1# SPDX-License-Identifier: GPL-2.0-only 2# 3# IP netfilter configuration 4# 5 6menu "IPv6: Netfilter Configuration" 7 depends on INET && IPV6 && NETFILTER 8 9config NF_SOCKET_IPV6 10 tristate "IPv6 socket lookup support" 11 help 12 This option enables the IPv6 socket lookup infrastructure. This 13 is used by the {ip6,nf}tables socket match. 14 15config NF_TPROXY_IPV6 16 tristate "IPv6 tproxy support" 17 18if NF_TABLES 19 20config NF_TABLES_IPV6 21 bool "IPv6 nf_tables support" 22 help 23 This option enables the IPv6 support for nf_tables. 24 25if NF_TABLES_IPV6 26 27config NFT_REJECT_IPV6 28 select NF_REJECT_IPV6 29 default NFT_REJECT 30 tristate 31 32config NFT_DUP_IPV6 33 tristate "IPv6 nf_tables packet duplication support" 34 depends on !NF_CONNTRACK || NF_CONNTRACK 35 select NF_DUP_IPV6 36 help 37 This module enables IPv6 packet duplication support for nf_tables. 38 39config NFT_FIB_IPV6 40 tristate "nf_tables fib / ipv6 route lookup support" 41 select NFT_FIB 42 help 43 This module enables IPv6 FIB lookups, e.g. for reverse path filtering. 44 It also allows query of the FIB for the route type, e.g. local, unicast, 45 multicast or blackhole. 46 47endif # NF_TABLES_IPV6 48endif # NF_TABLES 49 50config NF_FLOW_TABLE_IPV6 51 tristate "Netfilter flow table IPv6 module" 52 depends on NF_FLOW_TABLE 53 help 54 This option adds the flow table IPv6 support. 55 56 To compile it as a module, choose M here. 57 58config NF_DUP_IPV6 59 tristate "Netfilter IPv6 packet duplication to alternate destination" 60 depends on !NF_CONNTRACK || NF_CONNTRACK 61 help 62 This option enables the nf_dup_ipv6 core, which duplicates an IPv6 63 packet to be rerouted to another destination. 64 65config NF_REJECT_IPV6 66 tristate "IPv6 packet rejection" 67 default m if NETFILTER_ADVANCED=n 68 69config NF_LOG_IPV6 70 tristate "IPv6 packet logging" 71 default m if NETFILTER_ADVANCED=n 72 select NF_LOG_COMMON 73 74config IP6_NF_IPTABLES 75 tristate "IP6 tables support (required for filtering)" 76 depends on INET && IPV6 77 select NETFILTER_XTABLES 78 default m if NETFILTER_ADVANCED=n 79 help 80 ip6tables is a general, extensible packet identification framework. 81 Currently only the packet filtering and packet mangling subsystem 82 for IPv6 use this, but connection tracking is going to follow. 83 Say 'Y' or 'M' here if you want to use either of those. 84 85 To compile it as a module, choose M here. If unsure, say N. 86 87if IP6_NF_IPTABLES 88 89# The simple matches. 90config IP6_NF_MATCH_AH 91 tristate '"ah" match support' 92 depends on NETFILTER_ADVANCED 93 help 94 This module allows one to match AH packets. 95 96 To compile it as a module, choose M here. If unsure, say N. 97 98config IP6_NF_MATCH_EUI64 99 tristate '"eui64" address check' 100 depends on NETFILTER_ADVANCED 101 help 102 This module performs checking on the IPv6 source address 103 Compares the last 64 bits with the EUI64 (delivered 104 from the MAC address) address 105 106 To compile it as a module, choose M here. If unsure, say N. 107 108config IP6_NF_MATCH_FRAG 109 tristate '"frag" Fragmentation header match support' 110 depends on NETFILTER_ADVANCED 111 help 112 frag matching allows you to match packets based on the fragmentation 113 header of the packet. 114 115 To compile it as a module, choose M here. If unsure, say N. 116 117config IP6_NF_MATCH_OPTS 118 tristate '"hbh" hop-by-hop and "dst" opts header match support' 119 depends on NETFILTER_ADVANCED 120 help 121 This allows one to match packets based on the hop-by-hop 122 and destination options headers of a packet. 123 124 To compile it as a module, choose M here. If unsure, say N. 125 126config IP6_NF_MATCH_HL 127 tristate '"hl" hoplimit match support' 128 depends on NETFILTER_ADVANCED 129 select NETFILTER_XT_MATCH_HL 130 help 131 This is a backwards-compat option for the user's convenience 132 (e.g. when running oldconfig). It selects 133 CONFIG_NETFILTER_XT_MATCH_HL. 134 135config IP6_NF_MATCH_IPV6HEADER 136 tristate '"ipv6header" IPv6 Extension Headers Match' 137 default m if NETFILTER_ADVANCED=n 138 help 139 This module allows one to match packets based upon 140 the ipv6 extension headers. 141 142 To compile it as a module, choose M here. If unsure, say N. 143 144config IP6_NF_MATCH_MH 145 tristate '"mh" match support' 146 depends on NETFILTER_ADVANCED 147 help 148 This module allows one to match MH packets. 149 150 To compile it as a module, choose M here. If unsure, say N. 151 152config IP6_NF_MATCH_RPFILTER 153 tristate '"rpfilter" reverse path filter match support' 154 depends on NETFILTER_ADVANCED 155 depends on IP6_NF_MANGLE || IP6_NF_RAW 156 help 157 This option allows you to match packets whose replies would 158 go out via the interface the packet came in. 159 160 To compile it as a module, choose M here. If unsure, say N. 161 The module will be called ip6t_rpfilter. 162 163config IP6_NF_MATCH_RT 164 tristate '"rt" Routing header match support' 165 depends on NETFILTER_ADVANCED 166 help 167 rt matching allows you to match packets based on the routing 168 header of the packet. 169 170 To compile it as a module, choose M here. If unsure, say N. 171 172config IP6_NF_MATCH_SRH 173 tristate '"srh" Segment Routing header match support' 174 depends on NETFILTER_ADVANCED 175 help 176 srh matching allows you to match packets based on the segment 177 routing header of the packet. 178 179 To compile it as a module, choose M here. If unsure, say N. 180 181# The targets 182config IP6_NF_TARGET_HL 183 tristate '"HL" hoplimit target support' 184 depends on NETFILTER_ADVANCED && IP6_NF_MANGLE 185 select NETFILTER_XT_TARGET_HL 186 help 187 This is a backwards-compatible option for the user's convenience 188 (e.g. when running oldconfig). It selects 189 CONFIG_NETFILTER_XT_TARGET_HL. 190 191config IP6_NF_FILTER 192 tristate "Packet filtering" 193 default m if NETFILTER_ADVANCED=n 194 help 195 Packet filtering defines a table `filter', which has a series of 196 rules for simple packet filtering at local input, forwarding and 197 local output. See the man page for iptables(8). 198 199 To compile it as a module, choose M here. If unsure, say N. 200 201config IP6_NF_TARGET_REJECT 202 tristate "REJECT target support" 203 depends on IP6_NF_FILTER 204 select NF_REJECT_IPV6 205 default m if NETFILTER_ADVANCED=n 206 help 207 The REJECT target allows a filtering rule to specify that an ICMPv6 208 error should be issued in response to an incoming packet, rather 209 than silently being dropped. 210 211 To compile it as a module, choose M here. If unsure, say N. 212 213config IP6_NF_TARGET_SYNPROXY 214 tristate "SYNPROXY target support" 215 depends on NF_CONNTRACK && NETFILTER_ADVANCED 216 select NETFILTER_SYNPROXY 217 select SYN_COOKIES 218 help 219 The SYNPROXY target allows you to intercept TCP connections and 220 establish them using syncookies before they are passed on to the 221 server. This allows to avoid conntrack and server resource usage 222 during SYN-flood attacks. 223 224 To compile it as a module, choose M here. If unsure, say N. 225 226config IP6_NF_MANGLE 227 tristate "Packet mangling" 228 default m if NETFILTER_ADVANCED=n 229 help 230 This option adds a `mangle' table to iptables: see the man page for 231 iptables(8). This table is used for various packet alterations 232 which can effect how the packet is routed. 233 234 To compile it as a module, choose M here. If unsure, say N. 235 236config IP6_NF_RAW 237 tristate 'raw table support (required for TRACE)' 238 help 239 This option adds a `raw' table to ip6tables. This table is the very 240 first in the netfilter framework and hooks in at the PREROUTING 241 and OUTPUT chains. 242 243 If you want to compile it as a module, say M here and read 244 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 245 246# security table for MAC policy 247config IP6_NF_SECURITY 248 tristate "Security table" 249 depends on SECURITY 250 depends on NETFILTER_ADVANCED 251 help 252 This option adds a `security' table to iptables, for use 253 with Mandatory Access Control (MAC) policy. 254 255 If unsure, say N. 256 257config IP6_NF_NAT 258 tristate "ip6tables NAT support" 259 depends on NF_CONNTRACK 260 depends on NETFILTER_ADVANCED 261 select NF_NAT 262 select NETFILTER_XT_NAT 263 help 264 This enables the `nat' table in ip6tables. This allows masquerading, 265 port forwarding and other forms of full Network Address Port 266 Translation. 267 268 To compile it as a module, choose M here. If unsure, say N. 269 270if IP6_NF_NAT 271 272config IP6_NF_TARGET_MASQUERADE 273 tristate "MASQUERADE target support" 274 select NETFILTER_XT_TARGET_MASQUERADE 275 help 276 This is a backwards-compat option for the user's convenience 277 (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE. 278 279config IP6_NF_TARGET_NPT 280 tristate "NPT (Network Prefix translation) target support" 281 help 282 This option adds the `SNPT' and `DNPT' target, which perform 283 stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296. 284 285 To compile it as a module, choose M here. If unsure, say N. 286 287endif # IP6_NF_NAT 288 289endif # IP6_NF_IPTABLES 290endmenu 291 292config NF_DEFRAG_IPV6 293 tristate 294