Home Explore Help
Register Sign In
dingyu
/
CooCenter-System-kernel
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
CooCenter-Sy...
/
net
/
ipv4
/
netfilter
/
Kconfig

Kconfig 12 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421 
  1. #
    2. 

  2. # IP netfilter configuration
    3. 

  3. #
    4. 

  4. 

  5. menu "IP: Netfilter Configuration"
    6. 

  6. 	depends on INET && NETFILTER
    7. 

  7. 

  8. config NF_DEFRAG_IPV4
    9. 

  9. 	tristate
    10. 

  10. 	default n
    11. 

  11. 

  12. config NF_CONNTRACK_IPV4
    13. 

  13. 	tristate "IPv4 connection tracking support (required for NAT)"
    14. 

  14. 	depends on NF_CONNTRACK
    15. 

  15. 	default m if NETFILTER_ADVANCED=n
    16. 

  16. 	select NF_DEFRAG_IPV4
    17. 

  17. 	---help---
    18. 

  18. 	  Connection tracking keeps a record of what packets have passed
    19. 

  19. 	  through your machine, in order to figure out how they are related
    20. 

  20. 	  into connections.
    21. 

  21. 

  22. 	  This is IPv4 support on Layer 3 independent connection tracking.
    23. 

  23. 	  Layer 3 independent connection tracking is experimental scheme
    24. 

  24. 	  which generalize ip_conntrack to support other layer 3 protocols.
    25. 

  25. 

  26. 	  To compile it as a module, choose M here.  If unsure, say N.
    27. 

  27. 

  28. config NF_CONNTRACK_PROC_COMPAT
    29. 

  29. 	bool "proc/sysctl compatibility with old connection tracking"
    30. 

  30. 	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
    31. 

  31. 	default y
    32. 

  32. 	help
    33. 

  33. 	  This option enables /proc and sysctl compatibility with the old
    34. 

  34. 	  layer 3 dependent connection tracking. This is needed to keep
    35. 

  35. 	  old programs that have not been adapted to the new names working.
    36. 

  36. 

  37. 	  If unsure, say Y.
    38. 

  38. 

  39. if NF_TABLES
    40. 

  40. 

  41. config NF_TABLES_IPV4
    42. 

  42. 	tristate "IPv4 nf_tables support"
    43. 

  43. 	help
    44. 

  44. 	  This option enables the IPv4 support for nf_tables.
    45. 

  45. 

  46. if NF_TABLES_IPV4
    47. 

  47. 

  48. config NFT_CHAIN_ROUTE_IPV4
    49. 

  49. 	tristate "IPv4 nf_tables route chain support"
    50. 

  50. 	help
    51. 

  51. 	  This option enables the "route" chain for IPv4 in nf_tables. This
    52. 

  52. 	  chain type is used to force packet re-routing after mangling header
    53. 

  53. 	  fields such as the source, destination, type of service and
    54. 

  54. 	  the packet mark.
    55. 

  55. 

  56. config NFT_REJECT_IPV4
    57. 

  57. 	select NF_REJECT_IPV4
    58. 

  58. 	default NFT_REJECT
    59. 

  59. 	tristate
    60. 

  60. 

  61. config NFT_DUP_IPV4
    62. 

  62. 	tristate "IPv4 nf_tables packet duplication support"
    63. 

  63. 	depends on !NF_CONNTRACK || NF_CONNTRACK
    64. 

  64. 	select NF_DUP_IPV4
    65. 

  65. 	help
    66. 

  66. 	  This module enables IPv4 packet duplication support for nf_tables.
    67. 

  67. 

  68. endif # NF_TABLES_IPV4
    69. 

  69. 

  70. config NF_TABLES_ARP
    71. 

  71. 	tristate "ARP nf_tables support"
    72. 

  72. 	help
    73. 

  73. 	  This option enables the ARP support for nf_tables.
    74. 

  74. 

  75. endif # NF_TABLES
    76. 

  76. 

  77. config NF_DUP_IPV4
    78. 

  78. 	tristate "Netfilter IPv4 packet duplication to alternate destination"
    79. 

  79. 	depends on !NF_CONNTRACK || NF_CONNTRACK
    80. 

  80. 	help
    81. 

  81. 	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
    82. 

  82. 	  packet to be rerouted to another destination.
    83. 

  83. 

  84. config NF_LOG_ARP
    85. 

  85. 	tristate "ARP packet logging"
    86. 

  86. 	default m if NETFILTER_ADVANCED=n
    87. 

  87. 	select NF_LOG_COMMON
    88. 

  88. 

  89. config NF_LOG_IPV4
    90. 

  90. 	tristate "IPv4 packet logging"
    91. 

  91. 	default m if NETFILTER_ADVANCED=n
    92. 

  92. 	select NF_LOG_COMMON
    93. 

  93. 

  94. config NF_REJECT_IPV4
    95. 

  95. 	tristate "IPv4 packet rejection"
    96. 

  96. 	default m if NETFILTER_ADVANCED=n
    97. 

  97. 

  98. config NF_NAT_IPV4
    99. 

  99. 	tristate "IPv4 NAT"
    100. 

  100. 	depends on NF_CONNTRACK_IPV4
    101. 

  101. 	default m if NETFILTER_ADVANCED=n
    102. 

  102. 	select NF_NAT
    103. 

  103. 	help
    104. 

  104. 	  The IPv4 NAT option allows masquerading, port forwarding and other
    105. 

  105. 	  forms of full Network Address Port Translation. This can be
    106. 

  106. 	  controlled by iptables or nft.
    107. 

  107. 

  108. if NF_NAT_IPV4
    109. 

  109. 

  110. config NFT_CHAIN_NAT_IPV4
    111. 

  111. 	depends on NF_TABLES_IPV4
    112. 

  112. 	tristate "IPv4 nf_tables nat chain support"
    113. 

  113. 	help
    114. 

  114. 	  This option enables the "nat" chain for IPv4 in nf_tables. This
    115. 

  115. 	  chain type is used to perform Network Address Translation (NAT)
    116. 

  116. 	  packet transformations such as the source, destination address and
    117. 

  117. 	  source and destination ports.
    118. 

  118. 

  119. config NF_NAT_MASQUERADE_IPV4
    120. 

  120. 	tristate "IPv4 masquerade support"
    121. 

  121. 	help
    122. 

  122. 	  This is the kernel functionality to provide NAT in the masquerade
    123. 

  123. 	  flavour (automatic source address selection).
    124. 

  124. 

  125. config NFT_MASQ_IPV4
    126. 

  126. 	tristate "IPv4 masquerading support for nf_tables"
    127. 

  127. 	depends on NF_TABLES_IPV4
    128. 

  128. 	depends on NFT_MASQ
    129. 

  129. 	select NF_NAT_MASQUERADE_IPV4
    130. 

  130. 	help
    131. 

  131. 	  This is the expression that provides IPv4 masquerading support for
    132. 

  132. 	  nf_tables.
    133. 

  133. 

  134. config NFT_REDIR_IPV4
    135. 

  135. 	tristate "IPv4 redirect support for nf_tables"
    136. 

  136. 	depends on NF_TABLES_IPV4
    137. 

  137. 	depends on NFT_REDIR
    138. 

  138. 	select NF_NAT_REDIRECT
    139. 

  139. 	help
    140. 

  140. 	  This is the expression that provides IPv4 redirect support for
    141. 

  141. 	  nf_tables.
    142. 

  142. 

  143. config NF_NAT_SNMP_BASIC
    144. 

  144. 	tristate "Basic SNMP-ALG support"
    145. 

  145. 	depends on NF_CONNTRACK_SNMP
    146. 

  146. 	depends on NETFILTER_ADVANCED
    147. 

  147. 	default NF_NAT && NF_CONNTRACK_SNMP
    148. 

  148. 	---help---
    149. 

  149. 

  150. 	  This module implements an Application Layer Gateway (ALG) for
    151. 

  151. 	  SNMP payloads.  In conjunction with NAT, it allows a network
    152. 

  152. 	  management system to access multiple private networks with
    153. 

  153. 	  conflicting addresses.  It works by modifying IP addresses
    154. 

  154. 	  inside SNMP payloads to match IP-layer NAT mapping.
    155. 

  155. 

  156. 	  This is the "basic" form of SNMP-ALG, as described in RFC 2962
    157. 

  157. 

  158. 	  To compile it as a module, choose M here.  If unsure, say N.
    159. 

  159. 

  160. config NF_NAT_PROTO_GRE
    161. 

  161. 	tristate
    162. 

  162. 	depends on NF_CT_PROTO_GRE
    163. 

  163. 

  164. config NF_NAT_PPTP
    165. 

  165. 	tristate
    166. 

  166. 	depends on NF_CONNTRACK
    167. 

  167. 	default NF_CONNTRACK_PPTP
    168. 

  168. 	select NF_NAT_PROTO_GRE
    169. 

  169. 

  170. config NF_NAT_H323
    171. 

  171. 	tristate
    172. 

  172. 	depends on NF_CONNTRACK
    173. 

  173. 	default NF_CONNTRACK_H323
    174. 

  174. 

  175. endif # NF_NAT_IPV4
    176. 

  176. 

  177. config IP_NF_IPTABLES
    178. 

  178. 	tristate "IP tables support (required for filtering/masq/NAT)"
    179. 

  179. 	default m if NETFILTER_ADVANCED=n
    180. 

  180. 	select NETFILTER_XTABLES
    181. 

  181. 	help
    182. 

  182. 	  iptables is a general, extensible packet identification framework.
    183. 

  183. 	  The packet filtering and full NAT (masquerading, port forwarding,
    184. 

  184. 	  etc) subsystems now use this: say `Y' or `M' here if you want to use
    185. 

  185. 	  either of those.
    186. 

  186. 

  187. 	  To compile it as a module, choose M here.  If unsure, say N.
    188. 

  188. 

  189. if IP_NF_IPTABLES
    190. 

  190. 

  191. # The matches.
    192. 

  192. config IP_NF_MATCH_AH
    193. 

  193. 	tristate '"ah" match support'
    194. 

  194. 	depends on NETFILTER_ADVANCED
    195. 

  195. 	help
    196. 

  196. 	  This match extension allows you to match a range of SPIs
    197. 

  197. 	  inside AH header of IPSec packets.
    198. 

  198. 

  199. 	  To compile it as a module, choose M here.  If unsure, say N.
    200. 

  200. 

  201. config IP_NF_MATCH_ECN
    202. 

  202. 	tristate '"ecn" match support'
    203. 

  203. 	depends on NETFILTER_ADVANCED
    204. 

  204. 	select NETFILTER_XT_MATCH_ECN
    205. 

  205. 	---help---
    206. 

  206. 	This is a backwards-compat option for the user's convenience
    207. 

  207. 	(e.g. when running oldconfig). It selects
    208. 

  208. 	CONFIG_NETFILTER_XT_MATCH_ECN.
    209. 

  209. 

  210. config IP_NF_MATCH_RPFILTER
    211. 

  211. 	tristate '"rpfilter" reverse path filter match support'
    212. 

  212. 	depends on NETFILTER_ADVANCED
    213. 

  213. 	depends on IP_NF_MANGLE || IP_NF_RAW
    214. 

  214. 	---help---
    215. 

  215. 	  This option allows you to match packets whose replies would
    216. 

  216. 	  go out via the interface the packet came in.
    217. 

  217. 

  218. 	  To compile it as a module, choose M here.  If unsure, say N.
    219. 

  219. 	  The module will be called ipt_rpfilter.
    220. 

  220. 

  221. config IP_NF_MATCH_TTL
    222. 

  222. 	tristate '"ttl" match support'
    223. 

  223. 	depends on NETFILTER_ADVANCED
    224. 

  224. 	select NETFILTER_XT_MATCH_HL
    225. 

  225. 	---help---
    226. 

  226. 	This is a backwards-compat option for the user's convenience
    227. 

  227. 	(e.g. when running oldconfig). It selects
    228. 

  228. 	CONFIG_NETFILTER_XT_MATCH_HL.
    229. 

  229. 

  230. # `filter', generic and specific targets
    231. 

  231. config IP_NF_FILTER
    232. 

  232. 	tristate "Packet filtering"
    233. 

  233. 	default m if NETFILTER_ADVANCED=n
    234. 

  234. 	help
    235. 

  235. 	  Packet filtering defines a table `filter', which has a series of
    236. 

  236. 	  rules for simple packet filtering at local input, forwarding and
    237. 

  237. 	  local output.  See the man page for iptables(8).
    238. 

  238. 

  239. 	  To compile it as a module, choose M here.  If unsure, say N.
    240. 

  240. 

  241. config IP_NF_TARGET_REJECT
    242. 

  242. 	tristate "REJECT target support"
    243. 

  243. 	depends on IP_NF_FILTER
    244. 

  244. 	select NF_REJECT_IPV4
    245. 

  245. 	default m if NETFILTER_ADVANCED=n
    246. 

  246. 	help
    247. 

  247. 	  The REJECT target allows a filtering rule to specify that an ICMP
    248. 

  248. 	  error should be issued in response to an incoming packet, rather
    249. 

  249. 	  than silently being dropped.
    250. 

  250. 

  251. 	  To compile it as a module, choose M here.  If unsure, say N.
    252. 

  252. 

  253. config IP_NF_TARGET_SYNPROXY
    254. 

  254. 	tristate "SYNPROXY target support"
    255. 

  255. 	depends on NF_CONNTRACK && NETFILTER_ADVANCED
    256. 

  256. 	select NETFILTER_SYNPROXY
    257. 

  257. 	select SYN_COOKIES
    258. 

  258. 	help
    259. 

  259. 	  The SYNPROXY target allows you to intercept TCP connections and
    260. 

  260. 	  establish them using syncookies before they are passed on to the
    261. 

  261. 	  server. This allows to avoid conntrack and server resource usage
    262. 

  262. 	  during SYN-flood attacks.
    263. 

  263. 

  264. 	  To compile it as a module, choose M here. If unsure, say N.
    265. 

  265. 

  266. # NAT + specific targets: nf_conntrack
    267. 

  267. config IP_NF_NAT
    268. 

  268. 	tristate "iptables NAT support"
    269. 

  269. 	depends on NF_CONNTRACK_IPV4
    270. 

  270. 	default m if NETFILTER_ADVANCED=n
    271. 

  271. 	select NF_NAT
    272. 

  272. 	select NF_NAT_IPV4
    273. 

  273. 	select NETFILTER_XT_NAT
    274. 

  274. 	help
    275. 

  275. 	  This enables the `nat' table in iptables. This allows masquerading,
    276. 

  276. 	  port forwarding and other forms of full Network Address Port
    277. 

  277. 	  Translation.
    278. 

  278. 

  279. 	  To compile it as a module, choose M here.  If unsure, say N.
    280. 

  280. 

  281. if IP_NF_NAT
    282. 

  282. 

  283. config IP_NF_TARGET_MASQUERADE
    284. 

  284. 	tristate "MASQUERADE target support"
    285. 

  285. 	select NF_NAT_MASQUERADE_IPV4
    286. 

  286. 	default m if NETFILTER_ADVANCED=n
    287. 

  287. 	help
    288. 

  288. 	  Masquerading is a special case of NAT: all outgoing connections are
    289. 

  289. 	  changed to seem to come from a particular interface's address, and
    290. 

  290. 	  if the interface goes down, those connections are lost.  This is
    291. 

  291. 	  only useful for dialup accounts with dynamic IP address (ie. your IP
    292. 

  292. 	  address will be different on next dialup).
    293. 

  293. 

  294. 	  To compile it as a module, choose M here.  If unsure, say N.
    295. 

  295. 

  296. config IP_NF_TARGET_NETMAP
    297. 

  297. 	tristate "NETMAP target support"
    298. 

  298. 	depends on NETFILTER_ADVANCED
    299. 

  299. 	select NETFILTER_XT_TARGET_NETMAP
    300. 

  300. 	---help---
    301. 

  301. 	This is a backwards-compat option for the user's convenience
    302. 

  302. 	(e.g. when running oldconfig). It selects
    303. 

  303. 	CONFIG_NETFILTER_XT_TARGET_NETMAP.
    304. 

  304. 

  305. config IP_NF_TARGET_REDIRECT
    306. 

  306. 	tristate "REDIRECT target support"
    307. 

  307. 	depends on NETFILTER_ADVANCED
    308. 

  308. 	select NETFILTER_XT_TARGET_REDIRECT
    309. 

  309. 	---help---
    310. 

  310. 	This is a backwards-compat option for the user's convenience
    311. 

  311. 	(e.g. when running oldconfig). It selects
    312. 

  312. 	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
    313. 

  313. 

  314. endif # IP_NF_NAT
    315. 

  315. 

  316. # mangle + specific targets
    317. 

  317. config IP_NF_MANGLE
    318. 

  318. 	tristate "Packet mangling"
    319. 

  319. 	default m if NETFILTER_ADVANCED=n
    320. 

  320. 	help
    321. 

  321. 	  This option adds a `mangle' table to iptables: see the man page for
    322. 

  322. 	  iptables(8).  This table is used for various packet alterations
    323. 

  323. 	  which can effect how the packet is routed.
    324. 

  324. 

  325. 	  To compile it as a module, choose M here.  If unsure, say N.
    326. 

  326. 

  327. config IP_NF_TARGET_CLUSTERIP
    328. 

  328. 	tristate "CLUSTERIP target support"
    329. 

  329. 	depends on IP_NF_MANGLE
    330. 

  330. 	depends on NF_CONNTRACK_IPV4
    331. 

  331. 	depends on NETFILTER_ADVANCED
    332. 

  332. 	select NF_CONNTRACK_MARK
    333. 

  333. 	help
    334. 

  334. 	  The CLUSTERIP target allows you to build load-balancing clusters of
    335. 

  335. 	  network servers without having a dedicated load-balancing
    336. 

  336. 	  router/server/switch.
    337. 

  337. 	
    338. 

  338. 	  To compile it as a module, choose M here.  If unsure, say N.
    339. 

  339. 

  340. config IP_NF_TARGET_ECN
    341. 

  341. 	tristate "ECN target support"
    342. 

  342. 	depends on IP_NF_MANGLE
    343. 

  343. 	depends on NETFILTER_ADVANCED
    344. 

  344. 	---help---
    345. 

  345. 	  This option adds a `ECN' target, which can be used in the iptables mangle
    346. 

  346. 	  table.  
    347. 

  347. 

  348. 	  You can use this target to remove the ECN bits from the IPv4 header of
    349. 

  349. 	  an IP packet.  This is particularly useful, if you need to work around
    350. 

  350. 	  existing ECN blackholes on the internet, but don't want to disable
    351. 

  351. 	  ECN support in general.
    352. 

  352. 

  353. 	  To compile it as a module, choose M here.  If unsure, say N.
    354. 

  354. 

  355. config IP_NF_TARGET_TTL
    356. 

  356. 	tristate '"TTL" target support'
    357. 

  357. 	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
    358. 

  358. 	select NETFILTER_XT_TARGET_HL
    359. 

  359. 	---help---
    360. 

  360. 	This is a backwards-compatible option for the user's convenience
    361. 

  361. 	(e.g. when running oldconfig). It selects
    362. 

  362. 	CONFIG_NETFILTER_XT_TARGET_HL.
    363. 

  363. 

  364. # raw + specific targets
    365. 

  365. config IP_NF_RAW
    366. 

  366. 	tristate  'raw table support (required for NOTRACK/TRACE)'
    367. 

  367. 	help
    368. 

  368. 	  This option adds a `raw' table to iptables. This table is the very
    369. 

  369. 	  first in the netfilter framework and hooks in at the PREROUTING
    370. 

  370. 	  and OUTPUT chains.
    371. 

  371. 	
    372. 

  372. 	  If you want to compile it as a module, say M here and read
    373. 

  373. 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
    374. 

  374. 

  375. # security table for MAC policy
    376. 

  376. config IP_NF_SECURITY
    377. 

  377. 	tristate "Security table"
    378. 

  378. 	depends on SECURITY
    379. 

  379. 	depends on NETFILTER_ADVANCED
    380. 

  380. 	help
    381. 

  381. 	  This option adds a `security' table to iptables, for use
    382. 

  382. 	  with Mandatory Access Control (MAC) policy.
    383. 

  383. 	 
    384. 

  384. 	  If unsure, say N.
    385. 

  385. 

  386. endif # IP_NF_IPTABLES
    387. 

  387. 

  388. # ARP tables
    389. 

  389. config IP_NF_ARPTABLES
    390. 

  390. 	tristate "ARP tables support"
    391. 

  391. 	select NETFILTER_XTABLES
    392. 

  392. 	depends on NETFILTER_ADVANCED
    393. 

  393. 	help
    394. 

  394. 	  arptables is a general, extensible packet identification framework.
    395. 

  395. 	  The ARP packet filtering and mangling (manipulation)subsystems
    396. 

  396. 	  use this: say Y or M here if you want to use either of those.
    397. 

  397. 

  398. 	  To compile it as a module, choose M here.  If unsure, say N.
    399. 

  399. 

  400. if IP_NF_ARPTABLES
    401. 

  401. 

  402. config IP_NF_ARPFILTER
    403. 

  403. 	tristate "ARP packet filtering"
    404. 

  404. 	help
    405. 

  405. 	  ARP packet filtering defines a table `filter', which has a series of
    406. 

  406. 	  rules for simple ARP packet filtering at local input and
    407. 

  407. 	  local output.  On a bridge, you can also specify filtering rules
    408. 

  408. 	  for forwarded ARP packets. See the man page for arptables(8).
    409. 

  409. 

  410. 	  To compile it as a module, choose M here.  If unsure, say N.
    411. 

  411. 

  412. config IP_NF_ARP_MANGLE
    413. 

  413. 	tristate "ARP payload mangling"
    414. 

  414. 	help
    415. 

  415. 	  Allows altering the ARP packet payload: source and destination
    416. 

  416. 	  hardware and network addresses.
    417. 

  417. 

  418. endif # IP_NF_ARPTABLES
    419. 

  419. 

  420. endmenu
    421. 

  421.