[deliverable/linux.git] / net / ipv4 / netfilter / Kconfig

#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_TABLES_IPV4
	depends on NF_TABLES
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4
	default NFT_REJECT
	tristate

config NF_TABLES_ARP
	depends on NF_TABLES
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.
	
	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.  

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate  'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.
	 
	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
Commit	Line	Data
1da177e4 LT	1	#
	2	# IP netfilter configuration
	3	#
	4
	5	menu "IP: Netfilter Configuration"
	6	depends on INET && NETFILTER
	7
73e4022f KK	8	config NF_DEFRAG_IPV4
	9	tristate
	10	default n
	11
9fb9cbb1	12	config NF_CONNTRACK_IPV4
c9386cfd PM	13	tristate "IPv4 connection tracking support (required for NAT)"
c9386cfd PM	14	depends on NF_CONNTRACK
33b8e776	15	default m if NETFILTER_ADVANCED=n
73e4022f	16	select NF_DEFRAG_IPV4
9fb9cbb1 YK	17	---help---
	18	Connection tracking keeps a record of what packets have passed
	19	through your machine, in order to figure out how they are related
	20	into connections.
	21
	22	This is IPv4 support on Layer 3 independent connection tracking.
	23	Layer 3 independent connection tracking is experimental scheme
	24	which generalize ip_conntrack to support other layer 3 protocols.
	25
	26	To compile it as a module, choose M here. If unsure, say N.
	27
a999e683 PM	28	config NF_CONNTRACK_PROC_COMPAT
a999e683 PM	29	bool "proc/sysctl compatibility with old connection tracking"
54b07dca	30	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
a999e683 PM	31	default y
	32	help
	33	This option enables /proc and sysctl compatibility with the old
67c0d579	34	layer 3 dependent connection tracking. This is needed to keep
a999e683 PM	35	old programs that have not been adapted to the new names working.
	36
	37	If unsure, say Y.
	38
c1878869 PNA	39	config NF_LOG_ARP
	40	tristate "ARP packet logging"
	41	default m if NETFILTER_ADVANCED=n
	42	select NF_LOG_COMMON
	43
	44	config NF_LOG_IPV4
	45	tristate "IPv4 packet logging"
	46	default m if NETFILTER_ADVANCED=n
	47	select NF_LOG_COMMON
	48
96518518 PM	49	config NF_TABLES_IPV4
	50	depends on NF_TABLES
	51	tristate "IPv4 nf_tables support"
d497c635 PNA	52	help
d497c635 PNA	53	This option enables the IPv4 support for nf_tables.
96518518	54
9370761c	55	config NFT_CHAIN_ROUTE_IPV4
96518518	56	depends on NF_TABLES_IPV4
9370761c	57	tristate "IPv4 nf_tables route chain support"
d497c635 PNA	58	help
	59	This option enables the "route" chain for IPv4 in nf_tables. This
	60	chain type is used to force packet re-routing after mangling header
	61	fields such as the source, destination, type of service and
	62	the packet mark.
96518518	63
cc4723ca PM	64	config NFT_REJECT_IPV4
	65	depends on NF_TABLES_IPV4
	66	default NFT_REJECT
	67	tristate
	68
ed683f13 PNA	69	config NF_TABLES_ARP
	70	depends on NF_TABLES
	71	tristate "ARP nf_tables support"
d497c635 PNA	72	help
d497c635 PNA	73	This option enables the ARP support for nf_tables.
ed683f13	74
8993cf8e PNA	75	config NF_NAT_IPV4
	76	tristate "IPv4 NAT"
	77	depends on NF_CONNTRACK_IPV4
	78	default m if NETFILTER_ADVANCED=n
	79	select NF_NAT
	80	help
	81	The IPv4 NAT option allows masquerading, port forwarding and other
	82	forms of full Network Address Port Translation. This can be
	83	controlled by iptables or nft.
	84
	85	if NF_NAT_IPV4
	86
3e8dc212 PNA	87	config NFT_CHAIN_NAT_IPV4
	88	depends on NF_TABLES_IPV4
	89	tristate "IPv4 nf_tables nat chain support"
	90	help
	91	This option enables the "nat" chain for IPv4 in nf_tables. This
	92	chain type is used to perform Network Address Translation (NAT)
	93	packet transformations such as the source, destination address and
	94	source and destination ports.
	95
0bbe80e5 PNA	96	config NF_NAT_MASQUERADE_IPV4
	97	tristate "IPv4 masquerade support"
	98	help
	99	This is the kernel functionality to provide NAT in the masquerade
	100	flavour (automatic source address selection).
	101
	102	config NFT_MASQ_IPV4
	103	tristate "IPv4 masquerading support for nf_tables"
	104	depends on NF_TABLES_IPV4
	105	depends on NFT_MASQ
	106	select NF_NAT_MASQUERADE_IPV4
	107	help
	108	This is the expression that provides IPv4 masquerading support for
	109	nf_tables.
	110
8993cf8e PNA	111	config NF_NAT_SNMP_BASIC
	112	tristate "Basic SNMP-ALG support"
	113	depends on NF_CONNTRACK_SNMP
	114	depends on NETFILTER_ADVANCED
	115	default NF_NAT && NF_CONNTRACK_SNMP
	116	---help---
	117
	118	This module implements an Application Layer Gateway (ALG) for
	119	SNMP payloads. In conjunction with NAT, it allows a network
	120	management system to access multiple private networks with
	121	conflicting addresses. It works by modifying IP addresses
	122	inside SNMP payloads to match IP-layer NAT mapping.
	123
	124	This is the "basic" form of SNMP-ALG, as described in RFC 2962
	125
	126	To compile it as a module, choose M here. If unsure, say N.
	127
	128	config NF_NAT_PROTO_GRE
	129	tristate
	130	depends on NF_CT_PROTO_GRE
	131
	132	config NF_NAT_PPTP
	133	tristate
	134	depends on NF_CONNTRACK
	135	default NF_CONNTRACK_PPTP
	136	select NF_NAT_PROTO_GRE
	137
	138	config NF_NAT_H323
	139	tristate
	140	depends on NF_CONNTRACK
	141	default NF_CONNTRACK_H323
	142
	143	endif # NF_NAT_IPV4
	144
1da177e4 LT	145	config IP_NF_IPTABLES
1da177e4 LT	146	tristate "IP tables support (required for filtering/masq/NAT)"
33b8e776	147	default m if NETFILTER_ADVANCED=n
a3c941b0	148	select NETFILTER_XTABLES
1da177e4 LT	149	help
	150	iptables is a general, extensible packet identification framework.
	151	The packet filtering and full NAT (masquerading, port forwarding,
	152	etc) subsystems now use this: say `Y' or `M' here if you want to use
	153	either of those.
	154
	155	To compile it as a module, choose M here. If unsure, say N.
	156
c2df73de JE	157	if IP_NF_IPTABLES
c2df73de JE	158
1da177e4	159	# The matches.
dc5ab2fa	160	config IP_NF_MATCH_AH
4c37799c	161	tristate '"ah" match support'
33b8e776	162	depends on NETFILTER_ADVANCED
1da177e4	163	help
dc5ab2fa YK	164	This match extension allows you to match a range of SPIs
dc5ab2fa YK	165	inside AH header of IPSec packets.
1da177e4 LT	166
	167	To compile it as a module, choose M here. If unsure, say N.
	168
aba0d348 JE	169	config IP_NF_MATCH_ECN
aba0d348 JE	170	tristate '"ecn" match support'
33b8e776	171	depends on NETFILTER_ADVANCED
d446a820 JE	172	select NETFILTER_XT_MATCH_ECN
	173	---help---
	174	This is a backwards-compat option for the user's convenience
	175	(e.g. when running oldconfig). It selects
	176	CONFIG_NETFILTER_XT_MATCH_ECN.
1da177e4	177
8f97339d FW	178	config IP_NF_MATCH_RPFILTER
8f97339d FW	179	tristate '"rpfilter" reverse path filter match support'
d37d6968	180	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE \|\| IP_NF_RAW)
8f97339d FW	181	---help---
	182	This option allows you to match packets whose replies would
	183	go out via the interface the packet came in.
	184
	185	To compile it as a module, choose M here. If unsure, say N.
	186	The module will be called ipt_rpfilter.
	187
4323362e JE	188	config IP_NF_MATCH_TTL
	189	tristate '"ttl" match support'
	190	depends on NETFILTER_ADVANCED
	191	select NETFILTER_XT_MATCH_HL
	192	---help---
	193	This is a backwards-compat option for the user's convenience
	194	(e.g. when running oldconfig). It selects
67c0d579	195	CONFIG_NETFILTER_XT_MATCH_HL.
4323362e	196
1da177e4 LT	197	# `filter', generic and specific targets
	198	config IP_NF_FILTER
	199	tristate "Packet filtering"
33b8e776	200	default m if NETFILTER_ADVANCED=n
1da177e4 LT	201	help
	202	Packet filtering defines a table `filter', which has a series of
	203	rules for simple packet filtering at local input, forwarding and
	204	local output. See the man page for iptables(8).
	205
	206	To compile it as a module, choose M here. If unsure, say N.
	207
	208	config IP_NF_TARGET_REJECT
	209	tristate "REJECT target support"
	210	depends on IP_NF_FILTER
33b8e776	211	default m if NETFILTER_ADVANCED=n
1da177e4 LT	212	help
	213	The REJECT target allows a filtering rule to specify that an ICMP
	214	error should be issued in response to an incoming packet, rather
	215	than silently being dropped.
	216
	217	To compile it as a module, choose M here. If unsure, say N.
	218
48b1de4c PM	219	config IP_NF_TARGET_SYNPROXY
	220	tristate "SYNPROXY target support"
	221	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	222	select NETFILTER_SYNPROXY
	223	select SYN_COOKIES
	224	help
	225	The SYNPROXY target allows you to intercept TCP connections and
	226	establish them using syncookies before they are passed on to the
	227	server. This allows to avoid conntrack and server resource usage
	228	during SYN-flood attacks.
	229
	230	To compile it as a module, choose M here. If unsure, say N.
	231
5b1158e9	232	# NAT + specific targets: nf_conntrack
8993cf8e PNA	233	config IP_NF_NAT
8993cf8e PNA	234	tristate "iptables NAT support"
c2df73de	235	depends on NF_CONNTRACK_IPV4
33b8e776	236	default m if NETFILTER_ADVANCED=n
c7232c99	237	select NF_NAT
8993cf8e PNA	238	select NF_NAT_IPV4
8993cf8e PNA	239	select NETFILTER_XT_NAT
5b1158e9	240	help
8993cf8e PNA	241	This enables the `nat' table in iptables. This allows masquerading,
	242	port forwarding and other forms of full Network Address Port
	243	Translation.
5b1158e9 JK	244
	245	To compile it as a module, choose M here. If unsure, say N.
	246
8993cf8e	247	if IP_NF_NAT
1da177e4 LT	248
	249	config IP_NF_TARGET_MASQUERADE
	250	tristate "MASQUERADE target support"
8dd33cc9	251	select NF_NAT_MASQUERADE_IPV4
33b8e776	252	default m if NETFILTER_ADVANCED=n
1da177e4 LT	253	help
	254	Masquerading is a special case of NAT: all outgoing connections are
	255	changed to seem to come from a particular interface's address, and
	256	if the interface goes down, those connections are lost. This is
	257	only useful for dialup accounts with dynamic IP address (ie. your IP
	258	address will be different on next dialup).
	259
	260	To compile it as a module, choose M here. If unsure, say N.
	261
aba0d348 JE	262	config IP_NF_TARGET_NETMAP
aba0d348 JE	263	tristate "NETMAP target support"
33b8e776	264	depends on NETFILTER_ADVANCED
b3d54b3e JE	265	select NETFILTER_XT_TARGET_NETMAP
	266	---help---
	267	This is a backwards-compat option for the user's convenience
	268	(e.g. when running oldconfig). It selects
	269	CONFIG_NETFILTER_XT_TARGET_NETMAP.
1da177e4	270
aba0d348 JE	271	config IP_NF_TARGET_REDIRECT
aba0d348 JE	272	tristate "REDIRECT target support"
33b8e776	273	depends on NETFILTER_ADVANCED
2cbc78a2 JE	274	select NETFILTER_XT_TARGET_REDIRECT
	275	---help---
	276	This is a backwards-compat option for the user's convenience
	277	(e.g. when running oldconfig). It selects
	278	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
1da177e4	279
8993cf8e	280	endif # IP_NF_NAT
f587de0e	281
1da177e4 LT	282	# mangle + specific targets
	283	config IP_NF_MANGLE
	284	tristate "Packet mangling"
33b8e776	285	default m if NETFILTER_ADVANCED=n
1da177e4 LT	286	help
	287	This option adds a `mangle' table to iptables: see the man page for
	288	iptables(8). This table is used for various packet alterations
	289	which can effect how the packet is routed.
	290
	291	To compile it as a module, choose M here. If unsure, say N.
	292
aba0d348	293	config IP_NF_TARGET_CLUSTERIP
aec9a0eb KC	294	tristate "CLUSTERIP target support"
aec9a0eb KC	295	depends on IP_NF_MANGLE
aba0d348 JE	296	depends on NF_CONNTRACK_IPV4
	297	depends on NETFILTER_ADVANCED
	298	select NF_CONNTRACK_MARK
	299	help
	300	The CLUSTERIP target allows you to build load-balancing clusters of
	301	network servers without having a dedicated load-balancing
	302	router/server/switch.
	303
	304	To compile it as a module, choose M here. If unsure, say N.
	305
1da177e4 LT	306	config IP_NF_TARGET_ECN
	307	tristate "ECN target support"
	308	depends on IP_NF_MANGLE
33b8e776	309	depends on NETFILTER_ADVANCED
1da177e4 LT	310	---help---
	311	This option adds a `ECN' target, which can be used in the iptables mangle
	312	table.
	313
	314	You can use this target to remove the ECN bits from the IPv4 header of
	315	an IP packet. This is particularly useful, if you need to work around
	316	existing ECN blackholes on the internet, but don't want to disable
	317	ECN support in general.
	318
	319	To compile it as a module, choose M here. If unsure, say N.
	320
4323362e JE	321	config IP_NF_TARGET_TTL
4323362e JE	322	tristate '"TTL" target support'
76b6717b	323	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
4323362e JE	324	select NETFILTER_XT_TARGET_HL
4323362e JE	325	---help---
76b6717b	326	This is a backwards-compatible option for the user's convenience
4323362e	327	(e.g. when running oldconfig). It selects
67c0d579	328	CONFIG_NETFILTER_XT_TARGET_HL.
4323362e	329
1da177e4 LT	330	# raw + specific targets
	331	config IP_NF_RAW
	332	tristate 'raw table support (required for NOTRACK/TRACE)'
1da177e4 LT	333	help
	334	This option adds a `raw' table to iptables. This table is the very
	335	first in the netfilter framework and hooks in at the PREROUTING
	336	and OUTPUT chains.
	337
	338	If you want to compile it as a module, say M here and read
e403149c	339	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
560ee653 JM	340
	341	# security table for MAC policy
	342	config IP_NF_SECURITY
	343	tristate "Security table"
560ee653	344	depends on SECURITY
70eed75d	345	depends on NETFILTER_ADVANCED
560ee653 JM	346	help
	347	This option adds a `security' table to iptables, for use
	348	with Mandatory Access Control (MAC) policy.
	349
	350	If unsure, say N.
1da177e4	351
c2df73de JE	352	endif # IP_NF_IPTABLES
c2df73de JE	353
1da177e4 LT	354	# ARP tables
	355	config IP_NF_ARPTABLES
	356	tristate "ARP tables support"
a3c941b0	357	select NETFILTER_XTABLES
33b8e776	358	depends on NETFILTER_ADVANCED
1da177e4 LT	359	help
	360	arptables is a general, extensible packet identification framework.
	361	The ARP packet filtering and mangling (manipulation)subsystems
	362	use this: say Y or M here if you want to use either of those.
	363
	364	To compile it as a module, choose M here. If unsure, say N.
	365
c2df73de JE	366	if IP_NF_ARPTABLES
c2df73de JE	367
1da177e4 LT	368	config IP_NF_ARPFILTER
1da177e4 LT	369	tristate "ARP packet filtering"
1da177e4 LT	370	help
	371	ARP packet filtering defines a table `filter', which has a series of
	372	rules for simple ARP packet filtering at local input and
	373	local output. On a bridge, you can also specify filtering rules
	374	for forwarded ARP packets. See the man page for arptables(8).
	375
	376	To compile it as a module, choose M here. If unsure, say N.
	377
	378	config IP_NF_ARP_MANGLE
	379	tristate "ARP payload mangling"
1da177e4 LT	380	help
	381	Allows altering the ARP packet payload: source and destination
	382	hardware and network addresses.
	383
c2df73de JE	384	endif # IP_NF_ARPTABLES
c2df73de JE	385
1da177e4 LT	386	endmenu
1da177e4 LT	387