#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_QUEUE
	tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
	depends on INET && IPV6 && NETFILTER
	depends on NETFILTER_ADVANCED
	---help---

	  This option adds a queue handler to the kernel for IPv6
	  packets which enables users to receive the filtered packets
	  with QUEUE target using libipq.

	  This option enables the old IPv6-only "ip6_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  (C) Fernando Anton 2001
	  IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
	  Universidad Carlos III de Madrid
	  Universidad Politecnica de Alcala de Henares
	  email: <fanton@it.uc3m.es>.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  Compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" match support'
	depends on NETFILTER_ADVANCED
	help
	  HL matching allows you to match packets based on the hop
	  limit of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
config IP6_NF_TARGET_LOG
	tristate "LOG target support"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which record the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_HL
	tristate 'HL (hoplimit) target support'
	depends on IP6_NF_MANGLE
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `HL' target, which enables the user to decrement
	  the hoplimit value of the IPv6 header or set it to a given (lower)
	  value.

	  While it is safe to decrement the hoplimit value, this option also
	  enables functionality to increment and set the hoplimit value of the
	  IPv6 header to arbitrary values.  This is EXTREMELY DANGEROUS since
	  you can easily create immortal packets that loop forever on the
	  network.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `raw' table to ip6tables.  This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

endif # IP6_NF_IPTABLES

endmenu