#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# connection tracking, helpers and protocols
config IP_NF_CONNTRACK
	tristate "Connection tracking (required for masq/NAT)"
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT). It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config IP_NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on IP_NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config IP_NF_CONNTRACK_EVENTS
	bool "Connection tracking events"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config IP_NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  With this option enabled, the connection tracking code will
	  be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_IRC
	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	---help---
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC). This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server. DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots. If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats. Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_NETBIOS_NS
	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port. This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts. This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses. It relies on correct IP address configuration, specifically
	  netmask and broadcast address. When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TFTP
	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper, this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_AMANDA
	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature. This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# The matches.
config IP_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP_NF_IPTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address
	  ranges.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP_NF_IPTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PKTTYPE
	tristate "Packet type match support"
	depends on IP_NF_IPTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP_NF_IPTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_AH_ESP
	tristate "AH/ESP match support"
	depends on IP_NF_IPTABLES
	help
	  These two match extensions (`ah' and `esp') allow you to match a
	  range of SPIs inside AH or ESP headers of IPSec packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_LENGTH
	tristate "LENGTH match support"
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_TCPMSS
	tristate "tcpmss match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_HELPER
	tristate "Helper match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, ie. ip_conntrack_ftp

	  To compile it as a module, choose M here. If unsure, say Y.

config IP_NF_MATCH_STATE
	tristate "Connection state match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets). This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_CONNTRACK
	tristate "Connection tracking match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_REALM
	tristate 'realm match support'
	depends on IP_NF_IPTABLES
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_SCTP
	tristate 'SCTP protocol match support'
	depends on IP_NF_IPTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_DCCP
	tristate 'DCCP protocol match support'
	depends on IP_NF_IPTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `dccp' match in order to match on DCCP source/destination ports
	  and DCCP flags.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_COMMENT
	tristate 'comment match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_CONNMARK
	tristate 'Connection mark match support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  ipt_connmark.o. If unsure, say `N'.

config IP_NF_MATCH_CONNBYTES
	tristate 'Connection byte/packet counter match support'
	depends on IP_NF_CT_ACCT && IP_NF_IPTABLES
	help
	  This option adds a `connbytes' match, which allows you to match the
	  number of bytes and/or packets for each direction within a connection.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_MATCH_HASHLIMIT
	tristate 'hashlimit match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a new iptables `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  ip addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination IP' or `500pps from any given source IP' with a single
	  IPtables rule.

config IP_NF_MATCH_STRING
	tristate 'string match support'
	depends on IP_NF_IPTABLES
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	select TEXTSEARCH_BM
	select TEXTSEARCH_FSM
	help
	  This option adds a `string' match, which allows you to look for
	  pattern matchings in packets.

	  To compile it as a module, choose M here. If unsure, say N.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets. The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	  1) Web browsers connect, then hang with no data received.
	  2) Small mail works fine, but large emails hang.
	  3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	           -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets
config IP_NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_NEEDED
	bool
	depends on IP_NF_NAT != n
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on IP_NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on IP_NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through. This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on IP_NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	depends on IP_NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads. In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses. It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet. This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_DSCP
	tristate "DSCP target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CLASSIFY
	tristate "CLASSIFY target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values. This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_TARGET_CONNMARK
	tristate 'CONNMARK target support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value. Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. The module will be called
	  ipt_CONNMARK.o. If unsure, say `N'.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here. If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

config IP_NF_TARGET_NOTRACK
	tristate 'NOTRACK target support'
	depends on IP_NF_RAW
	depends on IP_NF_CONNTRACK
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.


# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output. On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

config IP_NF_CONNTRACK_NETLINK
	tristate 'Connection tracking netlink interface'
	depends on IP_NF_CONNTRACK && NETFILTER_NETLINK
	help
	  This option enables support for a netlink-based userspace interface

endmenu