[deliverable/linux.git] / net / ipv4 / netfilter / Kconfig

#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV4
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependent connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_TABLES_IPV4
	depends on NF_TABLES
	tristate "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV4
	depends on NF_TABLES_IPV4
	tristate "IPv4 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv4 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, type of service and
	  the packet mark.

config NFT_CHAIN_NAT_IPV4
	depends on NF_TABLES_IPV4
	depends on NF_NAT_IPV4 && NFT_NAT
	tristate "IPv4 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv4 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NFT_REJECT_IPV4
	depends on NF_TABLES_IPV4
	default NFT_REJECT
	tristate

config NF_TABLES_ARP
	depends on NF_TABLES
	tristate "ARP nf_tables support"
	help
	  This option enables the ARP support for nf_tables.

config NF_NAT_IPV4
	tristate "IPv4 NAT"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	help
	  The IPv4 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV4

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_PROTO_GRE
	tristate
	depends on NF_CT_PROTO_GRE

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT_IPV4

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE || IP_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK_IPV4
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NF_NAT_IPV4
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config NF_NAT_MASQUERADE_IPV4
	tristate "IPv4 masquerade support"
	help
	This is the kernel functionality to provide NAT in the masquerade
	flavour (automatic source address selection).

config NFT_MASQ_IPV4
	tristate "IPv4 masquerading support for nf_tables"
	depends on NF_TABLES_IPV4
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV4

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK_IPV4
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.
	
	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.  

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate  'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.
	 
	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
Commit	Line	Data
1da177e4 LT	1	#
	2	# IP netfilter configuration
	3	#
	4
	5	menu "IP: Netfilter Configuration"
	6	depends on INET && NETFILTER
	7
73e4022f KK	8	config NF_DEFRAG_IPV4
	9	tristate
	10	default n
	11
9fb9cbb1	12	config NF_CONNTRACK_IPV4
c9386cfd PM	13	tristate "IPv4 connection tracking support (required for NAT)"
c9386cfd PM	14	depends on NF_CONNTRACK
33b8e776	15	default m if NETFILTER_ADVANCED=n
73e4022f	16	select NF_DEFRAG_IPV4
9fb9cbb1 YK	17	---help---
	18	Connection tracking keeps a record of what packets have passed
	19	through your machine, in order to figure out how they are related
	20	into connections.
	21
	22	This is IPv4 support on Layer 3 independent connection tracking.
	23	Layer 3 independent connection tracking is experimental scheme
	24	which generalize ip_conntrack to support other layer 3 protocols.
	25
	26	To compile it as a module, choose M here. If unsure, say N.
	27
a999e683 PM	28	config NF_CONNTRACK_PROC_COMPAT
a999e683 PM	29	bool "proc/sysctl compatibility with old connection tracking"
54b07dca	30	depends on NF_CONNTRACK_PROCFS && NF_CONNTRACK_IPV4
a999e683 PM	31	default y
	32	help
	33	This option enables /proc and sysctl compatibility with the old
67c0d579	34	layer 3 dependent connection tracking. This is needed to keep
a999e683 PM	35	old programs that have not been adapted to the new names working.
	36
	37	If unsure, say Y.
	38
c1878869 PNA	39	config NF_LOG_ARP
	40	tristate "ARP packet logging"
	41	default m if NETFILTER_ADVANCED=n
	42	select NF_LOG_COMMON
	43
	44	config NF_LOG_IPV4
	45	tristate "IPv4 packet logging"
	46	default m if NETFILTER_ADVANCED=n
	47	select NF_LOG_COMMON
	48
96518518 PM	49	config NF_TABLES_IPV4
	50	depends on NF_TABLES
	51	tristate "IPv4 nf_tables support"
d497c635 PNA	52	help
d497c635 PNA	53	This option enables the IPv4 support for nf_tables.
96518518	54
9370761c	55	config NFT_CHAIN_ROUTE_IPV4
96518518	56	depends on NF_TABLES_IPV4
9370761c	57	tristate "IPv4 nf_tables route chain support"
d497c635 PNA	58	help
	59	This option enables the "route" chain for IPv4 in nf_tables. This
	60	chain type is used to force packet re-routing after mangling header
	61	fields such as the source, destination, type of service and
	62	the packet mark.
96518518	63
9370761c	64	config NFT_CHAIN_NAT_IPV4
96518518	65	depends on NF_TABLES_IPV4
eb31628e	66	depends on NF_NAT_IPV4 && NFT_NAT
9370761c	67	tristate "IPv4 nf_tables nat chain support"
d497c635 PNA	68	help
	69	This option enables the "nat" chain for IPv4 in nf_tables. This
	70	chain type is used to perform Network Address Translation (NAT)
	71	packet transformations such as the source, destination address and
	72	source and destination ports.
96518518	73
cc4723ca PM	74	config NFT_REJECT_IPV4
	75	depends on NF_TABLES_IPV4
	76	default NFT_REJECT
	77	tristate
	78
ed683f13 PNA	79	config NF_TABLES_ARP
	80	depends on NF_TABLES
	81	tristate "ARP nf_tables support"
d497c635 PNA	82	help
d497c635 PNA	83	This option enables the ARP support for nf_tables.
ed683f13	84
8993cf8e PNA	85	config NF_NAT_IPV4
	86	tristate "IPv4 NAT"
	87	depends on NF_CONNTRACK_IPV4
	88	default m if NETFILTER_ADVANCED=n
	89	select NF_NAT
	90	help
	91	The IPv4 NAT option allows masquerading, port forwarding and other
	92	forms of full Network Address Port Translation. This can be
	93	controlled by iptables or nft.
	94
	95	if NF_NAT_IPV4
	96
	97	config NF_NAT_SNMP_BASIC
	98	tristate "Basic SNMP-ALG support"
	99	depends on NF_CONNTRACK_SNMP
	100	depends on NETFILTER_ADVANCED
	101	default NF_NAT && NF_CONNTRACK_SNMP
	102	---help---
	103
	104	This module implements an Application Layer Gateway (ALG) for
	105	SNMP payloads. In conjunction with NAT, it allows a network
	106	management system to access multiple private networks with
	107	conflicting addresses. It works by modifying IP addresses
	108	inside SNMP payloads to match IP-layer NAT mapping.
	109
	110	This is the "basic" form of SNMP-ALG, as described in RFC 2962
	111
	112	To compile it as a module, choose M here. If unsure, say N.
	113
	114	config NF_NAT_PROTO_GRE
	115	tristate
	116	depends on NF_CT_PROTO_GRE
	117
	118	config NF_NAT_PPTP
	119	tristate
	120	depends on NF_CONNTRACK
	121	default NF_CONNTRACK_PPTP
	122	select NF_NAT_PROTO_GRE
	123
	124	config NF_NAT_H323
	125	tristate
	126	depends on NF_CONNTRACK
	127	default NF_CONNTRACK_H323
	128
	129	endif # NF_NAT_IPV4
	130
1da177e4 LT	131	config IP_NF_IPTABLES
1da177e4 LT	132	tristate "IP tables support (required for filtering/masq/NAT)"
33b8e776	133	default m if NETFILTER_ADVANCED=n
a3c941b0	134	select NETFILTER_XTABLES
1da177e4 LT	135	help
	136	iptables is a general, extensible packet identification framework.
	137	The packet filtering and full NAT (masquerading, port forwarding,
	138	etc) subsystems now use this: say `Y' or `M' here if you want to use
	139	either of those.
	140
	141	To compile it as a module, choose M here. If unsure, say N.
	142
c2df73de JE	143	if IP_NF_IPTABLES
c2df73de JE	144
1da177e4	145	# The matches.
dc5ab2fa	146	config IP_NF_MATCH_AH
4c37799c	147	tristate '"ah" match support'
33b8e776	148	depends on NETFILTER_ADVANCED
1da177e4	149	help
dc5ab2fa YK	150	This match extension allows you to match a range of SPIs
dc5ab2fa YK	151	inside AH header of IPSec packets.
1da177e4 LT	152
	153	To compile it as a module, choose M here. If unsure, say N.
	154
aba0d348 JE	155	config IP_NF_MATCH_ECN
aba0d348 JE	156	tristate '"ecn" match support'
33b8e776	157	depends on NETFILTER_ADVANCED
d446a820 JE	158	select NETFILTER_XT_MATCH_ECN
	159	---help---
	160	This is a backwards-compat option for the user's convenience
	161	(e.g. when running oldconfig). It selects
	162	CONFIG_NETFILTER_XT_MATCH_ECN.
1da177e4	163
8f97339d FW	164	config IP_NF_MATCH_RPFILTER
8f97339d FW	165	tristate '"rpfilter" reverse path filter match support'
d37d6968	166	depends on NETFILTER_ADVANCED && (IP_NF_MANGLE \|\| IP_NF_RAW)
8f97339d FW	167	---help---
	168	This option allows you to match packets whose replies would
	169	go out via the interface the packet came in.
	170
	171	To compile it as a module, choose M here. If unsure, say N.
	172	The module will be called ipt_rpfilter.
	173
4323362e JE	174	config IP_NF_MATCH_TTL
	175	tristate '"ttl" match support'
	176	depends on NETFILTER_ADVANCED
	177	select NETFILTER_XT_MATCH_HL
	178	---help---
	179	This is a backwards-compat option for the user's convenience
	180	(e.g. when running oldconfig). It selects
67c0d579	181	CONFIG_NETFILTER_XT_MATCH_HL.
4323362e	182
1da177e4 LT	183	# `filter', generic and specific targets
	184	config IP_NF_FILTER
	185	tristate "Packet filtering"
33b8e776	186	default m if NETFILTER_ADVANCED=n
1da177e4 LT	187	help
	188	Packet filtering defines a table `filter', which has a series of
	189	rules for simple packet filtering at local input, forwarding and
	190	local output. See the man page for iptables(8).
	191
	192	To compile it as a module, choose M here. If unsure, say N.
	193
	194	config IP_NF_TARGET_REJECT
	195	tristate "REJECT target support"
	196	depends on IP_NF_FILTER
33b8e776	197	default m if NETFILTER_ADVANCED=n
1da177e4 LT	198	help
	199	The REJECT target allows a filtering rule to specify that an ICMP
	200	error should be issued in response to an incoming packet, rather
	201	than silently being dropped.
	202
	203	To compile it as a module, choose M here. If unsure, say N.
	204
48b1de4c PM	205	config IP_NF_TARGET_SYNPROXY
	206	tristate "SYNPROXY target support"
	207	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	208	select NETFILTER_SYNPROXY
	209	select SYN_COOKIES
	210	help
	211	The SYNPROXY target allows you to intercept TCP connections and
	212	establish them using syncookies before they are passed on to the
	213	server. This allows to avoid conntrack and server resource usage
	214	during SYN-flood attacks.
	215
	216	To compile it as a module, choose M here. If unsure, say N.
	217
5b1158e9	218	# NAT + specific targets: nf_conntrack
8993cf8e PNA	219	config IP_NF_NAT
8993cf8e PNA	220	tristate "iptables NAT support"
c2df73de	221	depends on NF_CONNTRACK_IPV4
33b8e776	222	default m if NETFILTER_ADVANCED=n
c7232c99	223	select NF_NAT
8993cf8e PNA	224	select NF_NAT_IPV4
8993cf8e PNA	225	select NETFILTER_XT_NAT
5b1158e9	226	help
8993cf8e PNA	227	This enables the `nat' table in iptables. This allows masquerading,
	228	port forwarding and other forms of full Network Address Port
	229	Translation.
5b1158e9 JK	230
	231	To compile it as a module, choose M here. If unsure, say N.
	232
8993cf8e	233	if IP_NF_NAT
1da177e4	234
8dd33cc9 AB	235	config NF_NAT_MASQUERADE_IPV4
	236	tristate "IPv4 masquerade support"
	237	help
	238	This is the kernel functionality to provide NAT in the masquerade
	239	flavour (automatic source address selection).
	240
9ba1f726 AB	241	config NFT_MASQ_IPV4
	242	tristate "IPv4 masquerading support for nf_tables"
	243	depends on NF_TABLES_IPV4
	244	depends on NFT_MASQ
	245	select NF_NAT_MASQUERADE_IPV4
	246
1da177e4 LT	247	config IP_NF_TARGET_MASQUERADE
1da177e4 LT	248	tristate "MASQUERADE target support"
8dd33cc9	249	select NF_NAT_MASQUERADE_IPV4
33b8e776	250	default m if NETFILTER_ADVANCED=n
1da177e4 LT	251	help
	252	Masquerading is a special case of NAT: all outgoing connections are
	253	changed to seem to come from a particular interface's address, and
	254	if the interface goes down, those connections are lost. This is
	255	only useful for dialup accounts with dynamic IP address (ie. your IP
	256	address will be different on next dialup).
	257
	258	To compile it as a module, choose M here. If unsure, say N.
	259
aba0d348 JE	260	config IP_NF_TARGET_NETMAP
aba0d348 JE	261	tristate "NETMAP target support"
33b8e776	262	depends on NETFILTER_ADVANCED
b3d54b3e JE	263	select NETFILTER_XT_TARGET_NETMAP
	264	---help---
	265	This is a backwards-compat option for the user's convenience
	266	(e.g. when running oldconfig). It selects
	267	CONFIG_NETFILTER_XT_TARGET_NETMAP.
1da177e4	268
aba0d348 JE	269	config IP_NF_TARGET_REDIRECT
aba0d348 JE	270	tristate "REDIRECT target support"
33b8e776	271	depends on NETFILTER_ADVANCED
2cbc78a2 JE	272	select NETFILTER_XT_TARGET_REDIRECT
	273	---help---
	274	This is a backwards-compat option for the user's convenience
	275	(e.g. when running oldconfig). It selects
	276	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
1da177e4	277
8993cf8e	278	endif # IP_NF_NAT
f587de0e	279
1da177e4 LT	280	# mangle + specific targets
	281	config IP_NF_MANGLE
	282	tristate "Packet mangling"
33b8e776	283	default m if NETFILTER_ADVANCED=n
1da177e4 LT	284	help
	285	This option adds a `mangle' table to iptables: see the man page for
	286	iptables(8). This table is used for various packet alterations
	287	which can effect how the packet is routed.
	288
	289	To compile it as a module, choose M here. If unsure, say N.
	290
aba0d348	291	config IP_NF_TARGET_CLUSTERIP
aec9a0eb KC	292	tristate "CLUSTERIP target support"
aec9a0eb KC	293	depends on IP_NF_MANGLE
aba0d348 JE	294	depends on NF_CONNTRACK_IPV4
	295	depends on NETFILTER_ADVANCED
	296	select NF_CONNTRACK_MARK
	297	help
	298	The CLUSTERIP target allows you to build load-balancing clusters of
	299	network servers without having a dedicated load-balancing
	300	router/server/switch.
	301
	302	To compile it as a module, choose M here. If unsure, say N.
	303
1da177e4 LT	304	config IP_NF_TARGET_ECN
	305	tristate "ECN target support"
	306	depends on IP_NF_MANGLE
33b8e776	307	depends on NETFILTER_ADVANCED
1da177e4 LT	308	---help---
	309	This option adds a `ECN' target, which can be used in the iptables mangle
	310	table.
	311
	312	You can use this target to remove the ECN bits from the IPv4 header of
	313	an IP packet. This is particularly useful, if you need to work around
	314	existing ECN blackholes on the internet, but don't want to disable
	315	ECN support in general.
	316
	317	To compile it as a module, choose M here. If unsure, say N.
	318
4323362e JE	319	config IP_NF_TARGET_TTL
4323362e JE	320	tristate '"TTL" target support'
76b6717b	321	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
4323362e JE	322	select NETFILTER_XT_TARGET_HL
4323362e JE	323	---help---
76b6717b	324	This is a backwards-compatible option for the user's convenience
4323362e	325	(e.g. when running oldconfig). It selects
67c0d579	326	CONFIG_NETFILTER_XT_TARGET_HL.
4323362e	327
1da177e4 LT	328	# raw + specific targets
	329	config IP_NF_RAW
	330	tristate 'raw table support (required for NOTRACK/TRACE)'
1da177e4 LT	331	help
	332	This option adds a `raw' table to iptables. This table is the very
	333	first in the netfilter framework and hooks in at the PREROUTING
	334	and OUTPUT chains.
	335
	336	If you want to compile it as a module, say M here and read
e403149c	337	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
560ee653 JM	338
	339	# security table for MAC policy
	340	config IP_NF_SECURITY
	341	tristate "Security table"
560ee653	342	depends on SECURITY
70eed75d	343	depends on NETFILTER_ADVANCED
560ee653 JM	344	help
	345	This option adds a `security' table to iptables, for use
	346	with Mandatory Access Control (MAC) policy.
	347
	348	If unsure, say N.
1da177e4	349
c2df73de JE	350	endif # IP_NF_IPTABLES
c2df73de JE	351
1da177e4 LT	352	# ARP tables
	353	config IP_NF_ARPTABLES
	354	tristate "ARP tables support"
a3c941b0	355	select NETFILTER_XTABLES
33b8e776	356	depends on NETFILTER_ADVANCED
1da177e4 LT	357	help
	358	arptables is a general, extensible packet identification framework.
	359	The ARP packet filtering and mangling (manipulation)subsystems
	360	use this: say Y or M here if you want to use either of those.
	361
	362	To compile it as a module, choose M here. If unsure, say N.
	363
c2df73de JE	364	if IP_NF_ARPTABLES
c2df73de JE	365
1da177e4 LT	366	config IP_NF_ARPFILTER
1da177e4 LT	367	tristate "ARP packet filtering"
1da177e4 LT	368	help
	369	ARP packet filtering defines a table `filter', which has a series of
	370	rules for simple ARP packet filtering at local input and
	371	local output. On a bridge, you can also specify filtering rules
	372	for forwarded ARP packets. See the man page for arptables(8).
	373
	374	To compile it as a module, choose M here. If unsure, say N.
	375
	376	config IP_NF_ARP_MANGLE
	377	tristate "ARP payload mangling"
1da177e4 LT	378	help
	379	Allows altering the ARP packet payload: source and destination
	380	hardware and network addresses.
	381
c2df73de JE	382	endif # IP_NF_ARPTABLES
c2df73de JE	383
1da177e4 LT	384	endmenu
1da177e4 LT	385