summaryrefslogtreecommitdiff
path: root/target/linux/config/Config.in.netfilter.ip4
diff options
context:
space:
mode:
Diffstat (limited to 'target/linux/config/Config.in.netfilter.ip4')
-rw-r--r--target/linux/config/Config.in.netfilter.ip4244
1 files changed, 244 insertions, 0 deletions
diff --git a/target/linux/config/Config.in.netfilter.ip4 b/target/linux/config/Config.in.netfilter.ip4
new file mode 100644
index 000000000..34eb14449
--- /dev/null
+++ b/target/linux/config/Config.in.netfilter.ip4
@@ -0,0 +1,244 @@
+config ADK_KPACKAGE_KMOD_NF_CONNTRACK_IPV4
+ bool 'IPv4 connection tracking support (required for NAT)'
+ select ADK_KPACKAGE_KMOD_NF_CONNTRACK
+ help
+ Connection tracking keeps a record of what packets have passed
+ through your machine, in order to figure out how they are related
+ into connections.
+
+config ADK_KPACKAGE_KMOD_IP_NF_CT_ACCT
+ bool 'Connection tracking flow accounting'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+ help
+ If this option is enabled, the connection tracking code will
+ keep per-flow packet and byte counters.
+
+ Those counters can be used for flow-based accounting or the
+ `connbytes' match.
+
+config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_MARK
+ bool 'Connection mark tracking support'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+ select ADK_KERNEL_IP_NF_MATCH_CONNMARK
+ help
+ This option enables support for connection marks, used by the
+ `CONNMARK' target and `connmark' match. Similar to the mark value
+ of packets, but this mark value is kept in the conntrack session
+ instead of the individual packets.
+
+config ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK_SECMARK
+ bool 'Connection tracking security mark support'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+ #FIXME select NETWORK_SECMARK
+ help
+ This option enables security markings to be applied to
+ connections. Typically they are copied to connections from
+ packets using the CONNSECMARK target and copied back from
+ connections to packets with the same target, with the packets
+ being originally labeled via SECMARK.
+
+config ADK_KPACKAGE_KMOD_IP_NF_FTP
+ tristate 'FTP protocol support'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+ help
+ Tracking FTP connections is problematic: special helpers are
+ required for tracking them, and doing masquerading and other forms
+ of Network Address Translation on them.
+
+config ADK_KPACKAGE_KMOD_IP_NF_IRC
+ tristate 'IRC protocol support'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+ help
+ There is a commonly-used extension to IRC called
+ Direct Client-to-Client Protocol (DCC). This enables users to send
+ files to each other, and also chat to each other without the need
+ of a server. DCC Sending is used anywhere you send files over IRC,
+ and DCC Chat is most commonly used by Eggdrop bots. If you are
+ using NAT, this extension will enable you to send files and initiate
+ chats. Note that you do NOT need this extension to get files or
+ have others initiate chats, or everything else in IRC.
+
+config ADK_KPACKAGE_KMOD_IP_NF_NETBIOS_NS
+ tristate 'NetBIOS name service protocol support (EXPERIMENTAL)'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+ help
+ NetBIOS name service requests are sent as broadcast messages from an
+ unprivileged port and responded to with unicast messages to the
+ same port. This make them hard to firewall properly because connection
+ tracking doesn't deal with broadcasts. This helper tracks locally
+ originating NetBIOS name service requests and the corresponding
+ responses. It relies on correct IP address configuration, specifically
+ netmask and broadcast address. When properly configured, the output
+ of "ip address show" should look similar to this:
+
+ $ ip -4 address show eth0
+ 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
+ inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
+
+config ADK_KPACKAGE_KMOD_IP_NF_TFTP
+ tristate 'TFTP protocol support'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+ help
+ TFTP connection tracking helper, this is required depending
+ on how restrictive your ruleset is.
+ If you are using a tftp client behind -j SNAT or -j MASQUERADING
+ you will need this.
+
+config ADK_KPACKAGE_KMOD_IP_NF_AMANDA
+ tristate 'Amanda backup protocol support'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+ #FIXME TEXTSEARCH && TEXTSEARCH_KMP
+ help
+ If you are running the Amanda backup package <http://www.amanda.org/>
+ on this machine or machines that will be MASQUERADED through this
+ machine, then you may want to enable this feature. This allows the
+ connection tracking and natting code to allow the sub-channels that
+ Amanda requires for communication of the backup data, messages and
+ index.
+
+config ADK_KPACKAGE_KMOD_IP_NF_PPTP
+ tristate 'PPTP protocol support'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+ help
+ This module adds support for PPTP (Point to Point Tunnelling
+ Protocol, RFC2637) connection tracking and NAT.
+
+ If you are running PPTP sessions over a stateful firewall or NAT
+ box, you may want to enable this feature.
+
+ Please note that not all PPTP modes of operation are supported yet.
+ For more info, read top of the file
+ net/ipv4/netfilter/ip_conntrack_pptp.c
+
+config ADK_KPACKAGE_KMOD_IP_NF_H323
+ tristate 'H.323 protocol support (EXPERIMENTAL)'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+ help
+ H.323 is a VoIP signalling protocol from ITU-T. As one of the most
+ important VoIP protocols, it is widely used by voice hardware and
+ software including voice gateways, IP phones, Netmeeting, OpenPhone,
+ Gnomemeeting, etc.
+
+ With this module you can support H.323 on a connection tracking/NAT
+ firewall.
+
+ This module supports RAS, Fast Start, H.245 Tunnelling, Call
+ Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
+ whiteboard, file transfer, etc. For more information, please
+ visit http://nath323.sourceforge.net/.
+
+config ADK_KPACKAGE_KMOD_IP_NF_SIP
+ tristate 'SIP protocol support (EXPERIMENTAL)'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_CONNTRACK
+ help
+ SIP is an application-layer control protocol that can establish,
+ modify, and terminate multimedia sessions (conferences) such as
+ Internet telephony calls. With the ip_conntrack_sip and
+ the ip_nat_sip modules you can support the protocol on a connection
+ tracking/NATing firewall.
+
+
+config ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
+ tristate 'IP tables support (required for filtering/masq/NAT)'
+ select ADK_KERNEL_NETFILTER_XTABLES
+ help
+ iptables is a general, extensible packet identification framework.
+ The packet filtering and full NAT (masquerading, port forwarding,
+ etc) subsystems now use this: say `Y' or `M' here if you want to use
+ either of those.
+
+config ADK_KPACKAGE_KMOD_IP_NF_FILTER
+ tristate 'Packet Filtering'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
+ help
+ Packet filtering defines a table `filter', which has a series of
+ rules for simple packet filtering at local input, forwarding and
+ local output. See the man page for iptables(8).
+
+config ADK_KPACKAGE_KMOD_NF_NAT
+ tristate 'Full NAT'
+ depends on ADK_KPACKAGE_KMOD_NF_IP_IPTABLES
+ help
+ The Full NAT option allows masquerading, port forwarding and other
+ forms of full Network Address Port Translation. It is controlled by
+ the `nat' table in iptables: see the man page for iptables(8).
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_MASQUERADE
+ tristate 'MASQUERADE target support'
+ depends on ADK_KPACKAGE_KMOD_NF_NAT
+ help
+ Masquerading is a special case of NAT: all outgoing connections are
+ changed to seem to come from a particular interface's address, and
+ if the interface goes down, those connections are lost. This is
+ only useful for dialup accounts with dynamic IP address (ie. your IP
+ address will be different on next dialup).
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REJECT
+ tristate 'REJECT target support'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
+ help
+ The REJECT target allows a filtering rule to specify that an ICMP
+ error should be issued in response to an incoming packet, rather
+ than silently being dropped.
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_LOG
+ tristate 'LOG target support'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
+ help
+ This option adds a `LOG' target, which allows you to create rules in
+ any iptables table which records the packet header to the syslog.
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ULOG
+ tristate 'ULOG target support (ipv4 only)'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_FILTER
+ help
+ This option enables the old IPv4-only "ipt_ULOG" implementation
+ which has been obsoleted by the new "nfnetlink_log" code (see
+ CONFIG_NETFILTER_NETLINK_LOG).
+
+ This option adds a `ULOG' target, which allows you to create rules in
+ any iptables table. The packet is passed to a userspace logging
+ daemon using netlink multicast sockets; unlike the LOG target
+ which can only be viewed through syslog.
+
+ The appropriate userspace logging daemon (ulogd) may be obtained from
+ <http://www.gnumonks.org/projects/ulogd/>
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT
+ tristate 'REDIRECT target support'
+ depends on ADK_KPACKAGE_KMOD_NF_NAT
+ help
+ REDIRECT is a special case of NAT: all incoming connections are
+ mapped onto the incoming interface's address, causing the packets to
+ come to the local machine instead of passing through. This is
+ useful for transparent proxies.
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP
+ tristate 'NETMAP target support'
+ depends on ADK_KPACKAGE_KMOD_NF_NAT
+ help
+ NETMAP is an implementation of static 1:1 NAT mapping of network
+ addresses. It maps the network address part, while keeping the host
+ address part intact. It is similar to Fast NAT, except that
+ Netfilter's connection tracking doesn't work well with Fast NAT.
+
+config ADK_KPACKAGE_KMOD_IP_NF_MANGLE
+ tristate 'Packet mangling'
+ depends on ADK_KPACKAGE_KMOD_NF_NAT
+ help
+ This option adds a `mangle' table to iptables: see the man page for
+ iptables(8). This table is used for various packet alterations
+ which can effect how the packet is routed.
+
+config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ECN
+ tristate 'ECN target support'
+ depends on ADK_KPACKAGE_KMOD_IP_NF_MANGLE
+ help
+ This option adds a `ECN' target, which can be used in the iptables mangle
+ table.
+
+ You can use this target to remove the ECN bits from the IPv4 header of
+ an IP packet. This is particularly useful, if you need to work around
+ existing ECN blackholes on the internet, but don't want to disable
+ ECN support in general.
+
generated by cgit v1.2.3 (git 2.25.1) at 2024-07-26 20:31:59 +0000