Loading net/ipv4/netfilter/Kconfig +14 −0 Original line number Diff line number Diff line Loading @@ -39,19 +39,33 @@ config NF_CONNTRACK_PROC_COMPAT config NF_TABLES_IPV4 depends on NF_TABLES tristate "IPv4 nf_tables support" help This option enables the IPv4 support for nf_tables. config NFT_CHAIN_ROUTE_IPV4 depends on NF_TABLES_IPV4 tristate "IPv4 nf_tables route chain support" help This option enables the "route" chain for IPv4 in nf_tables. This chain type is used to force packet re-routing after mangling header fields such as the source, destination, type of service and the packet mark. config NFT_CHAIN_NAT_IPV4 depends on NF_TABLES_IPV4 depends on NF_NAT_IPV4 && NFT_NAT tristate "IPv4 nf_tables nat chain support" help This option enables the "nat" chain for IPv4 in nf_tables. This chain type is used to perform Network Address Translation (NAT) packet transformations such as the source, destination address and source and destination ports. config NF_TABLES_ARP depends on NF_TABLES tristate "ARP nf_tables support" help This option enables the ARP support for nf_tables. config IP_NF_IPTABLES tristate "IP tables support (required for filtering/masq/NAT)" Loading net/ipv6/netfilter/Kconfig +12 −0 Original line number Diff line number Diff line Loading @@ -28,15 +28,27 @@ config NF_CONNTRACK_IPV6 config NF_TABLES_IPV6 depends on NF_TABLES tristate "IPv6 nf_tables support" help This option enables the IPv6 support for nf_tables. config NFT_CHAIN_ROUTE_IPV6 depends on NF_TABLES_IPV6 tristate "IPv6 nf_tables route chain support" help This option enables the "route" chain for IPv6 in nf_tables. This chain type is used to force packet re-routing after mangling header fields such as the source, destination, flowlabel, hop-limit and the packet mark. config NFT_CHAIN_NAT_IPV6 depends on NF_TABLES_IPV6 depends on NF_NAT_IPV6 && NFT_NAT tristate "IPv6 nf_tables nat chain support" help This option enables the "nat" chain for IPv6 in nf_tables. This chain type is used to perform Network Address Translation (NAT) packet transformations such as the source, destination address and source and destination ports. config IP6_NF_IPTABLES tristate "IP6 tables support (required for filtering)" Loading net/netfilter/Kconfig +42 −0 Original line number Diff line number Diff line Loading @@ -416,45 +416,83 @@ endif # NF_CONNTRACK config NF_TABLES select NETFILTER_NETLINK tristate "Netfilter nf_tables support" help nftables is the new packet classification framework that intends to replace the existing {ip,ip6,arp,eb}_tables infrastructure. It provides a pseudo-state machine with an extensible instruction-set (also known as expressions) that the userspace 'nft' utility (http://www.netfilter.org/projects/nftables) uses to build the rule-set. It also comes with the generic set infrastructure that allows you to construct mappings between matchings and actions for performance lookups. To compile it as a module, choose M here. config NFT_EXTHDR depends on NF_TABLES tristate "Netfilter nf_tables IPv6 exthdr module" help This option adds the "exthdr" expression that you can use to match IPv6 extension headers. config NFT_META depends on NF_TABLES tristate "Netfilter nf_tables meta module" help This option adds the "meta" expression that you can use to match and to set packet metainformation such as the packet mark. config NFT_CT depends on NF_TABLES depends on NF_CONNTRACK tristate "Netfilter nf_tables conntrack module" help This option adds the "meta" expression that you can use to match connection tracking information such as the flow state. config NFT_RBTREE depends on NF_TABLES tristate "Netfilter nf_tables rbtree set module" help This option adds the "rbtree" set type (Red Black tree) that is used to build interval-based sets. config NFT_HASH depends on NF_TABLES tristate "Netfilter nf_tables hash set module" help This option adds the "hash" set type that is used to build one-way mappings between matchings and actions. config NFT_COUNTER depends on NF_TABLES tristate "Netfilter nf_tables counter module" help This option adds the "counter" expression that you can use to include packet and byte counters in a rule. config NFT_LOG depends on NF_TABLES tristate "Netfilter nf_tables log module" help This option adds the "log" expression that you can use to log packets matching some criteria. config NFT_LIMIT depends on NF_TABLES tristate "Netfilter nf_tables limit module" help This option adds the "limit" expression that you can use to ratelimit rule matchings. config NFT_NAT depends on NF_TABLES depends on NF_CONNTRACK depends on NF_NAT tristate "Netfilter nf_tables nat module" help This option adds the "nat" expression that you can use to perform typical Network Address Translation (NAT) packet transformations. config NFT_QUEUE depends on NF_TABLES Loading @@ -470,6 +508,10 @@ config NFT_REJECT depends on NF_TABLES_IPV6 || !NF_TABLES_IPV6 default m if NETFILTER_ADVANCED=n tristate "Netfilter nf_tables reject support" help This option adds the "reject" expression that you can use to explicitly deny and notify via TCP reset/ICMP informational errors unallowed traffic. config NFT_COMPAT depends on NF_TABLES Loading Loading
net/ipv4/netfilter/Kconfig +14 −0 Original line number Diff line number Diff line Loading @@ -39,19 +39,33 @@ config NF_CONNTRACK_PROC_COMPAT config NF_TABLES_IPV4 depends on NF_TABLES tristate "IPv4 nf_tables support" help This option enables the IPv4 support for nf_tables. config NFT_CHAIN_ROUTE_IPV4 depends on NF_TABLES_IPV4 tristate "IPv4 nf_tables route chain support" help This option enables the "route" chain for IPv4 in nf_tables. This chain type is used to force packet re-routing after mangling header fields such as the source, destination, type of service and the packet mark. config NFT_CHAIN_NAT_IPV4 depends on NF_TABLES_IPV4 depends on NF_NAT_IPV4 && NFT_NAT tristate "IPv4 nf_tables nat chain support" help This option enables the "nat" chain for IPv4 in nf_tables. This chain type is used to perform Network Address Translation (NAT) packet transformations such as the source, destination address and source and destination ports. config NF_TABLES_ARP depends on NF_TABLES tristate "ARP nf_tables support" help This option enables the ARP support for nf_tables. config IP_NF_IPTABLES tristate "IP tables support (required for filtering/masq/NAT)" Loading
net/ipv6/netfilter/Kconfig +12 −0 Original line number Diff line number Diff line Loading @@ -28,15 +28,27 @@ config NF_CONNTRACK_IPV6 config NF_TABLES_IPV6 depends on NF_TABLES tristate "IPv6 nf_tables support" help This option enables the IPv6 support for nf_tables. config NFT_CHAIN_ROUTE_IPV6 depends on NF_TABLES_IPV6 tristate "IPv6 nf_tables route chain support" help This option enables the "route" chain for IPv6 in nf_tables. This chain type is used to force packet re-routing after mangling header fields such as the source, destination, flowlabel, hop-limit and the packet mark. config NFT_CHAIN_NAT_IPV6 depends on NF_TABLES_IPV6 depends on NF_NAT_IPV6 && NFT_NAT tristate "IPv6 nf_tables nat chain support" help This option enables the "nat" chain for IPv6 in nf_tables. This chain type is used to perform Network Address Translation (NAT) packet transformations such as the source, destination address and source and destination ports. config IP6_NF_IPTABLES tristate "IP6 tables support (required for filtering)" Loading
net/netfilter/Kconfig +42 −0 Original line number Diff line number Diff line Loading @@ -416,45 +416,83 @@ endif # NF_CONNTRACK config NF_TABLES select NETFILTER_NETLINK tristate "Netfilter nf_tables support" help nftables is the new packet classification framework that intends to replace the existing {ip,ip6,arp,eb}_tables infrastructure. It provides a pseudo-state machine with an extensible instruction-set (also known as expressions) that the userspace 'nft' utility (http://www.netfilter.org/projects/nftables) uses to build the rule-set. It also comes with the generic set infrastructure that allows you to construct mappings between matchings and actions for performance lookups. To compile it as a module, choose M here. config NFT_EXTHDR depends on NF_TABLES tristate "Netfilter nf_tables IPv6 exthdr module" help This option adds the "exthdr" expression that you can use to match IPv6 extension headers. config NFT_META depends on NF_TABLES tristate "Netfilter nf_tables meta module" help This option adds the "meta" expression that you can use to match and to set packet metainformation such as the packet mark. config NFT_CT depends on NF_TABLES depends on NF_CONNTRACK tristate "Netfilter nf_tables conntrack module" help This option adds the "meta" expression that you can use to match connection tracking information such as the flow state. config NFT_RBTREE depends on NF_TABLES tristate "Netfilter nf_tables rbtree set module" help This option adds the "rbtree" set type (Red Black tree) that is used to build interval-based sets. config NFT_HASH depends on NF_TABLES tristate "Netfilter nf_tables hash set module" help This option adds the "hash" set type that is used to build one-way mappings between matchings and actions. config NFT_COUNTER depends on NF_TABLES tristate "Netfilter nf_tables counter module" help This option adds the "counter" expression that you can use to include packet and byte counters in a rule. config NFT_LOG depends on NF_TABLES tristate "Netfilter nf_tables log module" help This option adds the "log" expression that you can use to log packets matching some criteria. config NFT_LIMIT depends on NF_TABLES tristate "Netfilter nf_tables limit module" help This option adds the "limit" expression that you can use to ratelimit rule matchings. config NFT_NAT depends on NF_TABLES depends on NF_CONNTRACK depends on NF_NAT tristate "Netfilter nf_tables nat module" help This option adds the "nat" expression that you can use to perform typical Network Address Translation (NAT) packet transformations. config NFT_QUEUE depends on NF_TABLES Loading @@ -470,6 +508,10 @@ config NFT_REJECT depends on NF_TABLES_IPV6 || !NF_TABLES_IPV6 default m if NETFILTER_ADVANCED=n tristate "Netfilter nf_tables reject support" help This option adds the "reject" expression that you can use to explicitly deny and notify via TCP reset/ICMP informational errors unallowed traffic. config NFT_COMPAT depends on NF_TABLES Loading
Pablo Neira Ayuso <pablo@netfilter.org>Pablo Neira Ayuso <pablo@netfilter.org>