#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the peculiarities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 00:38:16 +00:00

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

netfilter: add nftables
This patch adds nftables which is the intended successor of iptables.
This packet filtering framework reuses the existing netfilter hooks,
the connection tracking system, the NAT subsystem, the transparent
proxying engine, the logging infrastructure and the userspace packet
queueing facilities.
In a nutshell, nftables provides a pseudo-state machine with 4 general
purpose registers of 128 bits and 1 specific purpose register to store
verdicts. This pseudo-machine comes with an extensible instruction set,
a.k.a. "expressions" in the nftables jargon. The expressions included
in this patch provide the basic functionality, they are:
* bitwise: to perform bitwise operations.
* byteorder: to change from host/network endianness.
* cmp: to compare data with the content of the registers.
* counter: to enable counters on rules.
* ct: to store conntrack keys into register.
* exthdr: to match IPv6 extension headers.
* immediate: to load data into registers.
* limit: to limit matching based on packet rate.
* log: to log packets.
* meta: to match metainformation that usually comes with the skbuff.
* nat: to perform Network Address Translation.
* payload: to fetch data from the packet payload and store it into
registers.
* reject (IPv4 only): to explicitly close connection, e.g. TCP RST.
Using this instruction-set, the userspace utility 'nft' can transform
the rules expressed in human-readable text representation (using a
new syntax, inspired by tcpdump) to nftables bytecode.
nftables also inherits the table, chain and rule objects from
iptables, but in a more configurable way, and it also includes the
original datatype-agnostic set infrastructure with mapping support.
This set infrastructure is enhanced in the follow up patch (netfilter:
nf_tables: add netlink set API).
This patch includes the following components:
* the netlink API: net/netfilter/nf_tables_api.c and
include/uapi/netfilter/nf_tables.h
* the packet filter core: net/netfilter/nf_tables_core.c
* the expressions (described above): net/netfilter/nft_*.c
* the filter tables: arp, IPv4, IPv6 and bridge:
net/ipv4/netfilter/nf_tables_ipv4.c
net/ipv6/netfilter/nf_tables_ipv6.c
net/ipv4/netfilter/nf_tables_arp.c
net/bridge/netfilter/nf_tables_bridge.c
* the NAT table (IPv4 only):
net/ipv4/netfilter/nf_table_nat_ipv4.c
* the route table (similar to mangle):
net/ipv4/netfilter/nf_table_route_ipv4.c
net/ipv6/netfilter/nf_table_route_ipv6.c
* internal definitions under:
include/net/netfilter/nf_tables.h
include/net/netfilter/nf_tables_core.h
* It also includes a skeleton expression:
net/netfilter/nft_expr_template.c
and the preliminary implementation of the meta target
net/netfilter/nft_meta_target.c
It also includes a change in struct nf_hook_ops to add a new
pointer to store private data to the hook, that is used to store
the rule list per chain.
This patch is based on the patch from Patrick McHardy, plus merged
accumulated cleanups, fixes and small enhancements to the nftables
code that has been done since 2009, which are:
From Patrick McHardy:
* nf_tables: adjust netlink handler function signatures
* nf_tables: only retry table lookup after successful table module load
* nf_tables: fix event notification echo and avoid unnecessary messages
* nft_ct: add l3proto support
* nf_tables: pass expression context to nft_validate_data_load()
* nf_tables: remove redundant definition
* nft_ct: fix maxattr initialization
* nf_tables: fix invalid event type in nf_tables_getrule()
* nf_tables: simplify nft_data_init() usage
* nf_tables: build in more core modules
* nf_tables: fix double lookup expression unregistation
* nf_tables: move expression initialization to nf_tables_core.c
* nf_tables: build in payload module
* nf_tables: use NFPROTO constants
* nf_tables: rename pid variables to portid
* nf_tables: save 48 bits per rule
* nf_tables: introduce chain rename
* nf_tables: check for duplicate names on chain rename
* nf_tables: remove ability to specify handles for new rules
* nf_tables: return error for rule change request
* nf_tables: return error for NLM_F_REPLACE without rule handle
* nf_tables: include NLM_F_APPEND/NLM_F_REPLACE flags in rule notification
* nf_tables: fix NLM_F_MULTI usage in netlink notifications
* nf_tables: include NLM_F_APPEND in rule dumps
From Pablo Neira Ayuso:
* nf_tables: fix stack overflow in nf_tables_newrule
* nf_tables: nft_ct: fix compilation warning
* nf_tables: nft_ct: fix crash with invalid packets
* nft_log: group and qthreshold are 2^16
* nf_tables: nft_meta: fix socket uid,gid handling
* nft_counter: allow to restore counters
* nf_tables: fix module autoload
* nf_tables: allow to remove all rules placed in one chain
* nf_tables: use 64-bits rule handle instead of 16-bits
* nf_tables: fix chain after rule deletion
* nf_tables: improve deletion performance
* nf_tables: add missing code in route chain type
* nf_tables: rise maximum number of expressions from 12 to 128
* nf_tables: don't delete table if in use
* nf_tables: fix basechain release
From Tomasz Bursztyka:
* nf_tables: Add support for changing users chain's name
* nf_tables: Change chain's name to be fixed sized
* nf_tables: Add support for replacing a rule by another one
* nf_tables: Update uapi nftables netlink header documentation
From Florian Westphal:
* nft_log: group is u16, snaplen u32
From Phil Oester:
* nf_tables: operational limit match
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-10-14 09:00:02 +00:00
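A toy model of the pseudo-state machine that commit message describes (four 128-bit general purpose registers, one verdict register, and expressions such as payload, cmp, counter and immediate as the instruction set), added here as an illustration; it is not kernel or nft code. The register, expression and verdict names, the packet layout offsets and the sample "tcp dport 22 accept" rule are assumptions of this example, and the real bytecode, netlink encoding and nft syntax are not reproduced.

```c
/* Added example: a hypothetical model of the nftables register machine.
 * Names below are invented for this example and do not match kernel headers. */
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define REG_BYTES 16                 /* 128 bits per general purpose register */
enum nft_reg { REG_VERDICT = 0, REG_1, REG_2, REG_3, REG_4, REG_MAX };
enum nft_verdict { VERDICT_CONTINUE = -1, VERDICT_DROP = 0, VERDICT_ACCEPT = 1 };

/* The "instruction set": each expression reads or writes registers or the packet. */
enum expr_kind { EXPR_IMMEDIATE, EXPR_PAYLOAD, EXPR_CMP, EXPR_COUNTER };

struct expr {
    enum expr_kind kind;
    enum nft_reg reg;            /* register written (immediate/payload) or compared (cmp) */
    uint16_t offset, len;        /* payload: byte range of the packet to load; cmp: bytes compared */
    uint8_t data[REG_BYTES];     /* immediate value or cmp constant */
    int verdict;                 /* immediate into REG_VERDICT: the verdict to set */
    uint64_t *counter;           /* counter: packets reaching this point in the rule */
};

struct rule { const struct expr *exprs; size_t nexprs; };
struct chain { const struct rule *rules; size_t nrules; int policy; };

/* Evaluate one rule: returns the verdict register, or VERDICT_CONTINUE when a
 * cmp failed (the rule does not match) or no verdict was loaded. */
static int eval_rule(const struct rule *r, const uint8_t *pkt, size_t pktlen)
{
    uint8_t regs[REG_MAX][REG_BYTES];
    int verdict = VERDICT_CONTINUE;
    memset(regs, 0, sizeof(regs));

    for (size_t i = 0; i < r->nexprs; i++) {
        const struct expr *e = &r->exprs[i];
        switch (e->kind) {
        case EXPR_IMMEDIATE:
            if (e->reg == REG_VERDICT) { verdict = e->verdict; break; }
            memcpy(regs[e->reg], e->data, REG_BYTES);
            break;
        case EXPR_PAYLOAD:
            /* A load outside the packet is treated here as "no match". */
            if (e->len > REG_BYTES || (size_t)e->offset + e->len > pktlen)
                return VERDICT_CONTINUE;
            memset(regs[e->reg], 0, REG_BYTES);
            memcpy(regs[e->reg], pkt + e->offset, e->len);
            break;
        case EXPR_CMP:
            if (memcmp(regs[e->reg], e->data, e->len) != 0)
                return VERDICT_CONTINUE;   /* mismatch: stop this rule, try the next */
            break;
        case EXPR_COUNTER:
            if (e->counter) (*e->counter)++;
            break;
        }
    }
    return verdict;
}

/* Walk the chain in order; the first rule that produces a verdict wins,
 * otherwise the chain policy applies. */
static int eval_chain(const struct chain *c, const uint8_t *pkt, size_t pktlen)
{
    for (size_t i = 0; i < c->nrules; i++) {
        int v = eval_rule(&c->rules[i], pkt, pktlen);
        if (v != VERDICT_CONTINUE) return v;
    }
    return c->policy;
}

/* Constructed sample: a minimal IPv4 header (20 bytes) followed by a TCP header.
 * The protocol is IPv4 byte 9; the TCP destination port is bytes 22-23. */
static uint64_t ssh_hits;   /* counter expression state for the accept rule */

static const struct expr ssh_rule_exprs[] = {
    { .kind = EXPR_PAYLOAD,   .reg = REG_1, .offset = 9,  .len = 1 },
    { .kind = EXPR_CMP,       .reg = REG_1, .len = 1, .data = { 6 } },           /* ip protocol tcp */
    { .kind = EXPR_PAYLOAD,   .reg = REG_2, .offset = 22, .len = 2 },
    { .kind = EXPR_CMP,       .reg = REG_2, .len = 2, .data = { 0x00, 0x16 } }, /* tcp dport 22 */
    { .kind = EXPR_COUNTER,   .counter = &ssh_hits },
    { .kind = EXPR_IMMEDIATE, .reg = REG_VERDICT, .verdict = VERDICT_ACCEPT },
};
static const struct rule input_rules[] = { { ssh_rule_exprs, 6 } };
static const struct chain input_chain = { input_rules, 1, VERDICT_DROP };

/* Build a 40-byte constructed packet with the given protocol and destination port. */
static size_t build_packet(uint8_t *buf, uint8_t proto, uint16_t dport)
{
    memset(buf, 0, 40);
    buf[0] = 0x45;                                 /* IPv4, IHL = 5 */
    buf[9] = proto;                                /* protocol field */
    buf[22] = (uint8_t)(dport >> 8);               /* L4 destination port */
    buf[23] = (uint8_t)(dport & 0xff);
    return 40;
}

/* Verdict of the input chain for a constructed packet. */
int classify(uint8_t proto, uint16_t dport)
{
    uint8_t pkt[40];
    size_t n = build_packet(pkt, proto, dport);
    return eval_chain(&input_chain, pkt, n);
}

uint64_t ssh_counter(void) { return ssh_hits; }
```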

config NF_TABLES_IPV4
	depends on NF_TABLES
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.


config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.


config NFT_CHAIN_NAT_IPV4
netfilter: add nftables
This patch adds nftables which is the intended successor of iptables.
This packet filtering framework reuses the existing netfilter hooks,
the connection tracking system, the NAT subsystem, the transparent
proxying engine, the logging infrastructure and the userspace packet
queueing facilities.
In a nutshell, nftables provides a pseudo-state machine with 4 general
purpose registers of 128 bits and 1 specific purpose register to store
verdicts. This pseudo-machine comes with an extensible instruction set,
a.k.a. "expressions" in the nftables jargon. The expressions included
in this patch provide the basic functionality, they are:
* bitwise: to perform bitwise operations.
* byteorder: to change from host/network endianess.
* cmp: to compare data with the content of the registers.
* counter: to enable counters on rules.
* ct: to store conntrack keys into register.
* exthdr: to match IPv6 extension headers.
* immediate: to load data into registers.
* limit: to limit matching based on packet rate.
* log: to log packets.
* meta: to match metainformation that usually comes with the skbuff.
* nat: to perform Network Address Translation.
* payload: to fetch data from the packet payload and store it into
registers.
* reject (IPv4 only): to explicitly close connection, eg. TCP RST.
Using this instruction-set, the userspace utility 'nft' can transform
the rules expressed in human-readable text representation (using a
new syntax, inspired by tcpdump) to nftables bytecode.
nftables also inherits the table, chain and rule objects from
iptables, but in a more configurable way, and it also includes the
original datatype-agnostic set infrastructure with mapping support.
This set infrastructure is enhanced in the follow up patch (netfilter:
nf_tables: add netlink set API).
This patch includes the following components:
* the netlink API: net/netfilter/nf_tables_api.c and
include/uapi/netfilter/nf_tables.h
* the packet filter core: net/netfilter/nf_tables_core.c
* the expressions (described above): net/netfilter/nft_*.c
* the filter tables: arp, IPv4, IPv6 and bridge:
net/ipv4/netfilter/nf_tables_ipv4.c
net/ipv6/netfilter/nf_tables_ipv6.c
net/ipv4/netfilter/nf_tables_arp.c
net/bridge/netfilter/nf_tables_bridge.c
* the NAT table (IPv4 only):
net/ipv4/netfilter/nf_table_nat_ipv4.c
* the route table (similar to mangle):
net/ipv4/netfilter/nf_table_route_ipv4.c
net/ipv6/netfilter/nf_table_route_ipv6.c
* internal definitions under:
include/net/netfilter/nf_tables.h
include/net/netfilter/nf_tables_core.h
* It also includes an skeleton expression:
net/netfilter/nft_expr_template.c
and the preliminary implementation of the meta target
net/netfilter/nft_meta_target.c
It also includes a change in struct nf_hook_ops to add a new
pointer to store private data to the hook, that is used to store
the rule list per chain.
This patch is based on the patch from Patrick McHardy, plus merged
accumulated cleanups, fixes and small enhancements to the nftables
code that has been done since 2009, which are:
From Patrick McHardy:
* nf_tables: adjust netlink handler function signatures
* nf_tables: only retry table lookup after successful table module load
* nf_tables: fix event notification echo and avoid unnecessary messages
* nft_ct: add l3proto support
* nf_tables: pass expression context to nft_validate_data_load()
* nf_tables: remove redundant definition
* nft_ct: fix maxattr initialization
* nf_tables: fix invalid event type in nf_tables_getrule()
* nf_tables: simplify nft_data_init() usage
* nf_tables: build in more core modules
* nf_tables: fix double lookup expression unregistration
* nf_tables: move expression initialization to nf_tables_core.c
* nf_tables: build in payload module
* nf_tables: use NFPROTO constants
* nf_tables: rename pid variables to portid
* nf_tables: save 48 bits per rule
* nf_tables: introduce chain rename
* nf_tables: check for duplicate names on chain rename
* nf_tables: remove ability to specify handles for new rules
* nf_tables: return error for rule change request
* nf_tables: return error for NLM_F_REPLACE without rule handle
* nf_tables: include NLM_F_APPEND/NLM_F_REPLACE flags in rule notification
* nf_tables: fix NLM_F_MULTI usage in netlink notifications
* nf_tables: include NLM_F_APPEND in rule dumps
From Pablo Neira Ayuso:
* nf_tables: fix stack overflow in nf_tables_newrule
* nf_tables: nft_ct: fix compilation warning
* nf_tables: nft_ct: fix crash with invalid packets
* nft_log: group and qthreshold are 2^16
* nf_tables: nft_meta: fix socket uid,gid handling
* nft_counter: allow to restore counters
* nf_tables: fix module autoload
* nf_tables: allow to remove all rules placed in one chain
* nf_tables: use 64-bits rule handle instead of 16-bits
* nf_tables: fix chain after rule deletion
* nf_tables: improve deletion performance
* nf_tables: add missing code in route chain type
* nf_tables: raise maximum number of expressions from 12 to 128
* nf_tables: don't delete table if in use
* nf_tables: fix basechain release
From Tomasz Bursztyka:
* nf_tables: Add support for changing users chain's name
* nf_tables: Change chain's name to be fixed sized
* nf_tables: Add support for replacing a rule by another one
* nf_tables: Update uapi nftables netlink header documentation
From Florian Westphal:
* nft_log: group is u16, snaplen u32
From Phil Oester:
* nf_tables: operational limit match
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-10-14 09:00:02 +00:00
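The register machine the commit message describes (four 128-bit data registers, one verdict register, rules as lists of expressions), as an added toy model in Python that is not part of the patch or the kernel's code; the expression names follow the message, while the byte encodings, the constructed IPv4/TCP header and the sample ruleset are assumptions made here:

```python
# Added toy model of the nftables rule machine: four 128-bit data registers,
# one verdict register, and rules that are lists of expressions. Not kernel
# code; expression encodings and the sample packet are constructed here.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

CONTINUE, BREAK, ACCEPT, DROP = "continue", "break", "accept", "drop"

@dataclass
class Regs:
    data: List[bytes] = field(default_factory=lambda: [b""] * 4)  # 4 x 128-bit
    verdict: Optional[str] = None                                  # verdict register

# An expression reads/writes registers and returns CONTINUE or BREAK.
Expr = Callable[[bytes, Regs, Dict[str, int]], str]

def immediate(value, dreg: Optional[int] = None) -> Expr:
    """Load constant data into a data register, or a verdict when dreg is None."""
    def run(pkt, regs, counters):
        if dreg is None:
            regs.verdict = value
        else:
            regs.data[dreg] = value
        return CONTINUE
    return run

def payload(offset: int, length: int, dreg: int) -> Expr:
    """Copy header bytes into a register; a truncated packet breaks the rule."""
    def run(pkt, regs, counters):
        if offset + length > len(pkt):
            return BREAK
        regs.data[dreg] = pkt[offset:offset + length]
        return CONTINUE
    return run

def bitwise(sreg: int, dreg: int, mask: bytes, xor: bytes) -> Expr:
    """dreg = (sreg & mask) ^ xor, byte by byte, as nft_bitwise does."""
    def run(pkt, regs, counters):
        regs.data[dreg] = bytes((b & m) ^ x for b, m, x in zip(regs.data[sreg], mask, xor))
        return CONTINUE
    return run

def cmp(sreg: int, op: str, value: bytes) -> Expr:
    """Compare a register with constant data; a failed compare ends this rule."""
    ops = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b}
    def run(pkt, regs, counters):
        return CONTINUE if ops[op](regs.data[sreg], value) else BREAK
    return run

def counter(name: str) -> Expr:
    """Count every packet that reaches this point of the rule."""
    def run(pkt, regs, counters):
        counters[name] = counters.get(name, 0) + 1
        return CONTINUE
    return run

def run_chain(rules: List[List[Expr]], policy: str, pkt: bytes,
              counters: Dict[str, int]) -> str:
    """Evaluate rules in order; the first expression that sets a verdict decides."""
    for rule in rules:
        regs = Regs()                       # registers are per-rule scratch space
        for expr in rule:
            if expr(pkt, regs, counters) == BREAK:
                break                       # cmp failed: go on to the next rule
            if regs.verdict is not None:
                return regs.verdict
    return policy                           # no rule decided: chain policy

def demo():
    """Constructed ruleset: count packets with ECN bits set, then drop telnet."""
    count_ecn = [payload(1, 1, 0), bitwise(0, 0, b"\x03", b"\x00"),
                 cmp(0, "neq", b"\x00"), counter("ecn")]
    drop_telnet = [payload(9, 1, 1), cmp(1, "eq", b"\x06"),          # ip protocol tcp
                   payload(22, 2, 2), cmp(2, "eq", b"\x00\x17"),      # tcp dport 23
                   counter("telnet"), immediate(DROP)]
    # Constructed 20-byte IPv4 header (TOS 0x02 = ECT(0), TTL 64, proto 6) + TCP.
    ip = b"\x45\x02\x00\x28" + b"\x00" * 4 + b"\x40\x06" + b"\x00" * 10
    tcp = b"\x30\x39\x00\x17" + b"\x00" * 16                          # dport 23
    counters: Dict[str, int] = {}
    verdict = run_chain([count_ecn, drop_telnet], ACCEPT, ip + tcp, counters)
    return verdict, counters
```

The first rule has no verdict, so evaluation falls through to the second rule after counting; a failed `cmp` only abandons the current rule.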
	depends on NF_TABLES_IPV4
	depends on NF_NAT_IPV4 && NFT_NAT
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4
	default NFT_REJECT
	tristate

config NF_TABLES_ARP
	depends on NF_TABLES
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside the AH header of IPsec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_ECN.

netfilter: add ipv4 reverse path filter match
This tries to do the same thing as fib_validate_source(), but differs
in several aspects.
The most important difference is that the reverse path filter built into
fib_validate_source uses the oif as iif when performing the reverse
lookup. We do not do this, as the oif is not yet known by the time the
PREROUTING hook is invoked.
We can't wait until the FORWARD chain because by the time FORWARD is invoked
the ipv4 forward path may have already sent icmp messages in response
to to-be-discarded-via-rpfilter packets.
To avoid such an additional lookup in PREROUTING, Patrick McHardy
suggested to attach the path information directly in the match
(i.e., just do what the standard ipv4 path does a bit earlier in PREROUTING).
This works, but it also has a few caveats. Most importantly, when using
marks in PREROUTING to re-route traffic based on the nfmark, -m rpfilter
would have to be used after the nfmark has been set; otherwise the nfmark
would have no effect (because the route is already attached).
Another problem would be interaction with -j TPROXY, as this target sets an
nfmark and uses ACCEPT instead of continue, i.e. such a version of
-m rpfilter cannot be used for the initial to-be-intercepted packets.
In case it turns out that the oif is required, we can add Patrick's
suggestion with a new match option (e.g. --rpf-use-oif) to keep ruleset
compatibility.
Another difference to current builtin ipv4 rpfilter is that packets subject to ipsec
transformation are not automatically excluded. If you want this, simply
combine -m rpfilter with the policy match.
Packets arriving on loopback interfaces always match.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-07-04 21:48:10 +00:00
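The reverse path check the commit message describes (route the source address with no oif, match when the result leaves through the ingress interface, loopback always matches), as an added Python model that is not the kernel's ipt_rpfilter code; the FIB contents, interface names and addresses are constructed here:

```python
# Added model of the ipv4 reverse path filter match: route the packet's *source*
# address without an oif (none is known in PREROUTING) and match when that
# route leaves through the ingress interface. The FIB and the addresses below
# are constructed for illustration; this is not the kernel's ipt_rpfilter code.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Route:
    prefix: str                         # e.g. "192.168.1.0/24"
    dev: str                            # output interface for this prefix

class Fib:
    """Minimal forwarding table: longest-prefix match, no policy routing."""
    def __init__(self, routes: List[Route]):
        nets = [(ipaddress.IPv4Network(r.prefix), r.dev) for r in routes]
        self.entries = sorted(nets, key=lambda e: e[0].prefixlen, reverse=True)

    def lookup(self, addr: str) -> Optional[str]:
        """Return the output device for addr, or None when nothing routes it."""
        ip = ipaddress.IPv4Address(addr)
        for net, dev in self.entries:   # most specific prefix wins
            if ip in net:
                return dev
        return None

def rpfilter_match(fib: Fib, src: str, iif: str) -> bool:
    """True when a reply to `src` would go out via `iif`, the packet's ingress.

    As in the commit message: the reverse lookup uses no oif, loopback always
    matches, and IPsec-transformed packets are *not* excluded here (combine
    with the policy match for that).
    """
    if iif == "lo":
        return True
    reverse = fib.lookup(src)           # route the source as if replying to it
    if reverse is None:
        return False                    # unroutable source can never pass
    return reverse == iif

def demo_fib() -> Fib:
    """Constructed FIB: two attached LANs plus a default route to the upstream."""
    return Fib([
        Route("192.168.1.0/24", "eth0"),
        Route("10.0.0.0/8", "eth1"),
        Route("0.0.0.0/0", "wan0"),
    ])

def spoof_report(fib: Fib, packets: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (src, iif) pairs that fail the check, e.g. to feed a DROP rule."""
    return [(src, iif) for src, iif in packets if not rpfilter_match(fib, src, iif)]
```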
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server.  This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_NAT_IPV4

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP && NF_NAT_IPV4
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
#           <expr> '&&' <expr>                   (6)
#
# (6) Returns the result of min(/expr/, /expr/).

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT_IPV4 && NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK && NF_NAT_IPV4
	default NF_NAT_IPV4 && NF_CONNTRACK_H323

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds an `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets.  See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu