2019-05-19 06:07:45 -06:00
|
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
2005-04-16 16:20:36 -06:00
|
|
|
#
|
|
|
|
|
# IP netfilter configuration
|
|
|
|
|
#
|
|
|
|
|
|
|
|
|
|
menu "IP: Netfilter Configuration"
|
|
|
|
|
depends on INET && NETFILTER
|
|
|
|
|
|
2008-10-08 03:35:12 -06:00
|
|
|
config NF_DEFRAG_IPV4
|
|
|
|
|
tristate
|
|
|
|
|
default n
|
|
|
|
|
|
2016-10-27 12:49:48 -06:00
|
|
|
config NF_SOCKET_IPV4
|
|
|
|
|
tristate "IPv4 socket lookup support"
|
|
|
|
|
help
|
|
|
|
|
This option enables the IPv4 socket lookup infrastructure. This is
|
2018-06-01 12:44:56 -06:00
|
|
|
is required by the {ip,nf}tables socket match.
|
|
|
|
|
|
|
|
|
|
config NF_TPROXY_IPV4
|
|
|
|
|
tristate "IPv4 tproxy support"
|
2016-10-27 12:49:48 -06:00
|
|
|
|
2015-03-05 06:56:15 -07:00
|
|
|
if NF_TABLES
|
2014-06-28 10:39:01 -06:00
|
|
|
|
netfilter: add nftables
This patch adds nftables which is the intended successor of iptables.
This packet filtering framework reuses the existing netfilter hooks,
the connection tracking system, the NAT subsystem, the transparent
proxying engine, the logging infrastructure and the userspace packet
queueing facilities.
In a nutshell, nftables provides a pseudo-state machine with 4 general
purpose registers of 128 bits and 1 specific purpose register to store
verdicts. This pseudo-machine comes with an extensible instruction set,
a.k.a. "expressions" in the nftables jargon. The expressions included
in this patch provide the basic functionality, they are:
* bitwise: to perform bitwise operations.
* byteorder: to change from host/network endianess.
* cmp: to compare data with the content of the registers.
* counter: to enable counters on rules.
* ct: to store conntrack keys into register.
* exthdr: to match IPv6 extension headers.
* immediate: to load data into registers.
* limit: to limit matching based on packet rate.
* log: to log packets.
* meta: to match metainformation that usually comes with the skbuff.
* nat: to perform Network Address Translation.
* payload: to fetch data from the packet payload and store it into
registers.
* reject (IPv4 only): to explicitly close connection, eg. TCP RST.
Using this instruction-set, the userspace utility 'nft' can transform
the rules expressed in human-readable text representation (using a
new syntax, inspired by tcpdump) to nftables bytecode.
nftables also inherits the table, chain and rule objects from
iptables, but in a more configurable way, and it also includes the
original datatype-agnostic set infrastructure with mapping support.
This set infrastructure is enhanced in the follow up patch (netfilter:
nf_tables: add netlink set API).
This patch includes the following components:
* the netlink API: net/netfilter/nf_tables_api.c and
include/uapi/netfilter/nf_tables.h
* the packet filter core: net/netfilter/nf_tables_core.c
* the expressions (described above): net/netfilter/nft_*.c
* the filter tables: arp, IPv4, IPv6 and bridge:
net/ipv4/netfilter/nf_tables_ipv4.c
net/ipv6/netfilter/nf_tables_ipv6.c
net/ipv4/netfilter/nf_tables_arp.c
net/bridge/netfilter/nf_tables_bridge.c
* the NAT table (IPv4 only):
net/ipv4/netfilter/nf_table_nat_ipv4.c
* the route table (similar to mangle):
net/ipv4/netfilter/nf_table_route_ipv4.c
net/ipv6/netfilter/nf_table_route_ipv6.c
* internal definitions under:
include/net/netfilter/nf_tables.h
include/net/netfilter/nf_tables_core.h
* It also includes an skeleton expression:
net/netfilter/nft_expr_template.c
and the preliminary implementation of the meta target
net/netfilter/nft_meta_target.c
It also includes a change in struct nf_hook_ops to add a new
pointer to store private data to the hook, that is used to store
the rule list per chain.
This patch is based on the patch from Patrick McHardy, plus merged
accumulated cleanups, fixes and small enhancements to the nftables
code that has been done since 2009, which are:
From Patrick McHardy:
* nf_tables: adjust netlink handler function signatures
* nf_tables: only retry table lookup after successful table module load
* nf_tables: fix event notification echo and avoid unnecessary messages
* nft_ct: add l3proto support
* nf_tables: pass expression context to nft_validate_data_load()
* nf_tables: remove redundant definition
* nft_ct: fix maxattr initialization
* nf_tables: fix invalid event type in nf_tables_getrule()
* nf_tables: simplify nft_data_init() usage
* nf_tables: build in more core modules
* nf_tables: fix double lookup expression unregistation
* nf_tables: move expression initialization to nf_tables_core.c
* nf_tables: build in payload module
* nf_tables: use NFPROTO constants
* nf_tables: rename pid variables to portid
* nf_tables: save 48 bits per rule
* nf_tables: introduce chain rename
* nf_tables: check for duplicate names on chain rename
* nf_tables: remove ability to specify handles for new rules
* nf_tables: return error for rule change request
* nf_tables: return error for NLM_F_REPLACE without rule handle
* nf_tables: include NLM_F_APPEND/NLM_F_REPLACE flags in rule notification
* nf_tables: fix NLM_F_MULTI usage in netlink notifications
* nf_tables: include NLM_F_APPEND in rule dumps
From Pablo Neira Ayuso:
* nf_tables: fix stack overflow in nf_tables_newrule
* nf_tables: nft_ct: fix compilation warning
* nf_tables: nft_ct: fix crash with invalid packets
* nft_log: group and qthreshold are 2^16
* nf_tables: nft_meta: fix socket uid,gid handling
* nft_counter: allow to restore counters
* nf_tables: fix module autoload
* nf_tables: allow to remove all rules placed in one chain
* nf_tables: use 64-bits rule handle instead of 16-bits
* nf_tables: fix chain after rule deletion
* nf_tables: improve deletion performance
* nf_tables: add missing code in route chain type
* nf_tables: rise maximum number of expressions from 12 to 128
* nf_tables: don't delete table if in use
* nf_tables: fix basechain release
From Tomasz Bursztyka:
* nf_tables: Add support for changing users chain's name
* nf_tables: Change chain's name to be fixed sized
* nf_tables: Add support for replacing a rule by another one
* nf_tables: Update uapi nftables netlink header documentation
From Florian Westphal:
* nft_log: group is u16, snaplen u32
From Phil Oester:
* nf_tables: operational limit match
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-10-14 03:00:02 -06:00
|
|
|
config NF_TABLES_IPV4
|
2018-03-27 03:53:07 -06:00
|
|
|
bool "IPv4 nf_tables support"
|
2013-12-30 07:09:18 -07:00
|
|
|
help
|
|
|
|
|
This option enables the IPv4 support for nf_tables.
|
netfilter: add nftables
This patch adds nftables which is the intended successor of iptables.
This packet filtering framework reuses the existing netfilter hooks,
the connection tracking system, the NAT subsystem, the transparent
proxying engine, the logging infrastructure and the userspace packet
queueing facilities.
In a nutshell, nftables provides a pseudo-state machine with 4 general
purpose registers of 128 bits and 1 specific purpose register to store
verdicts. This pseudo-machine comes with an extensible instruction set,
a.k.a. "expressions" in the nftables jargon. The expressions included
in this patch provide the basic functionality, they are:
* bitwise: to perform bitwise operations.
* byteorder: to change from host/network endianess.
* cmp: to compare data with the content of the registers.
* counter: to enable counters on rules.
* ct: to store conntrack keys into register.
* exthdr: to match IPv6 extension headers.
* immediate: to load data into registers.
* limit: to limit matching based on packet rate.
* log: to log packets.
* meta: to match metainformation that usually comes with the skbuff.
* nat: to perform Network Address Translation.
* payload: to fetch data from the packet payload and store it into
registers.
* reject (IPv4 only): to explicitly close connection, eg. TCP RST.
Using this instruction-set, the userspace utility 'nft' can transform
the rules expressed in human-readable text representation (using a
new syntax, inspired by tcpdump) to nftables bytecode.
nftables also inherits the table, chain and rule objects from
iptables, but in a more configurable way, and it also includes the
original datatype-agnostic set infrastructure with mapping support.
This set infrastructure is enhanced in the follow up patch (netfilter:
nf_tables: add netlink set API).
This patch includes the following components:
* the netlink API: net/netfilter/nf_tables_api.c and
include/uapi/netfilter/nf_tables.h
* the packet filter core: net/netfilter/nf_tables_core.c
* the expressions (described above): net/netfilter/nft_*.c
* the filter tables: arp, IPv4, IPv6 and bridge:
net/ipv4/netfilter/nf_tables_ipv4.c
net/ipv6/netfilter/nf_tables_ipv6.c
net/ipv4/netfilter/nf_tables_arp.c
net/bridge/netfilter/nf_tables_bridge.c
* the NAT table (IPv4 only):
net/ipv4/netfilter/nf_table_nat_ipv4.c
* the route table (similar to mangle):
net/ipv4/netfilter/nf_table_route_ipv4.c
net/ipv6/netfilter/nf_table_route_ipv6.c
* internal definitions under:
include/net/netfilter/nf_tables.h
include/net/netfilter/nf_tables_core.h
* It also includes an skeleton expression:
net/netfilter/nft_expr_template.c
and the preliminary implementation of the meta target
net/netfilter/nft_meta_target.c
It also includes a change in struct nf_hook_ops to add a new
pointer to store private data to the hook, that is used to store
the rule list per chain.
This patch is based on the patch from Patrick McHardy, plus merged
accumulated cleanups, fixes and small enhancements to the nftables
code that has been done since 2009, which are:
From Patrick McHardy:
* nf_tables: adjust netlink handler function signatures
* nf_tables: only retry table lookup after successful table module load
* nf_tables: fix event notification echo and avoid unnecessary messages
* nft_ct: add l3proto support
* nf_tables: pass expression context to nft_validate_data_load()
* nf_tables: remove redundant definition
* nft_ct: fix maxattr initialization
* nf_tables: fix invalid event type in nf_tables_getrule()
* nf_tables: simplify nft_data_init() usage
* nf_tables: build in more core modules
* nf_tables: fix double lookup expression unregistation
* nf_tables: move expression initialization to nf_tables_core.c
* nf_tables: build in payload module
* nf_tables: use NFPROTO constants
* nf_tables: rename pid variables to portid
* nf_tables: save 48 bits per rule
* nf_tables: introduce chain rename
* nf_tables: check for duplicate names on chain rename
* nf_tables: remove ability to specify handles for new rules
* nf_tables: return error for rule change request
* nf_tables: return error for NLM_F_REPLACE without rule handle
* nf_tables: include NLM_F_APPEND/NLM_F_REPLACE flags in rule notification
* nf_tables: fix NLM_F_MULTI usage in netlink notifications
* nf_tables: include NLM_F_APPEND in rule dumps
From Pablo Neira Ayuso:
* nf_tables: fix stack overflow in nf_tables_newrule
* nf_tables: nft_ct: fix compilation warning
* nf_tables: nft_ct: fix crash with invalid packets
* nft_log: group and qthreshold are 2^16
* nf_tables: nft_meta: fix socket uid,gid handling
* nft_counter: allow to restore counters
* nf_tables: fix module autoload
* nf_tables: allow to remove all rules placed in one chain
* nf_tables: use 64-bits rule handle instead of 16-bits
* nf_tables: fix chain after rule deletion
* nf_tables: improve deletion performance
* nf_tables: add missing code in route chain type
* nf_tables: rise maximum number of expressions from 12 to 128
* nf_tables: don't delete table if in use
* nf_tables: fix basechain release
From Tomasz Bursztyka:
* nf_tables: Add support for changing users chain's name
* nf_tables: Change chain's name to be fixed sized
* nf_tables: Add support for replacing a rule by another one
* nf_tables: Update uapi nftables netlink header documentation
From Florian Westphal:
* nft_log: group is u16, snaplen u32
From Phil Oester:
* nf_tables: operational limit match
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-10-14 03:00:02 -06:00
|
|
|
|
2015-03-05 06:56:15 -07:00
|
|
|
if NF_TABLES_IPV4
|
|
|
|
|
|
2014-02-05 08:03:38 -07:00
|
|
|
config NFT_REJECT_IPV4
|
2014-09-26 06:35:15 -06:00
|
|
|
select NF_REJECT_IPV4
|
2014-02-05 08:03:38 -07:00
|
|
|
default NFT_REJECT
|
|
|
|
|
tristate
|
|
|
|
|
|
2015-05-31 10:04:11 -06:00
|
|
|
config NFT_DUP_IPV4
|
|
|
|
|
tristate "IPv4 nf_tables packet duplication support"
|
2015-12-09 14:06:59 -07:00
|
|
|
depends on !NF_CONNTRACK || NF_CONNTRACK
|
2015-05-31 10:04:11 -06:00
|
|
|
select NF_DUP_IPV4
|
|
|
|
|
help
|
|
|
|
|
This module enables IPv4 packet duplication support for nf_tables.
|
|
|
|
|
|
2016-10-24 08:56:40 -06:00
|
|
|
config NFT_FIB_IPV4
|
|
|
|
|
select NFT_FIB
|
|
|
|
|
tristate "nf_tables fib / ip route lookup support"
|
|
|
|
|
help
|
|
|
|
|
This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
|
|
|
|
|
It also allows query of the FIB for the route type, e.g. local, unicast,
|
|
|
|
|
multicast or blackhole.
|
|
|
|
|
|
2015-03-05 06:56:15 -07:00
|
|
|
endif # NF_TABLES_IPV4
|
|
|
|
|
|
2013-10-07 14:53:08 -06:00
|
|
|
config NF_TABLES_ARP
|
2018-03-27 03:53:07 -06:00
|
|
|
bool "ARP nf_tables support"
|
2017-12-07 08:28:26 -07:00
|
|
|
select NETFILTER_FAMILY_ARP
|
2013-12-30 07:09:18 -07:00
|
|
|
help
|
|
|
|
|
This option enables the ARP support for nf_tables.
|
2013-10-07 14:53:08 -06:00
|
|
|
|
2015-03-05 06:56:15 -07:00
|
|
|
endif # NF_TABLES
|
|
|
|
|
|
2018-01-06 17:04:15 -07:00
|
|
|
config NF_FLOW_TABLE_IPV4
|
|
|
|
|
tristate "Netfilter flow table IPv4 module"
|
2018-01-31 10:13:39 -07:00
|
|
|
depends on NF_FLOW_TABLE
|
2018-01-06 17:04:15 -07:00
|
|
|
help
|
|
|
|
|
This option adds the flow table IPv4 support.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here.
|
|
|
|
|
|
2015-05-31 09:54:44 -06:00
|
|
|
config NF_DUP_IPV4
|
|
|
|
|
tristate "Netfilter IPv4 packet duplication to alternate destination"
|
2015-09-29 13:10:05 -06:00
|
|
|
depends on !NF_CONNTRACK || NF_CONNTRACK
|
2015-05-31 09:54:44 -06:00
|
|
|
help
|
|
|
|
|
This option enables the nf_dup_ipv4 core, which duplicates an IPv4
|
|
|
|
|
packet to be rerouted to another destination.
|
|
|
|
|
|
2015-03-05 06:56:15 -07:00
|
|
|
config NF_LOG_ARP
|
|
|
|
|
tristate "ARP packet logging"
|
|
|
|
|
default m if NETFILTER_ADVANCED=n
|
|
|
|
|
select NF_LOG_COMMON
|
|
|
|
|
|
|
|
|
|
config NF_LOG_IPV4
|
|
|
|
|
tristate "IPv4 packet logging"
|
|
|
|
|
default m if NETFILTER_ADVANCED=n
|
|
|
|
|
select NF_LOG_COMMON
|
|
|
|
|
|
|
|
|
|
config NF_REJECT_IPV4
|
|
|
|
|
tristate "IPv4 packet rejection"
|
|
|
|
|
default m if NETFILTER_ADVANCED=n
|
|
|
|
|
|
2019-02-19 09:38:21 -07:00
|
|
|
if NF_NAT
|
2014-08-11 10:21:49 -06:00
|
|
|
config NF_NAT_SNMP_BASIC
|
|
|
|
|
tristate "Basic SNMP-ALG support"
|
|
|
|
|
depends on NF_CONNTRACK_SNMP
|
|
|
|
|
depends on NETFILTER_ADVANCED
|
|
|
|
|
default NF_NAT && NF_CONNTRACK_SNMP
|
netfilter: nf_nat_snmp_basic: use asn1 decoder library
The basic SNMP ALG parse snmp ASN.1 payload
however, since 2012 linux kernel provide ASN.1 decoder library.
If we use ASN.1 decoder in the /lib/asn1_decoder.c, we can remove
about 1000 line of ASN.1 parsing routine.
To use asn1_decoder.c, we should write mib file(nf_nat_snmp_basic.asn1)
then /script/asn1_compiler.c makes *-asn1.c and *-asn1.h file
at the compiletime.(nf_nat_snmp_basic-asn1.c, nf_nat_snmp_basic-asn1.h)
The nf_nat_snmp_basic.asn1 is made by RFC1155, RFC1157, RFC1902, RFC1905,
RFC2578, RFC3416. of course that mib file supports only the basic SNMP ALG.
Previous SNMP ALG mangles only first octet of IPv4 address.
but after this patch, the SNMP ALG mangles whole IPv4 Address.
And SNMPv3 is not supported.
I tested with snmp commands such ans snmpd, snmpwalk, snmptrap.
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2018-01-07 08:10:33 -07:00
|
|
|
select ASN1
|
2014-08-11 10:21:49 -06:00
|
|
|
---help---
|
|
|
|
|
|
|
|
|
|
This module implements an Application Layer Gateway (ALG) for
|
|
|
|
|
SNMP payloads. In conjunction with NAT, it allows a network
|
|
|
|
|
management system to access multiple private networks with
|
|
|
|
|
conflicting addresses. It works by modifying IP addresses
|
|
|
|
|
inside SNMP payloads to match IP-layer NAT mapping.
|
|
|
|
|
|
|
|
|
|
This is the "basic" form of SNMP-ALG, as described in RFC 2962
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config NF_NAT_PPTP
|
|
|
|
|
tristate
|
|
|
|
|
depends on NF_CONNTRACK
|
|
|
|
|
default NF_CONNTRACK_PPTP
|
|
|
|
|
|
|
|
|
|
config NF_NAT_H323
|
|
|
|
|
tristate
|
|
|
|
|
depends on NF_CONNTRACK
|
|
|
|
|
default NF_CONNTRACK_H323
|
|
|
|
|
|
2019-02-19 09:38:21 -07:00
|
|
|
endif # NF_NAT
|
2014-08-11 10:21:49 -06:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
config IP_NF_IPTABLES
|
|
|
|
|
tristate "IP tables support (required for filtering/masq/NAT)"
|
2007-12-17 23:47:05 -07:00
|
|
|
default m if NETFILTER_ADVANCED=n
|
2007-02-12 12:15:02 -07:00
|
|
|
select NETFILTER_XTABLES
|
2005-04-16 16:20:36 -06:00
|
|
|
help
|
|
|
|
|
iptables is a general, extensible packet identification framework.
|
|
|
|
|
The packet filtering and full NAT (masquerading, port forwarding,
|
|
|
|
|
etc) subsystems now use this: say `Y' or `M' here if you want to use
|
|
|
|
|
either of those.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2008-10-08 03:35:18 -06:00
|
|
|
if IP_NF_IPTABLES
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
# The matches.
|
2006-04-01 03:22:30 -07:00
|
|
|
config IP_NF_MATCH_AH
|
2007-12-05 00:31:59 -07:00
|
|
|
tristate '"ah" match support'
|
2007-12-17 23:47:05 -07:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-04-16 16:20:36 -06:00
|
|
|
help
|
2006-04-01 03:22:30 -07:00
|
|
|
This match extension allows you to match a range of SPIs
|
|
|
|
|
inside AH header of IPSec packets.
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2008-10-08 03:35:17 -06:00
|
|
|
config IP_NF_MATCH_ECN
|
|
|
|
|
tristate '"ecn" match support'
|
2007-12-17 23:47:05 -07:00
|
|
|
depends on NETFILTER_ADVANCED
|
2011-06-09 13:03:07 -06:00
|
|
|
select NETFILTER_XT_MATCH_ECN
|
|
|
|
|
---help---
|
|
|
|
|
This is a backwards-compat option for the user's convenience
|
|
|
|
|
(e.g. when running oldconfig). It selects
|
|
|
|
|
CONFIG_NETFILTER_XT_MATCH_ECN.
|
2005-04-16 16:20:36 -06:00
|
|
|
|
netfilter: add ipv4 reverse path filter match
This tries to do the same thing as fib_validate_source(), but differs
in several aspects.
The most important difference is that the reverse path filter built into
fib_validate_source uses the oif as iif when performing the reverse
lookup. We do not do this, as the oif is not yet known by the time the
PREROUTING hook is invoked.
We can't wait until FORWARD chain because by the time FORWARD is invoked
ipv4 forward path may have already sent icmp messages is response
to to-be-discarded-via-rpfilter packets.
To avoid the such an additional lookup in PREROUTING, Patrick McHardy
suggested to attach the path information directly in the match
(i.e., just do what the standard ipv4 path does a bit earlier in PREROUTING).
This works, but it also has a few caveats. Most importantly, when using
marks in PREROUTING to re-route traffic based on the nfmark, -m rpfilter
would have to be used after the nfmark has been set; otherwise the nfmark
would have no effect (because the route is already attached).
Another problem would be interaction with -j TPROXY, as this target sets an
nfmark and uses ACCEPT instead of continue, i.e. such a version of
-m rpfilter cannot be used for the initial to-be-intercepted packets.
In case in turns out that the oif is required, we can add Patricks
suggestion with a new match option (e.g. --rpf-use-oif) to keep ruleset
compatibility.
Another difference to current builtin ipv4 rpfilter is that packets subject to ipsec
transformation are not automatically excluded. If you want this, simply
combine -m rpfilter with the policy match.
Packets arriving on loopback interfaces always match.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-07-04 15:48:10 -06:00
|
|
|
config IP_NF_MATCH_RPFILTER
|
|
|
|
|
tristate '"rpfilter" reverse path filter match support'
|
2015-06-12 05:58:52 -06:00
|
|
|
depends on NETFILTER_ADVANCED
|
|
|
|
|
depends on IP_NF_MANGLE || IP_NF_RAW
|
netfilter: add ipv4 reverse path filter match
This tries to do the same thing as fib_validate_source(), but differs
in several aspects.
The most important difference is that the reverse path filter built into
fib_validate_source uses the oif as iif when performing the reverse
lookup. We do not do this, as the oif is not yet known by the time the
PREROUTING hook is invoked.
We can't wait until FORWARD chain because by the time FORWARD is invoked
ipv4 forward path may have already sent icmp messages is response
to to-be-discarded-via-rpfilter packets.
To avoid the such an additional lookup in PREROUTING, Patrick McHardy
suggested to attach the path information directly in the match
(i.e., just do what the standard ipv4 path does a bit earlier in PREROUTING).
This works, but it also has a few caveats. Most importantly, when using
marks in PREROUTING to re-route traffic based on the nfmark, -m rpfilter
would have to be used after the nfmark has been set; otherwise the nfmark
would have no effect (because the route is already attached).
Another problem would be interaction with -j TPROXY, as this target sets an
nfmark and uses ACCEPT instead of continue, i.e. such a version of
-m rpfilter cannot be used for the initial to-be-intercepted packets.
In case in turns out that the oif is required, we can add Patricks
suggestion with a new match option (e.g. --rpf-use-oif) to keep ruleset
compatibility.
Another difference to current builtin ipv4 rpfilter is that packets subject to ipsec
transformation are not automatically excluded. If you want this, simply
combine -m rpfilter with the policy match.
Packets arriving on loopback interfaces always match.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2011-07-04 15:48:10 -06:00
|
|
|
---help---
|
|
|
|
|
This option allows you to match packets whose replies would
|
|
|
|
|
go out via the interface the packet came in.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
The module will be called ipt_rpfilter.
|
|
|
|
|
|
2009-02-19 03:16:03 -07:00
|
|
|
config IP_NF_MATCH_TTL
|
|
|
|
|
tristate '"ttl" match support'
|
|
|
|
|
depends on NETFILTER_ADVANCED
|
|
|
|
|
select NETFILTER_XT_MATCH_HL
|
|
|
|
|
---help---
|
|
|
|
|
This is a backwards-compat option for the user's convenience
|
|
|
|
|
(e.g. when running oldconfig). It selects
|
2009-03-16 08:17:23 -06:00
|
|
|
CONFIG_NETFILTER_XT_MATCH_HL.
|
2009-02-19 03:16:03 -07:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
# `filter', generic and specific targets
|
|
|
|
|
config IP_NF_FILTER
|
|
|
|
|
tristate "Packet filtering"
|
2007-12-17 23:47:05 -07:00
|
|
|
default m if NETFILTER_ADVANCED=n
|
2005-04-16 16:20:36 -06:00
|
|
|
help
|
|
|
|
|
Packet filtering defines a table `filter', which has a series of
|
|
|
|
|
rules for simple packet filtering at local input, forwarding and
|
|
|
|
|
local output. See the man page for iptables(8).
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config IP_NF_TARGET_REJECT
|
|
|
|
|
tristate "REJECT target support"
|
|
|
|
|
depends on IP_NF_FILTER
|
2014-09-26 06:35:15 -06:00
|
|
|
select NF_REJECT_IPV4
|
2007-12-17 23:47:05 -07:00
|
|
|
default m if NETFILTER_ADVANCED=n
|
2005-04-16 16:20:36 -06:00
|
|
|
help
|
|
|
|
|
The REJECT target allows a filtering rule to specify that an ICMP
|
|
|
|
|
error should be issued in response to an incoming packet, rather
|
|
|
|
|
than silently being dropped.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2013-08-27 00:50:14 -06:00
|
|
|
config IP_NF_TARGET_SYNPROXY
|
|
|
|
|
tristate "SYNPROXY target support"
|
|
|
|
|
depends on NF_CONNTRACK && NETFILTER_ADVANCED
|
|
|
|
|
select NETFILTER_SYNPROXY
|
|
|
|
|
select SYN_COOKIES
|
|
|
|
|
help
|
|
|
|
|
The SYNPROXY target allows you to intercept TCP connections and
|
|
|
|
|
establish them using syncookies before they are passed on to the
|
|
|
|
|
server. This allows to avoid conntrack and server resource usage
|
|
|
|
|
during SYN-flood attacks.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2006-12-02 23:07:13 -07:00
|
|
|
# NAT + specific targets: nf_conntrack
|
2014-08-11 10:21:49 -06:00
|
|
|
config IP_NF_NAT
|
|
|
|
|
tristate "iptables NAT support"
|
2018-06-28 23:46:51 -06:00
|
|
|
depends on NF_CONNTRACK
|
2007-12-17 23:47:05 -07:00
|
|
|
default m if NETFILTER_ADVANCED=n
|
2012-08-26 11:14:06 -06:00
|
|
|
select NF_NAT
|
2014-08-11 10:21:49 -06:00
|
|
|
select NETFILTER_XT_NAT
|
2006-12-02 23:07:13 -07:00
|
|
|
help
|
2014-08-11 10:21:49 -06:00
|
|
|
This enables the `nat' table in iptables. This allows masquerading,
|
|
|
|
|
port forwarding and other forms of full Network Address Port
|
|
|
|
|
Translation.
|
2006-12-02 23:07:13 -07:00
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2014-08-11 10:21:49 -06:00
|
|
|
if IP_NF_NAT
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
config IP_NF_TARGET_MASQUERADE
|
|
|
|
|
tristate "MASQUERADE target support"
|
2019-04-09 02:44:07 -06:00
|
|
|
select NETFILTER_XT_TARGET_MASQUERADE
|
2005-04-16 16:20:36 -06:00
|
|
|
help
|
2019-04-09 02:44:07 -06:00
|
|
|
This is a backwards-compat option for the user's convenience
|
|
|
|
|
(e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2008-10-08 03:35:17 -06:00
|
|
|
config IP_NF_TARGET_NETMAP
|
|
|
|
|
tristate "NETMAP target support"
|
2007-12-17 23:47:05 -07:00
|
|
|
depends on NETFILTER_ADVANCED
|
2012-09-21 03:37:59 -06:00
|
|
|
select NETFILTER_XT_TARGET_NETMAP
|
|
|
|
|
---help---
|
|
|
|
|
This is a backwards-compat option for the user's convenience
|
|
|
|
|
(e.g. when running oldconfig). It selects
|
|
|
|
|
CONFIG_NETFILTER_XT_TARGET_NETMAP.
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2008-10-08 03:35:17 -06:00
|
|
|
config IP_NF_TARGET_REDIRECT
|
|
|
|
|
tristate "REDIRECT target support"
|
2007-12-17 23:47:05 -07:00
|
|
|
depends on NETFILTER_ADVANCED
|
2012-09-21 03:41:34 -06:00
|
|
|
select NETFILTER_XT_TARGET_REDIRECT
|
|
|
|
|
---help---
|
|
|
|
|
This is a backwards-compat option for the user's convenience
|
|
|
|
|
(e.g. when running oldconfig). It selects
|
|
|
|
|
CONFIG_NETFILTER_XT_TARGET_REDIRECT.
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2014-08-11 10:21:49 -06:00
|
|
|
endif # IP_NF_NAT
|
2006-12-02 23:08:46 -07:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
# mangle + specific targets
|
|
|
|
|
config IP_NF_MANGLE
|
|
|
|
|
tristate "Packet mangling"
|
2007-12-17 23:47:05 -07:00
|
|
|
default m if NETFILTER_ADVANCED=n
|
2005-04-16 16:20:36 -06:00
|
|
|
help
|
|
|
|
|
This option adds a `mangle' table to iptables: see the man page for
|
|
|
|
|
iptables(8). This table is used for various packet alterations
|
|
|
|
|
which can effect how the packet is routed.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2008-10-08 03:35:17 -06:00
|
|
|
config IP_NF_TARGET_CLUSTERIP
|
2012-10-02 12:19:48 -06:00
|
|
|
tristate "CLUSTERIP target support"
|
|
|
|
|
depends on IP_NF_MANGLE
|
2018-06-28 23:46:51 -06:00
|
|
|
depends on NF_CONNTRACK
|
2008-10-08 03:35:17 -06:00
|
|
|
depends on NETFILTER_ADVANCED
|
|
|
|
|
select NF_CONNTRACK_MARK
|
2018-01-11 01:21:29 -07:00
|
|
|
select NETFILTER_FAMILY_ARP
|
2008-10-08 03:35:17 -06:00
|
|
|
help
|
|
|
|
|
The CLUSTERIP target allows you to build load-balancing clusters of
|
|
|
|
|
network servers without having a dedicated load-balancing
|
|
|
|
|
router/server/switch.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
config IP_NF_TARGET_ECN
|
|
|
|
|
tristate "ECN target support"
|
|
|
|
|
depends on IP_NF_MANGLE
|
2007-12-17 23:47:05 -07:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-04-16 16:20:36 -06:00
|
|
|
---help---
|
|
|
|
|
This option adds a `ECN' target, which can be used in the iptables mangle
|
|
|
|
|
table.
|
|
|
|
|
|
|
|
|
|
You can use this target to remove the ECN bits from the IPv4 header of
|
|
|
|
|
an IP packet. This is particularly useful, if you need to work around
|
|
|
|
|
existing ECN blackholes on the internet, but don't want to disable
|
|
|
|
|
ECN support in general.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2009-02-19 03:16:03 -07:00
|
|
|
config IP_NF_TARGET_TTL
|
|
|
|
|
tristate '"TTL" target support'
|
2010-10-18 03:13:30 -06:00
|
|
|
depends on NETFILTER_ADVANCED && IP_NF_MANGLE
|
2009-02-19 03:16:03 -07:00
|
|
|
select NETFILTER_XT_TARGET_HL
|
|
|
|
|
---help---
|
2010-10-18 03:13:30 -06:00
|
|
|
This is a backwards-compatible option for the user's convenience
|
2009-02-19 03:16:03 -07:00
|
|
|
(e.g. when running oldconfig). It selects
|
2009-03-16 08:17:23 -06:00
|
|
|
CONFIG_NETFILTER_XT_TARGET_HL.
|
2009-02-19 03:16:03 -07:00
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
# raw + specific targets
|
|
|
|
|
config IP_NF_RAW
|
|
|
|
|
tristate 'raw table support (required for NOTRACK/TRACE)'
|
|
|
|
|
help
|
|
|
|
|
This option adds a `raw' table to iptables. This table is the very
|
|
|
|
|
first in the netfilter framework and hooks in at the PREROUTING
|
|
|
|
|
and OUTPUT chains.
|
|
|
|
|
|
|
|
|
|
If you want to compile it as a module, say M here and read
|
2019-06-12 11:52:48 -06:00
|
|
|
<file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
|
2008-06-09 16:57:24 -06:00
|
|
|
|
|
|
|
|
# security table for MAC policy
|
|
|
|
|
config IP_NF_SECURITY
|
|
|
|
|
tristate "Security table"
|
|
|
|
|
depends on SECURITY
|
2008-07-23 17:42:42 -06:00
|
|
|
depends on NETFILTER_ADVANCED
|
2008-06-09 16:57:24 -06:00
|
|
|
help
|
|
|
|
|
This option adds a `security' table to iptables, for use
|
|
|
|
|
with Mandatory Access Control (MAC) policy.
|
|
|
|
|
|
|
|
|
|
If unsure, say N.
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2008-10-08 03:35:18 -06:00
|
|
|
endif # IP_NF_IPTABLES
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
# ARP tables
|
|
|
|
|
config IP_NF_ARPTABLES
|
|
|
|
|
tristate "ARP tables support"
|
2007-02-12 12:15:02 -07:00
|
|
|
select NETFILTER_XTABLES
|
2017-12-07 08:28:26 -07:00
|
|
|
select NETFILTER_FAMILY_ARP
|
2007-12-17 23:47:05 -07:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-04-16 16:20:36 -06:00
|
|
|
help
|
|
|
|
|
arptables is a general, extensible packet identification framework.
|
|
|
|
|
The ARP packet filtering and mangling (manipulation)subsystems
|
|
|
|
|
use this: say Y or M here if you want to use either of those.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2008-10-08 03:35:18 -06:00
|
|
|
if IP_NF_ARPTABLES
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
config IP_NF_ARPFILTER
|
|
|
|
|
tristate "ARP packet filtering"
|
|
|
|
|
help
|
|
|
|
|
ARP packet filtering defines a table `filter', which has a series of
|
|
|
|
|
rules for simple ARP packet filtering at local input and
|
|
|
|
|
local output. On a bridge, you can also specify filtering rules
|
|
|
|
|
for forwarded ARP packets. See the man page for arptables(8).
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config IP_NF_ARP_MANGLE
|
|
|
|
|
tristate "ARP payload mangling"
|
|
|
|
|
help
|
|
|
|
|
Allows altering the ARP packet payload: source and destination
|
|
|
|
|
hardware and network addresses.
|
|
|
|
|
|
2008-10-08 03:35:18 -06:00
|
|
|
endif # IP_NF_ARPTABLES
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
endmenu
|
|
|
|
|
|