2 # IP netfilter configuration
5 menu "IP: Netfilter Configuration"
6 depends on INET && NETFILTER
8 # connection tracking, helpers and protocols
10 tristate "Connection tracking (required for masq/NAT)"
12 Connection tracking keeps a record of what packets have passed
13 through your machine, in order to figure out how they are related
16 This is required to do Masquerading or other kinds of Network
17 Address Translation (except for Fast NAT). It can also be used to
18 enhance packet filtering (see `Connection state match support'
21 To compile it as a module, choose M here. If unsure, say N.
24 bool "Connection tracking flow accounting"
25 depends on IP_NF_CONNTRACK
27 If this option is enabled, the connection tracking code will
28 keep per-flow packet and byte counters.
30 Those counters can be used for flow-based accounting or the
35 config IP_NF_CONNTRACK_MARK
36 bool 'Connection mark tracking support'
38 This option enables support for connection marks, used by the
39 `CONNMARK' target and `connmark' match. Similar to the mark value
40 of packets, but this mark value is kept in the conntrack session
41 instead of the individual packets.
43 config IP_NF_CONNTRACK_EVENTS
44 bool "Connection tracking events"
45 depends on IP_NF_CONNTRACK
47 If this option is enabled, the connection tracking code will
48 provide a notifier chain that can be used by other kernel code
49 to get notified about changes in the connection tracking state.
53 config IP_NF_CT_PROTO_SCTP
54 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
55 depends on IP_NF_CONNTRACK && EXPERIMENTAL
57 With this option enabled, the connection tracking code will
58 be able to do state tracking on SCTP connections.
60 If you want to compile it as a module, say M here and read
61 <file:Documentation/modules.txt>. If unsure, say `N'.
64 tristate "FTP protocol support"
65 depends on IP_NF_CONNTRACK
67 Tracking FTP connections is problematic: special helpers are
68 required for tracking them, and doing masquerading and other forms
69 of Network Address Translation on them.
71 To compile it as a module, choose M here. If unsure, say Y.
74 tristate "IRC protocol support"
75 depends on IP_NF_CONNTRACK
77 There is a commonly-used extension to IRC called
78 Direct Client-to-Client Protocol (DCC). This enables users to send
79 files to each other, and also chat to each other without the need
80 of a server. DCC Sending is used anywhere you send files over IRC,
81 and DCC Chat is most commonly used by Eggdrop bots. If you are
82 using NAT, this extension will enable you to send files and initiate
83 chats. Note that you do NOT need this extension to get files or
84 have others initiate chats, or everything else in IRC.
86 To compile it as a module, choose M here. If unsure, say Y.
88 config IP_NF_NETBIOS_NS
89 tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
90 depends on IP_NF_CONNTRACK && EXPERIMENTAL
92 NetBIOS name service requests are sent as broadcast messages from an
93 unprivileged port and responded to with unicast messages to the
94 same port. This make them hard to firewall properly because connection
95 tracking doesn't deal with broadcasts. This helper tracks locally
96 originating NetBIOS name service requests and the corresponding
97 responses. It relies on correct IP address configuration, specifically
98 netmask and broadcast address. When properly configured, the output
99 of "ip address show" should look similar to this:
101 $ ip -4 address show eth0
102 4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
103 inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0
105 To compile it as a module, choose M here. If unsure, say N.
108 tristate "TFTP protocol support"
109 depends on IP_NF_CONNTRACK
111 TFTP connection tracking helper, this is required depending
112 on how restrictive your ruleset is.
113 If you are using a tftp client behind -j SNAT or -j MASQUERADING
116 To compile it as a module, choose M here. If unsure, say Y.
119 tristate "Amanda backup protocol support"
120 depends on IP_NF_CONNTRACK
122 If you are running the Amanda backup package <http://www.amanda.org/>
123 on this machine or machines that will be MASQUERADED through this
124 machine, then you may want to enable this feature. This allows the
125 connection tracking and natting code to allow the sub-channels that
126 Amanda requires for communication of the backup data, messages and
129 To compile it as a module, choose M here. If unsure, say Y.
132 tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
134 Netfilter has the ability to queue packets to user space: the
135 netlink device can be used to access them using this driver.
137 This option enables the old IPv4-only "ip_queue" implementation
138 which has been obsoleted by the new "nfnetlink_queue" code (see
139 CONFIG_NETFILTER_NETLINK_QUEUE).
141 To compile it as a module, choose M here. If unsure, say N.
143 config IP_NF_IPTABLES
144 tristate "IP tables support (required for filtering/masq/NAT)"
146 iptables is a general, extensible packet identification framework.
147 The packet filtering and full NAT (masquerading, port forwarding,
148 etc) subsystems now use this: say `Y' or `M' here if you want to use
151 To compile it as a module, choose M here. If unsure, say N.
154 config IP_NF_MATCH_LIMIT
155 tristate "limit match support"
156 depends on IP_NF_IPTABLES
158 limit matching allows you to control the rate at which a rule can be
159 matched: mainly useful in combination with the LOG target ("LOG
160 target support", below) and to avoid some Denial of Service attacks.
162 To compile it as a module, choose M here. If unsure, say N.
164 config IP_NF_MATCH_IPRANGE
165 tristate "IP range match support"
166 depends on IP_NF_IPTABLES
168 This option makes possible to match IP addresses against IP address
171 To compile it as a module, choose M here. If unsure, say N.
173 config IP_NF_MATCH_MAC
174 tristate "MAC address match support"
175 depends on IP_NF_IPTABLES
177 MAC matching allows you to match packets based on the source
178 Ethernet address of the packet.
180 To compile it as a module, choose M here. If unsure, say N.
182 config IP_NF_MATCH_PKTTYPE
183 tristate "Packet type match support"
184 depends on IP_NF_IPTABLES
186 Packet type matching allows you to match a packet by
187 its "class", eg. BROADCAST, MULTICAST, ...
190 iptables -A INPUT -m pkttype --pkt-type broadcast -j LOG
192 To compile it as a module, choose M here. If unsure, say N.
194 config IP_NF_MATCH_MARK
195 tristate "netfilter MARK match support"
196 depends on IP_NF_IPTABLES
198 Netfilter mark matching allows you to match packets based on the
199 `nfmark' value in the packet. This can be set by the MARK target
202 To compile it as a module, choose M here. If unsure, say N.
204 config IP_NF_MATCH_MULTIPORT
205 tristate "Multiple port match support"
206 depends on IP_NF_IPTABLES
208 Multiport matching allows you to match TCP or UDP packets based on
209 a series of source or destination ports: normally a rule can only
210 match a single range of ports.
212 To compile it as a module, choose M here. If unsure, say N.
214 config IP_NF_MATCH_TOS
215 tristate "TOS match support"
216 depends on IP_NF_IPTABLES
218 TOS matching allows you to match packets based on the Type Of
219 Service fields of the IP packet.
221 To compile it as a module, choose M here. If unsure, say N.
223 config IP_NF_MATCH_RECENT
224 tristate "recent match support"
225 depends on IP_NF_IPTABLES
227 This match is used for creating one or many lists of recently
228 used addresses and then matching against that/those list(s).
230 Short options are available by using 'iptables -m recent -h'
231 Official Website: <http://snowman.net/projects/ipt_recent/>
233 To compile it as a module, choose M here. If unsure, say N.
235 config IP_NF_MATCH_ECN
236 tristate "ECN match support"
237 depends on IP_NF_IPTABLES
239 This option adds a `ECN' match, which allows you to match against
240 the IPv4 and TCP header ECN fields.
242 To compile it as a module, choose M here. If unsure, say N.
244 config IP_NF_MATCH_DSCP
245 tristate "DSCP match support"
246 depends on IP_NF_IPTABLES
248 This option adds a `DSCP' match, which allows you to match against
249 the IPv4 header DSCP field (DSCP codepoint).
251 The DSCP codepoint can have any value between 0x0 and 0x4f.
253 To compile it as a module, choose M here. If unsure, say N.
255 config IP_NF_MATCH_AH_ESP
256 tristate "AH/ESP match support"
257 depends on IP_NF_IPTABLES
259 These two match extensions (`ah' and `esp') allow you to match a
260 range of SPIs inside AH or ESP headers of IPSec packets.
262 To compile it as a module, choose M here. If unsure, say N.
264 config IP_NF_MATCH_LENGTH
265 tristate "LENGTH match support"
266 depends on IP_NF_IPTABLES
268 This option allows you to match the length of a packet against a
269 specific value or range of values.
271 To compile it as a module, choose M here. If unsure, say N.
273 config IP_NF_MATCH_TTL
274 tristate "TTL match support"
275 depends on IP_NF_IPTABLES
277 This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
278 to match packets by their TTL value.
280 To compile it as a module, choose M here. If unsure, say N.
282 config IP_NF_MATCH_TCPMSS
283 tristate "tcpmss match support"
284 depends on IP_NF_IPTABLES
286 This option adds a `tcpmss' match, which allows you to examine the
287 MSS value of TCP SYN packets, which control the maximum packet size
290 To compile it as a module, choose M here. If unsure, say N.
292 config IP_NF_MATCH_HELPER
293 tristate "Helper match support"
294 depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
296 Helper matching allows you to match packets in dynamic connections
297 tracked by a conntrack-helper, ie. ip_conntrack_ftp
299 To compile it as a module, choose M here. If unsure, say Y.
301 config IP_NF_MATCH_STATE
302 tristate "Connection state match support"
303 depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
305 Connection state matching allows you to match packets based on their
306 relationship to a tracked connection (ie. previous packets). This
307 is a powerful tool for packet classification.
309 To compile it as a module, choose M here. If unsure, say N.
311 config IP_NF_MATCH_CONNTRACK
312 tristate "Connection tracking match support"
313 depends on IP_NF_CONNTRACK && IP_NF_IPTABLES
315 This is a general conntrack match module, a superset of the state match.
317 It allows matching on additional conntrack information, which is
318 useful in complex configurations, such as NAT gateways with multiple
319 internet links or tunnels.
321 To compile it as a module, choose M here. If unsure, say N.
323 config IP_NF_MATCH_OWNER
324 tristate "Owner match support"
325 depends on IP_NF_IPTABLES
327 Packet owner matching allows you to match locally-generated packets
328 based on who created them: the user, group, process or session.
330 To compile it as a module, choose M here. If unsure, say N.
332 config IP_NF_MATCH_PHYSDEV
333 tristate "Physdev match support"
334 depends on IP_NF_IPTABLES && BRIDGE_NETFILTER
336 Physdev packet matching matches against the physical bridge ports
337 the IP packet arrived on or will leave by.
339 To compile it as a module, choose M here. If unsure, say N.
341 config IP_NF_MATCH_ADDRTYPE
342 tristate 'address type match support'
343 depends on IP_NF_IPTABLES
345 This option allows you to match what routing thinks of an address,
346 eg. UNICAST, LOCAL, BROADCAST, ...
348 If you want to compile it as a module, say M here and read
349 <file:Documentation/modules.txt>. If unsure, say `N'.
351 config IP_NF_MATCH_REALM
352 tristate 'realm match support'
353 depends on IP_NF_IPTABLES
356 This option adds a `realm' match, which allows you to use the realm
357 key from the routing subsystem inside iptables.
359 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
362 If you want to compile it as a module, say M here and read
363 <file:Documentation/modules.txt>. If unsure, say `N'.
365 config IP_NF_MATCH_SCTP
366 tristate 'SCTP protocol match support'
367 depends on IP_NF_IPTABLES
369 With this option enabled, you will be able to use the iptables
370 `sctp' match in order to match on SCTP source/destination ports
371 and SCTP chunk types.
373 If you want to compile it as a module, say M here and read
374 <file:Documentation/modules.txt>. If unsure, say `N'.
376 config IP_NF_MATCH_DCCP
377 tristate 'DCCP protocol match support'
378 depends on IP_NF_IPTABLES
380 With this option enabled, you will be able to use the iptables
381 `dccp' match in order to match on DCCP source/destination ports
384 If you want to compile it as a module, say M here and read
385 <file:Documentation/modules.txt>. If unsure, say `N'.
387 config IP_NF_MATCH_COMMENT
388 tristate 'comment match support'
389 depends on IP_NF_IPTABLES
391 This option adds a `comment' dummy-match, which allows you to put
392 comments in your iptables ruleset.
394 If you want to compile it as a module, say M here and read
395 <file:Documentation/modules.txt>. If unsure, say `N'.
397 config IP_NF_MATCH_CONNMARK
398 tristate 'Connection mark match support'
399 depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES
401 This option adds a `connmark' match, which allows you to match the
402 connection mark value previously set for the session by `CONNMARK'.
404 If you want to compile it as a module, say M here and read
405 <file:Documentation/modules.txt>. The module will be called
406 ipt_connmark.o. If unsure, say `N'.
408 config IP_NF_MATCH_CONNBYTES
409 tristate 'Connection byte/packet counter match support'
410 depends on IP_NF_CT_ACCT && IP_NF_IPTABLES
412 This option adds a `connbytes' match, which allows you to match the
413 number of bytes and/or packets for each direction within a connection.
415 If you want to compile it as a module, say M here and read
416 <file:Documentation/modules.txt>. If unsure, say `N'.
418 config IP_NF_MATCH_HASHLIMIT
419 tristate 'hashlimit match support'
420 depends on IP_NF_IPTABLES
422 This option adds a new iptables `hashlimit' match.
424 As opposed to `limit', this match dynamically crates a hash table
425 of limit buckets, based on your selection of source/destination
426 ip addresses and/or ports.
428 It enables you to express policies like `10kpps for any given
429 destination IP' or `500pps from any given source IP' with a single
432 config IP_NF_MATCH_STRING
433 tristate 'string match support'
434 depends on IP_NF_IPTABLES
436 select TEXTSEARCH_KMP
438 select TEXTSEARCH_FSM
440 This option adds a `string' match, which allows you to look for
441 pattern matchings in packets.
443 To compile it as a module, choose M here. If unsure, say N.
445 # `filter', generic and specific targets
447 tristate "Packet filtering"
448 depends on IP_NF_IPTABLES
450 Packet filtering defines a table `filter', which has a series of
451 rules for simple packet filtering at local input, forwarding and
452 local output. See the man page for iptables(8).
454 To compile it as a module, choose M here. If unsure, say N.
456 config IP_NF_TARGET_REJECT
457 tristate "REJECT target support"
458 depends on IP_NF_FILTER
460 The REJECT target allows a filtering rule to specify that an ICMP
461 error should be issued in response to an incoming packet, rather
462 than silently being dropped.
464 To compile it as a module, choose M here. If unsure, say N.
466 config IP_NF_TARGET_LOG
467 tristate "LOG target support"
468 depends on IP_NF_IPTABLES
470 This option adds a `LOG' target, which allows you to create rules in
471 any iptables table which records the packet header to the syslog.
473 To compile it as a module, choose M here. If unsure, say N.
475 config IP_NF_TARGET_ULOG
476 tristate "ULOG target support"
477 depends on IP_NF_IPTABLES
479 This option adds a `ULOG' target, which allows you to create rules in
480 any iptables table. The packet is passed to a userspace logging
481 daemon using netlink multicast sockets; unlike the LOG target
482 which can only be viewed through syslog.
484 The apropriate userspace logging daemon (ulogd) may be obtained from
485 <http://www.gnumonks.org/projects/ulogd/>
487 To compile it as a module, choose M here. If unsure, say N.
489 config IP_NF_TARGET_TCPMSS
490 tristate "TCPMSS target support"
491 depends on IP_NF_IPTABLES
493 This option adds a `TCPMSS' target, which allows you to alter the
494 MSS value of TCP SYN packets, to control the maximum size for that
495 connection (usually limiting it to your outgoing interface's MTU
498 This is used to overcome criminally braindead ISPs or servers which
499 block ICMP Fragmentation Needed packets. The symptoms of this
500 problem are that everything works fine from your Linux
501 firewall/router, but machines behind it can never exchange large
503 1) Web browsers connect, then hang with no data received.
504 2) Small mail works fine, but large emails hang.
505 3) ssh works fine, but scp hangs after initial handshaking.
507 Workaround: activate this option and add a rule to your firewall
510 iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
511 -j TCPMSS --clamp-mss-to-pmtu
513 To compile it as a module, choose M here. If unsure, say N.
515 # NAT + specific targets
518 depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
520 The Full NAT option allows masquerading, port forwarding and other
521 forms of full Network Address Port Translation. It is controlled by
522 the `nat' table in iptables: see the man page for iptables(8).
524 To compile it as a module, choose M here. If unsure, say N.
526 config IP_NF_NAT_NEEDED
528 depends on IP_NF_NAT != n
531 config IP_NF_TARGET_MASQUERADE
532 tristate "MASQUERADE target support"
535 Masquerading is a special case of NAT: all outgoing connections are
536 changed to seem to come from a particular interface's address, and
537 if the interface goes down, those connections are lost. This is
538 only useful for dialup accounts with dynamic IP address (ie. your IP
539 address will be different on next dialup).
541 To compile it as a module, choose M here. If unsure, say N.
543 config IP_NF_TARGET_REDIRECT
544 tristate "REDIRECT target support"
547 REDIRECT is a special case of NAT: all incoming connections are
548 mapped onto the incoming interface's address, causing the packets to
549 come to the local machine instead of passing through. This is
550 useful for transparent proxies.
552 To compile it as a module, choose M here. If unsure, say N.
554 config IP_NF_TARGET_NETMAP
555 tristate "NETMAP target support"
558 NETMAP is an implementation of static 1:1 NAT mapping of network
559 addresses. It maps the network address part, while keeping the host
560 address part intact. It is similar to Fast NAT, except that
561 Netfilter's connection tracking doesn't work well with Fast NAT.
563 To compile it as a module, choose M here. If unsure, say N.
565 config IP_NF_TARGET_SAME
566 tristate "SAME target support"
569 This option adds a `SAME' target, which works like the standard SNAT
570 target, but attempts to give clients the same IP for all connections.
572 To compile it as a module, choose M here. If unsure, say N.
574 config IP_NF_NAT_SNMP_BASIC
575 tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
576 depends on EXPERIMENTAL && IP_NF_NAT
579 This module implements an Application Layer Gateway (ALG) for
580 SNMP payloads. In conjunction with NAT, it allows a network
581 management system to access multiple private networks with
582 conflicting addresses. It works by modifying IP addresses
583 inside SNMP payloads to match IP-layer NAT mapping.
585 This is the "basic" form of SNMP-ALG, as described in RFC 2962
587 To compile it as a module, choose M here. If unsure, say N.
591 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
592 default IP_NF_NAT if IP_NF_IRC=y
593 default m if IP_NF_IRC=m
595 # If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
596 # or $CONFIG_IP_NF_FTP (m or y), whichever is weaker. Argh.
599 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
600 default IP_NF_NAT if IP_NF_FTP=y
601 default m if IP_NF_FTP=m
603 config IP_NF_NAT_TFTP
605 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
606 default IP_NF_NAT if IP_NF_TFTP=y
607 default m if IP_NF_TFTP=m
609 config IP_NF_NAT_AMANDA
611 depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
612 default IP_NF_NAT if IP_NF_AMANDA=y
613 default m if IP_NF_AMANDA=m
615 # mangle + specific targets
617 tristate "Packet mangling"
618 depends on IP_NF_IPTABLES
620 This option adds a `mangle' table to iptables: see the man page for
621 iptables(8). This table is used for various packet alterations
622 which can effect how the packet is routed.
624 To compile it as a module, choose M here. If unsure, say N.
626 config IP_NF_TARGET_TOS
627 tristate "TOS target support"
628 depends on IP_NF_MANGLE
630 This option adds a `TOS' target, which allows you to create rules in
631 the `mangle' table which alter the Type Of Service field of an IP
632 packet prior to routing.
634 To compile it as a module, choose M here. If unsure, say N.
636 config IP_NF_TARGET_ECN
637 tristate "ECN target support"
638 depends on IP_NF_MANGLE
640 This option adds a `ECN' target, which can be used in the iptables mangle
643 You can use this target to remove the ECN bits from the IPv4 header of
644 an IP packet. This is particularly useful, if you need to work around
645 existing ECN blackholes on the internet, but don't want to disable
646 ECN support in general.
648 To compile it as a module, choose M here. If unsure, say N.
650 config IP_NF_TARGET_DSCP
651 tristate "DSCP target support"
652 depends on IP_NF_MANGLE
654 This option adds a `DSCP' match, which allows you to match against
655 the IPv4 header DSCP field (DSCP codepoint).
657 The DSCP codepoint can have any value between 0x0 and 0x4f.
659 To compile it as a module, choose M here. If unsure, say N.
661 config IP_NF_TARGET_MARK
662 tristate "MARK target support"
663 depends on IP_NF_MANGLE
665 This option adds a `MARK' target, which allows you to create rules
666 in the `mangle' table which alter the netfilter mark (nfmark) field
667 associated with the packet prior to routing. This can change
668 the routing method (see `Use netfilter MARK value as routing
669 key') and can also be used by other subsystems to change their
672 To compile it as a module, choose M here. If unsure, say N.
674 config IP_NF_TARGET_CLASSIFY
675 tristate "CLASSIFY target support"
676 depends on IP_NF_MANGLE
678 This option adds a `CLASSIFY' target, which enables the user to set
679 the priority of a packet. Some qdiscs can use this value for
680 classification, among these are:
682 atm, cbq, dsmark, pfifo_fast, htb, prio
684 To compile it as a module, choose M here. If unsure, say N.
686 config IP_NF_TARGET_TTL
687 tristate 'TTL target support'
688 depends on IP_NF_MANGLE
690 This option adds a `TTL' target, which enables the user to modify
691 the TTL value of the IP header.
693 While it is safe to decrement/lower the TTL, this target also enables
694 functionality to increment and set the TTL value of the IP header to
695 arbitrary values. This is EXTREMELY DANGEROUS since you can easily
696 create immortal packets that loop forever on the network.
698 To compile it as a module, choose M here. If unsure, say N.
700 config IP_NF_TARGET_CONNMARK
701 tristate 'CONNMARK target support'
702 depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE
704 This option adds a `CONNMARK' target, which allows one to manipulate
705 the connection mark value. Similar to the MARK target, but
706 affects the connection mark value rather than the packet mark value.
708 If you want to compile it as a module, say M here and read
709 <file:Documentation/modules.txt>. The module will be called
710 ipt_CONNMARK.o. If unsure, say `N'.
712 config IP_NF_TARGET_CLUSTERIP
713 tristate "CLUSTERIP target support (EXPERIMENTAL)"
714 depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL
716 The CLUSTERIP target allows you to build load-balancing clusters of
717 network servers without having a dedicated load-balancing
718 router/server/switch.
720 To compile it as a module, choose M here. If unsure, say N.
722 # raw + specific targets
724 tristate 'raw table support (required for NOTRACK/TRACE)'
725 depends on IP_NF_IPTABLES
727 This option adds a `raw' table to iptables. This table is the very
728 first in the netfilter framework and hooks in at the PREROUTING
731 If you want to compile it as a module, say M here and read
732 <file:Documentation/modules.txt>. If unsure, say `N'.
734 config IP_NF_TARGET_NOTRACK
735 tristate 'NOTRACK target support'
737 depends on IP_NF_CONNTRACK
739 The NOTRACK target allows a select rule to specify
740 which packets *not* to enter the conntrack/NAT
741 subsystem with all the consequences (no ICMP error tracking,
742 no protocol helpers for the selected packets).
744 If you want to compile it as a module, say M here and read
745 <file:Documentation/modules.txt>. If unsure, say `N'.
749 config IP_NF_ARPTABLES
750 tristate "ARP tables support"
752 arptables is a general, extensible packet identification framework.
753 The ARP packet filtering and mangling (manipulation)subsystems
754 use this: say Y or M here if you want to use either of those.
756 To compile it as a module, choose M here. If unsure, say N.
758 config IP_NF_ARPFILTER
759 tristate "ARP packet filtering"
760 depends on IP_NF_ARPTABLES
762 ARP packet filtering defines a table `filter', which has a series of
763 rules for simple ARP packet filtering at local input and
764 local output. On a bridge, you can also specify filtering rules
765 for forwarded ARP packets. See the man page for arptables(8).
767 To compile it as a module, choose M here. If unsure, say N.
769 config IP_NF_ARP_MANGLE
770 tristate "ARP payload mangling"
771 depends on IP_NF_ARPTABLES
773 Allows altering the ARP packet payload: source and destination
774 hardware and network addresses.
776 config IP_NF_CONNTRACK_NETLINK
777 tristate 'Connection tracking netlink interface'
778 depends on IP_NF_CONNTRACK && NETFILTER_NETLINK
780 This option enables support for a netlink-based userspace interface