xref: /openbmc/linux/net/ipv4/netfilter/Kconfig (revision 080774a2)
1#
2# IP netfilter configuration
3#
4
5menu "IP: Netfilter Configuration"
6	depends on INET && NETFILTER
7
8# connection tracking, helpers and protocols
9config IP_NF_CONNTRACK
10	tristate "Connection tracking (required for masq/NAT)"
11	---help---
12	  Connection tracking keeps a record of what packets have passed
13	  through your machine, in order to figure out how they are related
14	  into connections.
15
16	  This is required to do Masquerading or other kinds of Network
17	  Address Translation (except for Fast NAT).  It can also be used to
18	  enhance packet filtering (see `Connection state match support'
19	  below).
20
21	  To compile it as a module, choose M here.  If unsure, say N.
22
23config IP_NF_CT_ACCT
24	bool "Connection tracking flow accounting"
25	depends on IP_NF_CONNTRACK
26	help
27	  If this option is enabled, the connection tracking code will
28	  keep per-flow packet and byte counters.
29
30	  Those counters can be used for flow-based accounting or the
31	  `connbytes' match.
32
33	  If unsure, say `N'.
34
35config IP_NF_CONNTRACK_MARK
36	bool  'Connection mark tracking support'
37	help
38	  This option enables support for connection marks, used by the
39	  `CONNMARK' target and `connmark' match. Similar to the mark value
40	  of packets, but this mark value is kept in the conntrack session
41	  instead of the individual packets.
42
43config IP_NF_CONNTRACK_EVENTS
44	bool "Connection tracking events"
45	depends on IP_NF_CONNTRACK
46	help
47	  If this option is enabled, the connection tracking code will
48	  provide a notifier chain that can be used by other kernel code
49	  to get notified about changes in the connection tracking state.
50
51	  If unsure, say `N'.
52
53config IP_NF_CT_PROTO_SCTP
54	tristate  'SCTP protocol connection tracking support (EXPERIMENTAL)'
55	depends on IP_NF_CONNTRACK && EXPERIMENTAL
56	help
57	  With this option enabled, the connection tracking code will
58	  be able to do state tracking on SCTP connections.
59
60	  If you want to compile it as a module, say M here and read
61	  <file:Documentation/modules.txt>.  If unsure, say `N'.
62
63config IP_NF_FTP
64	tristate "FTP protocol support"
65	depends on IP_NF_CONNTRACK
66	help
67	  Tracking FTP connections is problematic: special helpers are
68	  required for tracking them, and doing masquerading and other forms
69	  of Network Address Translation on them.
70
71	  To compile it as a module, choose M here.  If unsure, say Y.
72
73config IP_NF_IRC
74	tristate "IRC protocol support"
75	depends on IP_NF_CONNTRACK
76	---help---
77	  There is a commonly-used extension to IRC called
78	  Direct Client-to-Client Protocol (DCC).  This enables users to send
79	  files to each other, and also chat to each other without the need
80	  of a server.  DCC Sending is used anywhere you send files over IRC,
81	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
82	  using NAT, this extension will enable you to send files and initiate
83	  chats.  Note that you do NOT need this extension to get files or
84	  have others initiate chats, or everything else in IRC.
85
86	  To compile it as a module, choose M here.  If unsure, say Y.
87
88config IP_NF_TFTP
89	tristate "TFTP protocol support"
90	depends on IP_NF_CONNTRACK
91	help
92	  TFTP connection tracking helper.  Whether this is required depends
93	  on how restrictive your ruleset is.
94	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
95	  you will need this.
96
97	  To compile it as a module, choose M here.  If unsure, say Y.
98
99config IP_NF_AMANDA
100	tristate "Amanda backup protocol support"
101	depends on IP_NF_CONNTRACK
102	help
103	  If you are running the Amanda backup package <http://www.amanda.org/>
104	  on this machine or machines that will be MASQUERADED through this
105	  machine, then you may want to enable this feature.  This allows the
106	  connection tracking and natting code to allow the sub-channels that
107	  Amanda requires for communication of the backup data, messages and
108	  index.
109
110	  To compile it as a module, choose M here.  If unsure, say Y.
111
112config IP_NF_QUEUE
113	tristate "Userspace queueing via NETLINK"
114	help
115	  Netfilter has the ability to queue packets to user space: the
116	  netlink device can be used to access them using this driver.
117
118	  To compile it as a module, choose M here.  If unsure, say N.
119
120config IP_NF_IPTABLES
121	tristate "IP tables support (required for filtering/masq/NAT)"
122	help
123	  iptables is a general, extensible packet identification framework.
124	  The packet filtering and full NAT (masquerading, port forwarding,
125	  etc) subsystems now use this: say `Y' or `M' here if you want to use
126	  either of those.
127
128	  To compile it as a module, choose M here.  If unsure, say N.
129
130# The matches.
131config IP_NF_MATCH_LIMIT
132	tristate "limit match support"
133	depends on IP_NF_IPTABLES
134	help
135	  limit matching allows you to control the rate at which a rule can be
136	  matched: mainly useful in combination with the LOG target ("LOG
137	  target support", below) and to avoid some Denial of Service attacks.
138
139	  To compile it as a module, choose M here.  If unsure, say N.
140
141config IP_NF_MATCH_IPRANGE
142	tristate "IP range match support"
143	depends on IP_NF_IPTABLES
144	help
145	  This option makes it possible to match IP addresses against IP address
146	  ranges.
147
148	  To compile it as a module, choose M here.  If unsure, say N.
149
150config IP_NF_MATCH_MAC
151	tristate "MAC address match support"
152	depends on IP_NF_IPTABLES
153	help
154	  MAC matching allows you to match packets based on the source
155	  Ethernet address of the packet.
156
157	  To compile it as a module, choose M here.  If unsure, say N.
158
159config IP_NF_MATCH_PKTTYPE
160	tristate "Packet type match support"
161	depends on IP_NF_IPTABLES
162	help
163         Packet type matching allows you to match a packet by
164         its "class", eg. BROADCAST, MULTICAST, ...
165
166	  Typical usage:
167	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
168
169	  To compile it as a module, choose M here.  If unsure, say N.
170
171config IP_NF_MATCH_MARK
172	tristate "netfilter MARK match support"
173	depends on IP_NF_IPTABLES
174	help
175	  Netfilter mark matching allows you to match packets based on the
176	  `nfmark' value in the packet.  This can be set by the MARK target
177	  (see below).
178
179	  To compile it as a module, choose M here.  If unsure, say N.
180
181config IP_NF_MATCH_MULTIPORT
182	tristate "Multiple port match support"
183	depends on IP_NF_IPTABLES
184	help
185	  Multiport matching allows you to match TCP or UDP packets based on
186	  a series of source or destination ports: normally a rule can only
187	  match a single range of ports.
188
189	  To compile it as a module, choose M here.  If unsure, say N.
190
191config IP_NF_MATCH_TOS
192	tristate "TOS match support"
193	depends on IP_NF_IPTABLES
194	help
195	  TOS matching allows you to match packets based on the Type Of
196	  Service fields of the IP packet.
197
198	  To compile it as a module, choose M here.  If unsure, say N.
199
200config IP_NF_MATCH_RECENT
201	tristate "recent match support"
202	depends on IP_NF_IPTABLES
203	help
204	  This match is used for creating one or many lists of recently
205	  used addresses and then matching against that/those list(s).
206
207	  Short options are available by using 'iptables -m recent -h'
208	  Official Website: <http://snowman.net/projects/ipt_recent/>
209
210	  To compile it as a module, choose M here.  If unsure, say N.
211
212config IP_NF_MATCH_ECN
213	tristate "ECN match support"
214	depends on IP_NF_IPTABLES
215	help
216	  This option adds a `ECN' match, which allows you to match against
217	  the IPv4 and TCP header ECN fields.
218
219	  To compile it as a module, choose M here.  If unsure, say N.
220
221config IP_NF_MATCH_DSCP
222	tristate "DSCP match support"
223	depends on IP_NF_IPTABLES
224	help
225	  This option adds a `DSCP' match, which allows you to match against
226	  the IPv4 header DSCP field (DSCP codepoint).
227
228	  The DSCP codepoint can have any value between 0x0 and 0x4f.
229
230	  To compile it as a module, choose M here.  If unsure, say N.
231
232config IP_NF_MATCH_AH_ESP
233	tristate "AH/ESP match support"
234	depends on IP_NF_IPTABLES
235	help
236	  These two match extensions (`ah' and `esp') allow you to match a
237	  range of SPIs inside AH or ESP headers of IPSec packets.
238
239	  To compile it as a module, choose M here.  If unsure, say N.
240
241config IP_NF_MATCH_LENGTH
242	tristate "LENGTH match support"
243	depends on IP_NF_IPTABLES
244	help
245	  This option allows you to match the length of a packet against a
246	  specific value or range of values.
247
248	  To compile it as a module, choose M here.  If unsure, say N.
249
250config IP_NF_MATCH_TTL
251	tristate "TTL match support"
252	depends on IP_NF_IPTABLES
253	help
254	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
255	  to match packets by their TTL value.
256
257	  To compile it as a module, choose M here.  If unsure, say N.
258
259config IP_NF_MATCH_TCPMSS
260	tristate "tcpmss match support"
261	depends on IP_NF_IPTABLES
262	help
263	  This option adds a `tcpmss' match, which allows you to examine the
264	  MSS value of TCP SYN packets, which control the maximum packet size
265	  for that connection.
266
267	  To compile it as a module, choose M here.  If unsure, say N.
268
269config IP_NF_MATCH_HELPER
270	tristate "Helper match support"
271	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
272	help
273	  Helper matching allows you to match packets in dynamic connections
274	  tracked by a conntrack-helper, e.g. ip_conntrack_ftp
275
276	  To compile it as a module, choose M here.  If unsure, say Y.
277
278config IP_NF_MATCH_STATE
279	tristate "Connection state match support"
280	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
281	help
282	  Connection state matching allows you to match packets based on their
283	  relationship to a tracked connection (ie. previous packets).  This
284	  is a powerful tool for packet classification.
285
286	  To compile it as a module, choose M here.  If unsure, say N.
287
288config IP_NF_MATCH_CONNTRACK
289	tristate "Connection tracking match support"
290	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
291	help
292	  This is a general conntrack match module, a superset of the state match.
293
294	  It allows matching on additional conntrack information, which is
295	  useful in complex configurations, such as NAT gateways with multiple
296	  internet links or tunnels.
297
298	  To compile it as a module, choose M here.  If unsure, say N.
299
300config IP_NF_MATCH_OWNER
301	tristate "Owner match support"
302	depends on IP_NF_IPTABLES
303	help
304	  Packet owner matching allows you to match locally-generated packets
305	  based on who created them: the user, group, process or session.
306
307	  To compile it as a module, choose M here.  If unsure, say N.
308
309config IP_NF_MATCH_PHYSDEV
310	tristate "Physdev match support"
311	depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
312	help
313	  Physdev packet matching matches against the physical bridge ports
314	  the IP packet arrived on or will leave by.
315
316	  To compile it as a module, choose M here.  If unsure, say N.
317
318config IP_NF_MATCH_ADDRTYPE
319	tristate  'address type match support'
320	depends on IP_NF_IPTABLES
321	help
322	  This option allows you to match what routing thinks of an address,
323	  eg. UNICAST, LOCAL, BROADCAST, ...
324
325	  If you want to compile it as a module, say M here and read
326	  <file:Documentation/modules.txt>.  If unsure, say `N'.
327
328config IP_NF_MATCH_REALM
329	tristate  'realm match support'
330	depends on IP_NF_IPTABLES
331	select NET_CLS_ROUTE
332	help
333	  This option adds a `realm' match, which allows you to use the realm
334	  key from the routing subsystem inside iptables.
335
336	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
337	  in tc world.
338
339	  If you want to compile it as a module, say M here and read
340	  <file:Documentation/modules.txt>.  If unsure, say `N'.
341
342config IP_NF_MATCH_SCTP
343	tristate  'SCTP protocol match support'
344	depends on IP_NF_IPTABLES
345	help
346	  With this option enabled, you will be able to use the iptables
347	  `sctp' match in order to match on SCTP source/destination ports
348	  and SCTP chunk types.
349
350	  If you want to compile it as a module, say M here and read
351	  <file:Documentation/modules.txt>.  If unsure, say `N'.
352
353config IP_NF_MATCH_COMMENT
354	tristate  'comment match support'
355	depends on IP_NF_IPTABLES
356	help
357	  This option adds a `comment' dummy-match, which allows you to put
358	  comments in your iptables ruleset.
359
360	  If you want to compile it as a module, say M here and read
361	  <file:Documentation/modules.txt>.  If unsure, say `N'.
362
363config IP_NF_MATCH_CONNMARK
364	tristate  'Connection mark match support'
365	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES
366	help
367	  This option adds a `connmark' match, which allows you to match the
368	  connection mark value previously set for the session by `CONNMARK'.
369
370	  If you want to compile it as a module, say M here and read
371	  <file:Documentation/modules.txt>.  The module will be called
372	  ipt_connmark.o.  If unsure, say `N'.
373
374config IP_NF_MATCH_HASHLIMIT
375	tristate  'hashlimit match support'
376	depends on IP_NF_IPTABLES
377	help
378	  This option adds a new iptables `hashlimit' match.
379
380	  As opposed to `limit', this match dynamically creates a hash table
381	  of limit buckets, based on your selection of source/destination
382	  ip addresses and/or ports.
383
384	  It enables you to express policies like `10kpps for any given
385	  destination IP' or `500pps from any given source IP'  with a single
386	  IPtables rule.
387
388# `filter', generic and specific targets
389config IP_NF_FILTER
390	tristate "Packet filtering"
391	depends on IP_NF_IPTABLES
392	help
393	  Packet filtering defines a table `filter', which has a series of
394	  rules for simple packet filtering at local input, forwarding and
395	  local output.  See the man page for iptables(8).
396
397	  To compile it as a module, choose M here.  If unsure, say N.
398
399config IP_NF_TARGET_REJECT
400	tristate "REJECT target support"
401	depends on IP_NF_FILTER
402	help
403	  The REJECT target allows a filtering rule to specify that an ICMP
404	  error should be issued in response to an incoming packet, rather
405	  than silently being dropped.
406
407	  To compile it as a module, choose M here.  If unsure, say N.
408
409config IP_NF_TARGET_LOG
410	tristate "LOG target support"
411	depends on IP_NF_IPTABLES
412	help
413	  This option adds a `LOG' target, which allows you to create rules in
414	  any iptables table which records the packet header to the syslog.
415
416	  To compile it as a module, choose M here.  If unsure, say N.
417
418config IP_NF_TARGET_ULOG
419	tristate "ULOG target support"
420	depends on IP_NF_IPTABLES
421	---help---
422	  This option adds a `ULOG' target, which allows you to create rules in
423	  any iptables table. The packet is passed to a userspace logging
424	  daemon using netlink multicast sockets; unlike the LOG target
425	  which can only be viewed through syslog.
426
427	  The appropriate userspace logging daemon (ulogd) may be obtained from
428	  <http://www.gnumonks.org/projects/ulogd/>
429
430	  To compile it as a module, choose M here.  If unsure, say N.
431
432config IP_NF_TARGET_TCPMSS
433	tristate "TCPMSS target support"
434	depends on IP_NF_IPTABLES
435	---help---
436	  This option adds a `TCPMSS' target, which allows you to alter the
437	  MSS value of TCP SYN packets, to control the maximum size for that
438	  connection (usually limiting it to your outgoing interface's MTU
439	  minus 40).
440
441	  This is used to overcome criminally braindead ISPs or servers which
442	  block ICMP Fragmentation Needed packets.  The symptoms of this
443	  problem are that everything works fine from your Linux
444	  firewall/router, but machines behind it can never exchange large
445	  packets:
446	  	1) Web browsers connect, then hang with no data received.
447	  	2) Small mail works fine, but large emails hang.
448	  	3) ssh works fine, but scp hangs after initial handshaking.
449
450	  Workaround: activate this option and add a rule to your firewall
451	  configuration like:
452
453	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
454	  		 -j TCPMSS --clamp-mss-to-pmtu
455
456	  To compile it as a module, choose M here.  If unsure, say N.
457
458# NAT + specific targets
459config IP_NF_NAT
460	tristate "Full NAT"
461	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
462	help
463	  The Full NAT option allows masquerading, port forwarding and other
464	  forms of full Network Address Port Translation.  It is controlled by
465	  the `nat' table in iptables: see the man page for iptables(8).
466
467	  To compile it as a module, choose M here.  If unsure, say N.
468
469config IP_NF_NAT_NEEDED
470	bool
471	depends on IP_NF_NAT != n
472	default y
473
474config IP_NF_TARGET_MASQUERADE
475	tristate "MASQUERADE target support"
476	depends on IP_NF_NAT
477	help
478	  Masquerading is a special case of NAT: all outgoing connections are
479	  changed to seem to come from a particular interface's address, and
480	  if the interface goes down, those connections are lost.  This is
481	  only useful for dialup accounts with dynamic IP address (ie. your IP
482	  address will be different on next dialup).
483
484	  To compile it as a module, choose M here.  If unsure, say N.
485
486config IP_NF_TARGET_REDIRECT
487	tristate "REDIRECT target support"
488	depends on IP_NF_NAT
489	help
490	  REDIRECT is a special case of NAT: all incoming connections are
491	  mapped onto the incoming interface's address, causing the packets to
492	  come to the local machine instead of passing through.  This is
493	  useful for transparent proxies.
494
495	  To compile it as a module, choose M here.  If unsure, say N.
496
497config IP_NF_TARGET_NETMAP
498	tristate "NETMAP target support"
499	depends on IP_NF_NAT
500	help
501	  NETMAP is an implementation of static 1:1 NAT mapping of network
502	  addresses. It maps the network address part, while keeping the host
503	  address part intact. It is similar to Fast NAT, except that
504	  Netfilter's connection tracking doesn't work well with Fast NAT.
505
506	  To compile it as a module, choose M here.  If unsure, say N.
507
508config IP_NF_TARGET_SAME
509	tristate "SAME target support"
510	depends on IP_NF_NAT
511	help
512	  This option adds a `SAME' target, which works like the standard SNAT
513	  target, but attempts to give clients the same IP for all connections.
514
515	  To compile it as a module, choose M here.  If unsure, say N.
516
517config IP_NF_NAT_SNMP_BASIC
518	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
519	depends on EXPERIMENTAL && IP_NF_NAT
520	---help---
521
522	  This module implements an Application Layer Gateway (ALG) for
523	  SNMP payloads.  In conjunction with NAT, it allows a network
524	  management system to access multiple private networks with
525	  conflicting addresses.  It works by modifying IP addresses
526	  inside SNMP payloads to match IP-layer NAT mapping.
527
528	  This is the "basic" form of SNMP-ALG, as described in RFC 2962
529
530	  To compile it as a module, choose M here.  If unsure, say N.
531
532config IP_NF_NAT_IRC
533	tristate
534	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
535	default IP_NF_NAT if IP_NF_IRC=y
536	default m if IP_NF_IRC=m
537
538# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
539# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.  Argh.
540config IP_NF_NAT_FTP
541	tristate
542	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
543	default IP_NF_NAT if IP_NF_FTP=y
544	default m if IP_NF_FTP=m
545
546config IP_NF_NAT_TFTP
547	tristate
548	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
549	default IP_NF_NAT if IP_NF_TFTP=y
550	default m if IP_NF_TFTP=m
551
552config IP_NF_NAT_AMANDA
553	tristate
554	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
555	default IP_NF_NAT if IP_NF_AMANDA=y
556	default m if IP_NF_AMANDA=m
557
558# mangle + specific targets
559config IP_NF_MANGLE
560	tristate "Packet mangling"
561	depends on IP_NF_IPTABLES
562	help
563	  This option adds a `mangle' table to iptables: see the man page for
564	  iptables(8).  This table is used for various packet alterations
565	  which can affect how the packet is routed.
566
567	  To compile it as a module, choose M here.  If unsure, say N.
568
569config IP_NF_TARGET_TOS
570	tristate "TOS target support"
571	depends on IP_NF_MANGLE
572	help
573	  This option adds a `TOS' target, which allows you to create rules in
574	  the `mangle' table which alter the Type Of Service field of an IP
575	  packet prior to routing.
576
577	  To compile it as a module, choose M here.  If unsure, say N.
578
579config IP_NF_TARGET_ECN
580	tristate "ECN target support"
581	depends on IP_NF_MANGLE
582	---help---
583	  This option adds a `ECN' target, which can be used in the iptables mangle
584	  table.
585
586	  You can use this target to remove the ECN bits from the IPv4 header of
587	  an IP packet.  This is particularly useful, if you need to work around
588	  existing ECN blackholes on the internet, but don't want to disable
589	  ECN support in general.
590
591	  To compile it as a module, choose M here.  If unsure, say N.
592
593config IP_NF_TARGET_DSCP
594	tristate "DSCP target support"
595	depends on IP_NF_MANGLE
596	help
597	  This option adds a `DSCP' match, which allows you to match against
598	  the IPv4 header DSCP field (DSCP codepoint).
599
600	  The DSCP codepoint can have any value between 0x0 and 0x4f.
601
602	  To compile it as a module, choose M here.  If unsure, say N.
603
604config IP_NF_TARGET_MARK
605	tristate "MARK target support"
606	depends on IP_NF_MANGLE
607	help
608	  This option adds a `MARK' target, which allows you to create rules
609	  in the `mangle' table which alter the netfilter mark (nfmark) field
610	  associated with the packet prior to routing. This can change
611	  the routing method (see `Use netfilter MARK value as routing
612	  key') and can also be used by other subsystems to change their
613	  behavior.
614
615	  To compile it as a module, choose M here.  If unsure, say N.
616
617config IP_NF_TARGET_CLASSIFY
618	tristate "CLASSIFY target support"
619	depends on IP_NF_MANGLE
620	help
621	  This option adds a `CLASSIFY' target, which enables the user to set
622	  the priority of a packet. Some qdiscs can use this value for
623	  classification, among these are:
624
625  	  atm, cbq, dsmark, pfifo_fast, htb, prio
626
627	  To compile it as a module, choose M here.  If unsure, say N.
628
629config IP_NF_TARGET_CONNMARK
630	tristate  'CONNMARK target support'
631	depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE
632	help
633	  This option adds a `CONNMARK' target, which allows one to manipulate
634	  the connection mark value.  Similar to the MARK target, but
635	  affects the connection mark value rather than the packet mark value.
636
637	  If you want to compile it as a module, say M here and read
638	  <file:Documentation/modules.txt>.  The module will be called
639	  ipt_CONNMARK.o.  If unsure, say `N'.
640
641config IP_NF_TARGET_CLUSTERIP
642	tristate "CLUSTERIP target support (EXPERIMENTAL)"
643	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL
644	help
645	  The CLUSTERIP target allows you to build load-balancing clusters of
646	  network servers without having a dedicated load-balancing
647	  router/server/switch.
648
649	  To compile it as a module, choose M here.  If unsure, say N.
650
651# raw + specific targets
652config IP_NF_RAW
653	tristate  'raw table support (required for NOTRACK/TRACE)'
654	depends on IP_NF_IPTABLES
655	help
656	  This option adds a `raw' table to iptables. This table is the very
657	  first in the netfilter framework and hooks in at the PREROUTING
658	  and OUTPUT chains.
659
660	  If you want to compile it as a module, say M here and read
661	  <file:Documentation/modules.txt>.  If unsure, say `N'.
662
663config IP_NF_TARGET_NOTRACK
664	tristate  'NOTRACK target support'
665	depends on IP_NF_RAW
666	depends on IP_NF_CONNTRACK
667	help
668	  The NOTRACK target allows a rule to select packets that should
669	  *not* enter the conntrack/NAT subsystem, with all the
670	  consequences (no ICMP error tracking, no protocol helpers for
671	  the selected packets).
672
673	  If you want to compile it as a module, say M here and read
674	  <file:Documentation/modules.txt>.  If unsure, say `N'.
675
676
677# ARP tables
678config IP_NF_ARPTABLES
679	tristate "ARP tables support"
680	help
681	  arptables is a general, extensible packet identification framework.
682	  The ARP packet filtering and mangling (manipulation) subsystems
683	  use this: say Y or M here if you want to use either of those.
684
685	  To compile it as a module, choose M here.  If unsure, say N.
686
687config IP_NF_ARPFILTER
688	tristate "ARP packet filtering"
689	depends on IP_NF_ARPTABLES
690	help
691	  ARP packet filtering defines a table `filter', which has a series of
692	  rules for simple ARP packet filtering at local input and
693	  local output.  On a bridge, you can also specify filtering rules
694	  for forwarded ARP packets. See the man page for arptables(8).
695
696	  To compile it as a module, choose M here.  If unsure, say N.
697
698config IP_NF_ARP_MANGLE
699	tristate "ARP payload mangling"
700	depends on IP_NF_ARPTABLES
701	help
702	  Allows altering the ARP packet payload: source and destination
703	  hardware and network addresses.
704
705config IP_NF_CONNTRACK_NETLINK
706        tristate 'Connection tracking netlink interface'
707        depends on IP_NF_CONNTRACK && NETFILTER_NETLINK
708        help
709          This option enables support for a netlink-based userspace interface
710
711
712endmenu
713
714