K2.6 patches and update.

[tomato.git] / release / src-rt / linux / linux-2.6 / net / ipv4 / netfilter / Kconfig

#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
        depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
        tristate "IPv4 connection tracking support (required for NAT)"
        depends on NF_CONNTRACK
        ---help---
          Connection tracking keeps a record of what packets have passed
          through your machine, in order to figure out how they are related
          into connections.

          This is IPv4 support on Layer 3 independent connection tracking.
          Layer 3 independent connection tracking is experimental scheme
          which generalize ip_conntrack to support other layer 3 protocols.

          To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
        bool "proc/sysctl compatibility with old connection tracking"
        depends on NF_CONNTRACK_IPV4
        default y
        help
          This option enables /proc and sysctl compatibility with the old
          layer 3 dependant connection tracking. This is needed to keep
          old programs that have not been adapted to the new names working.

          If unsure, say Y.

config IP_NF_QUEUE
        tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
        help
          Netfilter has the ability to queue packets to user space: the
          netlink device can be used to access them using this driver.

          This option enables the old IPv4-only "ip_queue" implementation
          which has been obsoleted by the new "nfnetlink_queue" code (see
          CONFIG_NETFILTER_NETLINK_QUEUE).

          To compile it as a module, choose M here.  If unsure, say N.

config BCM_NAT
        tristate "Broadcom proprietary NAT support"
        depends on NF_CONNTRACK && NF_NAT
        help
                This helps packets pass through netfilter faster when a packet
                is an established or reply traffic.

config IP_NF_IPTABLES
        tristate "IP tables support (required for filtering/masq/NAT)"
        select NETFILTER_XTABLES
        help
          iptables is a general, extensible packet identification framework.
          The packet filtering and full NAT (masquerading, port forwarding,
          etc) subsystems now use this: say `Y' or `M' here if you want to use
          either of those.

          To compile it as a module, choose M here.  If unsure, say N.

# The matches.
config IP_NF_MATCH_TOS
        tristate "TOS match support"
        depends on IP_NF_IPTABLES
        help
          TOS matching allows you to match packets based on the Type Of
          Service fields of the IP packet.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TIME
        tristate  'TIME match support'
        depends on IP_NF_IPTABLES
        help
          This option adds a `time' match, which allows you
          to match based on the packet arrival time/date
          (arrival time/date at the machine which netfilter is running on) or
          departure time/date (for locally generated packets).

          If you say Y here, try iptables -m time --help for more information.
          If you want to compile it as a module, say M here and read

          Documentation/modules.txt.  If unsure, say `N'.

config IP_NF_MATCH_ECN
        tristate "ECN match support"
        depends on IP_NF_IPTABLES
        help
          This option adds a `ECN' match, which allows you to match against
          the IPv4 and TCP header ECN fields.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_AH
        tristate "AH match support"
        depends on IP_NF_IPTABLES
        help
          This match extension allows you to match a range of SPIs
          inside AH header of IPSec packets.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_OWNER
        tristate "Owner match support"
        depends on IP_NF_IPTABLES
        help
          Packet owner matching allows you to match locally-generated packets
          based on who created them: the user, group, process or session.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
        tristate  'address type match support'
        depends on IP_NF_IPTABLES
        help
          This option allows you to match what routing thinks of an address,
          eg. UNICAST, LOCAL, BROADCAST, ...
        
          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_MPORT
        tristate  'Multiple port with ranges match support'
        depends on IP_NF_IPTABLES
        help
          Multiple port with ranges match support.

          To compile it as a module, choose M here.  If unsure, say N.

# `filter', generic and specific targets
config IP_NF_FILTER
        tristate "Packet filtering"
        depends on IP_NF_IPTABLES
        help
          Packet filtering defines a table `filter', which has a series of
          rules for simple packet filtering at local input, forwarding and
          local output.  See the man page for iptables(8).

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
        tristate "REJECT target support"
        depends on IP_NF_FILTER
        help
          The REJECT target allows a filtering rule to specify that an ICMP
          error should be issued in response to an incoming packet, rather
          than silently being dropped.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_LOG
        tristate "LOG target support"
        depends on IP_NF_IPTABLES
        help
          This option adds a `LOG' target, which allows you to create rules in
          any iptables table which records the packet header to the syslog.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
        tristate "ULOG target support"
        depends on IP_NF_IPTABLES
        ---help---

          This option enables the old IPv4-only "ipt_ULOG" implementation
          which has been obsoleted by the new "nfnetlink_log" code (see
          CONFIG_NETFILTER_NETLINK_LOG).

          This option adds a `ULOG' target, which allows you to create rules in
          any iptables table. The packet is passed to a userspace logging
          daemon using netlink multicast sockets; unlike the LOG target
          which can only be viewed through syslog.

          The appropriate userspace logging daemon (ulogd) may be obtained from
          <http://www.gnumonks.org/projects/ulogd/>

          To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT
        tristate "Full NAT"
        depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
        help
          The Full NAT option allows masquerading, port forwarding and other
          forms of full Network Address Port Translation.  It is controlled by
          the `nat' table in iptables: see the man page for iptables(8).

          To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_NEEDED
        bool
        depends on NF_NAT
        default y

config IP_NF_TARGET_MASQUERADE
        tristate "MASQUERADE target support"
        depends on NF_NAT
        help
          Masquerading is a special case of NAT: all outgoing connections are
          changed to seem to come from a particular interface's address, and
          if the interface goes down, those connections are lost.  This is
          only useful for dialup accounts with dynamic IP address (ie. your IP
          address will be different on next dialup).

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REDIRECT
        tristate "REDIRECT target support"
        depends on NF_NAT
        help
          REDIRECT is a special case of NAT: all incoming connections are
          mapped onto the incoming interface's address, causing the packets to
          come to the local machine instead of passing through.  This is
          useful for transparent proxies.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
        tristate "NETMAP target support"
        depends on NF_NAT
        help
          NETMAP is an implementation of static 1:1 NAT mapping of network
          addresses. It maps the network address part, while keeping the host
          address part intact. It is similar to Fast NAT, except that
          Netfilter's connection tracking doesn't work well with Fast NAT.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SAME
        tristate "SAME target support"
        depends on NF_NAT
        help
          This option adds a `SAME' target, which works like the standard SNAT
          target, but attempts to give clients the same IP for all connections.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TRIGGER
        tristate "TRIGGER target support (port-trigger)"
        depends on NF_NAT
        help
          To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_SNMP_BASIC
        tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
        depends on EXPERIMENTAL && NF_NAT
        ---help---

          This module implements an Application Layer Gateway (ALG) for
          SNMP payloads.  In conjunction with NAT, it allows a network
          management system to access multiple private networks with
          conflicting addresses.  It works by modifying IP addresses
          inside SNMP payloads to match IP-layer NAT mapping.

          This is the "basic" form of SNMP-ALG, as described in RFC 2962

          To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_AUTOFW
        tristate "Automatic port forwarding (autofw) target support"
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        help
          To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
        tristate
        depends on NF_NAT && NF_CT_PROTO_GRE

config NF_NAT_FTP
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_RTSP
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_RTSP

config NF_NAT_TFTP
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_AMANDA
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_PPTP
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_PPTP
        select NF_NAT_PROTO_GRE

config NF_NAT_H323
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_H323

config NF_NAT_SIP
        tristate
        depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
        default NF_NAT && NF_CONNTRACK_SIP

# mangle + specific targets
config IP_NF_MANGLE
        tristate "Packet mangling"
        depends on IP_NF_IPTABLES
        help
          This option adds a `mangle' table to iptables: see the man page for
          iptables(8).  This table is used for various packet alterations
          which can effect how the packet is routed.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TOS
        tristate "TOS target support"
        depends on IP_NF_MANGLE
        help
          This option adds a `TOS' target, which allows you to create rules in
          the `mangle' table which alter the Type Of Service field of an IP
          packet prior to routing.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
        tristate "ECN target support"
        depends on IP_NF_MANGLE
        ---help---
          This option adds a `ECN' target, which can be used in the iptables mangle
          table.  

          You can use this target to remove the ECN bits from the IPv4 header of
          an IP packet.  This is particularly useful, if you need to work around
          existing ECN blackholes on the internet, but don't want to disable
          ECN support in general.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
        tristate "CLUSTERIP target support (EXPERIMENTAL)"
        depends on IP_NF_MANGLE && EXPERIMENTAL
        depends on NF_CONNTRACK_IPV4
        select NF_CONNTRACK_MARK
        help
          The CLUSTERIP target allows you to build load-balancing clusters of
          network servers without having a dedicated load-balancing
          router/server/switch.
        
          To compile it as a module, choose M here.  If unsure, say N.

# raw + specific targets
config IP_NF_RAW
        tristate  'raw table support (required for NOTRACK/TRACE)'
        depends on IP_NF_IPTABLES
        help
          This option adds a `raw' table to iptables. This table is the very
          first in the netfilter framework and hooks in at the PREROUTING
          and OUTPUT chains.
        
          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.

# ARP tables
config IP_NF_ARPTABLES
        tristate "ARP tables support"
        select NETFILTER_XTABLES
        help
          arptables is a general, extensible packet identification framework.
          The ARP packet filtering and mangling (manipulation)subsystems
          use this: say Y or M here if you want to use either of those.

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARPFILTER
        tristate "ARP packet filtering"
        depends on IP_NF_ARPTABLES
        help
          ARP packet filtering defines a table `filter', which has a series of
          rules for simple ARP packet filtering at local input and
          local output.  On a bridge, you can also specify filtering rules
          for forwarded ARP packets. See the man page for arptables(8).

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
        tristate "ARP payload mangling"
        depends on IP_NF_ARPTABLES
        help
          Allows altering the ARP packet payload: source and destination
          hardware and network addresses.

config IP_NF_MATCH_U32
        tristate  'U32 match support'
        depends on IP_NF_IPTABLES
        help
          U32 allows you to extract quantities of up to 4 bytes from a packet,
          AND them with specified masks, shift them by specified amounts and
          test whether the results are in any of a set of specified ranges.
          The specification of what to extract is general enough to skip over
          headers with lengths stored in the packet, as in IP or TCP header
          lengths.
        
          Details and examples are in the kernel module source.

config IP_NF_TARGET_ROUTE
        tristate  'ROUTE target support'
        depends on IP_NF_MANGLE
        help
          This option adds a `ROUTE' target, which enables you to setup unusual
          routes. For example, the ROUTE lets you route a received packet through 
          an interface or towards a host, even if the regular destination of the 
          packet is the router itself. The ROUTE target is also able to change the 
          incoming interface of a packet.
        
          The target can be or not a final target. It has to be used inside the 
          mangle table.
          
          If you want to compile it as a module, say M here and read
          Documentation/modules.txt.  The module will be called ipt_ROUTE.o.
          If unsure, say `N'.

config IP_NF_TARGET_TARPIT
        tristate 'TARPIT target support'
        depends on IP_NF_FILTER
        help
          Adds a TARPIT target to iptables, which captures and holds
          incoming TCP connections using no local per-connection resources.
          Connections are accepted, but immediately switched to the persist
          state (0 byte window), in which the remote side stops sending data
          and asks to continue every 60-240 seconds.  Attempts to close the
          connection are ignored, forcing the remote side to time out the
          connection in 12-24 minutes.
        
          This offers similar functionality to LaBrea
          <http://www.hackbusters.net/LaBrea/> but doesn't require dedicated
          hardware or IPs.  Any TCP port that you would normally DROP or REJECT
          can instead become a tarpit.

config IP_NF_MATCH_IPP2P
        tristate  'IPP2P match support'
        depends on IP_NF_IPTABLES
        help
          This option makes possible to match some P2P packets
          therefore helps controlling such traffic.
        
          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_IPV4OPTIONS
        tristate  'IPV4OPTIONS match support'
        depends on IP_NF_IPTABLES
        help
          This option adds a IPV4OPTIONS match.
          It allows you to filter options like source routing,
          record route, timestamp and router-altert.
        
          If you say Y here, try iptables -m ipv4options --help for more information.
         
          If you want to compile it as a module, say M here and read
          Documentation/modules.txt.  If unsure, say `N'.

config IP_NF_TARGET_BCOUNT
        tristate  'BCOUNT target'
        depends on IP_NF_IPTABLES

config IP_NF_MATCH_BCOUNT
        tristate  'bcount match'
        depends on IP_NF_TARGET_BCOUNT

config IP_NF_TARGET_MACSAVE
        tristate  'MACSAVE target'
        depends on IP_NF_IPTABLES

config IP_NF_MATCH_MACSAVE
        tristate  'macsave match'
        depends on IP_NF_TARGET_MACSAVE

config IP_NF_MATCH_EXP
        tristate  'exp match (experimental rig - do not use)'
        depends on IP_NF_IPTABLES && EXPERIMENTAL

config IP_NF_TOMATOCT
        tristate  'tomato_ct'
        depends on NF_CONNTRACK_MARK && EXPERIMENTAL

config IP_NF_MATCH_ACCOUNT
        tristate "account match support"
        depends on IP_NF_IPTABLES
        help
          This patch adds the account match

          The account match provides simple traffic accounting for continuous networks.
          --aaddr   subnet for which enable traffic accounting
          --aname   table name with traffic counters, it can be accessed by reading
                    /proc/net/ipt_account/<table name>
          --ashort  do simple statistics (no tcp/udp/icmp counters)

          More options can be found on project homepage.

          Project homepage:
          http://www.svn.barbara.eu.org/ipt_account/

          To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_DNSMQ
        tristate  'dnsmq'
        depends on NF_CONNTRACK
        default n

endmenu