# IP netfilter configuration

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# connection tracking, helpers and protocols
	tristate "Connection tracking (required for masq/NAT)"
	select NETFILTER_NETLINK if IP_NF_CONNTRACK_NETLINK!=n
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT). It can also be used to
	  enhance packet filtering (see `Connection state match support'

	  To compile it as a module, choose M here. If unsure, say N.

	bool "Connection tracking flow accounting"
	depends on IP_NF_CONNTRACK
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the

config IP_NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on IP_NF_CONNTRACK
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config IP_NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on IP_NF_CONNTRACK
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

config IP_NF_CONNTRACK_NETLINK
	tristate 'Connection tracking netlink interface'
	depends on IP_NF_CONNTRACK && NETFILTER_NETLINK
	default IP_NF_CONNTRACK if NETFILTER_NETLINK=y
	default m if NETFILTER_NETLINK=m
	  This option enables support for a netlink-based userspace interface

config IP_NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	  With this option enabled, the connection tracking code will
	  be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here. If unsure, say Y.

	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_NETBIOS_NS
	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	  TFTP connection tracking helper, this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE

	  To compile it as a module, choose M here. If unsure, say Y.

	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and

	  To compile it as a module, choose M here. If unsure, say Y.

	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP_NF_IPTABLES
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	  This option makes it possible to match IP addresses against IP address

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP_NF_IPTABLES
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PKTTYPE
	tristate "Packet type match support"
	depends on IP_NF_IPTABLES
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	      iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP_NF_IPTABLES
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP_NF_IPTABLES
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH_ESP
	tristate "AH/ESP match support"
	depends on IP_NF_IPTABLES
	  These two match extensions (`ah' and `esp') allow you to match a
	  range of SPIs inside AH or ESP headers of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_LENGTH
	tristate "LENGTH match support"
	depends on IP_NF_IPTABLES
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TCPMSS
	tristate "tcpmss match support"
	depends on IP_NF_IPTABLES
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_HELPER
	tristate "Helper match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, ie. ip_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_MATCH_STATE
	tristate "Connection state match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_CONNTRACK
	tristate "Connection tracking match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_REALM
	tristate 'realm match support'
	depends on IP_NF_IPTABLES
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_SCTP
	tristate 'SCTP protocol match support'
	depends on IP_NF_IPTABLES
	  With this option enabled, you will be able to use the iptables
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_DCCP
	tristate 'DCCP protocol match support'
	depends on IP_NF_IPTABLES
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_COMMENT
	tristate 'comment match support'
	depends on IP_NF_IPTABLES
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_CONNMARK
	tristate 'Connection mark match support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  ipt_connmark.o. If unsure, say `N'.

config IP_NF_MATCH_CONNBYTES
	tristate 'Connection byte/packet counter match support'
	depends on IP_NF_CT_ACCT && IP_NF_IPTABLES
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_HASHLIMIT
	tristate 'hashlimit match support'
	depends on IP_NF_IPTABLES
	  This option adds a new iptables `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  ip addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination IP' or `500pps from any given source IP' with a single

config IP_NF_MATCH_STRING
	tristate 'string match support'
	depends on IP_NF_IPTABLES
	select TEXTSEARCH_KMP
	select TEXTSEARCH_FSM
	  This option adds a `string' match, which allows you to look for
	  pattern matchings in packets.

	  To compile it as a module, choose M here. If unsure, say N.

# `filter', generic and specific targets
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which record the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large

	   1) Web browsers connect, then hang with no data received.
	   2) Small mail works fine, but large emails hang.
	   3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_NEEDED
	depends on IP_NF_NAT != n

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here. If unsure, say N.

	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m

# mangle + specific targets
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	  This option adds a `ECN' target, which can be used in the iptables mangle

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_DSCP
	tristate "DSCP target support"
	depends on IP_NF_MANGLE
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP_NF_MANGLE
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLASSIFY
	tristate "CLASSIFY target support"
	depends on IP_NF_MANGLE
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CONNMARK
	tristate 'CONNMARK target support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value. Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  ipt_CONNMARK.o. If unsure, say `N'.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_TARGET_NOTRACK
	tristate 'NOTRACK target support'
	depends on IP_NF_CONNTRACK
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_ARPTABLES
	tristate "ARP tables support"
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.
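
The IP_NF_NETBIOS_NS help text above says the helper relies on a correct netmask and broadcast address. The following Python script is an added example, not part of the kernel source: it parses `ip -4 address show` output and compares each configured `brd` value with the broadcast address implied by the prefix length. The function name `check_broadcast` and the eth1/eth2 sample lines are constructed for illustration; the eth0 lines are the ones from the help text.

```python
import ipaddress
import re

# Sample input: eth0 is the output shown in the help text; eth1 (wrong
# broadcast for a /24) and eth2 (no broadcast set) are constructed.
SAMPLE = """\
4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
5: eth1: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 10.0.5.17/24 brd 10.0.255.255 scope global eth1
6: eth2: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
    inet 192.168.9.1/24 scope global eth2
"""

# "4: eth0: <FLAG,FLAG,...> ..." interface header line
HEADER_RE = re.compile(r"^\d+:\s+(?P<dev>[^:\s]+):\s+<(?P<flags>[^>]*)>")
# "inet ADDR/PLEN [brd BRD] ..." address line (inet6 lines do not match)
INET_RE = re.compile(
    r"^\s*inet\s+(?P<addr>[\d.]+)/(?P<plen>\d+)(?:\s+brd\s+(?P<brd>[\d.]+))?"
)


def check_broadcast(ip_output):
    """Return (dev, cidr, configured_brd, expected_brd, status) per address.

    status is "ok", "mismatch" or "missing". Interfaces without the
    BROADCAST flag (loopback, point-to-point) and /31 or /32 prefixes are
    skipped because they have no broadcast address to verify.
    """
    findings = []
    dev, flags = None, set()
    for line in ip_output.splitlines():
        head = HEADER_RE.match(line)
        if head:
            dev = head["dev"]
            flags = set(head["flags"].split(","))
            continue
        inet = INET_RE.match(line)
        if not inet or "BROADCAST" not in flags:
            continue
        iface = ipaddress.ip_interface(f"{inet['addr']}/{inet['plen']}")
        if iface.network.prefixlen >= 31:
            continue
        expected = iface.network.broadcast_address
        if inet["brd"] is None:
            status = "missing"
        elif ipaddress.ip_address(inet["brd"]) == expected:
            status = "ok"
        else:
            status = "mismatch"
        findings.append((dev, str(iface), inet["brd"], str(expected), status))
    return findings


if __name__ == "__main__":
    for dev, cidr, brd, expected, status in check_broadcast(SAMPLE):
        print(f"{dev:6} {cidr:18} brd={brd} expected={expected} -> {status}")
```

Any address reported as "mismatch" or "missing" should be corrected before relying on the helper, since it depends on that broadcast address.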