netfilter: xtables: use "if" blocks in Kconfig

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_IPTABLES

# The matches.

config IP_NF_MATCH_ADDRTYPE

	tristate '"addrtype" address type match support'

	depends on IP_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  This option allows you to match what routing thinks of an address,

config IP_NF_MATCH_AH

	tristate '"ah" match support'

	depends on IP_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  This match extension allows you to match a range of SPIs

config IP_NF_MATCH_ECN

	tristate '"ecn" match support'

	depends on IP_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  This option adds a `ECN' match, which allows you to match against

config IP_NF_MATCH_TTL

	tristate '"ttl" match support'

	depends on IP_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user

# `filter', generic and specific targets

config IP_NF_FILTER

	tristate "Packet filtering"

	depends on IP_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	help

	  Packet filtering defines a table `filter', which has a series of

config IP_NF_TARGET_LOG

	tristate "LOG target support"

	depends on IP_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	help

	  This option adds a `LOG' target, which allows you to create rules in

config IP_NF_TARGET_ULOG

	tristate "ULOG target support"

	depends on IP_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	---help---

# NAT + specific targets: nf_conntrack

config NF_NAT

	tristate "Full NAT"

	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4

	depends on NF_CONNTRACK_IPV4

	default m if NETFILTER_ADVANCED=n

	help

	  The Full NAT option allows masquerading, port forwarding and other

config NF_NAT_FTP

	tristate

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT

	depends on NF_CONNTRACK && NF_NAT

	default NF_NAT && NF_CONNTRACK_FTP

config NF_NAT_IRC

	tristate

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT

	depends on NF_CONNTRACK && NF_NAT

	default NF_NAT && NF_CONNTRACK_IRC

config NF_NAT_TFTP

	tristate

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT

	depends on NF_CONNTRACK && NF_NAT

	default NF_NAT && NF_CONNTRACK_TFTP

config NF_NAT_AMANDA

	tristate

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT

	depends on NF_CONNTRACK && NF_NAT

	default NF_NAT && NF_CONNTRACK_AMANDA

config NF_NAT_PPTP

	tristate

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT

	depends on NF_CONNTRACK && NF_NAT

	default NF_NAT && NF_CONNTRACK_PPTP

	select NF_NAT_PROTO_GRE

config NF_NAT_H323

	tristate

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT

	depends on NF_CONNTRACK && NF_NAT

	default NF_NAT && NF_CONNTRACK_H323

config NF_NAT_SIP

	tristate

	depends on IP_NF_IPTABLES && NF_CONNTRACK && NF_NAT

	depends on NF_CONNTRACK && NF_NAT

	default NF_NAT && NF_CONNTRACK_SIP

# mangle + specific targets

config IP_NF_MANGLE

	tristate "Packet mangling"

	depends on IP_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	help

	  This option adds a `mangle' table to iptables: see the man page for

# raw + specific targets

config IP_NF_RAW

	tristate  'raw table support (required for NOTRACK/TRACE)'

	depends on IP_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  This option adds a `raw' table to iptables. This table is the very

# security table for MAC policy

config IP_NF_SECURITY

	tristate "Security table"

	depends on IP_NF_IPTABLES

	depends on SECURITY

	depends on NETFILTER_ADVANCED

	help

	  If unsure, say N.

endif # IP_NF_IPTABLES

# ARP tables

config IP_NF_ARPTABLES

	tristate "ARP tables support"

	  To compile it as a module, choose M here.  If unsure, say N.

if IP_NF_ARPTABLES

config IP_NF_ARPFILTER

	tristate "ARP packet filtering"

	depends on IP_NF_ARPTABLES

	help

	  ARP packet filtering defines a table `filter', which has a series of

	  rules for simple ARP packet filtering at local input and

config IP_NF_ARP_MANGLE

	tristate "ARP payload mangling"

	depends on IP_NF_ARPTABLES

	help

	  Allows altering the ARP packet payload: source and destination

	  hardware and network addresses.

endif # IP_NF_ARPTABLES

endmenu

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.

config IP6_NF_MATCH_AH

	tristate '"ah" match support'

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  This module allows one to match AH packets.

config IP6_NF_MATCH_EUI64

	tristate '"eui64" address check'

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  This module performs checking on the IPv6 source address

config IP6_NF_MATCH_FRAG

	tristate '"frag" Fragmentation header match support'

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  frag matching allows you to match packets based on the fragmentation

config IP6_NF_MATCH_OPTS

	tristate '"hbh" hop-by-hop and "dst" opts header match support'

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  This allows one to match packets based on the hop-by-hop

config IP6_NF_MATCH_HL

	tristate '"hl" match support'

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  HL matching allows you to match packets based on the hop

config IP6_NF_MATCH_IPV6HEADER

	tristate '"ipv6header" IPv6 Extension Headers Match'

	depends on IP6_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	help

	  This module allows one to match packets based upon

config IP6_NF_MATCH_MH

	tristate '"mh" match support'

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  This module allows one to match MH packets.

config IP6_NF_MATCH_RT

	tristate '"rt" Routing header match support'

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  rt matching allows you to match packets based on the routing

# The targets

config IP6_NF_TARGET_LOG

	tristate "LOG target support"

	depends on IP6_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	help

	  This option adds a `LOG' target, which allows you to create rules in

config IP6_NF_FILTER

	tristate "Packet filtering"

	depends on IP6_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	help

	  Packet filtering defines a table `filter', which has a series of

config IP6_NF_MANGLE

	tristate "Packet mangling"

	depends on IP6_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	help

	  This option adds a `mangle' table to iptables: see the man page for

config IP6_NF_RAW

	tristate  'raw table support (required for TRACE)'

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	  This option adds a `raw' table to ip6tables. This table is the very

# security table for MAC policy

config IP6_NF_SECURITY

       tristate "Security table"

       depends on IP6_NF_IPTABLES

       depends on SECURITY

       depends on NETFILTER_ADVANCED

       help

         If unsure, say N.

endif # IP6_NF_IPTABLES

endmenu

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_CONNTRACK

config NF_CT_ACCT

	bool "Connection tracking flow accounting"

	depends on NETFILTER_ADVANCED

	depends on NF_CONNTRACK

	help

	  If this option is enabled, the connection tracking code will

	  keep per-flow packet and byte counters.

config NF_CONNTRACK_MARK

	bool  'Connection mark tracking support'

	depends on NETFILTER_ADVANCED

	depends on NF_CONNTRACK

	help

	  This option enables support for connection marks, used by the

	  `CONNMARK' target and `connmark' match. Similar to the mark value

config NF_CONNTRACK_SECMARK

	bool  'Connection tracking security mark support'

	depends on NF_CONNTRACK && NETWORK_SECMARK

	depends on NETWORK_SECMARK

	default m if NETFILTER_ADVANCED=n

	help

	  This option enables security markings to be applied to

config NF_CONNTRACK_EVENTS

	bool "Connection tracking events"

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	help

	  If this option is enabled, the connection tracking code will

config NF_CT_PROTO_DCCP

	tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'

	depends on EXPERIMENTAL && NF_CONNTRACK

	depends on EXPERIMENTAL

	depends on NETFILTER_ADVANCED

	default IP_DCCP

	help

config NF_CT_PROTO_GRE

	tristate

	depends on NF_CONNTRACK

config NF_CT_PROTO_SCTP

	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'

	depends on EXPERIMENTAL && NF_CONNTRACK

	depends on EXPERIMENTAL

	depends on NETFILTER_ADVANCED

	default IP_SCTP

	help

config NF_CT_PROTO_UDPLITE

	tristate 'UDP-Lite protocol connection tracking support'

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	help

	  With this option enabled, the layer 3 independent connection

config NF_CONNTRACK_AMANDA

	tristate "Amanda backup protocol support"

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	select TEXTSEARCH

	select TEXTSEARCH_KMP

config NF_CONNTRACK_FTP

	tristate "FTP protocol support"

	depends on NF_CONNTRACK

	default m if NETFILTER_ADVANCED=n

	help

	  Tracking FTP connections is problematic: special helpers are

config NF_CONNTRACK_H323

	tristate "H.323 protocol support"

	depends on NF_CONNTRACK && (IPV6 || IPV6=n)

	depends on (IPV6 || IPV6=n)

	depends on NETFILTER_ADVANCED

	help

	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most

config NF_CONNTRACK_IRC

	tristate "IRC protocol support"

	depends on NF_CONNTRACK

	default m if NETFILTER_ADVANCED=n

	help

	  There is a commonly-used extension to IRC called

config NF_CONNTRACK_NETBIOS_NS

	tristate "NetBIOS name service protocol support"

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	help

	  NetBIOS name service requests are sent as broadcast messages from an

config NF_CONNTRACK_PPTP

	tristate "PPtP protocol support"

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	select NF_CT_PROTO_GRE

	help

config NF_CONNTRACK_SANE

	tristate "SANE protocol support (EXPERIMENTAL)"

	depends on EXPERIMENTAL && NF_CONNTRACK

	depends on EXPERIMENTAL

	depends on NETFILTER_ADVANCED

	help

	  SANE is a protocol for remote access to scanners as implemented

config NF_CONNTRACK_SIP

	tristate "SIP protocol support"

	depends on NF_CONNTRACK

	default m if NETFILTER_ADVANCED=n

	help

	  SIP is an application-layer control protocol that can establish,

config NF_CONNTRACK_TFTP

	tristate "TFTP protocol support"

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	help

	  TFTP connection tracking helper, this is required depending

config NF_CT_NETLINK

	tristate 'Connection tracking netlink interface'

	depends on NF_CONNTRACK

	select NETFILTER_NETLINK

	depends on NF_NAT=n || NF_NAT

	default m if NETFILTER_ADVANCED=n

	  To compile it as a module, choose M here.  If unsure, say N.

endif # NF_CONNTRACK

config NETFILTER_XTABLES

	tristate "Netfilter Xtables support (required for ip_tables)"

	default m if NETFILTER_ADVANCED=n

	  This is required if you intend to use any of ip_tables,

	  ip6_tables or arp_tables.

if NETFILTER_XTABLES

# alphabetically ordered list of targets

config NETFILTER_XT_TARGET_CLASSIFY

	tristate '"CLASSIFY" target support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  This option adds a `CLASSIFY' target, which enables the user to set

config NETFILTER_XT_TARGET_CONNMARK

	tristate  '"CONNMARK" target support'

	depends on NETFILTER_XTABLES

	depends on IP_NF_MANGLE || IP6_NF_MANGLE

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

config NETFILTER_XT_TARGET_CONNSECMARK

	tristate '"CONNSECMARK" target support'

	depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK

	depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK

	default m if NETFILTER_ADVANCED=n

	help

	  The CONNSECMARK target copies security markings from packets

config NETFILTER_XT_TARGET_DSCP

	tristate '"DSCP" and "TOS" target support'

	depends on NETFILTER_XTABLES

	depends on IP_NF_MANGLE || IP6_NF_MANGLE

	depends on NETFILTER_ADVANCED

	help

config NETFILTER_XT_TARGET_MARK

	tristate '"MARK" target support'

	depends on NETFILTER_XTABLES

	default m if NETFILTER_ADVANCED=n

	help

	  This option adds a `MARK' target, which allows you to create rules

config NETFILTER_XT_TARGET_NFLOG

	tristate '"NFLOG" target support'

	depends on NETFILTER_XTABLES

	default m if NETFILTER_ADVANCED=n

	help

	  This option enables the NFLOG target, which allows to LOG

config NETFILTER_XT_TARGET_NFQUEUE

	tristate '"NFQUEUE" target Support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  This target replaced the old obsolete QUEUE target.

config NETFILTER_XT_TARGET_NOTRACK

	tristate  '"NOTRACK" target support'

	depends on NETFILTER_XTABLES

	depends on IP_NF_RAW || IP6_NF_RAW

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

config NETFILTER_XT_TARGET_RATEEST

	tristate '"RATEEST" target support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  This option adds a `RATEEST' target, which allows to measure

config NETFILTER_XT_TARGET_TRACE

	tristate  '"TRACE" target support'

	depends on NETFILTER_XTABLES

	depends on IP_NF_RAW || IP6_NF_RAW

	depends on NETFILTER_ADVANCED

	help

config NETFILTER_XT_TARGET_SECMARK

	tristate '"SECMARK" target support'

	depends on NETFILTER_XTABLES && NETWORK_SECMARK

	depends on NETWORK_SECMARK

	default m if NETFILTER_ADVANCED=n

	help

	  The SECMARK target allows security marking of network

config NETFILTER_XT_TARGET_TCPMSS

	tristate '"TCPMSS" target support'

	depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)

	depends on (IPV6 || IPV6=n)

	default m if NETFILTER_ADVANCED=n

	---help---

	  This option adds a `TCPMSS' target, which allows you to alter the

config NETFILTER_XT_TARGET_TCPOPTSTRIP

	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'

	depends on EXPERIMENTAL && NETFILTER_XTABLES

	depends on EXPERIMENTAL

	depends on IP_NF_MANGLE || IP6_NF_MANGLE

	depends on NETFILTER_ADVANCED

	help

config NETFILTER_XT_MATCH_COMMENT

	tristate  '"comment" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  This option adds a `comment' dummy-match, which allows you to put

config NETFILTER_XT_MATCH_CONNBYTES

	tristate  '"connbytes" per-connection counter match support'

	depends on NETFILTER_XTABLES

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	select NF_CT_ACCT

config NETFILTER_XT_MATCH_CONNLIMIT

	tristate '"connlimit" match support"'

	depends on NETFILTER_XTABLES

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	---help---

config NETFILTER_XT_MATCH_CONNMARK

	tristate  '"connmark" connection mark match support'

	depends on NETFILTER_XTABLES

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	select NF_CONNTRACK_MARK

config NETFILTER_XT_MATCH_CONNTRACK

	tristate '"conntrack" connection tracking match support'

	depends on NETFILTER_XTABLES

	depends on NF_CONNTRACK

	default m if NETFILTER_ADVANCED=n

	help

config NETFILTER_XT_MATCH_DCCP

	tristate '"dccp" protocol match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	default IP_DCCP

	help

config NETFILTER_XT_MATCH_DSCP

	tristate '"dscp" and "tos" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  This option adds a `DSCP' match, which allows you to match against

config NETFILTER_XT_MATCH_ESP

	tristate '"esp" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  This match extension allows you to match a range of SPIs

config NETFILTER_XT_MATCH_HASHLIMIT

	tristate '"hashlimit" match support'

	depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)

	depends on (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)

	depends on NETFILTER_ADVANCED

	help

	  This option adds a `hashlimit' match.

config NETFILTER_XT_MATCH_HELPER

	tristate '"helper" match support'

	depends on NETFILTER_XTABLES

	depends on NF_CONNTRACK

	depends on NETFILTER_ADVANCED

	help

config NETFILTER_XT_MATCH_IPRANGE

	tristate '"iprange" address range match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	---help---

	This option adds a "iprange" match, which allows you to match based on

config NETFILTER_XT_MATCH_LENGTH

	tristate '"length" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  This option allows you to match the length of a packet against a

config NETFILTER_XT_MATCH_LIMIT

	tristate '"limit" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  limit matching allows you to control the rate at which a rule can be

config NETFILTER_XT_MATCH_MAC

	tristate '"mac" address match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  MAC matching allows you to match packets based on the source

config NETFILTER_XT_MATCH_MARK

	tristate '"mark" match support'

	depends on NETFILTER_XTABLES

	default m if NETFILTER_ADVANCED=n

	help

	  Netfilter mark matching allows you to match packets based on the

config NETFILTER_XT_MATCH_MULTIPORT

	tristate '"multiport" Multiple port match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  Multiport matching allows you to match TCP or UDP packets based on

config NETFILTER_XT_MATCH_OWNER

	tristate '"owner" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	---help---

	Socket owner matching allows you to match locally-generated packets

config NETFILTER_XT_MATCH_POLICY

	tristate 'IPsec "policy" match support'

	depends on NETFILTER_XTABLES && XFRM

	depends on XFRM

	default m if NETFILTER_ADVANCED=n

	help

	  Policy matching allows you to match packets based on the

config NETFILTER_XT_MATCH_PHYSDEV

	tristate '"physdev" match support'

	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER

	depends on BRIDGE && BRIDGE_NETFILTER

	depends on NETFILTER_ADVANCED

	help

	  Physdev packet matching matches against the physical bridge ports

config NETFILTER_XT_MATCH_PKTTYPE

	tristate '"pkttype" packet type match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  Packet type matching allows you to match a packet by

config NETFILTER_XT_MATCH_QUOTA

	tristate '"quota" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  This option adds a `quota' match, which allows to match on a

config NETFILTER_XT_MATCH_RATEEST

	tristate '"rateest" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	select NETFILTER_XT_TARGET_RATEEST

	help

config NETFILTER_XT_MATCH_REALM

	tristate  '"realm" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	select NET_CLS_ROUTE

	help

config NETFILTER_XT_MATCH_RECENT

	tristate '"recent" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	---help---

	This match is used for creating one or many lists of recently

config NETFILTER_XT_MATCH_SCTP

	tristate  '"sctp" protocol match support (EXPERIMENTAL)'

	depends on NETFILTER_XTABLES && EXPERIMENTAL

	depends on EXPERIMENTAL

	depends on NETFILTER_ADVANCED

	default IP_SCTP

	help

config NETFILTER_XT_MATCH_STATE

	tristate '"state" match support'

	depends on NETFILTER_XTABLES

	depends on NF_CONNTRACK

	default m if NETFILTER_ADVANCED=n

	help

config NETFILTER_XT_MATCH_STATISTIC

	tristate '"statistic" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  This option adds a `statistic' match, which allows you to match

config NETFILTER_XT_MATCH_STRING

	tristate  '"string" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	select TEXTSEARCH

	select TEXTSEARCH_KMP

config NETFILTER_XT_MATCH_TCPMSS

	tristate '"tcpmss" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	  This option adds a `tcpmss' match, which allows you to examine the

config NETFILTER_XT_MATCH_TIME

	tristate '"time" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	---help---

	  This option adds a "time" match, which allows you to match based on

config NETFILTER_XT_MATCH_U32

	tristate '"u32" match support'

	depends on NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	---help---

	  u32 allows you to extract quantities of up to 4 bytes from a packet,

	  Details and examples are in the kernel module source.

endmenu

endif # NETFILTER_XTABLES

endmenu