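# SPDX-License-Identifier: GPL-2.0-only
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

# old sockopt interface and eval loop
config IP_NF_IPTABLES_LEGACY
	tristate "Legacy IP tables support"
	depends on NETFILTER_XTABLES_LEGACY
	depends on NETFILTER_XTABLES
	default m if NETFILTER_XTABLES_LEGACY
	help
	  iptables is a legacy packet classifier.
	  This is not needed if you are using iptables over nftables
	  (iptables-nft).

config NF_SOCKET_IPV4
	tristate "IPv4 socket lookup support"
	help
	  This option enables the IPv4 socket lookup infrastructure. This
	  is required by the {ip,nf}tables socket match.

config NF_TPROXY_IPV4
	tristate "IPv4 tproxy support"

if NF_TABLES

config NF_TABLES_IPV4
	bool "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_REJECT_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.

config NFT_FIB_IPV4
	select NFT_FIB
	tristate "nf_tables fib / ip route lookup support"
	help
	  This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	bool "ARP nf_tables support"
	select NETFILTER_FAMILY_ARP
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_SYSLOG
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_SYSLOG
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

if NF_NAT
# Application layer gateway: rewrites addresses inside SNMP payloads, so it
# parses ASN.1-encoded packet data in the kernel (hence "select ASN1").
# Extra parsing surface on the forwarding path; keep it off unless SNMP
# management across NAT is actually needed.
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	select ASN1
	help

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

# Matches on whether the reply to a packet would leave via its ingress
# interface; typically used as the building block for source-address
# spoofing protection in the mangle/raw tables (see the depends line).
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW || NFT_COMPAT
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n || IP_NF_IPTABLES_LEGACY
	depends on IP_NF_IPTABLES_LEGACY
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER || NFT_COMPAT
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

# SYNPROXY completes the TCP handshake on the server's behalf using
# syncookies, which is why it has to select SYN_COOKIES.
config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows you to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK
	depends on IP_NF_IPTABLES_LEGACY
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NETFILTER_XT_TARGET_MASQUERADE
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n || IP_NF_IPTABLES_LEGACY
	depends on IP_NF_IPTABLES_LEGACY
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES_LEGACY
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	depends on IP_NF_IPTABLES_LEGACY
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "Legacy ARPTABLES support"
	depends on NETFILTER_XTABLES_LEGACY
	depends on NETFILTER_XTABLES
	default n
	help
	  arptables is a legacy packet classifier.
	  This is not needed if you are using arptables over nftables
	  (iptables-nft).

config NFT_COMPAT_ARP
	tristate
	depends on NF_TABLES_ARP && NFT_COMPAT
	default m if NFT_COMPAT=m
	default y if NFT_COMPAT=y

config IP_NF_ARPFILTER
	tristate "arptables-legacy packet filtering support"
	select IP_NF_ARPTABLES
	select NETFILTER_FAMILY_ARP
	depends on NETFILTER_XTABLES_LEGACY
	depends on NETFILTER_XTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  This is only needed for arptables-legacy(8).
	  Neither arptables-nft nor nftables need this to work.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES || NFT_COMPAT_ARP
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

	  This option is needed by both arptables-legacy and arptables-nft.
	  It is not used by nftables.

endmenu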