Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
IP netfilter Kconfig at v2.6.19 (627 lines, 22 kB)
```kconfig
#
# IP netfilter configuration
#

menu "IP: Netfilter Configuration"
	depends on INET && NETFILTER

config NF_CONNTRACK_IPV4
	tristate "IPv4 support for new connection tracking (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv4 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

# connection tracking, helpers and protocols
config IP_NF_CONNTRACK
	tristate "Connection tracking (required for masq/NAT)"
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is required to do Masquerading or other kinds of Network
	  Address Translation (except for Fast NAT).  It can also be used to
	  enhance packet filtering (see `Connection state match support'
	  below).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_CT_ACCT
	bool "Connection tracking flow accounting"
	depends on IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  keep per-flow packet and byte counters.

	  Those counters can be used for flow-based accounting or the
	  `connbytes' match.

	  If unsure, say `N'.

config IP_NF_CONNTRACK_MARK
	bool 'Connection mark tracking support'
	depends on IP_NF_CONNTRACK
	help
	  This option enables support for connection marks, used by the
	  `CONNMARK' target and `connmark' match.  Similar to the mark value
	  of packets, but this mark value is kept in the conntrack session
	  instead of the individual packets.

config IP_NF_CONNTRACK_SECMARK
	bool 'Connection tracking security mark support'
	depends on IP_NF_CONNTRACK && NETWORK_SECMARK
	help
	  This option enables security markings to be applied to
	  connections.  Typically they are copied to connections from
	  packets using the CONNSECMARK target and copied back from
	  connections to packets with the same target, with the packets
	  being originally labeled via SECMARK.

	  If unsure, say 'N'.

config IP_NF_CONNTRACK_EVENTS
	bool "Connection tracking events (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_CONNTRACK
	help
	  If this option is enabled, the connection tracking code will
	  provide a notifier chain that can be used by other kernel code
	  to get notified about changes in the connection tracking state.

	  If unsure, say `N'.

config IP_NF_CONNTRACK_NETLINK
	tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
	depends on EXPERIMENTAL && IP_NF_CONNTRACK && NETFILTER_NETLINK
	depends on IP_NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
	depends on IP_NF_NAT=n || IP_NF_NAT
	help
	  This option enables support for a netlink-based userspace interface


config IP_NF_CT_PROTO_SCTP
	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  With this option enabled, the connection tracking code will
	  be able to do state tracking on SCTP connections.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_FTP
	tristate "FTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  Tracking FTP connections is problematic: special helpers are
	  required for tracking them, and doing masquerading and other forms
	  of Network Address Translation on them.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_IRC
	tristate "IRC protocol support"
	depends on IP_NF_CONNTRACK
	---help---
	  There is a commonly-used extension to IRC called
	  Direct Client-to-Client Protocol (DCC).  This enables users to send
	  files to each other, and also chat to each other without the need
	  of a server.  DCC Sending is used anywhere you send files over IRC,
	  and DCC Chat is most commonly used by Eggdrop bots.  If you are
	  using NAT, this extension will enable you to send files and initiate
	  chats.  Note that you do NOT need this extension to get files or
	  have others initiate chats, or everything else in IRC.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_NETBIOS_NS
	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  NetBIOS name service requests are sent as broadcast messages from an
	  unprivileged port and responded to with unicast messages to the
	  same port.  This makes them hard to firewall properly because connection
	  tracking doesn't deal with broadcasts.  This helper tracks locally
	  originating NetBIOS name service requests and the corresponding
	  responses.  It relies on correct IP address configuration, specifically
	  netmask and broadcast address.  When properly configured, the output
	  of "ip address show" should look similar to this:

	  $ ip -4 address show eth0
	  4: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 1000
	      inet 172.16.2.252/24 brd 172.16.2.255 scope global eth0

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TFTP
	tristate "TFTP protocol support"
	depends on IP_NF_CONNTRACK
	help
	  TFTP connection tracking helper, this is required depending
	  on how restrictive your ruleset is.
	  If you are using a tftp client behind -j SNAT or -j MASQUERADING
	  you will need this.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_AMANDA
	tristate "Amanda backup protocol support"
	depends on IP_NF_CONNTRACK
	select TEXTSEARCH
	select TEXTSEARCH_KMP
	help
	  If you are running the Amanda backup package <http://www.amanda.org/>
	  on this machine or machines that will be MASQUERADED through this
	  machine, then you may want to enable this feature.  This allows the
	  connection tracking and natting code to allow the sub-channels that
	  Amanda requires for communication of the backup data, messages and
	  index.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_PPTP
	tristate 'PPTP protocol support'
	depends on IP_NF_CONNTRACK
	help
	  This module adds support for PPTP (Point to Point Tunnelling
	  Protocol, RFC2637) connection tracking and NAT.

	  If you are running PPTP sessions over a stateful firewall or NAT
	  box, you may want to enable this feature.

	  Please note that not all PPTP modes of operation are supported yet.
	  For more info, read top of the file
	  net/ipv4/netfilter/ip_conntrack_pptp.c

	  If you want to compile it as a module, say M here and read
	  Documentation/modules.txt.  If unsure, say `N'.

config IP_NF_H323
	tristate 'H.323 protocol support (EXPERIMENTAL)'
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  H.323 is a VoIP signalling protocol from ITU-T.  As one of the most
	  important VoIP protocols, it is widely used by voice hardware and
	  software including voice gateways, IP phones, Netmeeting, OpenPhone,
	  Gnomemeeting, etc.

	  With this module you can support H.323 on a connection tracking/NAT
	  firewall.

	  This module supports RAS, Fast Start, H.245 Tunnelling, Call
	  Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
	  whiteboard, file transfer, etc.  For more information, please
	  visit http://nath323.sourceforge.net/.

	  If you want to compile it as a module, say 'M' here and read
	  Documentation/modules.txt.  If unsure, say 'N'.

config IP_NF_SIP
	tristate "SIP protocol support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK && EXPERIMENTAL
	help
	  SIP is an application-layer control protocol that can establish,
	  modify, and terminate multimedia sessions (conferences) such as
	  Internet telephony calls.  With the ip_conntrack_sip and
	  the ip_nat_sip modules you can support the protocol on a connection
	  tracking/NATing firewall.

	  To compile it as a module, choose M here.  If unsure, say Y.

config IP_NF_QUEUE
	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
	help
	  Netfilter has the ability to queue packets to user space: the
	  netlink device can be used to access them using this driver.

	  This option enables the old IPv4-only "ip_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_IPTABLES
	tristate "IP tables support (required for filtering/masq/NAT)"
	depends on NETFILTER_XTABLES
	help
	  iptables is a general, extensible packet identification framework.
	  The packet filtering and full NAT (masquerading, port forwarding,
	  etc) subsystems now use this: say `Y' or `M' here if you want to use
	  either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

# The matches.
config IP_NF_MATCH_IPRANGE
	tristate "IP range match support"
	depends on IP_NF_IPTABLES
	help
	  This option makes it possible to match IP addresses against IP address
	  ranges.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TOS
	tristate "TOS match support"
	depends on IP_NF_IPTABLES
	help
	  TOS matching allows you to match packets based on the Type Of
	  Service fields of the IP packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_RECENT
	tristate "recent match support"
	depends on IP_NF_IPTABLES
	help
	  This match is used for creating one or many lists of recently
	  used addresses and then matching against that/those list(s).

	  Short options are available by using 'iptables -m recent -h'
	  Official Website: <http://snowman.net/projects/ipt_recent/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ECN
	tristate "ECN match support"
	depends on IP_NF_IPTABLES
	help
	  This option adds an `ECN' match, which allows you to match against
	  the IPv4 and TCP header ECN fields.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_AH
	tristate "AH match support"
	depends on IP_NF_IPTABLES
	help
	  This match extension allows you to match a range of SPIs
	  inside AH header of IPSec packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_TTL
	tristate "TTL match support"
	depends on IP_NF_IPTABLES
	help
	  This adds CONFIG_IP_NF_MATCH_TTL option, which enables the user
	  to match packets by their TTL value.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_MATCH_ADDRTYPE
	tristate 'address type match support'
	depends on IP_NF_IPTABLES
	help
	  This option allows you to match what routing thinks of an address,
	  eg. UNICAST, LOCAL, BROADCAST, ...

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_HASHLIMIT
	tristate 'hashlimit match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a new iptables `hashlimit' match.

	  As opposed to `limit', this match dynamically creates a hash table
	  of limit buckets, based on your selection of source/destination
	  ip addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination IP' or `500pps from any given source IP' with a single
	  IPtables rule.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	---help---

	  This option enables the old IPv4-only "ipt_ULOG" implementation
	  which has been obsoleted by the new "nfnetlink_log" code (see
	  CONFIG_NETFILTER_NETLINK_LOG).

	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table.  The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The appropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
		1) Web browsers connect, then hang with no data received.
		2) Small mail works fine, but large emails hang.
		3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
		 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets
config IP_NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_NEEDED
	bool
	depends on IP_NF_NAT != n
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on IP_NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on IP_NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through.  This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on IP_NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses.  It maps the network address part, while keeping the host
	  address part intact.  It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	depends on IP_NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y),
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.  Argh.
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m

config IP_NF_NAT_PPTP
	tristate
	depends on IP_NF_NAT!=n && IP_NF_PPTP!=n
	default IP_NF_NAT if IP_NF_PPTP=y
	default m if IP_NF_PPTP=m

config IP_NF_NAT_H323
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_H323=y
	default m if IP_NF_H323=m

config IP_NF_NAT_SIP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_SIP=y
	default m if IP_NF_SIP=m

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	---help---
	  This option adds an `ECN' target, which can be used in the iptables mangle
	  table.

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TTL
	tristate 'TTL target support'
	depends on IP_NF_MANGLE
	help
	  This option adds a `TTL' target, which enables the user to modify
	  the TTL value of the IP header.

	  While it is safe to decrement/lower the TTL, this target also enables
	  functionality to increment and set the TTL value of the IP header to
	  arbitrary values.  This is EXTREMELY DANGEROUS since you can easily
	  create immortal packets that loop forever on the network.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_MANGLE && EXPERIMENTAL
	depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4)
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.

	  To compile it as a module, choose M here.  If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate 'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables.  This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	depends on NETFILTER_XTABLES
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation) subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets.  See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endmenu
```
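The NAT-helper entries (IP_NF_NAT_FTP and its siblings) implement the "whichever is weaker" rule from the comment above with one `depends on` line and two `default` lines. The following Python evaluator is an added example, not kernel code: it parses a constructed excerpt containing two of those entries and resolves each helper's tristate value for a given set of selected symbols, so the rule can be checked rather than read.

```python
"""Resolve the tristate value of Kconfig NAT-helper symbols.

Added example, not part of the kernel tree.  It handles only the subset
of Kconfig syntax used by the IP_NF_NAT_* helper entries: `config`,
`tristate`, `depends on` with && / = / !=, and `default VALUE if COND`.
"""
import re

# Tristate ordering n < m < y; "weaker" means the smaller rank.
RANK = {"n": 0, "m": 1, "y": 2}

# Constructed excerpt mirroring the helper entries in the Kconfig above.
KCONFIG_EXCERPT = """
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_PPTP
	tristate
	depends on IP_NF_NAT!=n && IP_NF_PPTP!=n
	default IP_NF_NAT if IP_NF_PPTP=y
	default m if IP_NF_PPTP=m
"""


def parse(text):
    """Return {symbol: {"depends": [expr, ...], "defaults": [(value, cond), ...]}}."""
    entries, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("config "):
            cur = entries[line.split()[1]] = {"depends": [], "defaults": []}
        elif line.startswith("depends on ") and cur is not None:
            cur["depends"].append(line[len("depends on "):])
        elif line.startswith("default ") and cur is not None:
            m = re.match(r"default\s+(\S+)(?:\s+if\s+(.*))?$", line)
            if m:
                cur["defaults"].append((m.group(1), m.group(2)))
    return entries


def _atom(term, config):
    """Evaluate one `SYM`, `SYM=v` or `SYM!=v` term; unset symbols are n."""
    m = re.match(r"(\w+)\s*(!=|=)\s*(\w+)$", term.strip())
    if m:
        sym, op, val = m.groups()
        actual = config.get(sym, "n")
        return (actual == val) if op == "=" else (actual != val)
    return config.get(term.strip(), "n") != "n"


def _cond(expr, config):
    """&&-conjunction of atoms (the helper entries never use ||)."""
    return all(_atom(t, config) for t in expr.split("&&"))


def resolve(sym, entries, config):
    """Value the helper takes: n if any `depends on` fails, otherwise the
    first `default` whose condition holds (a symbol name is looked up)."""
    ent = entries[sym]
    if not all(_cond(d, config) for d in ent["depends"]):
        return "n"
    for value, cond in ent["defaults"]:
        if cond is None or _cond(cond, config):
            return value if value in RANK else config.get(value, "n")
    return "n"


def weaker(a, b):
    """The 'whichever is weaker' rule stated in the Kconfig comment."""
    return min(a, b, key=RANK.get)


ENTRIES = parse(KCONFIG_EXCERPT)
```

With IP_NF_NAT=m and IP_NF_FTP=y the helper resolves to m, with IP_NF_NAT=y and IP_NF_FTP=m it also resolves to m, and it is y only when both are built in.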