#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# connection tracking, helpers and protocols
config IP_NF_CONNTRACK
	tristate "Connection tracking (required for masq/NAT)"
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT).  It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config IP_NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config IP_NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  With this option enabled, the connection tracking code will
	  be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_IRC
	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	---help---
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_TFTP
	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper; this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_AMANDA
	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_QUEUE
	tristate "Userspace queueing via NETLINK"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

# The matches.
config IP_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP_NF_IPTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP
	  address ranges.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP_NF_IPTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_PKTTYPE
	tristate "Packet type match support"
	depends on IP_NF_IPTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP_NF_IPTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet.  This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_AH_ESP
	tristate "AH/ESP match support"
	depends on IP_NF_IPTABLES
	help
	  These two match extensions (`ah' and `esp') allow you to match a
	  range of SPIs inside AH or ESP headers of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_LENGTH
	tristate "LENGTH match support"
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TCPMSS
	tristate "tcpmss match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_HELPER
	tristate "Helper match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, ie. ip_conntrack_ftp

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_MATCH_STATE
	tristate "Connection state match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets).  This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_CONNTRACK
	tristate "Connection tracking match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_REALM
	tristate 'realm match support'
	depends on IP_NF_IPTABLES
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_SCTP
	tristate 'SCTP protocol match support'
	depends on IP_NF_IPTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_COMMENT
	tristate 'comment match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_CONNMARK
	tristate 'Connection mark match support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  The module will be called
	  ipt_connmark.o.  If unsure, say `N'.

config IP_NF_MATCH_HASHLIMIT
	tristate 'hashlimit match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a new iptables `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  ip addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination IP' or `500pps from any given source IP' with a single
	  iptables rule.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which record the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	  	1) Web browsers connect, then hang with no data received.
	  	2) Small mail works fine, but large emails hang.
	  	3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	  		 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets
config IP_NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_NEEDED
	bool
	depends on IP_NF_NAT != n
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on IP_NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on IP_NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through.  This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on IP_NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	depends on IP_NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.  Argh.
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_DSCP
	tristate "DSCP target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLASSIFY
	tristate "CLASSIFY target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CONNMARK
	tristate 'CONNMARK target support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value.  Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  The module will be called
	  ipt_CONNMARK.o.  If unsure, say `N'.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_TARGET_NOTRACK
	tristate 'NOTRACK target support'
	depends on IP_NF_RAW
	depends on IP_NF_CONNTRACK
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.


# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

	endmenu
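
The `depends on` lines above cap each option at the value of its prerequisites (n < m < y, with `&&` taking the minimum), so a hand-edited .config can request a match or target that the build will not provide at that level. The Python below is an added example, not part of the kernel tree: it audits a .config fragment against a few of those entries. The excerpt, the .config values and the function names are constructed for illustration; only `&&`, `||`, `=` and `!=` are handled (enough for every `depends on` line in this file), and menu-level dependencies are ignored.

```python
import re

TRI = {"n": 0, "m": 1, "y": 2}
# Constructed excerpt of the Kconfig above (prompts and help text omitted).
KCONFIG = """
config IP_NF_CT_ACCT
	bool
	depends on IP_NF_CONNTRACK
config IP_NF_MATCH_STATE
	tristate
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
config IP_NF_TARGET_NOTRACK
	tristate
	depends on IP_NF_RAW
	depends on IP_NF_CONNTRACK
config IP_NF_NAT_NEEDED
	bool
	depends on IP_NF_NAT != n
"""

# Constructed .config fragment, as if edited by hand.
DOTCONFIG = """
CONFIG_IP_NF_CONNTRACK=m
CONFIG_IP_NF_CT_ACCT=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_MATCH_STATE=y
# CONFIG_IP_NF_RAW is not set
CONFIG_IP_NF_TARGET_NOTRACK=m
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_NAT_NEEDED=y
"""


def parse_kconfig(text):
    """Return {symbol: [type, [dependency expressions]]}."""
    symbols, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("config "):
            cur = symbols.setdefault(line.split()[1], ["tristate", []])
        elif cur and line.split(None, 1)[:1] in (["bool"], ["tristate"]):
            cur[0] = line.split()[0]
        elif cur and line.startswith("depends on "):
            cur[1].append(line[len("depends on "):])
    return symbols


def evaluate(expr, values):
    """Evaluate `A && B`, `A || B`, `A = B`, `A != B` to 0 (n), 1 (m), 2 (y)."""
    def sym(name):
        return TRI[name] if name in TRI else values.get(name, 0)
    def term(text):
        m = re.fullmatch(r"\s*(\w+)\s*(!=|=)\s*(\w+)\s*", text)
        if m:  # a comparison yields y when it holds, n otherwise
            return 2 if (sym(m[1]) == sym(m[3])) == (m[2] == "=") else 0
        return sym(text.strip())
    # `&&` is the minimum of its operands, `||` the maximum.
    return max(min(term(t) for t in alt.split("&&"))
               for alt in expr.split("||"))


def audit(kconfig_text, dotconfig_text):
    """List (symbol, configured, allowed) where a value exceeds its limit."""
    values = {name: TRI[val] for name, val in
              re.findall(r"^CONFIG_(\w+)=([ym])$", dotconfig_text, re.M)}
    findings = []
    for name, (kind, deps) in parse_kconfig(kconfig_text).items():
        limit = min([evaluate(d, values) for d in deps], default=2)
        if kind == "bool" and limit == 1:
            limit = 2  # a bool may be y when its dependency is only m
        if values.get(name, 0) > limit:
            findings.append((name, "nmy"[values[name]], "nmy"[limit]))
    return findings


if __name__ == "__main__":
    print(audit(KCONFIG, DOTCONFIG))
```

Each finding is a tuple of symbol, configured value and the highest value its dependencies allow; here the state match is requested built-in while conntrack is only a module, and NOTRACK is requested without the raw table.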