git.ipfire.org Git - thirdparty/linux.git/blob - net/ipv4/netfilter/Kconfig
Linux-2.6.12-rc2
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

# connection tracking, helpers and protocols
config IP_NF_CONNTRACK
	tristate "Connection tracking (required for masq/NAT)"
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT).  It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config IP_NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match. Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config IP_NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  With this option enabled, the connection tracking code will
	  be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_IRC
	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	---help---
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_TFTP
	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper; this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADE
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_AMANDA
	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_QUEUE
	tristate "Userspace queueing via NETLINK"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

# The matches.
config IP_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP_NF_IPTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP
	  address ranges.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP_NF_IPTABLES
	help
	  MAC matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_PKTTYPE
	tristate "Packet type match support"
	depends on IP_NF_IPTABLES
	help
	  Packet type matching allows you to match a packet by
	  its "class", eg. BROADCAST, MULTICAST, ...

	  Typical usage:
	  iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP_NF_IPTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet.  This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_DSCP
	tristate "DSCP match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_AH_ESP
	tristate "AH/ESP match support"
	depends on IP_NF_IPTABLES
	help
	  These two match extensions (`ah' and `esp') allow you to match a
	  range of SPIs inside AH or ESP headers of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_LENGTH
	tristate "LENGTH match support"
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds the CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TCPMSS
	tristate "tcpmss match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `tcpmss' match, which allows you to examine the
	  MSS value of TCP SYN packets, which control the maximum packet size
	  for that connection.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_HELPER
	tristate "Helper match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Helper matching allows you to match packets in dynamic connections
	  tracked by a conntrack-helper, ie. ip_conntrack_ftp

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_MATCH_STATE
	tristate "Connection state match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  Connection state matching allows you to match packets based on their
	  relationship to a tracked connection (ie. previous packets).  This
	  is a powerful tool for packet classification.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_CONNTRACK
	tristate "Connection tracking match support"
	depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
	help
	  This is a general conntrack match module, a superset of the state match.

	  It allows matching on additional conntrack information, which is
	  useful in complex configurations, such as NAT gateways with multiple
	  internet links or tunnels.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_REALM
	tristate 'realm match support'
	depends on IP_NF_IPTABLES
	select NET_CLS_ROUTE
	help
	  This option adds a `realm' match, which allows you to use the realm
	  key from the routing subsystem inside iptables.

	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	  in tc world.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_SCTP
	tristate 'SCTP protocol match support'
	depends on IP_NF_IPTABLES
	help
	  With this option enabled, you will be able to use the iptables
	  `sctp' match in order to match on SCTP source/destination ports
	  and SCTP chunk types.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_COMMENT
	tristate 'comment match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `comment' dummy-match, which allows you to put
	  comments in your iptables ruleset.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_CONNMARK
	tristate 'Connection mark match support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  The module will be called
	  ipt_connmark.o.  If unsure, say `N'.

config IP_NF_MATCH_HASHLIMIT
	tristate 'hashlimit match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a new iptables `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  ip addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination IP' or `500pps from any given source IP' with a single
	  IPtables rule.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	  	1) Web browsers connect, then hang with no data received.
	  	2) Small mail works fine, but large emails hang.
	  	3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	  		 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets
config IP_NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_NEEDED
	bool
	depends on IP_NF_NAT != n
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on IP_NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on IP_NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through.  This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on IP_NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	depends on IP_NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.  Argh.
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_DSCP
	tristate "DSCP target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLASSIFY
	tristate "CLASSIFY target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

	  	atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CONNMARK
	tristate 'CONNMARK target support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value.  Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  The module will be called
	  ipt_CONNMARK.o.  If unsure, say `N'.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_TARGET_NOTRACK
	tristate 'NOTRACK target support'
	depends on IP_NF_RAW
	depends on IP_NF_CONNTRACK
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.


# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endmenu

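Added example, not part of the kernel source: a Python check that reads a `.config` and evaluates the rules this file gives for the hidden `IP_NF_NAT_FTP`, `IP_NF_NAT_IRC`, `IP_NF_NAT_TFTP` and `IP_NF_NAT_AMANDA` symbols (the weaker of `IP_NF_NAT` and the helper), and lists which conntrack helpers a kernel was built with. The function names and the sample `.config` text are constructed for illustration.

```python
import re

# Kconfig tristate ordering: n < m < y.
RANK = {"n": 0, "m": 1, "y": 2}

# Conntrack helpers from this Kconfig and the hidden NAT symbol each one drives.
HELPERS = {
    "IP_NF_FTP": "IP_NF_NAT_FTP",
    "IP_NF_IRC": "IP_NF_NAT_IRC",
    "IP_NF_TFTP": "IP_NF_NAT_TFTP",
    "IP_NF_AMANDA": "IP_NF_NAT_AMANDA",
}

_SET = re.compile(r"^CONFIG_([A-Z0-9_]+)=([ym])$")


def parse_dotconfig(text):
    """Return {symbol: 'y' | 'm'}; unset symbols are simply absent (read as 'n')."""
    values = {}
    for line in text.splitlines():
        m = _SET.match(line.strip())
        if m:
            values[m.group(1)] = m.group(2)
    return values


def weaker(a, b):
    """The 'whichever is weaker' rule from the comment above IP_NF_NAT_FTP."""
    return a if RANK[a] <= RANK[b] else b


def expected_nat_helper(cfg, helper):
    """Evaluate the depends/default lines of the hidden IP_NF_NAT_* symbol."""
    get = lambda sym: cfg.get(sym, "n")
    # depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
    if "n" in (get("IP_NF_IPTABLES"), get("IP_NF_CONNTRACK"), get("IP_NF_NAT")):
        return "n"
    if get(helper) == "y":      # default IP_NF_NAT if <helper>=y
        return get("IP_NF_NAT")
    if get(helper) == "m":      # default m if <helper>=m
        return "m"
    return "n"


def audit(text):
    """List enabled helpers and NAT helper symbols that break the rules above."""
    cfg = parse_dotconfig(text)
    report = {"helpers": {}, "mismatches": []}
    for helper, nat_sym in HELPERS.items():
        state = cfg.get(helper, "n")
        if state != "n":
            report["helpers"][helper] = state
        want = expected_nat_helper(cfg, helper)
        have = cfg.get(nat_sym, "n")
        if want != have:
            report["mismatches"].append((nat_sym, have, want))
    return report


# Constructed sample: IP_NF_NAT_AMANDA was hand-edited to 'y' although NAT is 'm'.
SAMPLE = """\
CONFIG_IP_NF_CONNTRACK=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_IP_NF_NAT=m
CONFIG_IP_NF_FTP=y
CONFIG_IP_NF_NAT_FTP=m
CONFIG_IP_NF_IRC=m
CONFIG_IP_NF_NAT_IRC=m
# CONFIG_IP_NF_TFTP is not set
CONFIG_IP_NF_AMANDA=y
CONFIG_IP_NF_NAT_AMANDA=y
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

The `helpers` entry is the part worth reviewing on a firewall build: each listed helper lets conntrack accept the secondary connections that protocol negotiates.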