| blob | d395d1590699d870969a760bcb6aa258ed4d03e3 |
1 #
2 # IP netfilter configuration
3 #
5 menu "IPv6: Netfilter Configuration"
6 depends on INET && IPV6 && NETFILTER
8 config NF_DEFRAG_IPV6
9 tristate
10 default n
12 config NF_CONNTRACK_IPV6
13 tristate "IPv6 connection tracking support"
14 depends on INET && IPV6 && NF_CONNTRACK
15 default m if NETFILTER_ADVANCED=n
16 select NF_DEFRAG_IPV6
17 ---help---
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are related
20 into connections.
22 This is IPv6 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is experimental scheme
24 which generalize ip_conntrack to support other layer 3 protocols.
26 To compile it as a module, choose M here. If unsure, say N.
28 config NF_SOCKET_IPV6
29 tristate "IPv6 socket lookup support"
30 help
31 This option enables the IPv6 socket lookup infrastructure. This
32 is used by the ip6tables socket match.
34 if NF_TABLES
36 config NF_TABLES_IPV6
37 tristate "IPv6 nf_tables support"
38 help
39 This option enables the IPv6 support for nf_tables.
41 if NF_TABLES_IPV6
43 config NFT_CHAIN_ROUTE_IPV6
44 tristate "IPv6 nf_tables route chain support"
45 help
46 This option enables the "route" chain for IPv6 in nf_tables. This
47 chain type is used to force packet re-routing after mangling header
48 fields such as the source, destination, flowlabel, hop-limit and
49 the packet mark.
51 config NFT_REJECT_IPV6
52 select NF_REJECT_IPV6
53 default NFT_REJECT
54 tristate
56 config NFT_DUP_IPV6
57 tristate "IPv6 nf_tables packet duplication support"
58 depends on !NF_CONNTRACK || NF_CONNTRACK
59 select NF_DUP_IPV6
60 help
61 This module enables IPv6 packet duplication support for nf_tables.
63 config NFT_FIB_IPV6
64 tristate "nf_tables fib / ipv6 route lookup support"
65 select NFT_FIB
66 help
67 This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
68 It also allows query of the FIB for the route type, e.g. local, unicast,
69 multicast or blackhole.
71 endif # NF_TABLES_IPV6
72 endif # NF_TABLES
74 config NF_FLOW_TABLE_IPV6
75 tristate "Netfilter flow table IPv6 module"
76 depends on NF_FLOW_TABLE
77 help
78 This option adds the flow table IPv6 support.
80 To compile it as a module, choose M here.
82 config NF_DUP_IPV6
83 tristate "Netfilter IPv6 packet duplication to alternate destination"
84 depends on !NF_CONNTRACK || NF_CONNTRACK
85 help
86 This option enables the nf_dup_ipv6 core, which duplicates an IPv6
87 packet to be rerouted to another destination.
89 config NF_REJECT_IPV6
90 tristate "IPv6 packet rejection"
91 default m if NETFILTER_ADVANCED=n
93 config NF_LOG_IPV6
94 tristate "IPv6 packet logging"
95 default m if NETFILTER_ADVANCED=n
96 select NF_LOG_COMMON
98 config NF_NAT_IPV6
99 tristate "IPv6 NAT"
100 depends on NF_CONNTRACK_IPV6
101 depends on NETFILTER_ADVANCED
102 select NF_NAT
103 help
104 The IPv6 NAT option allows masquerading, port forwarding and other
105 forms of full Network Address Port Translation. This can be
106 controlled by iptables or nft.
108 if NF_NAT_IPV6
110 config NFT_CHAIN_NAT_IPV6
111 depends on NF_TABLES_IPV6
112 tristate "IPv6 nf_tables nat chain support"
113 help
114 This option enables the "nat" chain for IPv6 in nf_tables. This
115 chain type is used to perform Network Address Translation (NAT)
116 packet transformations such as the source, destination address and
117 source and destination ports.
119 config NF_NAT_MASQUERADE_IPV6
120 tristate "IPv6 masquerade support"
121 help
122 This is the kernel functionality to provide NAT in the masquerade
123 flavour (automatic source address selection) for IPv6.
125 config NFT_MASQ_IPV6
126 tristate "IPv6 masquerade support for nf_tables"
127 depends on NF_TABLES_IPV6
128 depends on NFT_MASQ
129 select NF_NAT_MASQUERADE_IPV6
130 help
131 This is the expression that provides IPv4 masquerading support for
132 nf_tables.
134 config NFT_REDIR_IPV6
135 tristate "IPv6 redirect support for nf_tables"
136 depends on NF_TABLES_IPV6
137 depends on NFT_REDIR
138 select NF_NAT_REDIRECT
139 help
140 This is the expression that provides IPv4 redirect support for
141 nf_tables.
143 endif # NF_NAT_IPV6
145 config IP6_NF_IPTABLES
146 tristate "IP6 tables support (required for filtering)"
147 depends on INET && IPV6
148 select NETFILTER_XTABLES
149 default m if NETFILTER_ADVANCED=n
150 help
151 ip6tables is a general, extensible packet identification framework.
152 Currently only the packet filtering and packet mangling subsystem
153 for IPv6 use this, but connection tracking is going to follow.
154 Say 'Y' or 'M' here if you want to use either of those.
156 To compile it as a module, choose M here. If unsure, say N.
158 if IP6_NF_IPTABLES
160 # The simple matches.
161 config IP6_NF_MATCH_AH
162 tristate '"ah" match support'
163 depends on NETFILTER_ADVANCED
164 help
165 This module allows one to match AH packets.
167 To compile it as a module, choose M here. If unsure, say N.
169 config IP6_NF_MATCH_EUI64
170 tristate '"eui64" address check'
171 depends on NETFILTER_ADVANCED
172 help
173 This module performs checking on the IPv6 source address
174 Compares the last 64 bits with the EUI64 (delivered
175 from the MAC address) address
177 To compile it as a module, choose M here. If unsure, say N.
179 config IP6_NF_MATCH_FRAG
180 tristate '"frag" Fragmentation header match support'
181 depends on NETFILTER_ADVANCED
182 help
183 frag matching allows you to match packets based on the fragmentation
184 header of the packet.
186 To compile it as a module, choose M here. If unsure, say N.
188 config IP6_NF_MATCH_OPTS
189 tristate '"hbh" hop-by-hop and "dst" opts header match support'
190 depends on NETFILTER_ADVANCED
191 help
192 This allows one to match packets based on the hop-by-hop
193 and destination options headers of a packet.
195 To compile it as a module, choose M here. If unsure, say N.
197 config IP6_NF_MATCH_HL
198 tristate '"hl" hoplimit match support'
199 depends on NETFILTER_ADVANCED
200 select NETFILTER_XT_MATCH_HL
201 ---help---
202 This is a backwards-compat option for the user's convenience
203 (e.g. when running oldconfig). It selects
204 CONFIG_NETFILTER_XT_MATCH_HL.
206 config IP6_NF_MATCH_IPV6HEADER
207 tristate '"ipv6header" IPv6 Extension Headers Match'
208 default m if NETFILTER_ADVANCED=n
209 help
210 This module allows one to match packets based upon
211 the ipv6 extension headers.
213 To compile it as a module, choose M here. If unsure, say N.
215 config IP6_NF_MATCH_MH
216 tristate '"mh" match support'
217 depends on NETFILTER_ADVANCED
218 help
219 This module allows one to match MH packets.
221 To compile it as a module, choose M here. If unsure, say N.
223 config IP6_NF_MATCH_RPFILTER
224 tristate '"rpfilter" reverse path filter match support'
225 depends on NETFILTER_ADVANCED
226 depends on IP6_NF_MANGLE || IP6_NF_RAW
227 ---help---
228 This option allows you to match packets whose replies would
229 go out via the interface the packet came in.
231 To compile it as a module, choose M here. If unsure, say N.
232 The module will be called ip6t_rpfilter.
234 config IP6_NF_MATCH_RT
235 tristate '"rt" Routing header match support'
236 depends on NETFILTER_ADVANCED
237 help
238 rt matching allows you to match packets based on the routing
239 header of the packet.
241 To compile it as a module, choose M here. If unsure, say N.
243 config IP6_NF_MATCH_SRH
244 tristate '"srh" Segment Routing header match support'
245 depends on NETFILTER_ADVANCED
246 help
247 srh matching allows you to match packets based on the segment
248 routing header of the packet.
250 To compile it as a module, choose M here. If unsure, say N.
252 # The targets
253 config IP6_NF_TARGET_HL
254 tristate '"HL" hoplimit target support'
255 depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
256 select NETFILTER_XT_TARGET_HL
257 ---help---
258 This is a backwards-compatible option for the user's convenience
259 (e.g. when running oldconfig). It selects
260 CONFIG_NETFILTER_XT_TARGET_HL.
262 config IP6_NF_FILTER
263 tristate "Packet filtering"
264 default m if NETFILTER_ADVANCED=n
265 help
266 Packet filtering defines a table `filter', which has a series of
267 rules for simple packet filtering at local input, forwarding and
268 local output. See the man page for iptables(8).
270 To compile it as a module, choose M here. If unsure, say N.
272 config IP6_NF_TARGET_REJECT
273 tristate "REJECT target support"
274 depends on IP6_NF_FILTER
275 select NF_REJECT_IPV6
276 default m if NETFILTER_ADVANCED=n
277 help
278 The REJECT target allows a filtering rule to specify that an ICMPv6
279 error should be issued in response to an incoming packet, rather
280 than silently being dropped.
282 To compile it as a module, choose M here. If unsure, say N.
284 config IP6_NF_TARGET_SYNPROXY
285 tristate "SYNPROXY target support"
286 depends on NF_CONNTRACK && NETFILTER_ADVANCED
287 select NETFILTER_SYNPROXY
288 select SYN_COOKIES
289 help
290 The SYNPROXY target allows you to intercept TCP connections and
291 establish them using syncookies before they are passed on to the
292 server. This allows to avoid conntrack and server resource usage
293 during SYN-flood attacks.
295 To compile it as a module, choose M here. If unsure, say N.
297 config IP6_NF_MANGLE
298 tristate "Packet mangling"
299 default m if NETFILTER_ADVANCED=n
300 help
301 This option adds a `mangle' table to iptables: see the man page for
302 iptables(8). This table is used for various packet alterations
303 which can effect how the packet is routed.
305 To compile it as a module, choose M here. If unsure, say N.
307 config IP6_NF_RAW
308 tristate 'raw table support (required for TRACE)'
309 help
310 This option adds a `raw' table to ip6tables. This table is the very
311 first in the netfilter framework and hooks in at the PREROUTING
312 and OUTPUT chains.
314 If you want to compile it as a module, say M here and read
315 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
317 # security table for MAC policy
318 config IP6_NF_SECURITY
319 tristate "Security table"
320 depends on SECURITY
321 depends on NETFILTER_ADVANCED
322 help
323 This option adds a `security' table to iptables, for use
324 with Mandatory Access Control (MAC) policy.
326 If unsure, say N.
328 config IP6_NF_NAT
329 tristate "ip6tables NAT support"
330 depends on NF_CONNTRACK_IPV6
331 depends on NETFILTER_ADVANCED
332 select NF_NAT
333 select NF_NAT_IPV6
334 select NETFILTER_XT_NAT
335 help
336 This enables the `nat' table in ip6tables. This allows masquerading,
337 port forwarding and other forms of full Network Address Port
338 Translation.
340 To compile it as a module, choose M here. If unsure, say N.
342 if IP6_NF_NAT
344 config IP6_NF_TARGET_MASQUERADE
345 tristate "MASQUERADE target support"
346 select NF_NAT_MASQUERADE_IPV6
347 help
348 Masquerading is a special case of NAT: all outgoing connections are
349 changed to seem to come from a particular interface's address, and
350 if the interface goes down, those connections are lost. This is
351 only useful for dialup accounts with dynamic IP address (ie. your IP
352 address will be different on next dialup).
354 To compile it as a module, choose M here. If unsure, say N.
356 config IP6_NF_TARGET_NPT
357 tristate "NPT (Network Prefix translation) target support"
358 help
359 This option adds the `SNPT' and `DNPT' target, which perform
360 stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
362 To compile it as a module, choose M here. If unsure, say N.
364 endif # IP6_NF_NAT
366 endif # IP6_NF_IPTABLES
368 endmenu