ARP
 60         help
 61           This option enables the ARP support for nf_tables.
 62 
 63 endif # NF_TABLES
 64 
 65 config NF_DUP_IPV4
            # `!NF_CONNTRACK || NF_CONNTRACK` evaluates to y when NF_CONNTRACK
            # is n or y, and to m when NF_CONNTRACK is m. The dependency is
            # therefore optional, but a modular conntrack limits this option
            # to being a module too.
 66         tristate "Netfilter IPv4 packet duplication to alternate destination"
 67         depends on !NF_CONNTRACK || NF_CONNTRACK
 68         help
 69           This option enables the nf_dup_ipv4 core, which duplicates an IPv4
 70           packet to be rerouted to another destination.
 71 
 72 config NF_LOG_ARP
 73         tristate "ARP packet logging"
 74         default m if NETFILTER_ADVANCED=n
 75         select NF_LOG_SYSLOG
 76         help
 77         This is a backwards-compat option for the user's convenience
 78         (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.
 79 
 80 config NF_LOG_IPV4
 81         tristate "IPv4 packet logging"
 82         default m if NETFILTER_ADVANCED=n
 83         select NF_LOG_SYSLOG
 84         help
 85         This is a backwards-compat option for the user's convenience
 86         (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.
 87 
 88 config NF_REJECT_IPV4
 89         tristate "IPv4 packet rejection"
 90         default m if NETFILTER_ADVANCED=n
 91 
 92 if NF_NAT
 93 config NF_NAT_SNMP_BASIC
            # NOTE(review): per the help text this ALG rewrites addresses
            # inside SNMP payloads; `select ASN1` is presumably there for
            # decoding that payload. The default follows NF_CONNTRACK_SNMP
            # (NF_NAT is already required by the enclosing `if NF_NAT`), so
            # with NETFILTER_ADVANCED set, enabling the SNMP conntrack helper
            # turns this on as well unless it is explicitly set to N.
 94         tristate "Basic SNMP-ALG support"
 95         depends on NF_CONNTRACK_SNMP
 96         depends on NETFILTER_ADVANCED
 97         default NF_NAT && NF_CONNTRACK_SNMP
 98         select ASN1
 99         help
100 
101           This module implements an Application Layer Gateway (ALG) for
102           SNMP payloads.  In conjunction with NAT, it allows a network
103           management system to access multiple private networks with
104           conflicting addresses.  It works by modifying IP addresses
105           inside SNMP payloads to match IP-layer NAT mapping.
106 
107           This is the "basic" form of SNMP-ALG, as described in RFC 2962
108 
109           To compile it as a module, choose M here.  If unsure, say N.
110 
111 config NF_NAT_PPTP
112         tristate
113         depends on NF_CONNTRACK
114         default NF_CONNTRACK_PPTP
115 
116 config NF_NAT_H323
117         tristate
118         depends on NF_CONNTRACK
119         default NF_CONNTRACK_H323
120 
121 endif # NF_NAT
122 
123 config IP_NF_IPTABLES
124         tristate "IP tables support (required for filtering/masq/NAT)"
125         default m if NETFILTER_ADVANCED=n
126         select NETFILTER_XTABLES
127         help
128           iptables is a general, extensible packet identification framework.
129           The packet filtering and full NAT (masquerading, port forwarding,
130           etc) subsystems now use this: say `Y' or `M' here if you want to use
131           either of those.
132 
133           To compile it as a module, choose M here.  If unsure, say N.
134 
135 if IP_NF_IPTABLES
136 
137 # The matches.
138 config IP_NF_MATCH_AH
139         tristate '"ah" match support'
140         depends on NETFILTER_ADVANCED
141         help
142           This match extension allows you to match a range of SPIs
143           inside the AH header of IPsec packets.
144 
145           To compile it as a module, choose M here.  If unsure, say N.
146 
147 config IP_NF_MATCH_ECN
148         tristate '"ecn" match support'
149         depends on NETFILTER_ADVANCED
150         select NETFILTER_XT_MATCH_ECN
151         help
152         This is a backwards-compat option for the user's convenience
153         (e.g. when running oldconfig). It selects
154         CONFIG_NETFILTER_XT_MATCH_ECN.
155 
156 config IP_NF_MATCH_RPFILTER
157         tristate '"rpfilter" reverse path filter match support'
158         depends on NETFILTER_ADVANCED
159         depends on IP_NF_MANGLE || IP_NF_RAW || NFT_COMPAT
160         help
161           This option allows you to match packets whose replies would
162           go out via the interface the packet came in on.
163 
164           To compile it as a module, choose M here.  If unsure, say N.
165           The module will be called ipt_rpfilter.
166 
167 config IP_NF_MATCH_TTL
168         tristate '"ttl" match support'
169         depends on NETFILTER_ADVANCED
170         select NETFILTER_XT_MATCH_HL
171         help
172         This is a backwards-compat option for the user's convenience
173         (e.g. when running oldconfig). It selects
174         CONFIG_NETFILTER_XT_MATCH_HL.
175 
176 # `filter', generic and specific targets
177 config IP_NF_FILTER
178         tristate "Packet filtering"
179         default m if NETFILTER_ADVANCED=n
180         select IP_NF_IPTABLES_LEGACY
181         help
182           Packet filtering defines a table `filter', which has a series of
183           rules for simple packet filtering at local input, forwarding and
184           local output.  See the man page for iptables(8).
185 
186           To compile it as a module, choose M here.  If unsure, say N.
187 
188 config IP_NF_TARGET_REJECT
189         tristate "REJECT target support"
190         depends on IP_NF_FILTER || NFT_COMPAT
191         select NF_REJECT_IPV4
192         default m if NETFILTER_ADVANCED=n
193         help
194           The REJECT target allows a filtering rule to specify that an ICMP
195           error should be issued in response to an incoming packet, rather
196           than silently being dropped.
197 
198           To compile it as a module, choose M here.  If unsure, say N.
199 
200 config IP_NF_TARGET_SYNPROXY
201         tristate "SYNPROXY target support"
202         depends on NF_CONNTRACK && NETFILTER_ADVANCED
203         select NETFILTER_SYNPROXY
204         select SYN_COOKIES
205         help
206           The SYNPROXY target allows you to intercept TCP connections and
207           establish them using syncookies before they are passed on to the
208           server. This avoids conntrack and server resource usage
209           during SYN-flood attacks.
210 
211           To compile it as a module, choose M here. If unsure, say N.
212 
213 # NAT + specific targets: nf_conntrack
214 config IP_NF_NAT
215         tristate "iptables NAT support"
216         depends on NF_CONNTRACK
217         default m if NETFILTER_ADVANCED=n
218         select NF_NAT
219         select NETFILTER_XT_NAT
220         select IP_NF_IPTABLES_LEGACY
221         help
222           This enables the `nat' table in iptables. This allows masquerading,
223           port forwarding and other forms of full Network Address Port
224           Translation.
225 
226           To compile it as a module, choose M here.  If unsure, say N.
227 
228 if IP_NF_NAT
229 
230 config IP_NF_TARGET_MASQUERADE
231         tristate "MASQUERADE target support"
232         select NETFILTER_XT_TARGET_MASQUERADE
233         help
234           This is a backwards-compat option for the user's convenience
235           (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
236 
237 config IP_NF_TARGET_NETMAP
238         tristate "NETMAP target support"
239         depends on NETFILTER_ADVANCED
240         select NETFILTER_XT_TARGET_NETMAP
241         help
242         This is a backwards-compat option for the user's convenience
243         (e.g. when running oldconfig). It selects
244         CONFIG_NETFILTER_XT_TARGET_NETMAP.
245 
246 config IP_NF_TARGET_REDIRECT
247         tristate "REDIRECT target support"
248         depends on NETFILTER_ADVANCED
249         select NETFILTER_XT_TARGET_REDIRECT
250         help
251         This is a backwards-compat option for the user's convenience
252         (e.g. when running oldconfig). It selects
253         CONFIG_NETFILTER_XT_TARGET_REDIRECT.
254 
255 endif # IP_NF_NAT
256 
257 # mangle + specific targets
258 config IP_NF_MANGLE
259         tristate "Packet mangling"
260         default m if NETFILTER_ADVANCED=n
261         select IP_NF_IPTABLES_LEGACY
262         help
263           This option adds a `mangle' table to iptables: see the man page for
264           iptables(8).  This table is used for various packet alterations
265           which can affect how the packet is routed.
266 
267           To compile it as a module, choose M here.  If unsure, say N.
268 
269 config IP_NF_TARGET_ECN
270         tristate "ECN target support"
271         depends on IP_NF_MANGLE || NFT_COMPAT
272         depends on NETFILTER_ADVANCED
273         help
274           This option adds an `ECN' target, which can be used in the iptables mangle
275           table.
276 
277           You can use this target to remove the ECN bits from the IPv4 header of
278           an IP packet.  This is particularly useful if you need to work around
279           existing ECN blackholes on the internet, but don't want to disable
280           ECN support in general.
281 
282           To compile it as a module, choose M here.  If unsure, say N.
283 
284 config IP_NF_TARGET_TTL
285         tristate '"TTL" target support'
286         depends on NETFILTER_ADVANCED && IP_NF_MANGLE
287         select NETFILTER_XT_TARGET_HL
288         help
289         This is a backwards-compatible option for the user's convenience
290         (e.g. when running oldconfig). It selects
291         CONFIG_NETFILTER_XT_TARGET_HL.
292 
293 # raw + specific targets
294 config IP_NF_RAW
295         tristate  'raw table support (required for NOTRACK/TRACE)'
296         select IP_NF_IPTABLES_LEGACY
297         help
298           This option adds a `raw' table to iptables. This table is the very
299           first in the netfilter framework and hooks in at the PREROUTING
300           and OUTPUT chains.
301 
302           If you want to compile it as a module, say M here and read
303           <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
304 
305 # security table for MAC policy
306 config IP_NF_SECURITY
            # Offered only when both SECURITY and NETFILTER_ADVANCED are
            # enabled. There is no `default` line, so the table stays off
            # unless it is chosen explicitly. Enabling it also selects
            # IP_NF_IPTABLES_LEGACY.
307         tristate "Security table"
308         depends on SECURITY
309         depends on NETFILTER_ADVANCED
310         select IP_NF_IPTABLES_LEGACY
311         help
312           This option adds a `security' table to iptables, for use
313           with Mandatory Access Control (MAC) policy.
314 
315           If unsure, say N.
316 
317 endif # IP_NF_IPTABLES
318 
319 # ARP tables
320 config IP_NF_ARPTABLES
321         tristate
322 
323 config NFT_COMPAT_ARP
324         tristate
325         depends on NF_TABLES_ARP && NFT_COMPAT
326         default m if NFT_COMPAT=m
327         default y if NFT_COMPAT=y
328 
329 config IP_NF_ARPFILTER
330         tristate "arptables-legacy packet filtering support"
331         select IP_NF_ARPTABLES
332         select NETFILTER_FAMILY_ARP
333         depends on NETFILTER_XTABLES
334         help
335           ARP packet filtering defines a table `filter', which has a series of
336           rules for simple ARP packet filtering at local input and
337           local output.  This is only needed for arptables-legacy(8).
338           Neither arptables-nft nor nftables need this to work.
339 
340           To compile it as a module, choose M here.  If unsure, say N.
341 
342 config IP_NF_ARP_MANGLE
343         tristate "ARP payload mangling"
344         depends on IP_NF_ARPTABLES || NFT_COMPAT_ARP
345         help
346           Allows altering the ARP packet payload: source and destination
347           hardware and network addresses.
348 
349           This option is needed by both arptables-legacy and arptables-nft.
350           It is not used by nftables.
351 
352 endmenu
353 
