#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
        depends on INET && NETFILTER

config NF_DEFRAG_IPV4
        tristate
        default n

config NF_CONNTRACK_IPV4
        tristate "IPv4 connection tracking support (required for NAT)"
        depends on NF_CONNTRACK
        default m if NETFILTER_ADVANCED=n
        select NF_DEFRAG_IPV4
        ---help---
          Connection tracking keeps a record of what packets have passed
          through your machine, in order to figure out how they are related
          into connections.

          This is IPv4 support on Layer 3 independent connection tracking.
          Layer 3 independent connection tracking is experimental scheme
          which generalize ip_conntrack to support other layer 3 protocols.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_SOCKET_IPV4
        tristate "IPv4 socket lookup support"
        help
          This option enables the IPv4 socket lookup infrastructure. This is
          is required by the iptables socket match.

if NF_TABLES

config NF_TABLES_IPV4
        tristate "IPv4 nf_tables support"
        help
          This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_CHAIN_ROUTE_IPV4
        tristate "IPv4 nf_tables route chain support"
        help
          This option enables the "route" chain for IPv4 in nf_tables. This
          chain type is used to force packet re-routing after mangling header
          fields such as the source, destination, type of service and
          the packet mark.

config NFT_REJECT_IPV4
        select NF_REJECT_IPV4
        default NFT_REJECT
        tristate

config NFT_DUP_IPV4
        tristate "IPv4 nf_tables packet duplication support"
        depends on !NF_CONNTRACK || NF_CONNTRACK
        select NF_DUP_IPV4
        help
          This module enables IPv4 packet duplication support for nf_tables.

config NFT_FIB_IPV4
        select NFT_FIB
        tristate "nf_tables fib / ip route lookup support"
        help
          This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
          It also allows query of the FIB for the route type, e.g. local, unicast,
          multicast or blackhole.

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
        tristate "ARP nf_tables support"
        help
          This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_DUP_IPV4
        tristate "Netfilter IPv4 packet duplication to alternate destination"
        depends on !NF_CONNTRACK || NF_CONNTRACK
        help
          This option enables the nf_dup_ipv4 core, which duplicates an IPv4
          packet to be rerouted to another destination.

config NF_LOG_ARP
        tristate "ARP packet logging"
        default m if NETFILTER_ADVANCED=n
        select NF_LOG_COMMON

config NF_LOG_IPV4
        tristate "IPv4 packet logging"
        default m if NETFILTER_ADVANCED=n
        select NF_LOG_COMMON

config NF_REJECT_IPV4
        tristate "IPv4 packet rejection"
        default m if NETFILTER_ADVANCED=n

config NF_NAT_IPV4
        tristate "IPv4 NAT"
        depends on NF_CONNTRACK_IPV4
        default m if NETFILTER_ADVANCED=n
        select NF_NAT
        help
          The IPv4 NAT option allows masquerading, port forwarding and other
          forms of full Network Address Port Translation. This can be
          controlled by iptables or nft.

if NF_NAT_IPV4

config NFT_CHAIN_NAT_IPV4
        depends on NF_TABLES_IPV4
        tristate "IPv4 nf_tables nat chain support"
        help
          This option enables the "nat" chain for IPv4 in nf_tables. This
          chain type is used to perform Network Address Translation (NAT)
          packet transformations such as the source, destination address and
          source and destination ports.

config NF_NAT_MASQUERADE_IPV4
        tristate "IPv4 masquerade support"
        help
          This is the kernel functionality to provide NAT in the masquerade
          flavour (automatic source address selection).

config NFT_MASQ_IPV4
        tristate "IPv4 masquerading support for nf_tables"
        depends on NF_TABLES_IPV4
        depends on NFT_MASQ
        select NF_NAT_MASQUERADE_IPV4
        help
          This is the expression that provides IPv4 masquerading support for
          nf_tables.

config NFT_REDIR_IPV4
        tristate "IPv4 redirect support for nf_tables"
        depends on NF_TABLES_IPV4
        depends on NFT_REDIR
        select NF_NAT_REDIRECT
        help
          This is the expression that provides IPv4 redirect support for
          nf_tables.

config NF_NAT_SNMP_BASIC
        tristate "Basic SNMP-ALG support"
        depends on NF_CONNTRACK_SNMP
        depends on NETFILTER_ADVANCED
        default NF_NAT && NF_CONNTRACK_SNMP
        ---help---

          This module implements an Application Layer Gateway (ALG) for
          SNMP payloads.  In conjunction with NAT, it allows a network
          management system to access multiple private networks with
          conflicting addresses.  It works by modifying IP addresses
          inside SNMP payloads to match IP-layer NAT mapping.

          This is the "basic" form of SNMP-ALG, as described in RFC 2962

          To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_PROTO_GRE
        tristate
        depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
        tristate
        depends on NF_CONNTRACK
        default NF_CONNTRACK_PPTP
        select NF_NAT_PROTO_GRE

config NF_NAT_H323
        tristate
        depends on NF_CONNTRACK
        default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
        tristate "IP tables support (required for filtering/masq/NAT)"
        default m if NETFILTER_ADVANCED=n
        select NETFILTER_XTABLES
        help
          iptables is a general, extensible packet identification framework.
          The packet filtering and full NAT (masquerading, port forwarding,
          etc) subsystems now use this: say `Y' or `M' here if you want to use
          either of those.

          To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
        tristate '"ah" match support'
        depends on NETFILTER_ADVANCED
        help
          This match extension allows you to match a range of SPIs
          inside AH header of IPSec packets.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
        tristate '"ecn" match support'
        depends on NETFILTER_ADVANCED
        select NETFILTER_XT_MATCH_ECN
        ---help---
        This is a backwards-compat option for the user's convenience
        (e.g. when running oldconfig). It selects
        CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
        tristate '"rpfilter" reverse path filter match support'
        depends on NETFILTER_ADVANCED
        depends on IP_NF_MANGLE || IP_NF_RAW
        ---help---
          This option allows you to match packets whose replies would
          go out via the interface the packet came in.

          To compile it as a module, choose M here.  If unsure, say N.
          The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
        tristate '"ttl" match support'
        depends on NETFILTER_ADVANCED
        select NETFILTER_XT_MATCH_HL
        ---help---
        This is a backwards-compat option for the user's convenience
        (e.g. when running oldconfig). It selects
        CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
        tristate "Packet filtering"
        default m if NETFILTER_ADVANCED=n
        help
          Packet filtering defines a table `filter', which has a series of
          rules for simple packet filtering at local input, forwarding and
          local output.  See the man page for iptables(8).

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
        tristate "REJECT target support"
        depends on IP_NF_FILTER
        select NF_REJECT_IPV4
        default m if NETFILTER_ADVANCED=n
        help
          The REJECT target allows a filtering rule to specify that an ICMP
          error should be issued in response to an incoming packet, rather
          than silently being dropped.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
        tristate "SYNPROXY target support"
        depends on NF_CONNTRACK && NETFILTER_ADVANCED
        select NETFILTER_SYNPROXY
        select SYN_COOKIES
        help
          The SYNPROXY target allows you to intercept TCP connections and
          establish them using syncookies before they are passed on to the
          server. This allows to avoid conntrack and server resource usage
          during SYN-flood attacks.

          To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
        tristate "iptables NAT support"
        depends on NF_CONNTRACK_IPV4
        default m if NETFILTER_ADVANCED=n
        select NF_NAT
        select NF_NAT_IPV4
        select NETFILTER_XT_NAT
        help
          This enables the `nat' table in iptables. This allows masquerading,
          port forwarding and other forms of full Network Address Port
          Translation.

          To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
        tristate "MASQUERADE target support"
        select NF_NAT_MASQUERADE_IPV4
        default m if NETFILTER_ADVANCED=n
        help
          Masquerading is a special case of NAT: all outgoing connections are
          changed to seem to come from a particular interface's address, and
          if the interface goes down, those connections are lost.  This is
          only useful for dialup accounts with dynamic IP address (ie. your IP
          address will be different on next dialup).

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
        tristate "NETMAP target support"
        depends on NETFILTER_ADVANCED
        select NETFILTER_XT_TARGET_NETMAP
        ---help---
        This is a backwards-compat option for the user's convenience
        (e.g. when running oldconfig). It selects
        CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
        tristate "REDIRECT target support"
        depends on NETFILTER_ADVANCED
        select NETFILTER_XT_TARGET_REDIRECT
        ---help---
        This is a backwards-compat option for the user's convenience
        (e.g. when running oldconfig). It selects
        CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
        tristate "Packet mangling"
        default m if NETFILTER_ADVANCED=n
        help
          This option adds a `mangle' table to iptables: see the man page for
          iptables(8).  This table is used for various packet alterations
          which can effect how the packet is routed.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
        tristate "CLUSTERIP target support"
        depends on IP_NF_MANGLE
        depends on NF_CONNTRACK_IPV4
        depends on NETFILTER_ADVANCED
        select NF_CONNTRACK_MARK
        help
          The CLUSTERIP target allows you to build load-balancing clusters of
          network servers without having a dedicated load-balancing
          router/server/switch.
        
          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
        tristate "ECN target support"
        depends on IP_NF_MANGLE
        depends on NETFILTER_ADVANCED
        ---help---
          This option adds a `ECN' target, which can be used in the iptables mangle
          table.  

          You can use this target to remove the ECN bits from the IPv4 header of
          an IP packet.  This is particularly useful, if you need to work around
          existing ECN blackholes on the internet, but don't want to disable
          ECN support in general.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
        tristate '"TTL" target support'
        depends on NETFILTER_ADVANCED && IP_NF_MANGLE
        select NETFILTER_XT_TARGET_HL
        ---help---
        This is a backwards-compatible option for the user's convenience
        (e.g. when running oldconfig). It selects
        CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
        tristate  'raw table support (required for NOTRACK/TRACE)'
        help
          This option adds a `raw' table to iptables. This table is the very
          first in the netfilter framework and hooks in at the PREROUTING
          and OUTPUT chains.
        
          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
        tristate "Security table"
        depends on SECURITY
        depends on NETFILTER_ADVANCED
        help
          This option adds a `security' table to iptables, for use
          with Mandatory Access Control (MAC) policy.
         
          If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
        tristate "ARP tables support"
        select NETFILTER_XTABLES
        depends on NETFILTER_ADVANCED
        help
          arptables is a general, extensible packet identification framework.
          The ARP packet filtering and mangling (manipulation)subsystems
          use this: say Y or M here if you want to use either of those.

          To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
        tristate "ARP packet filtering"
        help
          ARP packet filtering defines a table `filter', which has a series of
          rules for simple ARP packet filtering at local input and
          local output.  On a bridge, you can also specify filtering rules
          for forwarded ARP packets. See the man page for arptables(8).

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
        tristate "ARP payload mangling"
        help
          Allows altering the ARP packet payload: source and destination
          hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu