|
|
@@ -197,251 +197,12 @@ config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_TCPMSS
|
|
|
endmenu
|
|
|
|
|
|
menu "IP: Netfilter Configuration"
|
|
|
+source target/linux/config/Config.in.netfilter.ip4
|
|
|
+endmenu
|
|
|
|
|
|
-config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4
|
|
|
- bool 'IPv4 connection tracking support (required for NAT)'
|
|
|
- select ADK_KPACKAGE_KMOD_NF_CONNTRACK
|
|
|
- help
|
|
|
- Connection tracking keeps a record of what packets have passed
|
|
|
- through your machine, in order to figure out how they are related
|
|
|
- into connections.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_CT_ACCT
|
|
|
- bool 'Connection tracking flow accounting'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
|
|
|
- help
|
|
|
- If this option is enabled, the connection tracking code will
|
|
|
- keep per-flow packet and byte counters.
|
|
|
-
|
|
|
- Those counters can be used for flow-based accounting or the
|
|
|
- `connbytes' match.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_MARK
|
|
|
- bool 'Connection mark tracking support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
|
|
|
- select ADK_KERNEL_IP_NF_MATCH_CONNMARK
|
|
|
- help
|
|
|
- This option enables support for connection marks, used by the
|
|
|
- `CONNMARK' target and `connmark' match. Similar to the mark value
|
|
|
- of packets, but this mark value is kept in the conntrack session
|
|
|
- instead of the individual packets.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_SECMARK
|
|
|
- bool 'Connection tracking security mark support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
|
|
|
- #FIXME select NETWORK_SECMARK
|
|
|
- help
|
|
|
- This option enables security markings to be applied to
|
|
|
- connections. Typically they are copied to connections from
|
|
|
- packets using the CONNSECMARK target and copied back from
|
|
|
- connections to packets with the same target, with the packets
|
|
|
- being originally labeled via SECMARK.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_FTP
|
|
|
- tristate 'FTP protocol support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
|
|
|
- help
|
|
|
- Tracking FTP connections is problematic: special helpers are
|
|
|
- required for tracking them, and doing masquerading and other forms
|
|
|
- of Network Address Translation on them.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_IRC
|
|
|
- tristate 'IRC protocol support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
|
|
|
- help
|
|
|
- There is a commonly-used extension to IRC called
|
|
|
- Direct Client-to-Client Protocol (DCC). This enables users to send
|
|
|
- files to each other, and also chat to each other without the need
|
|
|
- of a server. DCC Sending is used anywhere you send files over IRC,
|
|
|
- and DCC Chat is most commonly used by Eggdrop bots. If you are
|
|
|
- using NAT, this extension will enable you to send files and initiate
|
|
|
- chats. Note that you do NOT need this extension to get files or
|
|
|
- have others initiate chats, or everything else in IRC.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_NETBIOS_NS
|
|
|
- tristate 'NetBIOS name service protocol support (EXPERIMENTAL)'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
|
|
|
- help
|
|
|
- NetBIOS name service requests are sent as broadcast messages from an
|
|
|
- unprivileged port and responded to with unicast messages to the
|
|
|
- same port. This make them hard to firewall properly because connection
|
|
|
- tracking doesn't deal with broadcasts. This helper tracks locally
|
|
|
- originating NetBIOS name service requests and the corresponding
|
|
|
- responses. It relies on correct IP address configuration, specifically
|
|
|
- netmask and broadcast address. When properly configured, the output
|
|
|
- of "ip address show" should look similar to this:
|
|
|
-
|
|
|
- $ ip -4 address show eth0
|
|
|
- 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
|
|
|
- inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_TFTP
|
|
|
- tristate 'TFTP protocol support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
|
|
|
- help
|
|
|
- TFTP connection tracking helper, this is required depending
|
|
|
- on how restrictive your ruleset is.
|
|
|
- If you are using a tftp client behind -j SNAT or -j MASQUERADING
|
|
|
- you will need this.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_AMANDA
|
|
|
- tristate 'Amanda backup protocol support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
|
|
|
- #FIXME TEXTSEARCH && TEXTSEARCH_KMP
|
|
|
- help
|
|
|
- If you are running the Amanda backup package <http://www.amanda.org/>
|
|
|
- on this machine or machines that will be MASQUERADED through this
|
|
|
- machine, then you may want to enable this feature. This allows the
|
|
|
- connection tracking and natting code to allow the sub-channels that
|
|
|
- Amanda requires for communication of the backup data, messages and
|
|
|
- index.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_PPTP
|
|
|
- tristate 'PPTP protocol support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
|
|
|
- help
|
|
|
- This module adds support for PPTP (Point to Point Tunnelling
|
|
|
- Protocol, RFC2637) connection tracking and NAT.
|
|
|
-
|
|
|
- If you are running PPTP sessions over a stateful firewall or NAT
|
|
|
- box, you may want to enable this feature.
|
|
|
-
|
|
|
- Please note that not all PPTP modes of operation are supported yet.
|
|
|
- For more info, read top of the file
|
|
|
- net/ipv4/netfilter/ip_conntrack_pptp.c
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_H323
|
|
|
- tristate 'H.323 protocol support (EXPERIMENTAL)'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
|
|
|
- help
|
|
|
- H.323 is a VoIP signalling protocol from ITU-T. As one of the most
|
|
|
- important VoIP protocols, it is widely used by voice hardware and
|
|
|
- software including voice gateways, IP phones, Netmeeting, OpenPhone,
|
|
|
- Gnomemeeting, etc.
|
|
|
-
|
|
|
- With this module you can support H.323 on a connection tracking/NAT
|
|
|
- firewall.
|
|
|
-
|
|
|
- This module supports RAS, Fast Start, H.245 Tunnelling, Call
|
|
|
- Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
|
|
|
- whiteboard, file transfer, etc. For more information, please
|
|
|
- visit http://nath323.sourceforge.net/.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_SIP
|
|
|
- tristate 'SIP protocol support (EXPERIMENTAL)'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
|
|
|
- help
|
|
|
- SIP is an application-layer control protocol that can establish,
|
|
|
- modify, and terminate multimedia sessions (conferences) such as
|
|
|
- Internet telephony calls. With the ip_conntrack_sip and
|
|
|
- the ip_nat_sip modules you can support the protocol on a connection
|
|
|
- tracking/NATing firewall.
|
|
|
-
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
|
|
|
- tristate 'IP tables support (required for filtering/masq/NAT)'
|
|
|
- select ADK_KERNEL_NETFILTER_XTABLES
|
|
|
- help
|
|
|
- iptables is a general, extensible packet identification framework.
|
|
|
- The packet filtering and full NAT (masquerading, port forwarding,
|
|
|
- etc) subsystems now use this: say `Y' or `M' here if you want to use
|
|
|
- either of those.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_FILTER
|
|
|
- tristate 'Packet Filtering'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
|
|
|
- help
|
|
|
- Packet filtering defines a table `filter', which has a series of
|
|
|
- rules for simple packet filtering at local input, forwarding and
|
|
|
- local output. See the man page for iptables(8).
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_NF_NAT
|
|
|
- tristate 'Full NAT'
|
|
|
- depends on ADK_KPACKAGE_KMOD_NF_IP_IPTABLES
|
|
|
- help
|
|
|
- The Full NAT option allows masquerading, port forwarding and other
|
|
|
- forms of full Network Address Port Translation. It is controlled by
|
|
|
- the `nat' table in iptables: see the man page for iptables(8).
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_MASQUERADE
|
|
|
- tristate 'MASQUERADE target support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_NF_NAT
|
|
|
- help
|
|
|
- Masquerading is a special case of NAT: all outgoing connections are
|
|
|
- changed to seem to come from a particular interface's address, and
|
|
|
- if the interface goes down, those connections are lost. This is
|
|
|
- only useful for dialup accounts with dynamic IP address (ie. your IP
|
|
|
- address will be different on next dialup).
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REJECT
|
|
|
- tristate 'REJECT target support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
|
|
|
- help
|
|
|
- The REJECT target allows a filtering rule to specify that an ICMP
|
|
|
- error should be issued in response to an incoming packet, rather
|
|
|
- than silently being dropped.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_LOG
|
|
|
- tristate 'LOG target support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
|
|
|
- help
|
|
|
- This option adds a `LOG' target, which allows you to create rules in
|
|
|
- any iptables table which records the packet header to the syslog.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ULOG
|
|
|
- tristate 'ULOG target support (ipv4 only)'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
|
|
|
- help
|
|
|
- This option enables the old IPv4-only "ipt_ULOG" implementation
|
|
|
- which has been obsoleted by the new "nfnetlink_log" code (see
|
|
|
- CONFIG_NETFILTER_NETLINK_LOG).
|
|
|
-
|
|
|
- This option adds a `ULOG' target, which allows you to create rules in
|
|
|
- any iptables table. The packet is passed to a userspace logging
|
|
|
- daemon using netlink multicast sockets; unlike the LOG target
|
|
|
- which can only be viewed through syslog.
|
|
|
-
|
|
|
- The appropriate userspace logging daemon (ulogd) may be obtained from
|
|
|
- <http://www.gnumonks.org/projects/ulogd/>
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT
|
|
|
- tristate 'REDIRECT target support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_NF_NAT
|
|
|
- help
|
|
|
- REDIRECT is a special case of NAT: all incoming connections are
|
|
|
- mapped onto the incoming interface's address, causing the packets to
|
|
|
- come to the local machine instead of passing through. This is
|
|
|
- useful for transparent proxies.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP
|
|
|
- tristate 'NETMAP target support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_NF_NAT
|
|
|
- help
|
|
|
- NETMAP is an implementation of static 1:1 NAT mapping of network
|
|
|
- addresses. It maps the network address part, while keeping the host
|
|
|
- address part intact. It is similar to Fast NAT, except that
|
|
|
- Netfilter's connection tracking doesn't work well with Fast NAT.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_MANGLE
|
|
|
- tristate 'Packet mangling'
|
|
|
- depends on ADK_KPACKAGE_KMOD_NF_NAT
|
|
|
- help
|
|
|
- This option adds a `mangle' table to iptables: see the man page for
|
|
|
- iptables(8). This table is used for various packet alterations
|
|
|
- which can effect how the packet is routed.
|
|
|
-
|
|
|
-config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ECN
|
|
|
- tristate 'ECN target support'
|
|
|
- depends on ADK_KPACKAGE_KMOD_IP_NF_MANGLE
|
|
|
- help
|
|
|
- This option adds a `ECN' target, which can be used in the iptables mangle
|
|
|
- table.
|
|
|
-
|
|
|
- You can use this target to remove the ECN bits from the IPv4 header of
|
|
|
- an IP packet. This is particularly useful, if you need to work around
|
|
|
- existing ECN blackholes on the internet, but don't want to disable
|
|
|
- ECN support in general.
|
|
|
-
|
|
|
+menu "IPv6: Netfilter Configuration"
|
|
|
+ depends on ADK_ENABLE_IPV6
|
|
|
+source target/linux/config/Config.in.netfilter.ip6
|
|
|
endmenu
|
|
|
|
|
|
menu "Ethernet bridge firewalling"
|
Phil Sutter