Config.in.netfilter 14 KB

  1. menu "Netfilter (Firewall/Filtering)"
  2. config ADK_KERNEL_NETFILTER
  3. bool
  4. default n
  5. config ADK_KERNEL_NETFILTER_ADVANCED
  6. bool
  7. default n
  8. config ADK_KERNEL_NETFILTER_XTABLES
  9. bool
  10. select ADK_KERNEL_NETFILTER
  11. select ADK_KERNEL_NETFILTER_ADVANCED
  12. default n
  13. config ADK_KERNEL_NETFILTER_DEBUG
  14. bool
  15. default n
  16. config ADK_KERNEL_IP_NF_MATCH_LAYER7_DEBUG
  17. bool
  18. default n
  19. config ADK_KERNEL_IP_NF_TARGET_MIRROR
  20. tristate
  21. default n
  22. config ADK_KERNEL_IP_NF_NAT_SNMP_BASIC
  23. tristate
  24. default n
  25. config ADK_KERNEL_IP_NF_TARGET_DSCP
  26. tristate
  27. default n
  28. config ADK_KERNEL_IP_NF_TARGET_MARK
  29. tristate
  30. default n
  31. config ADK_KERNEL_IP_NF_TARGET_CLASSIFY
  32. tristate
  33. default n
  34. config ADK_KERNEL_IP_NF_TARGET_IMQ
  35. tristate
  36. default n
  37. config ADK_KERNEL_IP_NF_TARGET_CONNMARK
  38. tristate
  39. default n
  40. config ADK_KERNEL_IP_NF_ARPTABLES
  41. tristate
  42. default n
  43. config ADK_KERNEL_IP_NF_COMPAT_IPCHAINS
  44. tristate
  45. default n
  46. config ADK_KERNEL_IP_NF_COMPAT_IPFWADM
  47. tristate
  48. default n
  49. config ADK_KERNEL_IP6_NF_QUEUE
  50. tristate
  51. default n
  52. config ADK_KERNEL_IP6_NF_IPTABLES
  53. tristate
  54. default n
  55. config ADK_KERNEL_IP_ROUTE_FWMARK
  56. bool
  57. default n
  58. config ADK_KERNEL_IP_NF_QUEUE
  59. tristate
  60. default n
  61. config ADK_KERNEL_IP_NF_MATCH_TIME
  62. tristate
  63. default n
  64. config ADK_KERNEL_IP_NF_MATCH_CONDITION
  65. tristate
  66. default n
  67. config ADK_KERNEL_IP_NF_MATCH_DSCP
  68. tristate
  69. default n
  70. config ADK_KERNEL_IP_NF_MATCH_AH_ESP
  71. tristate
  72. default n
  73. config ADK_KERNEL_IP_NF_MATCH_LENGTH
  74. tristate
  75. default n
  76. config ADK_KERNEL_IP_NF_MATCH_HELPER
  77. tristate
  78. default n
  79. # cannot be ADK_KERNEL_IP_NF_MATCH_STATE because
  80. # netfilter is built as a module -> this'll always be
  81. # a module, too
  82. config ADK_KPACKAGE_KMOD_IP_NF_MATCH_STATE
  83. tristate
  84. select ADK_KPACKAGE_KMOD_NETFILTER_XT_MATCH_STATE
  85. default n
  86. config ADK_KPACKAGE_KMOD_NETFILTER_XT_MATCH_STATE
  87. tristate
  88. default n
  89. # cannot be ADK_KERNEL_IP_NF_MATCH_CONNTRACK because
  90. # netfilter is built as a module -> this'll always be
  91. # a module, too
  92. config ADK_KPACKAGE_KMOD_IP_NF_MATCH_CONNTRACK
  93. tristate
  94. default n
  95. config ADK_KERNEL_IP_NF_MATCH_CONNMARK
  96. tristate
  97. default n
  98. config ADK_KERNEL_IP_NF_MATCH_UNCLEAN
  99. tristate
  100. default n
  101. config ADK_KERNEL_IP_NF_MATCH_STRING
  102. tristate
  103. default n
  104. menu "Core Netfilter Configuration"
  105. config ADK_KPACKAGE_KMOD_NF_CONNTRACK
  106. tristate 'Netfilter connection tracking support'
  107. select ADK_KERNEL_NETFILTER_XTABLES
  108. help
  109. Connection tracking keeps a record of what packets have passed
  110. through your machine, in order to figure out how they are related
  111. into connections.
  112. Layer 3 independent connection tracking is an experimental scheme
  113. which generalizes ip_conntrack to support other layer 3 protocols.
  114. config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_CLASSIFY
  115. tristate '"CLASSIFY" target support'
  116. select ADK_KERNEL_NETFILTER_XTABLES
  117. help
  118. This option adds a `CLASSIFY' target, which enables the user to set
  119. the priority of a packet. Some qdiscs can use this value for
  120. classification, among these are:
  121. atm, cbq, dsmark, pfifo_fast, htb, prio
  122. config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_CONNMARK
  123. tristate '"CONNMARK" target support'
  124. select ADK_KERNEL_NETFILTER_XTABLES
  125. select ADK_KPACKAGE_KMOD_NF_CONNTRACK
  126. help
  127. This option adds a `CONNMARK' target, which allows one to manipulate
  128. the connection mark value. Similar to the MARK target, but
  129. affects the connection mark value rather than the packet mark value.
  130. config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_MARK
  131. tristate '"MARK" target support'
  132. select ADK_KERNEL_NETFILTER_XTABLES
  133. help
  134. This option adds a `MARK' target, which allows you to create rules
  135. in the `mangle' table which alter the netfilter mark (nfmark) field
  136. associated with the packet prior to routing. This can change
  137. the routing method (see `Use netfilter MARK value as routing
  138. key') and can also be used by other subsystems to change their
  139. behavior.
  140. config ADK_KPACKAGE_KMOD_NETFILTER_XT_TARGET_NFQUEUE
  141. tristate '"NFQUEUE" target support'
  142. select ADK_KERNEL_NETFILTER_XTABLES
  143. help
  144. This target replaced the old obsolete QUEUE target.
  145. As opposed to QUEUE, it supports 65535 different queues,
  146. not just one.
  147. endmenu
  148. menu "IP: Netfilter Configuration"
  149. config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4
  150. bool 'IPv4 connection tracking support (required for NAT)'
  151. select ADK_KPACKAGE_KMOD_NF_CONNTRACK
  152. help
  153. Connection tracking keeps a record of what packets have passed
  154. through your machine, in order to figure out how they are related
  155. into connections.
  156. config ADK_KPACKAGE_KMOD_IP_NF_CT_ACCT
  157. bool 'Connection tracking flow accounting'
  # NOTE(review): the dependency below names ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK, but
  # the conntrack symbols defined in this file are ADK_KPACKAGE_KMOD_NF_CONNTRACK
  # and ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4. Unless the IP_NF_ name is defined in
  # another Config.in file, this dependency is never satisfied and the option
  # cannot be enabled. The conntrack mark/secmark entries and the protocol helper
  # entries in this menu use the same dependency - confirm which symbol is meant.
  158. depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
  159. help
  160. If this option is enabled, the connection tracking code will
  161. keep per-flow packet and byte counters.
  162. Those counters can be used for flow-based accounting or the
  163. `connbytes' match.
  164. config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_MARK
  165. bool 'Connection mark tracking support'
  166. depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
  167. select ADK_KERNEL_IP_NF_MATCH_CONNMARK
  168. help
  169. This option enables support for connection marks, used by the
  170. `CONNMARK' target and `connmark' match. Similar to the mark value
  171. of packets, but this mark value is kept in the conntrack session
  172. instead of the individual packets.
  173. config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_SECMARK
  174. bool 'Connection tracking security mark support'
  175. depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
  176. #FIXME select NETWORK_SECMARK
  177. help
  178. This option enables security markings to be applied to
  179. connections. Typically they are copied to connections from
  180. packets using the CONNSECMARK target and copied back from
  181. connections to packets with the same target, with the packets
  182. being originally labeled via SECMARK.
  183. config ADK_KPACKAGE_KMOD_IP_NF_FTP
  # NOTE(review): a conntrack helper follows the protocol's control channel so that
  # the data connections negotiated over it are tracked and NATed as related
  # traffic; a ruleset that accepts RELATED connections will then let them through.
  # Presumably only the helpers a deployment actually needs should be built and
  # loaded - confirm per target. The same consideration applies to the other
  # protocol helper entries in this menu (IRC, NetBIOS-NS, TFTP, Amanda, PPTP,
  # H.323, SIP).
  184. tristate 'FTP protocol support'
  185. depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
  186. help
  187. Tracking FTP connections is problematic: special helpers are
  188. required for tracking them, and doing masquerading and other forms
  189. of Network Address Translation on them.
  190. config ADK_KPACKAGE_KMOD_IP_NF_IRC
  191. tristate 'IRC protocol support'
  192. depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
  193. help
  194. There is a commonly-used extension to IRC called
  195. Direct Client-to-Client Protocol (DCC). This enables users to send
  196. files to each other, and also chat to each other without the need
  197. of a server. DCC Sending is used anywhere you send files over IRC,
  198. and DCC Chat is most commonly used by Eggdrop bots. If you are
  199. using NAT, this extension will enable you to send files and initiate
  200. chats. Note that you do NOT need this extension to get files or
  201. have others initiate chats, or everything else in IRC.
  202. config ADK_KPACKAGE_KMOD_IP_NF_NETBIOS_NS
  203. tristate 'NetBIOS name service protocol support (EXPERIMENTAL)'
  204. depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
  205. help
  206. NetBIOS name service requests are sent as broadcast messages from an
  207. unprivileged port and responded to with unicast messages to the
  208. same port. This makes them hard to firewall properly because connection
  209. tracking doesn't deal with broadcasts. This helper tracks locally
  210. originating NetBIOS name service requests and the corresponding
  211. responses. It relies on correct IP address configuration, specifically
  212. netmask and broadcast address. When properly configured, the output
  213. of "ip address show" should look similar to this:
  214. $ ip -4 address show eth0
  215. 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
  216. inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
  217. config ADK_KPACKAGE_KMOD_IP_NF_TFTP
  218. tristate 'TFTP protocol support'
  219. depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
  220. help
  221. TFTP connection tracking helper. This is required depending
  222. on how restrictive your ruleset is.
  223. If you are using a tftp client behind -j SNAT or -j MASQUERADE
  224. you will need this.
  225. config ADK_KPACKAGE_KMOD_IP_NF_AMANDA
  226. tristate 'Amanda backup protocol support'
  227. depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
  228. #FIXME TEXTSEARCH && TEXTSEARCH_KMP
  229. help
  230. If you are running the Amanda backup package <http://www.amanda.org/>
  231. on this machine or machines that will be MASQUERADED through this
  232. machine, then you may want to enable this feature. This allows the
  233. connection tracking and natting code to allow the sub-channels that
  234. Amanda requires for communication of the backup data, messages and
  235. index.
  236. config ADK_KPACKAGE_KMOD_IP_NF_PPTP
  237. tristate 'PPTP protocol support'
  238. depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
  239. help
  240. This module adds support for PPTP (Point to Point Tunnelling
  241. Protocol, RFC2637) connection tracking and NAT.
  242. If you are running PPTP sessions over a stateful firewall or NAT
  243. box, you may want to enable this feature.
  244. Please note that not all PPTP modes of operation are supported yet.
  245. For more info, read top of the file
  246. net/ipv4/netfilter/ip_conntrack_pptp.c
  247. config ADK_KPACKAGE_KMOD_IP_NF_H323
  248. tristate 'H.323 protocol support (EXPERIMENTAL)'
  249. depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
  250. help
  251. H.323 is a VoIP signalling protocol from ITU-T. As one of the most
  252. important VoIP protocols, it is widely used by voice hardware and
  253. software including voice gateways, IP phones, Netmeeting, OpenPhone,
  254. Gnomemeeting, etc.
  255. With this module you can support H.323 on a connection tracking/NAT
  256. firewall.
  257. This module supports RAS, Fast Start, H.245 Tunnelling, Call
  258. Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
  259. whiteboard, file transfer, etc. For more information, please
  260. visit http://nath323.sourceforge.net/.
  261. config ADK_KPACKAGE_KMOD_IP_NF_SIP
  262. tristate 'SIP protocol support (EXPERIMENTAL)'
  263. depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
  264. help
  265. SIP is an application-layer control protocol that can establish,
  266. modify, and terminate multimedia sessions (conferences) such as
  267. Internet telephony calls. With the ip_conntrack_sip and
  268. the ip_nat_sip modules you can support the protocol on a connection
  269. tracking/NATing firewall.
  270. config ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
  271. tristate 'IP tables support (required for filtering/masq/NAT)'
  272. select ADK_KERNEL_NETFILTER_XTABLES
  273. help
  274. iptables is a general, extensible packet identification framework.
  275. The packet filtering and full NAT (masquerading, port forwarding,
  276. etc) subsystems now use this: say `Y' or `M' here if you want to use
  277. either of those.
  278. config ADK_KPACKAGE_KMOD_IP_NF_FILTER
  279. tristate 'Packet Filtering'
  280. depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
  281. help
  282. Packet filtering defines a table `filter', which has a series of
  283. rules for simple packet filtering at local input, forwarding and
  284. local output. See the man page for iptables(8).
  285. config ADK_KPACKAGE_KMOD_NF_NAT
  286. tristate 'Full NAT'
  287. depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
  288. help
  289. The Full NAT option allows masquerading, port forwarding and other
  290. forms of full Network Address Port Translation. It is controlled by
  291. the `nat' table in iptables: see the man page for iptables(8).
  292. config ADK_KPACKAGE_KMOD_IP_NF_TARGET_MASQUERADE
  293. tristate 'MASQUERADE target support'
  294. depends on ADK_KPACKAGE_KMOD_NF_NAT
  295. help
  296. Masquerading is a special case of NAT: all outgoing connections are
  297. changed to seem to come from a particular interface's address, and
  298. if the interface goes down, those connections are lost. This is
  299. only useful for dialup accounts with dynamic IP address (i.e. your IP
  300. address will be different on next dialup).
  301. config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REJECT
  302. tristate 'REJECT target support'
  303. depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
  304. help
  305. The REJECT target allows a filtering rule to specify that an ICMP
  306. error should be issued in response to an incoming packet, rather
  307. than silently being dropped.
  308. config ADK_KPACKAGE_KMOD_IP_NF_TARGET_LOG
  309. tristate 'LOG target support'
  310. depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
  311. help
  312. This option adds a `LOG' target, which allows you to create rules in
  313. any iptables table which records the packet header to the syslog.
  314. config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ULOG
  315. tristate 'ULOG target support (ipv4 only)'
  316. depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
  317. help
  318. This option enables the old IPv4-only "ipt_ULOG" implementation
  319. which has been obsoleted by the new "nfnetlink_log" code (see
  320. CONFIG_NETFILTER_NETLINK_LOG).
  321. This option adds a `ULOG' target, which allows you to create rules in
  322. any iptables table. The packet is passed to a userspace logging
  323. daemon using netlink multicast sockets; unlike the LOG target
  324. which can only be viewed through syslog.
  325. The appropriate userspace logging daemon (ulogd) may be obtained from
  326. <http://www.gnumonks.org/projects/ulogd/>
  327. config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT
  328. tristate 'REDIRECT target support'
  # NOTE(review): the dependency below names ADK_KPACKAGE_KMOD_IP_NF_NAT, while the
  # 'Full NAT' entry in this file is ADK_KPACKAGE_KMOD_NF_NAT and the MASQUERADE
  # target depends on that name. Unless the IP_NF_NAT symbol is defined in
  # another Config.in file, REDIRECT (and NETMAP and SAME, which use the same
  # dependency) can never be enabled - confirm which symbol is meant.
  329. depends on ADK_KPACKAGE_KMOD_IP_NF_NAT
  330. help
  331. REDIRECT is a special case of NAT: all incoming connections are
  332. mapped onto the incoming interface's address, causing the packets to
  333. come to the local machine instead of passing through. This is
  334. useful for transparent proxies.
  335. config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP
  336. tristate 'NETMAP target support'
  337. depends on ADK_KPACKAGE_KMOD_IP_NF_NAT
  338. help
  339. NETMAP is an implementation of static 1:1 NAT mapping of network
  340. addresses. It maps the network address part, while keeping the host
  341. address part intact. It is similar to Fast NAT, except that
  342. Netfilter's connection tracking doesn't work well with Fast NAT.
  343. config ADK_KPACKAGE_KMOD_IP_NF_TARGET_SAME
  344. tristate 'SAME target support'
  345. depends on ADK_KPACKAGE_KMOD_IP_NF_NAT
  346. help
  347. This option adds a `SAME' target, which works like the standard SNAT
  348. target, but attempts to give clients the same IP for all connections.
  349. config ADK_KPACKAGE_KMOD_IP_NF_MANGLE
  350. tristate 'Packet mangling'
  351. depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
  352. help
  353. This option adds a `mangle' table to iptables: see the man page for
  354. iptables(8). This table is used for various packet alterations
  355. which can affect how the packet is routed.
  356. config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ECN
  357. tristate 'ECN target support'
  358. depends on ADK_KPACKAGE_KMOD_IP_NF_MANGLE
  359. help
  360. This option adds an `ECN' target, which can be used in the iptables mangle
  361. table.
  362. You can use this target to remove the ECN bits from the IPv4 header of
  363. an IP packet. This is particularly useful, if you need to work around
  364. existing ECN blackholes on the internet, but don't want to disable
  365. ECN support in general.
  366. endmenu
  367. endmenu