/spare/repo/netdev-2.6 branch 'master'
[deliverable/linux.git] / net / ipv4 / netfilter / Kconfig
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# connection tracking, helpers and protocols
config IP_NF_CONNTRACK
	tristate "Connection tracking (required for masq/NAT)"
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT). It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config IP_NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config IP_NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config IP_NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  With this option enabled, the connection tracking code will
	  be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_IRC
	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	---help---
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_TFTP
	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper, this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_AMANDA
	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# The matches.
config IP_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP_NF_IPTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP
	  address ranges.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP_NF_IPTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PKTTYPE
	tristate "Packet type match support"
	depends on IP_NF_IPTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP_NF_IPTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH_ESP
	tristate "AH/ESP match support"
	depends on IP_NF_IPTABLES
	help
	  These two match extensions (`ah' and `esp') allow you to match a
	  range of SPIs inside AH or ESP headers of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_LENGTH
	tristate "LENGTH match support"
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TCPMSS
	tristate "tcpmss match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_HELPER
	tristate "Helper match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, ie. ip_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_MATCH_STATE
	tristate "Connection state match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_CONNTRACK
	tristate "Connection tracking match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_REALM
	tristate 'realm match support'
	depends on IP_NF_IPTABLES
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_SCTP
	tristate 'SCTP protocol match support'
	depends on IP_NF_IPTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_DCCP
	tristate 'DCCP protocol match support'
	depends on IP_NF_IPTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_COMMENT
	tristate 'comment match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_CONNMARK
	tristate 'Connection mark match support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  ipt_connmark.o. If unsure, say `N'.

config IP_NF_MATCH_CONNBYTES
	tristate 'Connection byte/packet counter match support'
	depends on IP_NF_CT_ACCT && IP_NF_IPTABLES
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_HASHLIMIT
	tristate 'hashlimit match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a new iptables `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  ip addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination IP' or `500pps from any given source IP' with a single
	  IPtables rule.

config IP_NF_MATCH_STRING
	tristate 'string match support'
	depends on IP_NF_IPTABLES
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  pattern matchings in packets.

	  To compile it as a module, choose M here. If unsure, say N.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which record the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	  	1) Web browsers connect, then hang with no data received.
	  	2) Small mail works fine, but large emails hang.
	  	3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	  		 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets
config IP_NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_NEEDED
	bool
	depends on IP_NF_NAT != n
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on IP_NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on IP_NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on IP_NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	depends on IP_NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_DSCP
	tristate "DSCP target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLASSIFY
	tristate "CLASSIFY target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CONNMARK
	tristate 'CONNMARK target support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value. Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  ipt_CONNMARK.o. If unsure, say `N'.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_TARGET_NOTRACK
	tristate 'NOTRACK target support'
	depends on IP_NF_RAW
	depends on IP_NF_CONNTRACK
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.


# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

config IP_NF_CONNTRACK_NETLINK
	tristate 'Connection tracking netlink interface'
	depends on IP_NF_CONNTRACK && NETFILTER_NETLINK
	help
	  This option enables support for a netlink-based userspace interface

endmenu