[deliverable/linux.git] / net / ipv4 / netfilter / Kconfig

#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

if NF_TABLES

config NF_TABLES_IPV4
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_CHAIN_ROUTE_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NFT_REJECT_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection).

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV4
	tristate "IPv4 redirect support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.
	
	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.  

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate  'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.
	 
	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
Commit	Line	Data
1da177e4 LT	1	#
	2	# IP netfilter configuration
	3	#
	4
	5	menu "IP: Netfilter Configuration"
	6	depends on INET && NETFILTER
	7
73e4022f KK	8	config NF_DEFRAG_IPV4
	9	tristate
	10	default n
	11
9fb9cbb1	12	config NF_CONNTRACK_IPV4
c9386cfd PM	13	tristate "IPv4 connection tracking support (required for NAT)"
c9386cfd PM	14	depends on NF_CONNTRACK
33b8e776	15	default m if NETFILTER_ADVANCED=n
73e4022f	16	select NF_DEFRAG_IPV4
9fb9cbb1 YK	17	---help---
	18	Connection tracking keeps a record of what packets have passed
	19	through your machine, in order to figure out how they are related
	20	into connections.
	21
	22	This is IPv4 support on Layer 3 independent connection tracking.
	23	Layer 3 independent connection tracking is experimental scheme
	24	which generalize ip_conntrack to support other layer 3 protocols.
	25
	26	To compile it as a module, choose M here. If unsure, say N.
	27
a999e683 PM	28	config NF_CONNTRACK_PROC_COMPAT
a999e683 PM	29	bool "proc/sysctl compatibility with old connection tracking"
54b07dca	30	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
a999e683 PM	31	default y
	32	help
	33	This option enables /proc and sysctl compatibility with the old
67c0d579	34	layer 3 dependent connection tracking. This is needed to keep
a999e683 PM	35	old programs that have not been adapted to the new names working.
	36
	37	If unsure, say Y.
	38
f04e599e	39	if NF_TABLES
c1878869	40
96518518	41	config NF_TABLES_IPV4
96518518	42	tristate "IPv4 nf_tables support"
d497c635 PNA	43	help
d497c635 PNA	44	This option enables the IPv4 support for nf_tables.
96518518	45
f04e599e PNA	46	if NF_TABLES_IPV4
f04e599e PNA	47
9370761c	48	config NFT_CHAIN_ROUTE_IPV4
9370761c	49	tristate "IPv4 nf_tables route chain support"
d497c635 PNA	50	help
	51	This option enables the "route" chain for IPv4 in nf_tables. This
	52	chain type is used to force packet re-routing after mangling header
	53	fields such as the source, destination, type of service and
	54	the packet mark.
96518518	55
cc4723ca	56	config NFT_REJECT_IPV4
c8d7b98b	57	select NF_REJECT_IPV4
cc4723ca PM	58	default NFT_REJECT
	59	tristate
	60
d877f071 PNA	61	config NFT_DUP_IPV4
d877f071 PNA	62	tristate "IPv4 nf_tables packet duplication support"
d3340b79	63	depends on !NF_CONNTRACK \|\| NF_CONNTRACK
d877f071 PNA	64	select NF_DUP_IPV4
	65	help
	66	This module enables IPv4 packet duplication support for nf_tables.
	67
f04e599e PNA	68	endif # NF_TABLES_IPV4
f04e599e PNA	69
ed683f13	70	config NF_TABLES_ARP
ed683f13	71	tristate "ARP nf_tables support"
d497c635 PNA	72	help
d497c635 PNA	73	This option enables the ARP support for nf_tables.
ed683f13	74
f04e599e PNA	75	endif # NF_TABLES
f04e599e PNA	76
bbde9fc1 PNA	77	config NF_DUP_IPV4
bbde9fc1 PNA	78	tristate "Netfilter IPv4 packet duplication to alternate destination"
6ece90f9	79	depends on !NF_CONNTRACK \|\| NF_CONNTRACK
bbde9fc1 PNA	80	help
	81	This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	82	packet to be rerouted to another destination.
	83
f04e599e PNA	84	config NF_LOG_ARP
	85	tristate "ARP packet logging"
	86	default m if NETFILTER_ADVANCED=n
	87	select NF_LOG_COMMON
	88
	89	config NF_LOG_IPV4
	90	tristate "IPv4 packet logging"
	91	default m if NETFILTER_ADVANCED=n
	92	select NF_LOG_COMMON
	93
	94	config NF_REJECT_IPV4
	95	tristate "IPv4 packet rejection"
	96	default m if NETFILTER_ADVANCED=n
	97
8993cf8e PNA	98	config NF_NAT_IPV4
	99	tristate "IPv4 NAT"
	100	depends on NF_CONNTRACK_IPV4
	101	default m if NETFILTER_ADVANCED=n
	102	select NF_NAT
	103	help
	104	The IPv4 NAT option allows masquerading, port forwarding and other
	105	forms of full Network Address Port Translation. This can be
	106	controlled by iptables or nft.
	107
	108	if NF_NAT_IPV4
	109
3e8dc212 PNA	110	config NFT_CHAIN_NAT_IPV4
	111	depends on NF_TABLES_IPV4
	112	tristate "IPv4 nf_tables nat chain support"
	113	help
	114	This option enables the "nat" chain for IPv4 in nf_tables. This
	115	chain type is used to perform Network Address Translation (NAT)
	116	packet transformations such as the source, destination address and
	117	source and destination ports.
	118
0bbe80e5 PNA	119	config NF_NAT_MASQUERADE_IPV4
	120	tristate "IPv4 masquerade support"
	121	help
	122	This is the kernel functionality to provide NAT in the masquerade
	123	flavour (automatic source address selection).
	124
	125	config NFT_MASQ_IPV4
	126	tristate "IPv4 masquerading support for nf_tables"
	127	depends on NF_TABLES_IPV4
	128	depends on NFT_MASQ
	129	select NF_NAT_MASQUERADE_IPV4
	130	help
	131	This is the expression that provides IPv4 masquerading support for
	132	nf_tables.
	133
e9105f1b AB	134	config NFT_REDIR_IPV4
	135	tristate "IPv4 redirect support for nf_tables"
	136	depends on NF_TABLES_IPV4
	137	depends on NFT_REDIR
b59eaf9e	138	select NF_NAT_REDIRECT
e9105f1b AB	139	help
	140	This is the expression that provides IPv4 redirect support for
	141	nf_tables.
	142
8993cf8e PNA	143	config NF_NAT_SNMP_BASIC
	144	tristate "Basic SNMP-ALG support"
	145	depends on NF_CONNTRACK_SNMP
	146	depends on NETFILTER_ADVANCED
	147	default NF_NAT && NF_CONNTRACK_SNMP
	148	---help---
	149
	150	This module implements an Application Layer Gateway (ALG) for
	151	SNMP payloads. In conjunction with NAT, it allows a network
	152	management system to access multiple private networks with
	153	conflicting addresses. It works by modifying IP addresses
	154	inside SNMP payloads to match IP-layer NAT mapping.
	155
	156	This is the "basic" form of SNMP-ALG, as described in RFC 2962
	157
	158	To compile it as a module, choose M here. If unsure, say N.
	159
	160	config NF_NAT_PROTO_GRE
	161	tristate
	162	depends on NF_CT_PROTO_GRE
	163
	164	config NF_NAT_PPTP
	165	tristate
	166	depends on NF_CONNTRACK
	167	default NF_CONNTRACK_PPTP
	168	select NF_NAT_PROTO_GRE
	169
	170	config NF_NAT_H323
	171	tristate
	172	depends on NF_CONNTRACK
	173	default NF_CONNTRACK_H323
	174
	175	endif # NF_NAT_IPV4
	176
1da177e4 LT	177	config IP_NF_IPTABLES
1da177e4 LT	178	tristate "IP tables support (required for filtering/masq/NAT)"
33b8e776	179	default m if NETFILTER_ADVANCED=n
a3c941b0	180	select NETFILTER_XTABLES
1da177e4 LT	181	help
	182	iptables is a general, extensible packet identification framework.
	183	The packet filtering and full NAT (masquerading, port forwarding,
	184	etc) subsystems now use this: say `Y' or `M' here if you want to use
	185	either of those.
	186
	187	To compile it as a module, choose M here. If unsure, say N.
	188
c2df73de JE	189	if IP_NF_IPTABLES
c2df73de JE	190
1da177e4	191	# The matches.
dc5ab2fa	192	config IP_NF_MATCH_AH
4c37799c	193	tristate '"ah" match support'
33b8e776	194	depends on NETFILTER_ADVANCED
1da177e4	195	help
dc5ab2fa YK	196	This match extension allows you to match a range of SPIs
dc5ab2fa YK	197	inside AH header of IPSec packets.
1da177e4 LT	198
	199	To compile it as a module, choose M here. If unsure, say N.
	200
aba0d348 JE	201	config IP_NF_MATCH_ECN
aba0d348 JE	202	tristate '"ecn" match support'
33b8e776	203	depends on NETFILTER_ADVANCED
d446a820 JE	204	select NETFILTER_XT_MATCH_ECN
	205	---help---
	206	This is a backwards-compat option for the user's convenience
	207	(e.g. when running oldconfig). It selects
	208	CONFIG_NETFILTER_XT_MATCH_ECN.
1da177e4	209
8f97339d FW	210	config IP_NF_MATCH_RPFILTER
8f97339d FW	211	tristate '"rpfilter" reverse path filter match support'
f09becc7 PNA	212	depends on NETFILTER_ADVANCED
f09becc7 PNA	213	depends on IP_NF_MANGLE \|\| IP_NF_RAW
8f97339d FW	214	---help---
	215	This option allows you to match packets whose replies would
	216	go out via the interface the packet came in.
	217
	218	To compile it as a module, choose M here. If unsure, say N.
	219	The module will be called ipt_rpfilter.
	220
4323362e JE	221	config IP_NF_MATCH_TTL
	222	tristate '"ttl" match support'
	223	depends on NETFILTER_ADVANCED
	224	select NETFILTER_XT_MATCH_HL
	225	---help---
	226	This is a backwards-compat option for the user's convenience
	227	(e.g. when running oldconfig). It selects
67c0d579	228	CONFIG_NETFILTER_XT_MATCH_HL.
4323362e	229
1da177e4 LT	230	# `filter', generic and specific targets
	231	config IP_NF_FILTER
	232	tristate "Packet filtering"
33b8e776	233	default m if NETFILTER_ADVANCED=n
1da177e4 LT	234	help
	235	Packet filtering defines a table `filter', which has a series of
	236	rules for simple packet filtering at local input, forwarding and
	237	local output. See the man page for iptables(8).
	238
	239	To compile it as a module, choose M here. If unsure, say N.
	240
	241	config IP_NF_TARGET_REJECT
	242	tristate "REJECT target support"
	243	depends on IP_NF_FILTER
c8d7b98b	244	select NF_REJECT_IPV4
33b8e776	245	default m if NETFILTER_ADVANCED=n
1da177e4 LT	246	help
	247	The REJECT target allows a filtering rule to specify that an ICMP
	248	error should be issued in response to an incoming packet, rather
	249	than silently being dropped.
	250
	251	To compile it as a module, choose M here. If unsure, say N.
	252
48b1de4c PM	253	config IP_NF_TARGET_SYNPROXY
	254	tristate "SYNPROXY target support"
	255	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	256	select NETFILTER_SYNPROXY
	257	select SYN_COOKIES
	258	help
	259	The SYNPROXY target allows you to intercept TCP connections and
	260	establish them using syncookies before they are passed on to the
	261	server. This allows to avoid conntrack and server resource usage
	262	during SYN-flood attacks.
	263
	264	To compile it as a module, choose M here. If unsure, say N.
	265
5b1158e9	266	# NAT + specific targets: nf_conntrack
8993cf8e PNA	267	config IP_NF_NAT
8993cf8e PNA	268	tristate "iptables NAT support"
c2df73de	269	depends on NF_CONNTRACK_IPV4
33b8e776	270	default m if NETFILTER_ADVANCED=n
c7232c99	271	select NF_NAT
8993cf8e PNA	272	select NF_NAT_IPV4
8993cf8e PNA	273	select NETFILTER_XT_NAT
5b1158e9	274	help
8993cf8e PNA	275	This enables the `nat' table in iptables. This allows masquerading,
	276	port forwarding and other forms of full Network Address Port
	277	Translation.
5b1158e9 JK	278
	279	To compile it as a module, choose M here. If unsure, say N.
	280
8993cf8e	281	if IP_NF_NAT
1da177e4 LT	282
	283	config IP_NF_TARGET_MASQUERADE
	284	tristate "MASQUERADE target support"
8dd33cc9	285	select NF_NAT_MASQUERADE_IPV4
33b8e776	286	default m if NETFILTER_ADVANCED=n
1da177e4 LT	287	help
	288	Masquerading is a special case of NAT: all outgoing connections are
	289	changed to seem to come from a particular interface's address, and
	290	if the interface goes down, those connections are lost. This is
	291	only useful for dialup accounts with dynamic IP address (ie. your IP
	292	address will be different on next dialup).
	293
	294	To compile it as a module, choose M here. If unsure, say N.
	295
aba0d348 JE	296	config IP_NF_TARGET_NETMAP
aba0d348 JE	297	tristate "NETMAP target support"
33b8e776	298	depends on NETFILTER_ADVANCED
b3d54b3e JE	299	select NETFILTER_XT_TARGET_NETMAP
	300	---help---
	301	This is a backwards-compat option for the user's convenience
	302	(e.g. when running oldconfig). It selects
	303	CONFIG_NETFILTER_XT_TARGET_NETMAP.
1da177e4	304
aba0d348 JE	305	config IP_NF_TARGET_REDIRECT
aba0d348 JE	306	tristate "REDIRECT target support"
33b8e776	307	depends on NETFILTER_ADVANCED
2cbc78a2 JE	308	select NETFILTER_XT_TARGET_REDIRECT
	309	---help---
	310	This is a backwards-compat option for the user's convenience
	311	(e.g. when running oldconfig). It selects
	312	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
1da177e4	313
8993cf8e	314	endif # IP_NF_NAT
f587de0e	315
1da177e4 LT	316	# mangle + specific targets
	317	config IP_NF_MANGLE
	318	tristate "Packet mangling"
33b8e776	319	default m if NETFILTER_ADVANCED=n
1da177e4 LT	320	help
	321	This option adds a `mangle' table to iptables: see the man page for
	322	iptables(8). This table is used for various packet alterations
	323	which can effect how the packet is routed.
	324
	325	To compile it as a module, choose M here. If unsure, say N.
	326
aba0d348	327	config IP_NF_TARGET_CLUSTERIP
aec9a0eb KC	328	tristate "CLUSTERIP target support"
aec9a0eb KC	329	depends on IP_NF_MANGLE
aba0d348 JE	330	depends on NF_CONNTRACK_IPV4
	331	depends on NETFILTER_ADVANCED
	332	select NF_CONNTRACK_MARK
	333	help
	334	The CLUSTERIP target allows you to build load-balancing clusters of
	335	network servers without having a dedicated load-balancing
	336	router/server/switch.
	337
	338	To compile it as a module, choose M here. If unsure, say N.
	339
1da177e4 LT	340	config IP_NF_TARGET_ECN
	341	tristate "ECN target support"
	342	depends on IP_NF_MANGLE
33b8e776	343	depends on NETFILTER_ADVANCED
1da177e4 LT	344	---help---
	345	This option adds a `ECN' target, which can be used in the iptables mangle
	346	table.
	347
	348	You can use this target to remove the ECN bits from the IPv4 header of
	349	an IP packet. This is particularly useful, if you need to work around
	350	existing ECN blackholes on the internet, but don't want to disable
	351	ECN support in general.
	352
	353	To compile it as a module, choose M here. If unsure, say N.
	354
4323362e JE	355	config IP_NF_TARGET_TTL
4323362e JE	356	tristate '"TTL" target support'
76b6717b	357	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
4323362e JE	358	select NETFILTER_XT_TARGET_HL
4323362e JE	359	---help---
76b6717b	360	This is a backwards-compatible option for the user's convenience
4323362e	361	(e.g. when running oldconfig). It selects
67c0d579	362	CONFIG_NETFILTER_XT_TARGET_HL.
4323362e	363
1da177e4 LT	364	# raw + specific targets
	365	config IP_NF_RAW
	366	tristate 'raw table support (required for NOTRACK/TRACE)'
1da177e4 LT	367	help
	368	This option adds a `raw' table to iptables. This table is the very
	369	first in the netfilter framework and hooks in at the PREROUTING
	370	and OUTPUT chains.
	371
	372	If you want to compile it as a module, say M here and read
e403149c	373	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
560ee653 JM	374
	375	# security table for MAC policy
	376	config IP_NF_SECURITY
	377	tristate "Security table"
560ee653	378	depends on SECURITY
70eed75d	379	depends on NETFILTER_ADVANCED
560ee653 JM	380	help
	381	This option adds a `security' table to iptables, for use
	382	with Mandatory Access Control (MAC) policy.
	383
	384	If unsure, say N.
1da177e4	385
c2df73de JE	386	endif # IP_NF_IPTABLES
c2df73de JE	387
1da177e4 LT	388	# ARP tables
	389	config IP_NF_ARPTABLES
	390	tristate "ARP tables support"
a3c941b0	391	select NETFILTER_XTABLES
33b8e776	392	depends on NETFILTER_ADVANCED
1da177e4 LT	393	help
	394	arptables is a general, extensible packet identification framework.
	395	The ARP packet filtering and mangling (manipulation)subsystems
	396	use this: say Y or M here if you want to use either of those.
	397
	398	To compile it as a module, choose M here. If unsure, say N.
	399
c2df73de JE	400	if IP_NF_ARPTABLES
c2df73de JE	401
1da177e4 LT	402	config IP_NF_ARPFILTER
1da177e4 LT	403	tristate "ARP packet filtering"
1da177e4 LT	404	help
	405	ARP packet filtering defines a table `filter', which has a series of
	406	rules for simple ARP packet filtering at local input and
	407	local output. On a bridge, you can also specify filtering rules
	408	for forwarded ARP packets. See the man page for arptables(8).
	409
	410	To compile it as a module, choose M here. If unsure, say N.
	411
	412	config IP_NF_ARP_MANGLE
	413	tristate "ARP payload mangling"
1da177e4 LT	414	help
	415	Allows altering the ARP packet payload: source and destination
	416	hardware and network addresses.
	417
c2df73de JE	418	endif # IP_NF_ARPTABLES
c2df73de JE	419
1da177e4 LT	420	endmenu
1da177e4 LT	421