config.help

是关于linux2.5.1的完全源码

CONFIG_IP_NF_CONNTRACK
  Connection tracking keeps a record of what packets have passed
  through your machine, in order to figure out how they are related
  into connections.

  This is required to do Masquerading or other kinds of Network
  Address Translation (except for Fast NAT).  It can also be used to
  enhance packet filtering (see `Connection state match support'
  below).

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_IRC
  There is a commonly-used extension to IRC called
  Direct Client-to-Client Protocol (DCC).  This enables users to send
  files to each other, and also chat to each other without the need
  of a server.  DCC Sending is used anywhere you send files over IRC,
  and DCC Chat is most commonly used by Eggdrop bots.  If you are
  using NAT, this extension will enable you to send files and initiate
  chats.  Note that you do NOT need this extension to get files or
  have others initiate chats, or everything else in IRC.

  If you want to compile it as a module, say 'M' here and read
  Documentation/modules.txt.  If unsure, say 'N'.

CONFIG_IP_NF_FTP
  Tracking FTP connections is problematic: special helpers are
  required for tracking them, and doing masquerading and other forms
  of Network Address Translation on them.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `Y'.

CONFIG_IP_NF_QUEUE
  Netfilter has the ability to queue packets to user space: the
  netlink device can be used to access them using this driver.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_IPTABLES
  iptables is a general, extensible packet identification framework.
  The packet filtering and full NAT (masquerading, port forwarding,
  etc) subsystems now use this: say `Y' or `M' here if you want to use
  either of those.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_MATCH_LIMIT
  limit matching allows you to control the rate at which a rule can be
  matched: mainly useful in combination with the LOG target ("LOG
  target support", below) and to avoid some Denial of Service attacks.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_MATCH_MAC
  MAC matching allows you to match packets based on the source
  Ethernet address of the packet.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_MATCH_MARK
  Netfilter mark matching allows you to match packets based on the
  `nfmark' value in the packet.  This can be set by the MARK target
  (see below).

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_MATCH_MULTIPORT
  Multiport matching allows you to match TCP or UDP packets based on
  a series of source or destination ports: normally a rule can only
  match a single range of ports.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_MATCH_TTL
  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
  to match packets by their TTL value.

  If you want to compile it as a module, say M here and read
  Documentation/modules.txt.  If unsure, say `N'.

CONFIG_IP_NF_MATCH_LENGTH
  This option allows you to match the length of a packet against a
  specific value or range of values.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_MATCH_AH_ESP
  These two match extensions (`ah' and `esp') allow you to match a
  range of SPIs inside AH or ESP headers of IPSec packets.

  If you want to compile it as a module, say M here and read
  Documentation/modules.txt.  If unsure, say `N'.

CONFIG_IP_NF_MATCH_TOS
  TOS matching allows you to match packets based on the Type Of
  Service fields of the IP packet.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_MATCH_STATE
  Connection state matching allows you to match packets based on their
  relationship to a tracked connection (ie. previous packets).  This
  is a powerful tool for packet classification.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_MATCH_UNCLEAN
  Unclean packet matching matches any strange or invalid packets, by
  looking at a series of fields in the IP, TCP, UDP and ICMP headers.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_MATCH_OWNER
  Packet owner matching allows you to match locally-generated packets
  based on who created them: the user, group, process or session.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_FILTER
  Packet filtering defines a table `filter', which has a series of
  rules for simple packet filtering at local input, forwarding and
  local output.  See the man page for iptables(8).

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_TARGET_REJECT
  The REJECT target allows a filtering rule to specify that an ICMP
  error should be issued in response to an incoming packet, rather
  than silently being dropped.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_TARGET_MIRROR
  The MIRROR target allows a filtering rule to specify that an
  incoming packet should be bounced back to the sender.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_NAT
  The Full NAT option allows masquerading, port forwarding and other
  forms of full Network Address Port Translation.  It is controlled by
  the `nat' table in iptables: see the man page for iptables(8).

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_NAT_LOCAL
  This option enables support for NAT of locally originated connections. 
  Enable this if you need to use destination NAT on connections
  originating from local processes on the nat box itself.

  Please note that you will need a recent version (>= 1.2.6a)
  of the iptables userspace program in order to use this feature.
  See http://www.iptables.org/ for download instructions.

  If unsure, say 'N'.

CONFIG_IP_NF_TARGET_MASQUERADE
  Masquerading is a special case of NAT: all outgoing connections are
  changed to seem to come from a particular interface's address, and
  if the interface goes down, those connections are lost.  This is
  only useful for dialup accounts with dynamic IP address (ie. your IP
  address will be different on next dialup).

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_NAT_SNMP_BASIC

  This module implements an Application Layer Gateway (ALG) for
  SNMP payloads.  In conjunction with NAT, it allows a network
  management system to access multiple private networks with
  conflicting addresses.  It works by modifying IP addresses
  inside SNMP payloads to match IP-layer NAT mapping.

  This is the "basic" form of SNMP-ALG, as described in RFC 2962

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_TARGET_REDIRECT
  REDIRECT is a special case of NAT: all incoming connections are
  mapped onto the incoming interface's address, causing the packets to
  come to the local machine instead of passing through.  This is
  useful for transparent proxies.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_MANGLE
  This option adds a `mangle' table to iptables: see the man page for
  iptables(8).  This table is used for various packet alterations
  which can effect how the packet is routed.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_TARGET_TOS
  This option adds a `TOS' target, which allows you to create rules in
  the `mangle' table which alter the Type Of Service field of an IP
  packet prior to routing.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_TARGET_MARK
  This option adds a `MARK' target, which allows you to create rules
  in the `mangle' table which alter the netfilter mark (nfmark) field
  associated with the packet prior to routing. This can change
  the routing method (see `Use netfilter MARK value as routing
  key') and can also be used by other subsystems to change their
  behavior.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_TARGET_TCPMSS
  This option adds a `TCPMSS' target, which allows you to alter the
  MSS value of TCP SYN packets, to control the maximum size for that
  connection (usually limiting it to your outgoing interface's MTU
  minus 40).

  This is used to overcome criminally braindead ISPs or servers which
  block ICMP Fragmentation Needed packets.  The symptoms of this
  problem are that everything works fine from your Linux
  firewall/router, but machines behind it can never exchange large
  packets:
	1) Web browsers connect, then hang with no data received.
	2) Small mail works fine, but large emails hang.
	3) ssh works fine, but scp hangs after initial handshaking.

  Workaround: activate this option and add a rule to your firewall
  configuration like:

        iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
		 -j TCPMSS --clamp-mss-to-pmtu

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_MATCH_TCPMSS
  This option adds a `tcpmss' match, which allows you to examine the
  MSS value of TCP SYN packets, which control the maximum packet size
  for that connection.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_TARGET_ULOG
  This option adds a `ULOG' target, which allows you to create rules in
  any iptables table. The packet is passed to a userspace logging
  daemon using netlink multicast sockets; unlike the LOG target
  which can only be viewed through syslog.

  The apropriate userspace logging daemon (ulogd) may be obtained from
  http://www.gnumonks.org/projects/ulogd

  If you want to compile it as a module, say M here and read
  Documentation/modules.txt.  If unsure, say `N'.

CONFIG_IP_NF_TARGET_LOG
  This option adds a `LOG' target, which allows you to create rules in
  any iptables table which records the packet header to the syslog.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_COMPAT_IPCHAINS
  This option places ipchains (with masquerading and redirection
  support) back into the kernel, using the new netfilter
  infrastructure.  It is not recommended for new installations (see
  `Packet filtering').  With this enabled, you should be able to use
  the ipchains tool exactly as in 2.2 kernels.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.

CONFIG_IP_NF_COMPAT_IPFWADM
  This option places ipfwadm (with masquerading and redirection
  support) back into the kernel, using the new netfilter
  infrastructure.  It is not recommended for new installations (see
  `Packet filtering').  With this enabled, you should be able to use
  the ipfwadm tool exactly as in 2.0 kernels.

  If you want to compile it as a module, say M here and read
  <file:Documentation/modules.txt>.  If unsure, say `N'.