kconfig

h内核

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_MATCH_CONNMARK
	tristate  'Connection mark match support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES
	help
	  This option adds a `connmark' match, which allows you to match the
	  connection mark value previously set for the session by `CONNMARK'. 
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  The module will be called
	  ipt_connmark.o.  If unsure, say `N'.

config IP_NF_MATCH_HASHLIMIT
	tristate  'hashlimit match support'
	depends on IP_NF_IPTABLES
	help
	  This option adds a new iptables `hashlimit' match.  

	  As opposed to `limit', this match dynamically crates a hash table
	  of limit buckets, based on your selection of source/destination
	  ip addresses and/or ports.

	  It enables you to express policies like `10kpps for any given
	  destination IP' or `500pps from any given source IP'  with a single
	  IPtables rule.

# `filter', generic and specific targets
config IP_NF_FILTER
	tristate "Packet filtering"
	depends on IP_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMP
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ULOG
	tristate "ULOG target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option adds a `ULOG' target, which allows you to create rules in
	  any iptables table. The packet is passed to a userspace logging
	  daemon using netlink multicast sockets; unlike the LOG target
	  which can only be viewed through syslog.

	  The apropriate userspace logging daemon (ulogd) may be obtained from
	  <http://www.gnumonks.org/projects/ulogd/>

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TCPMSS
	tristate "TCPMSS target support"
	depends on IP_NF_IPTABLES
	---help---
	  This option adds a `TCPMSS' target, which allows you to alter the
	  MSS value of TCP SYN packets, to control the maximum size for that
	  connection (usually limiting it to your outgoing interface's MTU
	  minus 40).

	  This is used to overcome criminally braindead ISPs or servers which
	  block ICMP Fragmentation Needed packets.  The symptoms of this
	  problem are that everything works fine from your Linux
	  firewall/router, but machines behind it can never exchange large
	  packets:
	  	1) Web browsers connect, then hang with no data received.
	  	2) Small mail works fine, but large emails hang.
	  	3) ssh works fine, but scp hangs after initial handshaking.

	  Workaround: activate this option and add a rule to your firewall
	  configuration like:

	  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN \
	  		 -j TCPMSS --clamp-mss-to-pmtu

	  To compile it as a module, choose M here.  If unsure, say N.

# NAT + specific targets
config IP_NF_NAT
	tristate "Full NAT"
	depends on IP_NF_IPTABLES && IP_NF_CONNTRACK
	help
	  The Full NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation.  It is controlled by
	  the `nat' table in iptables: see the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_NEEDED
	bool
	depends on IP_NF_NAT != n
	default y

config IP_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	depends on IP_NF_NAT
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_REDIRECT
	tristate "REDIRECT target support"
	depends on IP_NF_NAT
	help
	  REDIRECT is a special case of NAT: all incoming connections are
	  mapped onto the incoming interface's address, causing the packets to
	  come to the local machine instead of passing through.  This is
	  useful for transparent proxies.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_NETMAP
	tristate "NETMAP target support"
	depends on IP_NF_NAT
	help
	  NETMAP is an implementation of static 1:1 NAT mapping of network
	  addresses. It maps the network address part, while keeping the host
	  address part intact. It is similar to Fast NAT, except that
	  Netfilter's connection tracking doesn't work well with Fast NAT.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_SAME
	tristate "SAME target support"
	depends on IP_NF_NAT
	help
	  This option adds a `SAME' target, which works like the standard SNAT
	  target, but attempts to give clients the same IP for all connections.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_SNMP_BASIC
	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
	depends on EXPERIMENTAL && IP_NF_NAT
	---help---

	  This module implements an Application Layer Gateway (ALG) for
	  SNMP payloads.  In conjunction with NAT, it allows a network
	  management system to access multiple private networks with
	  conflicting addresses.  It works by modifying IP addresses
	  inside SNMP payloads to match IP-layer NAT mapping.

	  This is the "basic" form of SNMP-ALG, as described in RFC 2962

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_NAT_IRC
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_IRC=y
	default m if IP_NF_IRC=m

# If they want FTP, set to $CONFIG_IP_NF_NAT (m or y), 
# or $CONFIG_IP_NF_FTP (m or y), whichever is weaker.  Argh.
config IP_NF_NAT_FTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_FTP=y
	default m if IP_NF_FTP=m

config IP_NF_NAT_TFTP
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_TFTP=y
	default m if IP_NF_TFTP=m

config IP_NF_NAT_AMANDA
	tristate
	depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
	default IP_NF_NAT if IP_NF_AMANDA=y
	default m if IP_NF_AMANDA=m

# mangle + specific targets
config IP_NF_MANGLE
	tristate "Packet mangling"
	depends on IP_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_TOS
	tristate "TOS target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `TOS' target, which allows you to create rules in
	  the `mangle' table which alter the Type Of Service field of an IP
	  packet prior to routing.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	---help---
	  This option adds a `ECN' target, which can be used in the iptables mangle
	  table.  

	  You can use this target to remove the ECN bits from the IPv4 header of
	  an IP packet.  This is particularly useful, if you need to work around
	  existing ECN blackholes on the internet, but don't want to disable
	  ECN support in general.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_DSCP
	tristate "DSCP target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `DSCP' match, which allows you to match against
	  the IPv4 header DSCP field (DSCP codepoint).

	  The DSCP codepoint can have any value between 0x0 and 0x4f.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CLASSIFY
	tristate "CLASSIFY target support"
	depends on IP_NF_MANGLE
	help
	  This option adds a `CLASSIFY' target, which enables the user to set
	  the priority of a packet. Some qdiscs can use this value for
	  classification, among these are:

  	  atm, cbq, dsmark, pfifo_fast, htb, prio

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_TARGET_CONNMARK
	tristate  'CONNMARK target support'
	depends on IP_NF_CONNTRACK_MARK && IP_NF_MANGLE
	help
	  This option adds a `CONNMARK' target, which allows one to manipulate
	  the connection mark value.  Similar to the MARK target, but
	  affects the connection mark value rather than the packet mark value.
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  The module will be called
	  ipt_CONNMARK.o.  If unsure, say `N'.

config IP_NF_TARGET_CLUSTERIP
	tristate "CLUSTERIP target support (EXPERIMENTAL)"
	depends on IP_NF_CONNTRACK_MARK && IP_NF_IPTABLES && EXPERIMENTAL
	help
	  The CLUSTERIP target allows you to build load-balancing clusters of
	  network servers without having a dedicated load-balancing
	  router/server/switch.
	
	  To compile it as a module, choose M here.  If unsure, say N.

# raw + specific targets
config IP_NF_RAW
	tristate  'raw table support (required for NOTRACK/TRACE)'
	depends on IP_NF_IPTABLES
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

config IP_NF_TARGET_NOTRACK
	tristate  'NOTRACK target support'
	depends on IP_NF_RAW
	depends on IP_NF_CONNTRACK
	help
	  The NOTRACK target allows a select rule to specify
	  which packets *not* to enter the conntrack/NAT
	  subsystem with all the consequences (no ICMP error tracking,
	  no protocol helpers for the selected packets).
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.


# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	depends on IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endmenu