-
Notifications
You must be signed in to change notification settings - Fork 472
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
1 changed file
with
368 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,368 @@ | ||
| # SPDX-License-Identifier: GPL-2.0-only | ||
| # | ||
| # IP netfilter configuration | ||
| # | ||
|
|
||
| menu "IP: Netfilter Configuration" | ||
| depends on INET && NETFILTER | ||
|
|
||
| config NF_DEFRAG_IPV4 | ||
| tristate | ||
| default n | ||
|
|
||
| config NF_SOCKET_IPV4 | ||
| tristate "IPv4 socket lookup support" | ||
| help | ||
| This option enables the IPv4 socket lookup infrastructure. This is | ||
| is required by the {ip,nf}tables socket match. | ||
|
|
||
| config NF_TPROXY_IPV4 | ||
| tristate "IPv4 tproxy support" | ||
|
|
||
| if NF_TABLES | ||
|
|
||
| config NF_TABLES_IPV4 | ||
| bool "IPv4 nf_tables support" | ||
| help | ||
| This option enables the IPv4 support for nf_tables. | ||
|
|
||
| if NF_TABLES_IPV4 | ||
|
|
||
| config NFT_REJECT_IPV4 | ||
| select NF_REJECT_IPV4 | ||
| default NFT_REJECT | ||
| tristate | ||
|
|
||
| config NFT_DUP_IPV4 | ||
| tristate "IPv4 nf_tables packet duplication support" | ||
| depends on !NF_CONNTRACK || NF_CONNTRACK | ||
| select NF_DUP_IPV4 | ||
| help | ||
| This module enables IPv4 packet duplication support for nf_tables. | ||
|
|
||
| config NFT_FIB_IPV4 | ||
| select NFT_FIB | ||
| tristate "nf_tables fib / ip route lookup support" | ||
| help | ||
| This module enables IPv4 FIB lookups, e.g. for reverse path filtering. | ||
| It also allows query of the FIB for the route type, e.g. local, unicast, | ||
| multicast or blackhole. | ||
|
|
||
| endif # NF_TABLES_IPV4 | ||
|
|
||
| config NF_TABLES_ARP | ||
| bool "ARP nf_tables support" | ||
| select NETFILTER_FAMILY_ARP | ||
| help | ||
| This option enables the ARP support for nf_tables. | ||
|
|
||
| endif # NF_TABLES | ||
|
|
||
| config NF_FLOW_TABLE_IPV4 | ||
| tristate "Netfilter flow table IPv4 module" | ||
| depends on NF_FLOW_TABLE | ||
| help | ||
| This option adds the flow table IPv4 support. | ||
|
|
||
| To compile it as a module, choose M here. | ||
|
|
||
| config NF_DUP_IPV4 | ||
| tristate "Netfilter IPv4 packet duplication to alternate destination" | ||
| depends on !NF_CONNTRACK || NF_CONNTRACK | ||
| help | ||
| This option enables the nf_dup_ipv4 core, which duplicates an IPv4 | ||
| packet to be rerouted to another destination. | ||
|
|
||
| config NF_LOG_ARP | ||
| tristate "ARP packet logging" | ||
| default m if NETFILTER_ADVANCED=n | ||
| select NF_LOG_COMMON | ||
|
|
||
| config NF_LOG_IPV4 | ||
| tristate "IPv4 packet logging" | ||
| default m if NETFILTER_ADVANCED=n | ||
| select NF_LOG_COMMON | ||
|
|
||
| config NF_REJECT_IPV4 | ||
| tristate "IPv4 packet rejection" | ||
| default m if NETFILTER_ADVANCED=n | ||
|
|
||
| if NF_NAT | ||
| config NF_NAT_SNMP_BASIC | ||
| tristate "Basic SNMP-ALG support" | ||
| depends on NF_CONNTRACK_SNMP | ||
| depends on NETFILTER_ADVANCED | ||
| default NF_NAT && NF_CONNTRACK_SNMP | ||
| select ASN1 | ||
| ---help--- | ||
|
|
||
| This module implements an Application Layer Gateway (ALG) for | ||
| SNMP payloads. In conjunction with NAT, it allows a network | ||
| management system to access multiple private networks with | ||
| conflicting addresses. It works by modifying IP addresses | ||
| inside SNMP payloads to match IP-layer NAT mapping. | ||
|
|
||
| This is the "basic" form of SNMP-ALG, as described in RFC 2962 | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
|
|
||
| config NF_NAT_PPTP | ||
| tristate | ||
| depends on NF_CONNTRACK | ||
| default NF_CONNTRACK_PPTP | ||
|
|
||
| config NF_NAT_H323 | ||
| tristate | ||
| depends on NF_CONNTRACK | ||
| default NF_CONNTRACK_H323 | ||
|
|
||
| endif # NF_NAT | ||
|
|
||
| config IP_NF_IPTABLES | ||
| tristate "IP tables support (required for filtering/masq/NAT)" | ||
| default m if NETFILTER_ADVANCED=n | ||
| select NETFILTER_XTABLES | ||
| help | ||
| iptables is a general, extensible packet identification framework. | ||
| The packet filtering and full NAT (masquerading, port forwarding, | ||
| etc) subsystems now use this: say `Y' or `M' here if you want to use | ||
| either of those. | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
|
|
||
| if IP_NF_IPTABLES | ||
|
|
||
| # The matches. | ||
| config IP_NF_MATCH_AH | ||
| tristate '"ah" match support' | ||
| depends on NETFILTER_ADVANCED | ||
| help | ||
| This match extension allows you to match a range of SPIs | ||
| inside AH header of IPSec packets. | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
|
|
||
| config IP_NF_MATCH_ECN | ||
| tristate '"ecn" match support' | ||
| depends on NETFILTER_ADVANCED | ||
| select NETFILTER_XT_MATCH_ECN | ||
| ---help--- | ||
| This is a backwards-compat option for the user's convenience | ||
| (e.g. when running oldconfig). It selects | ||
| CONFIG_NETFILTER_XT_MATCH_ECN. | ||
|
|
||
| config IP_NF_MATCH_RPFILTER | ||
| tristate '"rpfilter" reverse path filter match support' | ||
| depends on NETFILTER_ADVANCED | ||
| depends on IP_NF_MANGLE || IP_NF_RAW | ||
| ---help--- | ||
| This option allows you to match packets whose replies would | ||
| go out via the interface the packet came in. | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
| The module will be called ipt_rpfilter. | ||
|
|
||
| config IP_NF_MATCH_TTL | ||
| tristate '"ttl" match support' | ||
| depends on NETFILTER_ADVANCED | ||
| select NETFILTER_XT_MATCH_HL | ||
| ---help--- | ||
| This is a backwards-compat option for the user's convenience | ||
| (e.g. when running oldconfig). It selects | ||
| CONFIG_NETFILTER_XT_MATCH_HL. | ||
|
|
||
| # `filter', generic and specific targets | ||
| config IP_NF_FILTER | ||
| tristate "Packet filtering" | ||
| default m if NETFILTER_ADVANCED=n | ||
| help | ||
| Packet filtering defines a table `filter', which has a series of | ||
| rules for simple packet filtering at local input, forwarding and | ||
| local output. See the man page for iptables(8). | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
|
|
||
| config IP_NF_TARGET_REJECT | ||
| tristate "REJECT target support" | ||
| depends on IP_NF_FILTER | ||
| select NF_REJECT_IPV4 | ||
| default m if NETFILTER_ADVANCED=n | ||
| help | ||
| The REJECT target allows a filtering rule to specify that an ICMP | ||
| error should be issued in response to an incoming packet, rather | ||
| than silently being dropped. | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
|
|
||
| config IP_NF_TARGET_SYNPROXY | ||
| tristate "SYNPROXY target support" | ||
| depends on NF_CONNTRACK && NETFILTER_ADVANCED | ||
| select NETFILTER_SYNPROXY | ||
| select SYN_COOKIES | ||
| help | ||
| The SYNPROXY target allows you to intercept TCP connections and | ||
| establish them using syncookies before they are passed on to the | ||
| server. This allows to avoid conntrack and server resource usage | ||
| during SYN-flood attacks. | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
|
|
||
| # NAT + specific targets: nf_conntrack | ||
| config IP_NF_NAT | ||
| tristate "iptables NAT support" | ||
| depends on NF_CONNTRACK | ||
| default m if NETFILTER_ADVANCED=n | ||
| select NF_NAT | ||
| select NETFILTER_XT_NAT | ||
| help | ||
| This enables the `nat' table in iptables. This allows masquerading, | ||
| port forwarding and other forms of full Network Address Port | ||
| Translation. | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
|
|
||
| if IP_NF_NAT | ||
|
|
||
| config IP_NF_TARGET_MASQUERADE | ||
| tristate "MASQUERADE target support" | ||
| select NETFILTER_XT_TARGET_MASQUERADE | ||
| help | ||
| This is a backwards-compat option for the user's convenience | ||
| (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE. | ||
|
|
||
| config IP_NF_TARGET_NETMAP | ||
| tristate "NETMAP target support" | ||
| depends on NETFILTER_ADVANCED | ||
| select NETFILTER_XT_TARGET_NETMAP | ||
| ---help--- | ||
| This is a backwards-compat option for the user's convenience | ||
| (e.g. when running oldconfig). It selects | ||
| CONFIG_NETFILTER_XT_TARGET_NETMAP. | ||
|
|
||
| config IP_NF_TARGET_FULLCONENAT | ||
| tristate "FULLCONENAT target support" | ||
| depends on NETFILTER_ADVANCED | ||
| select NETFILTER_XT_TARGET_FULLCONENAT | ||
| ---help--- | ||
| This is a backwards-compat option for the user's convenience | ||
| (e.g. when running oldconfig). It selects | ||
| CONFIG_NETFILTER_XT_TARGET_FULLCONENAT. | ||
|
|
||
| config IP_NF_TARGET_REDIRECT | ||
| tristate "REDIRECT target support" | ||
| depends on NETFILTER_ADVANCED | ||
| select NETFILTER_XT_TARGET_REDIRECT | ||
| ---help--- | ||
| This is a backwards-compat option for the user's convenience | ||
| (e.g. when running oldconfig). It selects | ||
| CONFIG_NETFILTER_XT_TARGET_REDIRECT. | ||
|
|
||
| endif # IP_NF_NAT | ||
|
|
||
| # mangle + specific targets | ||
| config IP_NF_MANGLE | ||
| tristate "Packet mangling" | ||
| default m if NETFILTER_ADVANCED=n | ||
| help | ||
| This option adds a `mangle' table to iptables: see the man page for | ||
| iptables(8). This table is used for various packet alterations | ||
| which can effect how the packet is routed. | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
|
|
||
| config IP_NF_TARGET_CLUSTERIP | ||
| tristate "CLUSTERIP target support" | ||
| depends on IP_NF_MANGLE | ||
| depends on NF_CONNTRACK | ||
| depends on NETFILTER_ADVANCED | ||
| select NF_CONNTRACK_MARK | ||
| select NETFILTER_FAMILY_ARP | ||
| help | ||
| The CLUSTERIP target allows you to build load-balancing clusters of | ||
| network servers without having a dedicated load-balancing | ||
| router/server/switch. | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
|
|
||
| config IP_NF_TARGET_ECN | ||
| tristate "ECN target support" | ||
| depends on IP_NF_MANGLE | ||
| depends on NETFILTER_ADVANCED | ||
| ---help--- | ||
| This option adds a `ECN' target, which can be used in the iptables mangle | ||
| table. | ||
|
|
||
| You can use this target to remove the ECN bits from the IPv4 header of | ||
| an IP packet. This is particularly useful, if you need to work around | ||
| existing ECN blackholes on the internet, but don't want to disable | ||
| ECN support in general. | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
|
|
||
| config IP_NF_TARGET_TTL | ||
| tristate '"TTL" target support' | ||
| depends on NETFILTER_ADVANCED && IP_NF_MANGLE | ||
| select NETFILTER_XT_TARGET_HL | ||
| ---help--- | ||
| This is a backwards-compatible option for the user's convenience | ||
| (e.g. when running oldconfig). It selects | ||
| CONFIG_NETFILTER_XT_TARGET_HL. | ||
|
|
||
| # raw + specific targets | ||
| config IP_NF_RAW | ||
| tristate 'raw table support (required for NOTRACK/TRACE)' | ||
| help | ||
| This option adds a `raw' table to iptables. This table is the very | ||
| first in the netfilter framework and hooks in at the PREROUTING | ||
| and OUTPUT chains. | ||
|
|
||
| If you want to compile it as a module, say M here and read | ||
| <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. | ||
|
|
||
| # security table for MAC policy | ||
| config IP_NF_SECURITY | ||
| tristate "Security table" | ||
| depends on SECURITY | ||
| depends on NETFILTER_ADVANCED | ||
| help | ||
| This option adds a `security' table to iptables, for use | ||
| with Mandatory Access Control (MAC) policy. | ||
|
|
||
| If unsure, say N. | ||
|
|
||
| endif # IP_NF_IPTABLES | ||
|
|
||
| # ARP tables | ||
| config IP_NF_ARPTABLES | ||
| tristate "ARP tables support" | ||
| select NETFILTER_XTABLES | ||
| select NETFILTER_FAMILY_ARP | ||
| depends on NETFILTER_ADVANCED | ||
| help | ||
| arptables is a general, extensible packet identification framework. | ||
| The ARP packet filtering and mangling (manipulation)subsystems | ||
| use this: say Y or M here if you want to use either of those. | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
|
|
||
| if IP_NF_ARPTABLES | ||
|
|
||
| config IP_NF_ARPFILTER | ||
| tristate "ARP packet filtering" | ||
| help | ||
| ARP packet filtering defines a table `filter', which has a series of | ||
| rules for simple ARP packet filtering at local input and | ||
| local output. On a bridge, you can also specify filtering rules | ||
| for forwarded ARP packets. See the man page for arptables(8). | ||
|
|
||
| To compile it as a module, choose M here. If unsure, say N. | ||
|
|
||
| config IP_NF_ARP_MANGLE | ||
| tristate "ARP payload mangling" | ||
| help | ||
| Allows altering the ARP packet payload: source and destination | ||
| hardware and network addresses. | ||
|
|
||
| endif # IP_NF_ARPTABLES | ||
|
|
||
| endmenu |