[NETFILTER]: ipt_addrtype: limit address type checking to an interface
[deliverable/linux.git] / net / ipv4 / netfilter / Kconfig
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 connection tracking support (required for NAT)"
	depends on NF_CONNTRACK
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_CONNTRACK_PROC_COMPAT
	bool "proc/sysctl compatibility with old connection tracking"
	depends on NF_CONNTRACK_IPV4
	default y
	help
	  This option enables /proc and sysctl compatibility with the old
	  layer 3 dependant connection tracking. This is needed to keep
	  old programs that have not been adapted to the new names working.

	  If unsure, say Y.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# The matches.
config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes possible to match IP addresses against IP address
	  ranges.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH
	tristate "AH match support"
	depends on IP_NF_IPTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_NEEDED
	bool
	depends on NF_NAT
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support (OBSOLETE)"
	depends on NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_NAT
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.
# From kconfig-language.txt:
#
# <expr> '&&' <expr> (6)
#
# (6) Returns the result of min(/expr/, /expr/).
config NF_NAT_PROTO_GRE
	tristate
	depends on NF_NAT && NF_CT_PROTO_GRE

config NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_PPTP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_PPTP
	select NF_NAT_PROTO_GRE

config NF_NAT_H323
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_H323

config NF_NAT_SIP
	tristate
	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT
	default NF_NAT && NF_CONNTRACK_SIP

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on NF_CONNTRACK_IPV4
	select NF_CONNTRACK_MARK
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endmenu
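
The comment above NF_NAT_PROTO_GRE says that `&&` on tristates returns the weaker operand. The script below is an added example, not part of the kernel tree: it applies that rule to the promptless NF_NAT_* helper symbols declared in this file to work out which NAT helpers a given .config ends up building, which is useful when auditing which ALG code is present in a kernel. It assumes a promptless symbol takes min(default, depends on) and ignores `select` and the MODULES setting; the sample .config is constructed.

```python
import re

TRI = {"n": 0, "m": 1, "y": 2}          # Kconfig tristate ordering: n < m < y
NAME = {v: k for k, v in TRI.items()}

# Promptless NAT helper symbols as declared in this Kconfig:
# name -> (depends on expression, default expression)
HELPERS = {
    f"NF_NAT_{p}": ("IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT",
                    f"NF_NAT && NF_CONNTRACK_{p}")
    for p in ("FTP", "IRC", "TFTP", "AMANDA", "PPTP", "H323", "SIP")
}

# Constructed sample .config fragment (not taken from a real system).
SAMPLE_CONFIG = """\
CONFIG_IP_NF_IPTABLES=y
CONFIG_NF_CONNTRACK=y
CONFIG_NF_NAT=m
CONFIG_NF_CONNTRACK_FTP=y
CONFIG_NF_CONNTRACK_SIP=m
# CONFIG_NF_CONNTRACK_IRC is not set
"""

def parse_config(text):
    """Read .config text into {symbol: 'y'|'m'}; unset symbols are absent."""
    values = {}
    for line in text.splitlines():
        m = re.match(r"CONFIG_(\w+)=([ym])\s*$", line.strip())
        if m:
            values[m.group(1)] = m.group(2)
    return values

def eval_and(expr, values):
    """Evaluate 'A && B && ...': the result is the minimum operand."""
    return min(TRI[values.get(s.strip(), "n")] for s in expr.split("&&"))

def helper_value(name, values):
    """Value of a promptless symbol: its default, capped by its dependencies."""
    depends, default = HELPERS[name]
    return NAME[min(eval_and(default, values), eval_and(depends, values))]

def built_helpers(config_text):
    """Map every NF_NAT_* helper in HELPERS to 'n', 'm' or 'y'."""
    values = parse_config(config_text)
    return {name: helper_value(name, values) for name in HELPERS}

if __name__ == "__main__":
    for name, value in built_helpers(SAMPLE_CONFIG).items():
        print(f"CONFIG_{name}={value}")
```
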