path: root/net/netfilter/Kconfig

menu "Core Netfilter Configuration"
	depends on NET && INET && NETFILTER

config NETFILTER_NETLINK
	tristate

config NETFILTER_NETLINK_ACCT
tristate "Netfilter NFACCT over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for extended accounting via NFNETLINK.

config NETFILTER_NETLINK_QUEUE
	tristate "Netfilter NFQUEUE over NFNETLINK interface"
	depends on NETFILTER_ADVANCED
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for queueing packets via NFNETLINK.
	  
config NETFILTER_NETLINK_LOG
	tristate "Netfilter LOG over NFNETLINK interface"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_NETLINK
	help
	  If this option is enabled, the kernel will include support
	  for logging packets via NFNETLINK.

	  This obsoletes the existing ipt_ULOG and ebg_ulog mechanisms,
	  and is also scheduled to replace the old syslog-based ipt_LOG
	  and ip6t_LOG modules.

config NF_CONNTRACK
	tristate "Netfilter connection tracking support"
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation.  It can also be used to enhance packet
	  filtering (see `Connection state match support' below).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_CONNTRACK

config NF_CONNTRACK_MARK
	bool  'Connection mark tracking support'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config NF_CONNTRACK_SECMARK
	bool  'Connection tracking security mark support'
	depends on NETWORK_SECMARK
	default m if NETFILTER_ADVANCED=n
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config NF_CONNTRACK_ZONES
	bool  'Connection tracking zones'
	depends on NETFILTER_ADVANCED
	depends on NETFILTER_XT_TARGET_CT
	help
	  This option enables support for connection tracking zones.
	  Normally, each connection needs to have a unique system wide
	  identity. Connection tracking zones allow to have multiple
	  connections using the same identity, as long as they are
	  contained in different zones.

	  If unsure, say `N'.

config NF_CONNTRACK_PROCFS
	bool "Supply CT list in procfs (OBSOLETE)"
	default y
	depends on PROC_FS
	---help---
	This option enables for the list of known conntrack entries
	to be shown in procfs under net/netfilter/nf_conntrack. This
	is considered obsolete in favor of using the conntrack(8)
	tool which uses Netlink.

config NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on NETFILTER_ADVANCED
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config NF_CONNTRACK_TIMEOUT
	bool  'Connection tracking timeout'
	depends on NETFILTER_ADVANCED
	help
	  This option enables support for connection tracking timeout
	  extension. This allows you to attach timeout policies to flow
	  via the CT target.

	  If unsure, say `N'.

config NF_CONN