[linux-2.6-block.git] / net / ipv4 / netfilter / Kconfig

# SPDX-License-Identifier: GPL-2.0-only
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_DEFRAG_IPV4
	tristate
	default n

config NF_SOCKET_IPV4
	tristate "IPv4 socket lookup support"
	help
	  This option enables the IPv4 socket lookup infrastructure. This is
	  is required by the {ip,nf}tables socket match.

config NF_TPROXY_IPV4
	tristate "IPv4 tproxy support"

if NF_TABLES

config NF_TABLES_IPV4
	bool "IPv4 nf_tables support"
	help
	  This option enables the IPv4 support for nf_tables.

if NF_TABLES_IPV4

config NFT_REJECT_IPV4
	select NF_REJECT_IPV4
	default NFT_REJECT
	tristate

config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.

config NFT_FIB_IPV4
	select NFT_FIB
	tristate "nf_tables fib / ip route lookup support"
	help
	  This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV4

config NF_TABLES_ARP
	bool "ARP nf_tables support"
	select NETFILTER_FAMILY_ARP
	help
	  This option enables the ARP support for nf_tables.

endif # NF_TABLES

config NF_FLOW_TABLE_IPV4
	tristate "Netfilter flow table IPv4 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv4 support.

	  To compile it as a module, choose M here.

config NF_DUP_IPV4
	tristate "Netfilter IPv4 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	  packet to be rerouted to another destination.

config NF_LOG_ARP
	tristate "ARP packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_LOG_IPV4
	tristate "IPv4 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_REJECT_IPV4
	tristate "IPv4 packet rejection"
	default m if NETFILTER_ADVANCED=n

if NF_NAT
config NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support"
	depends on NF_CONNTRACK_SNMP
	depends on NETFILTER_ADVANCED
	default NF_NAT && NF_CONNTRACK_SNMP
	select ASN1
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_NAT_PPTP
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_PPTP

config NF_NAT_H323
	tristate
	depends on NF_CONNTRACK
	default NF_CONNTRACK_H323

endif # NF_NAT

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	default m if NETFILTER_ADVANCED=n
	select NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.
config IP_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate '"ecn" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_ECN
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_ECN.

config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ipt_rpfilter.

config IP_NF_MATCH_TTL
	tristate '"ttl" match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NAT + specific targets: nf_conntrack
config IP_NF_NAT
	tristate "iptables NAT support"
	depends on NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_NAT

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NETFILTER_XT_TARGET_MASQUERADE
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_NETMAP
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_NETMAP.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_TARGET_REDIRECT
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_REDIRECT.

endif # IP_NF_NAT

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support"
	depends on IP_NF_MANGLE
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_CONNTRACK_MARK
	select NETFILTER_FAMILY_ARP
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.
	
	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on NETFILTER_ADVANCED
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.  

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate '"TTL" target support'
	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

# raw + specific targets
config IP_NF_RAW
	tristate  'raw table support (required for NOTRACK/TRACE)'
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.
	 
	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	select NETFILTER_FAMILY_ARP
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu
Commit	Line	Data
ec8f24b7	1	# SPDX-License-Identifier: GPL-2.0-only
1da177e4 LT	2	#
	3	# IP netfilter configuration
	4	#
	5
	6	menu "IP: Netfilter Configuration"
	7	depends on INET && NETFILTER
	8
73e4022f KK	9	config NF_DEFRAG_IPV4
	10	tristate
	11	default n
	12
8db4c5be PNA	13	config NF_SOCKET_IPV4
	14	tristate "IPv4 socket lookup support"
	15	help
	16	This option enables the IPv4 socket lookup infrastructure. This is
45ca4e0c ME	17	is required by the {ip,nf}tables socket match.
	18
	19	config NF_TPROXY_IPV4
	20	tristate "IPv4 tproxy support"
8db4c5be	21
f04e599e	22	if NF_TABLES
c1878869	23
96518518	24	config NF_TABLES_IPV4
02c7b25e	25	bool "IPv4 nf_tables support"
d497c635 PNA	26	help
d497c635 PNA	27	This option enables the IPv4 support for nf_tables.
96518518	28
f04e599e PNA	29	if NF_TABLES_IPV4
f04e599e PNA	30
cc4723ca	31	config NFT_REJECT_IPV4
c8d7b98b	32	select NF_REJECT_IPV4
cc4723ca PM	33	default NFT_REJECT
	34	tristate
	35
d877f071 PNA	36	config NFT_DUP_IPV4
d877f071 PNA	37	tristate "IPv4 nf_tables packet duplication support"
d3340b79	38	depends on !NF_CONNTRACK \|\| NF_CONNTRACK
d877f071 PNA	39	select NF_DUP_IPV4
	40	help
	41	This module enables IPv4 packet duplication support for nf_tables.
	42
f6d0cbcf FW	43	config NFT_FIB_IPV4
	44	select NFT_FIB
	45	tristate "nf_tables fib / ip route lookup support"
	46	help
	47	This module enables IPv4 FIB lookups, e.g. for reverse path filtering.
	48	It also allows query of the FIB for the route type, e.g. local, unicast,
	49	multicast or blackhole.
	50
f04e599e PNA	51	endif # NF_TABLES_IPV4
f04e599e PNA	52
ed683f13	53	config NF_TABLES_ARP
02c7b25e	54	bool "ARP nf_tables support"
2a95183a	55	select NETFILTER_FAMILY_ARP
d497c635 PNA	56	help
d497c635 PNA	57	This option enables the ARP support for nf_tables.
ed683f13	58
f04e599e PNA	59	endif # NF_TABLES
f04e599e PNA	60
97add9f0	61	config NF_FLOW_TABLE_IPV4
97add9f0	62	tristate "Netfilter flow table IPv4 module"
6be3bcd7	63	depends on NF_FLOW_TABLE
97add9f0 PNA	64	help
	65	This option adds the flow table IPv4 support.
	66
	67	To compile it as a module, choose M here.
	68
bbde9fc1 PNA	69	config NF_DUP_IPV4
bbde9fc1 PNA	70	tristate "Netfilter IPv4 packet duplication to alternate destination"
6ece90f9	71	depends on !NF_CONNTRACK \|\| NF_CONNTRACK
bbde9fc1 PNA	72	help
	73	This option enables the nf_dup_ipv4 core, which duplicates an IPv4
	74	packet to be rerouted to another destination.
	75
f04e599e PNA	76	config NF_LOG_ARP
	77	tristate "ARP packet logging"
	78	default m if NETFILTER_ADVANCED=n
	79	select NF_LOG_COMMON
	80
	81	config NF_LOG_IPV4
	82	tristate "IPv4 packet logging"
	83	default m if NETFILTER_ADVANCED=n
	84	select NF_LOG_COMMON
	85
	86	config NF_REJECT_IPV4
	87	tristate "IPv4 packet rejection"
	88	default m if NETFILTER_ADVANCED=n
	89
3bf195ae	90	if NF_NAT
8993cf8e PNA	91	config NF_NAT_SNMP_BASIC
	92	tristate "Basic SNMP-ALG support"
	93	depends on NF_CONNTRACK_SNMP
	94	depends on NETFILTER_ADVANCED
	95	default NF_NAT && NF_CONNTRACK_SNMP
cc2d5863	96	select ASN1
8993cf8e PNA	97	---help---
	98
	99	This module implements an Application Layer Gateway (ALG) for
	100	SNMP payloads. In conjunction with NAT, it allows a network
	101	management system to access multiple private networks with
	102	conflicting addresses. It works by modifying IP addresses
	103	inside SNMP payloads to match IP-layer NAT mapping.
	104
	105	This is the "basic" form of SNMP-ALG, as described in RFC 2962
	106
	107	To compile it as a module, choose M here. If unsure, say N.
	108
8993cf8e PNA	109	config NF_NAT_PPTP
	110	tristate
	111	depends on NF_CONNTRACK
	112	default NF_CONNTRACK_PPTP
8993cf8e PNA	113
	114	config NF_NAT_H323
	115	tristate
	116	depends on NF_CONNTRACK
	117	default NF_CONNTRACK_H323
	118
3bf195ae	119	endif # NF_NAT
8993cf8e	120
1da177e4 LT	121	config IP_NF_IPTABLES
1da177e4 LT	122	tristate "IP tables support (required for filtering/masq/NAT)"
33b8e776	123	default m if NETFILTER_ADVANCED=n
a3c941b0	124	select NETFILTER_XTABLES
1da177e4 LT	125	help
	126	iptables is a general, extensible packet identification framework.
	127	The packet filtering and full NAT (masquerading, port forwarding,
	128	etc) subsystems now use this: say `Y' or `M' here if you want to use
	129	either of those.
	130
	131	To compile it as a module, choose M here. If unsure, say N.
	132
c2df73de JE	133	if IP_NF_IPTABLES
c2df73de JE	134
1da177e4	135	# The matches.
dc5ab2fa	136	config IP_NF_MATCH_AH
4c37799c	137	tristate '"ah" match support'
33b8e776	138	depends on NETFILTER_ADVANCED
1da177e4	139	help
dc5ab2fa YK	140	This match extension allows you to match a range of SPIs
dc5ab2fa YK	141	inside AH header of IPSec packets.
1da177e4 LT	142
	143	To compile it as a module, choose M here. If unsure, say N.
	144
aba0d348 JE	145	config IP_NF_MATCH_ECN
aba0d348 JE	146	tristate '"ecn" match support'
33b8e776	147	depends on NETFILTER_ADVANCED
d446a820 JE	148	select NETFILTER_XT_MATCH_ECN
	149	---help---
	150	This is a backwards-compat option for the user's convenience
	151	(e.g. when running oldconfig). It selects
	152	CONFIG_NETFILTER_XT_MATCH_ECN.
1da177e4	153
8f97339d FW	154	config IP_NF_MATCH_RPFILTER
8f97339d FW	155	tristate '"rpfilter" reverse path filter match support'
f09becc7 PNA	156	depends on NETFILTER_ADVANCED
f09becc7 PNA	157	depends on IP_NF_MANGLE \|\| IP_NF_RAW
8f97339d FW	158	---help---
	159	This option allows you to match packets whose replies would
	160	go out via the interface the packet came in.
	161
	162	To compile it as a module, choose M here. If unsure, say N.
	163	The module will be called ipt_rpfilter.
	164
4323362e JE	165	config IP_NF_MATCH_TTL
	166	tristate '"ttl" match support'
	167	depends on NETFILTER_ADVANCED
	168	select NETFILTER_XT_MATCH_HL
	169	---help---
	170	This is a backwards-compat option for the user's convenience
	171	(e.g. when running oldconfig). It selects
67c0d579	172	CONFIG_NETFILTER_XT_MATCH_HL.
4323362e	173
1da177e4 LT	174	# `filter', generic and specific targets
	175	config IP_NF_FILTER
	176	tristate "Packet filtering"
33b8e776	177	default m if NETFILTER_ADVANCED=n
1da177e4 LT	178	help
	179	Packet filtering defines a table `filter', which has a series of
	180	rules for simple packet filtering at local input, forwarding and
	181	local output. See the man page for iptables(8).
	182
	183	To compile it as a module, choose M here. If unsure, say N.
	184
	185	config IP_NF_TARGET_REJECT
	186	tristate "REJECT target support"
	187	depends on IP_NF_FILTER
c8d7b98b	188	select NF_REJECT_IPV4
33b8e776	189	default m if NETFILTER_ADVANCED=n
1da177e4 LT	190	help
	191	The REJECT target allows a filtering rule to specify that an ICMP
	192	error should be issued in response to an incoming packet, rather
	193	than silently being dropped.
	194
	195	To compile it as a module, choose M here. If unsure, say N.
	196
48b1de4c PM	197	config IP_NF_TARGET_SYNPROXY
	198	tristate "SYNPROXY target support"
	199	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	200	select NETFILTER_SYNPROXY
	201	select SYN_COOKIES
	202	help
	203	The SYNPROXY target allows you to intercept TCP connections and
	204	establish them using syncookies before they are passed on to the
	205	server. This allows to avoid conntrack and server resource usage
	206	during SYN-flood attacks.
	207
	208	To compile it as a module, choose M here. If unsure, say N.
	209
5b1158e9	210	# NAT + specific targets: nf_conntrack
8993cf8e PNA	211	config IP_NF_NAT
8993cf8e PNA	212	tristate "iptables NAT support"
a0ae2562	213	depends on NF_CONNTRACK
33b8e776	214	default m if NETFILTER_ADVANCED=n
c7232c99	215	select NF_NAT
8993cf8e	216	select NETFILTER_XT_NAT
5b1158e9	217	help
8993cf8e PNA	218	This enables the `nat' table in iptables. This allows masquerading,
	219	port forwarding and other forms of full Network Address Port
	220	Translation.
5b1158e9 JK	221
	222	To compile it as a module, choose M here. If unsure, say N.
	223
8993cf8e	224	if IP_NF_NAT
1da177e4 LT	225
	226	config IP_NF_TARGET_MASQUERADE
	227	tristate "MASQUERADE target support"
adf82acc	228	select NETFILTER_XT_TARGET_MASQUERADE
1da177e4	229	help
adf82acc FW	230	This is a backwards-compat option for the user's convenience
adf82acc FW	231	(e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
1da177e4	232
aba0d348 JE	233	config IP_NF_TARGET_NETMAP
aba0d348 JE	234	tristate "NETMAP target support"
33b8e776	235	depends on NETFILTER_ADVANCED
b3d54b3e JE	236	select NETFILTER_XT_TARGET_NETMAP
	237	---help---
	238	This is a backwards-compat option for the user's convenience
	239	(e.g. when running oldconfig). It selects
	240	CONFIG_NETFILTER_XT_TARGET_NETMAP.
1da177e4	241
aba0d348 JE	242	config IP_NF_TARGET_REDIRECT
aba0d348 JE	243	tristate "REDIRECT target support"
33b8e776	244	depends on NETFILTER_ADVANCED
2cbc78a2 JE	245	select NETFILTER_XT_TARGET_REDIRECT
	246	---help---
	247	This is a backwards-compat option for the user's convenience
	248	(e.g. when running oldconfig). It selects
	249	CONFIG_NETFILTER_XT_TARGET_REDIRECT.
1da177e4	250
8993cf8e	251	endif # IP_NF_NAT
f587de0e	252
1da177e4 LT	253	# mangle + specific targets
	254	config IP_NF_MANGLE
	255	tristate "Packet mangling"
33b8e776	256	default m if NETFILTER_ADVANCED=n
1da177e4 LT	257	help
	258	This option adds a `mangle' table to iptables: see the man page for
	259	iptables(8). This table is used for various packet alterations
	260	which can effect how the packet is routed.
	261
	262	To compile it as a module, choose M here. If unsure, say N.
	263
aba0d348	264	config IP_NF_TARGET_CLUSTERIP
aec9a0eb KC	265	tristate "CLUSTERIP target support"
aec9a0eb KC	266	depends on IP_NF_MANGLE
a0ae2562	267	depends on NF_CONNTRACK
aba0d348 JE	268	depends on NETFILTER_ADVANCED
aba0d348 JE	269	select NF_CONNTRACK_MARK
5ed001ba	270	select NETFILTER_FAMILY_ARP
aba0d348 JE	271	help
	272	The CLUSTERIP target allows you to build load-balancing clusters of
	273	network servers without having a dedicated load-balancing
	274	router/server/switch.
	275
	276	To compile it as a module, choose M here. If unsure, say N.
	277
1da177e4 LT	278	config IP_NF_TARGET_ECN
	279	tristate "ECN target support"
	280	depends on IP_NF_MANGLE
33b8e776	281	depends on NETFILTER_ADVANCED
1da177e4 LT	282	---help---
	283	This option adds a `ECN' target, which can be used in the iptables mangle
	284	table.
	285
	286	You can use this target to remove the ECN bits from the IPv4 header of
	287	an IP packet. This is particularly useful, if you need to work around
	288	existing ECN blackholes on the internet, but don't want to disable
	289	ECN support in general.
	290
	291	To compile it as a module, choose M here. If unsure, say N.
	292
4323362e JE	293	config IP_NF_TARGET_TTL
4323362e JE	294	tristate '"TTL" target support'
76b6717b	295	depends on NETFILTER_ADVANCED && IP_NF_MANGLE
4323362e JE	296	select NETFILTER_XT_TARGET_HL
4323362e JE	297	---help---
76b6717b	298	This is a backwards-compatible option for the user's convenience
4323362e	299	(e.g. when running oldconfig). It selects
67c0d579	300	CONFIG_NETFILTER_XT_TARGET_HL.
4323362e	301
1da177e4 LT	302	# raw + specific targets
	303	config IP_NF_RAW
	304	tristate 'raw table support (required for NOTRACK/TRACE)'
1da177e4 LT	305	help
	306	This option adds a `raw' table to iptables. This table is the very
	307	first in the netfilter framework and hooks in at the PREROUTING
	308	and OUTPUT chains.
	309
	310	If you want to compile it as a module, say M here and read
e403149c	311	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
560ee653 JM	312
	313	# security table for MAC policy
	314	config IP_NF_SECURITY
	315	tristate "Security table"
560ee653	316	depends on SECURITY
70eed75d	317	depends on NETFILTER_ADVANCED
560ee653 JM	318	help
	319	This option adds a `security' table to iptables, for use
	320	with Mandatory Access Control (MAC) policy.
	321
	322	If unsure, say N.
1da177e4	323
c2df73de JE	324	endif # IP_NF_IPTABLES
c2df73de JE	325
1da177e4 LT	326	# ARP tables
	327	config IP_NF_ARPTABLES
	328	tristate "ARP tables support"
a3c941b0	329	select NETFILTER_XTABLES
2a95183a	330	select NETFILTER_FAMILY_ARP
33b8e776	331	depends on NETFILTER_ADVANCED
1da177e4 LT	332	help
	333	arptables is a general, extensible packet identification framework.
	334	The ARP packet filtering and mangling (manipulation)subsystems
	335	use this: say Y or M here if you want to use either of those.
	336
	337	To compile it as a module, choose M here. If unsure, say N.
	338
c2df73de JE	339	if IP_NF_ARPTABLES
c2df73de JE	340
1da177e4 LT	341	config IP_NF_ARPFILTER
1da177e4 LT	342	tristate "ARP packet filtering"
1da177e4 LT	343	help
	344	ARP packet filtering defines a table `filter', which has a series of
	345	rules for simple ARP packet filtering at local input and
	346	local output. On a bridge, you can also specify filtering rules
	347	for forwarded ARP packets. See the man page for arptables(8).
	348
	349	To compile it as a module, choose M here. If unsure, say N.
	350
	351	config IP_NF_ARP_MANGLE
	352	tristate "ARP payload mangling"
1da177e4 LT	353	help
	354	Allows altering the ARP packet payload: source and destination
	355	hardware and network addresses.
	356
c2df73de JE	357	endif # IP_NF_ARPTABLES
c2df73de JE	358
1da177e4 LT	359	endmenu
1da177e4 LT	360