projects / linux-2.6 / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge git://git.infradead.org/hdrinstall-2.6
[linux-2.6] / net / ipv4 / netfilter / Kconfig
CommitLineData
1da177e4
LT		 1#
2# IP netfilter configuration
3#
4
5menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
7
9fb9cbb1
YK		 8config NF_CONNTRACK_IPV4
9 tristate "IPv4 support for new connection tracking (EXPERIMENTAL)"
10 depends on EXPERIMENTAL && NF_CONNTRACK
11 ---help---
12 Connection tracking keeps a record of what packets have passed
13 through your machine, in order to figure out how they are related
14 into connections.
15
16 This is IPv4 support on Layer 3 independent connection tracking.
17 Layer 3 independent connection tracking is experimental scheme
18 which generalize ip_conntrack to support other layer 3 protocols.
19
20 To compile it as a module, choose M here. If unsure, say N.
21
1da177e4
LT		 22# connection tracking, helpers and protocols
23config IP_NF_CONNTRACK
24 tristate "Connection tracking (required for masq/NAT)"
25 ---help---
26 Connection tracking keeps a record of what packets have passed
27 through your machine, in order to figure out how they are related
28 into connections.
29
30 This is required to do Masquerading or other kinds of Network
31 Address Translation (except for Fast NAT). It can also be used to
32 enhance packet filtering (see `Connection state match support'
33 below).
34
35 To compile it as a module, choose M here. If unsure, say N.
36
37config IP_NF_CT_ACCT
38 bool "Connection tracking flow accounting"
39 depends on IP_NF_CONNTRACK
40 help
41 If this option is enabled, the connection tracking code will
42 keep per-flow packet and byte counters.
43
44 Those counters can be used for flow-based accounting or the
45 `connbytes' match.
46
47 If unsure, say `N'.
48
49config IP_NF_CONNTRACK_MARK
50 bool 'Connection mark tracking support'
31c913e7 51 depends on IP_NF_CONNTRACK
1da177e4
LT		 52 help
53 This option enables support for connection marks, used by the
54 `CONNMARK' target and `connmark' match. Similar to the mark value
55 of packets, but this mark value is kept in the conntrack session
56 instead of the individual packets.
57
7c9728c3
JM		 58config IP_NF_CONNTRACK_SECMARK
59 bool 'Connection tracking security mark support'
60 depends on IP_NF_CONNTRACK && NETWORK_SECMARK
61 help
62 This option enables security markings to be applied to
63 connections. Typically they are copied to connections from
64 packets using the CONNSECMARK target and copied back from
65 connections to packets with the same target, with the packets
66 being originally labeled via SECMARK.
67
68 If unsure, say 'N'.
69
ac3247ba 70config IP_NF_CONNTRACK_EVENTS
a7957563
PM		 71 bool "Connection tracking events (EXPERIMENTAL)"
72 depends on EXPERIMENTAL && IP_NF_CONNTRACK
ac3247ba
HW		 73 help
74 If this option is enabled, the connection tracking code will
75 provide a notifier chain that can be used by other kernel code
76 to get notified about changes in the connection tracking state.
77
78 IF unsure, say `N'.
79
777ed97f 80config IP_NF_CONNTRACK_NETLINK
a7957563
PM		 81 tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
82 depends on EXPERIMENTAL && IP_NF_CONNTRACK && NETFILTER_NETLINK
628f87f3 83 depends on IP_NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
a0aed49b 84 depends on IP_NF_NAT=n || IP_NF_NAT
777ed97f
HW		 85 help
86 This option enables support for a netlink-based userspace interface
87
88
1da177e4
LT		 89config IP_NF_CT_PROTO_SCTP
90 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
91 depends on IP_NF_CONNTRACK && EXPERIMENTAL
92 help
93 With this option enabled, the connection tracking code will
94 be able to do state tracking on SCTP connections.
95
96 If you want to compile it as a module, say M here and read
97 <file:Documentation/modules.txt>. If unsure, say `N'.
98
99config IP_NF_FTP
100 tristate "FTP protocol support"
101 depends on IP_NF_CONNTRACK
102 help
103 Tracking FTP connections is problematic: special helpers are
104 required for tracking them, and doing masquerading and other forms
105 of Network Address Translation on them.
106
107 To compile it as a module, choose M here. If unsure, say Y.
108
109config IP_NF_IRC
110 tristate "IRC protocol support"
111 depends on IP_NF_CONNTRACK
112 ---help---
113 There is a commonly-used extension to IRC called
114 Direct Client-to-Client Protocol (DCC). This enables users to send
115 files to each other, and also chat to each other without the need
116 of a server. DCC Sending is used anywhere you send files over IRC,
117 and DCC Chat is most commonly used by Eggdrop bots. If you are
118 using NAT, this extension will enable you to send files and initiate
119 chats. Note that you do NOT need this extension to get files or
120 have others initiate chats, or everything else in IRC.
121
122 To compile it as a module, choose M here. If unsure, say Y.
123
a2978aea
PM		 124config IP_NF_NETBIOS_NS
125 tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
126 depends on IP_NF_CONNTRACK && EXPERIMENTAL
127 help
128 NetBIOS name service requests are sent as broadcast messages from an
129 unprivileged port and responded to with unicast messages to the
130 same port. This make them hard to firewall properly because connection
131 tracking doesn't deal with broadcasts. This helper tracks locally
132 originating NetBIOS name service requests and the corresponding
133 responses. It relies on correct IP address configuration, specifically
134 netmask and broadcast address. When properly configured, the output
135 of "ip address show" should look similar to this:
136
137 $ ip -4 address show eth0
138 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
139 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
140
141 To compile it as a module, choose M here. If unsure, say N.
142
1da177e4
LT		 143config IP_NF_TFTP
144 tristate "TFTP protocol support"
145 depends on IP_NF_CONNTRACK
146 help
147 TFTP connection tracking helper, this is required depending
148 on how restrictive your ruleset is.
149 If you are using a tftp client behind -j SNAT or -j MASQUERADING
150 you will need this.
151
152 To compile it as a module, choose M here. If unsure, say Y.
153
154config IP_NF_AMANDA
155 tristate "Amanda backup protocol support"
156 depends on IP_NF_CONNTRACK
c9526169
PM		 157 select TEXTSEARCH
158 select TEXTSEARCH_KMP
1da177e4
LT		 159 help
160 If you are running the Amanda backup package <http://www.amanda.org/>
161 on this machine or machines that will be MASQUERADED through this
162 machine, then you may want to enable this feature. This allows the
163 connection tracking and natting code to allow the sub-channels that
164 Amanda requires for communication of the backup data, messages and
165 index.
166
167 To compile it as a module, choose M here. If unsure, say Y.
168
926b50f9
HW		 169config IP_NF_PPTP
170 tristate 'PPTP protocol support'
85d9b05d 171 depends on IP_NF_CONNTRACK
926b50f9
HW		 172 help
173 This module adds support for PPTP (Point to Point Tunnelling
a5181ab0 174 Protocol, RFC2637) connection tracking and NAT.
926b50f9
HW		 175
176 If you are running PPTP sessions over a stateful firewall or NAT
177 box, you may want to enable this feature.
178
179 Please note that not all PPTP modes of operation are supported yet.
180 For more info, read top of the file
181 net/ipv4/netfilter/ip_conntrack_pptp.c
182
183 If you want to compile it as a module, say M here and read
184 Documentation/modules.txt. If unsure, say `N'.
185
5e35941d 186config IP_NF_H323
ca3ba88d
PM		 187 tristate 'H.323 protocol support (EXPERIMENTAL)'
188 depends on IP_NF_CONNTRACK && EXPERIMENTAL
5e35941d
JMZ		 189 help
190 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
191 important VoIP protocols, it is widely used by voice hardware and
192 software including voice gateways, IP phones, Netmeeting, OpenPhone,
193 Gnomemeeting, etc.
194
195 With this module you can support H.323 on a connection tracking/NAT
196 firewall.
197
c0d4cfd9
JMZ		 198 This module supports RAS, Fast Start, H.245 Tunnelling, Call
199 Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
200 whiteboard, file transfer, etc. For more information, please
201 visit http://nath323.sourceforge.net/.
5e35941d
JMZ		 202
203 If you want to compile it as a module, say 'M' here and read
204 Documentation/modules.txt. If unsure, say 'N'.
205
ae5b7d8b
PM		 206config IP_NF_SIP
207 tristate "SIP protocol support (EXPERIMENTAL)"
208 depends on IP_NF_CONNTRACK && EXPERIMENTAL
209 help
210 SIP is an application-layer control protocol that can establish,
211 modify, and terminate multimedia sessions (conferences) such as
212 Internet telephony calls. With the ip_conntrack_sip and
213 the ip_nat_sip modules you can support the protocol on a connection
214 tracking/NATing firewall.
215
216 To compile it as a module, choose M here. If unsure, say Y.
217
1da177e4 218config IP_NF_QUEUE
7af4cc3f 219 tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
1da177e4
LT		 220 help
221 Netfilter has the ability to queue packets to user space: the
222 netlink device can be used to access them using this driver.
223
7af4cc3f
HW		 224 This option enables the old IPv4-only "ip_queue" implementation
225 which has been obsoleted by the new "nfnetlink_queue" code (see
226 CONFIG_NETFILTER_NETLINK_QUEUE).
227
1da177e4
LT		 228 To compile it as a module, choose M here. If unsure, say N.
229
230config IP_NF_IPTABLES
231 tristate "IP tables support (required for filtering/masq/NAT)"
2e4e6a17 232 depends on NETFILTER_XTABLES
1da177e4
LT		 233 help
234 iptables is a general, extensible packet identification framework.
235 The packet filtering and full NAT (masquerading, port forwarding,
236 etc) subsystems now use this: say `Y' or `M' here if you want to use
237 either of those.
238
239 To compile it as a module, choose M here. If unsure, say N.
240
241# The matches.
1da177e4
LT		 242config IP_NF_MATCH_IPRANGE
243 tristate "IP range match support"
244 depends on IP_NF_IPTABLES
245 help
246 This option makes possible to match IP addresses against IP address
247 ranges.
248
249 To compile it as a module, choose M here. If unsure, say N.
250
1da177e4
LT		 251config IP_NF_MATCH_TOS
252 tristate "TOS match support"
253 depends on IP_NF_IPTABLES
254 help
255 TOS matching allows you to match packets based on the Type Of
256 Service fields of the IP packet.
257
258 To compile it as a module, choose M here. If unsure, say N.
259
260config IP_NF_MATCH_RECENT
261 tristate "recent match support"
262 depends on IP_NF_IPTABLES
263 help
264 This match is used for creating one or many lists of recently
265 used addresses and then matching against that/those list(s).
266
267 Short options are available by using 'iptables -m recent -h'
268 Official Website: <http://snowman.net/projects/ipt_recent/>
269
270 To compile it as a module, choose M here. If unsure, say N.
271
272config IP_NF_MATCH_ECN
273 tristate "ECN match support"
274 depends on IP_NF_IPTABLES
275 help
276 This option adds a `ECN' match, which allows you to match against
277 the IPv4 and TCP header ECN fields.
278
279 To compile it as a module, choose M here. If unsure, say N.
280
281config IP_NF_MATCH_DSCP
282 tristate "DSCP match support"
283 depends on IP_NF_IPTABLES
284 help
285 This option adds a `DSCP' match, which allows you to match against
286 the IPv4 header DSCP field (DSCP codepoint).
287
288 The DSCP codepoint can have any value between 0x0 and 0x4f.
289
290 To compile it as a module, choose M here. If unsure, say N.
291
dc5ab2fa
YK		 292config IP_NF_MATCH_AH
293 tristate "AH match support"
1da177e4
LT		 294 depends on IP_NF_IPTABLES
295 help
dc5ab2fa
YK		 296 This match extension allows you to match a range of SPIs
297 inside AH header of IPSec packets.
1da177e4
LT		 298
299 To compile it as a module, choose M here. If unsure, say N.
300
1da177e4
LT		 301config IP_NF_MATCH_TTL
302 tristate "TTL match support"
303 depends on IP_NF_IPTABLES
304 help
305 This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
306 to match packets by their TTL value.
307
308 To compile it as a module, choose M here. If unsure, say N.
309
1da177e4
LT		 310config IP_NF_MATCH_OWNER
311 tristate "Owner match support"
312 depends on IP_NF_IPTABLES
313 help
314 Packet owner matching allows you to match locally-generated packets
315 based on who created them: the user, group, process or session.
316
317 To compile it as a module, choose M here. If unsure, say N.
318
1da177e4
LT		 319config IP_NF_MATCH_ADDRTYPE
320 tristate 'address type match support'
321 depends on IP_NF_IPTABLES
322 help
323 This option allows you to match what routing thinks of an address,
324 eg. UNICAST, LOCAL, BROADCAST, ...
325
326 If you want to compile it as a module, say M here and read
327 <file:Documentation/modules.txt>. If unsure, say `N'.
328
1da177e4
LT		 329config IP_NF_MATCH_HASHLIMIT
330 tristate 'hashlimit match support'
331 depends on IP_NF_IPTABLES
332 help
333 This option adds a new iptables `hashlimit' match.
334
c22751b7 335 As opposed to `limit', this match dynamically creates a hash table
1da177e4
LT		 336 of limit buckets, based on your selection of source/destination
337 ip addresses and/or ports.
338
339 It enables you to express policies like `10kpps for any given
340 destination IP' or `500pps from any given source IP' with a single
341 IPtables rule.
342
343# `filter', generic and specific targets
344config IP_NF_FILTER
345 tristate "Packet filtering"
346 depends on IP_NF_IPTABLES
347 help
348 Packet filtering defines a table `filter', which has a series of
349 rules for simple packet filtering at local input, forwarding and
350 local output. See the man page for iptables(8).
351
352 To compile it as a module, choose M here. If unsure, say N.
353
354config IP_NF_TARGET_REJECT
355 tristate "REJECT target support"
356 depends on IP_NF_FILTER
357 help
358 The REJECT target allows a filtering rule to specify that an ICMP
359 error should be issued in response to an incoming packet, rather
360 than silently being dropped.
361
362 To compile it as a module, choose M here. If unsure, say N.
363
364config IP_NF_TARGET_LOG
365 tristate "LOG target support"
366 depends on IP_NF_IPTABLES
367 help
368 This option adds a `LOG' target, which allows you to create rules in
369 any iptables table which records the packet header to the syslog.
370
371 To compile it as a module, choose M here. If unsure, say N.
372
373config IP_NF_TARGET_ULOG
44adf28f 374 tristate "ULOG target support"
1da177e4
LT		 375 depends on IP_NF_IPTABLES
376 ---help---
f40863ce
HW		 377
378 This option enables the old IPv4-only "ipt_ULOG" implementation
379 which has been obsoleted by the new "nfnetlink_log" code (see
380 CONFIG_NETFILTER_NETLINK_LOG).
381
1da177e4
LT		 382 This option adds a `ULOG' target, which allows you to create rules in
383 any iptables table. The packet is passed to a userspace logging
384 daemon using netlink multicast sockets; unlike the LOG target
385 which can only be viewed through syslog.
386
387 The apropriate userspace logging daemon (ulogd) may be obtained from
388 <http://www.gnumonks.org/projects/ulogd/>
389
390 To compile it as a module, choose M here. If unsure, say N.
391
392config IP_NF_TARGET_TCPMSS
393 tristate "TCPMSS target support"
394 depends on IP_NF_IPTABLES
395 ---help---
396 This option adds a `TCPMSS' target, which allows you to alter the
397 MSS value of TCP SYN packets, to control the maximum size for that
398 connection (usually limiting it to your outgoing interface's MTU
399 minus 40).
400
401 This is used to overcome criminally braindead ISPs or servers which
402 block ICMP Fragmentation Needed packets. The symptoms of this
403 problem are that everything works fine from your Linux
404 firewall/router, but machines behind it can never exchange large
405 packets:
406 1) Web browsers connect, then hang with no data received.
407 2) Small mail works fine, but large emails hang.
408 3) ssh works fine, but scp hangs after initial handshaking.
409
410 Workaround: activate this option and add a rule to your firewall
411 configuration like:
412
413 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
414 -j TCPMSS --clamp-mss-to-pmtu
415
416 To compile it as a module, choose M here. If unsure, say N.
d67b24c4 417
1da177e4
LT		 418# NAT + specific targets
419config IP_NF_NAT
420 tristate "Full NAT"
421 depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
422 help
423 The Full NAT option allows masquerading, port forwarding and other
424 forms of full Network Address Port Translation. It is controlled by
425 the `nat' table in iptables: see the man page for iptables(8).
426
427 To compile it as a module, choose M here. If unsure, say N.
428
429config IP_NF_NAT_NEEDED
430 bool
431 depends on IP_NF_NAT != n
432 default y
433
434config IP_NF_TARGET_MASQUERADE
435 tristate "MASQUERADE target support"
436 depends on IP_NF_NAT
437 help
438 Masquerading is a special case of NAT: all outgoing connections are
439 changed to seem to come from a particular interface's address, and
440 if the interface goes down, those connections are lost. This is
441 only useful for dialup accounts with dynamic IP address (ie. your IP
442 address will be different on next dialup).
443
444 To compile it as a module, choose M here. If unsure, say N.
445
446config IP_NF_TARGET_REDIRECT
447 tristate "REDIRECT target support"
448 depends on IP_NF_NAT
449 help
450 REDIRECT is a special case of NAT: all incoming connections are
451 mapped onto the incoming interface's address, causing the packets to
452 come to the local machine instead of passing through. This is
453 useful for transparent proxies.
454
455 To compile it as a module, choose M here. If unsure, say N.
456
457config IP_NF_TARGET_NETMAP
458 tristate "NETMAP target support"
459 depends on IP_NF_NAT
460 help
461 NETMAP is an implementation of static 1:1 NAT mapping of network
462 addresses. It maps the network address part, while keeping the host
463 address part intact. It is similar to Fast NAT, except that
464 Netfilter's connection tracking doesn't work well with Fast NAT.
465
466 To compile it as a module, choose M here. If unsure, say N.
467
468config IP_NF_TARGET_SAME
469 tristate "SAME target support"
470 depends on IP_NF_NAT
471 help
472 This option adds a `SAME' target, which works like the standard SNAT
473 target, but attempts to give clients the same IP for all connections.
474
475 To compile it as a module, choose M here. If unsure, say N.
476
477config IP_NF_NAT_SNMP_BASIC
478 tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
479 depends on EXPERIMENTAL && IP_NF_NAT
480 ---help---
481
482 This module implements an Application Layer Gateway (ALG) for
483 SNMP payloads. In conjunction with NAT, it allows a network
484 management system to access multiple private networks with
485 conflicting addresses. It works by modifying IP addresses
486 inside SNMP payloads to match IP-layer NAT mapping.
487
488 This is the "basic" form of SNMP-ALG, as described in RFC 2962
489
490 To compile it as a module, choose M here. If unsure, say N.
491
492config IP_NF_NAT_IRC
493 tristate
494 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
495 default IP_NF_NAT if IP_NF_IRC=y
496 default m if IP_NF_IRC=m
497
498# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
499# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
500config IP_NF_NAT_FTP
501 tristate
502 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
503 default IP_NF_NAT if IP_NF_FTP=y
504 default m if IP_NF_FTP=m
505
506config IP_NF_NAT_TFTP
507 tristate
508 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
509 default IP_NF_NAT if IP_NF_TFTP=y
510 default m if IP_NF_TFTP=m
511
512config IP_NF_NAT_AMANDA
513 tristate
514 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
515 default IP_NF_NAT if IP_NF_AMANDA=y
516 default m if IP_NF_AMANDA=m
517
926b50f9
HW		 518config IP_NF_NAT_PPTP
519 tristate
520 depends on IP_NF_NAT!=n && IP_NF_PPTP!=n
521 default IP_NF_NAT if IP_NF_PPTP=y
522 default m if IP_NF_PPTP=m
523
5e35941d
JMZ		 524config IP_NF_NAT_H323
525 tristate
526 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
527 default IP_NF_NAT if IP_NF_H323=y
528 default m if IP_NF_H323=m
529
ae5b7d8b
PM		 530config IP_NF_NAT_SIP
531 tristate
532 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
533 default IP_NF_NAT if IP_NF_SIP=y
534 default m if IP_NF_SIP=m
535
1da177e4
LT		 536# mangle + specific targets
537config IP_NF_MANGLE
538 tristate "Packet mangling"
539 depends on IP_NF_IPTABLES
540 help
541 This option adds a `mangle' table to iptables: see the man page for
542 iptables(8). This table is used for various packet alterations
543 which can effect how the packet is routed.
544
545 To compile it as a module, choose M here. If unsure, say N.
546
547config IP_NF_TARGET_TOS
548 tristate "TOS target support"
549 depends on IP_NF_MANGLE
550 help
551 This option adds a `TOS' target, which allows you to create rules in
552 the `mangle' table which alter the Type Of Service field of an IP
553 packet prior to routing.
554
555 To compile it as a module, choose M here. If unsure, say N.
556
557config IP_NF_TARGET_ECN
558 tristate "ECN target support"
559 depends on IP_NF_MANGLE
560 ---help---
561 This option adds a `ECN' target, which can be used in the iptables mangle
562 table.
563
564 You can use this target to remove the ECN bits from the IPv4 header of
565 an IP packet. This is particularly useful, if you need to work around
566 existing ECN blackholes on the internet, but don't want to disable
567 ECN support in general.
568
569 To compile it as a module, choose M here. If unsure, say N.
570
571config IP_NF_TARGET_DSCP
572 tristate "DSCP target support"
573 depends on IP_NF_MANGLE
574 help
575 This option adds a `DSCP' match, which allows you to match against
576 the IPv4 header DSCP field (DSCP codepoint).
577
578 The DSCP codepoint can have any value between 0x0 and 0x4f.
579
580 To compile it as a module, choose M here. If unsure, say N.
581
5f2c3b91
HW		 582config IP_NF_TARGET_TTL
583 tristate 'TTL target support'
584 depends on IP_NF_MANGLE
585 help
586 This option adds a `TTL' target, which enables the user to modify
587 the TTL value of the IP header.
588
589 While it is safe to decrement/lower the TTL, this target also enables
590 functionality to increment and set the TTL value of the IP header to
591 arbitrary values. This is EXTREMELY DANGEROUS since you can easily
592 create immortal packets that loop forever on the network.
593
594 To compile it as a module, choose M here. If unsure, say N.
595
1da177e4
LT		 596config IP_NF_TARGET_CLUSTERIP
597 tristate "CLUSTERIP target support (EXPERIMENTAL)"
2b8f2ff6
YK		 598 depends on IP_NF_MANGLE && EXPERIMENTAL
599 depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4)
1da177e4
LT		 600 help
601 The CLUSTERIP target allows you to build load-balancing clusters of
602 network servers without having a dedicated load-balancing
603 router/server/switch.
604
605 To compile it as a module, choose M here. If unsure, say N.
606
607# raw + specific targets
608config IP_NF_RAW
609 tristate 'raw table support (required for NOTRACK/TRACE)'
610 depends on IP_NF_IPTABLES
611 help
612 This option adds a `raw' table to iptables. This table is the very
613 first in the netfilter framework and hooks in at the PREROUTING
614 and OUTPUT chains.
615
616 If you want to compile it as a module, say M here and read
617 <file:Documentation/modules.txt>. If unsure, say `N'.
618
1da177e4
LT		 619# ARP tables
620config IP_NF_ARPTABLES
621 tristate "ARP tables support"
2e4e6a17 622 depends on NETFILTER_XTABLES
1da177e4
LT		 623 help
624 arptables is a general, extensible packet identification framework.
625 The ARP packet filtering and mangling (manipulation)subsystems
626 use this: say Y or M here if you want to use either of those.
627
628 To compile it as a module, choose M here. If unsure, say N.
629
630config IP_NF_ARPFILTER
631 tristate "ARP packet filtering"
632 depends on IP_NF_ARPTABLES
633 help
634 ARP packet filtering defines a table `filter', which has a series of
635 rules for simple ARP packet filtering at local input and
636 local output. On a bridge, you can also specify filtering rules
637 for forwarded ARP packets. See the man page for arptables(8).
638
639 To compile it as a module, choose M here. If unsure, say N.
640
641config IP_NF_ARP_MANGLE
642 tristate "ARP payload mangling"
643 depends on IP_NF_ARPTABLES
644 help
645 Allows altering the ARP packet payload: source and destination
646 hardware and network addresses.
647
648endmenu
649
Making Linux better for my computers