• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1#
2# IP netfilter configuration
3#
4
5menu "IPv6: Netfilter Configuration"
6	depends on INET && IPV6 && NETFILTER
7
8config NF_DEFRAG_IPV6
9	tristate
10	default n
11
12config NF_CONNTRACK_IPV6
13	tristate "IPv6 connection tracking support"
14	depends on INET && IPV6 && NF_CONNTRACK
15	default m if NETFILTER_ADVANCED=n
16	select NF_DEFRAG_IPV6
17	---help---
18	  Connection tracking keeps a record of what packets have passed
19	  through your machine, in order to figure out how they are related
20	  into connections.
21
22	  This is IPv6 support on Layer 3 independent connection tracking.
23	  Layer 3 independent connection tracking is experimental scheme
24	  which generalize ip_conntrack to support other layer 3 protocols.
25
26	  To compile it as a module, choose M here.  If unsure, say N.
27
28config IP6_NF_IPTABLES
29	tristate "IP6 tables support (required for filtering)"
30	depends on INET && IPV6
31	select NETFILTER_XTABLES
32	default m if NETFILTER_ADVANCED=n
33	help
34	  ip6tables is a general, extensible packet identification framework.
35	  Currently only the packet filtering and packet mangling subsystem
36	  for IPv6 use this, but connection tracking is going to follow.
37	  Say 'Y' or 'M' here if you want to use either of those.
38
39	  To compile it as a module, choose M here.  If unsure, say N.
40
41if IP6_NF_IPTABLES
42
43# The simple matches.
44config IP6_NF_MATCH_AH
45	tristate '"ah" match support'
46	depends on NETFILTER_ADVANCED
47	help
48	  This module allows one to match AH packets.
49
50	  To compile it as a module, choose M here.  If unsure, say N.
51
52config IP6_NF_MATCH_EUI64
53	tristate '"eui64" address check'
54	depends on NETFILTER_ADVANCED
55	help
56	  This module performs checking on the IPv6 source address
57	  Compares the last 64 bits with the EUI64 (delivered
58	  from the MAC address) address
59
60	  To compile it as a module, choose M here.  If unsure, say N.
61
62config IP6_NF_MATCH_FRAG
63	tristate '"frag" Fragmentation header match support'
64	depends on NETFILTER_ADVANCED
65	help
66	  frag matching allows you to match packets based on the fragmentation
67	  header of the packet.
68
69	  To compile it as a module, choose M here.  If unsure, say N.
70
71config IP6_NF_MATCH_OPTS
72	tristate '"hbh" hop-by-hop and "dst" opts header match support'
73	depends on NETFILTER_ADVANCED
74	help
75	  This allows one to match packets based on the hop-by-hop
76	  and destination options headers of a packet.
77
78	  To compile it as a module, choose M here.  If unsure, say N.
79
80config IP6_NF_MATCH_HL
81	tristate '"hl" hoplimit match support'
82	depends on NETFILTER_ADVANCED
83	select NETFILTER_XT_MATCH_HL
84	---help---
85	This is a backwards-compat option for the user's convenience
86	(e.g. when running oldconfig). It selects
87	CONFIG_NETFILTER_XT_MATCH_HL.
88
89config IP6_NF_MATCH_IPV6HEADER
90	tristate '"ipv6header" IPv6 Extension Headers Match'
91	default m if NETFILTER_ADVANCED=n
92	help
93	  This module allows one to match packets based upon
94	  the ipv6 extension headers.
95
96	  To compile it as a module, choose M here.  If unsure, say N.
97
98config IP6_NF_MATCH_MH
99	tristate '"mh" match support'
100	depends on NETFILTER_ADVANCED
101	help
102	  This module allows one to match MH packets.
103
104	  To compile it as a module, choose M here.  If unsure, say N.
105
106config IP6_NF_MATCH_RPFILTER
107	tristate '"rpfilter" reverse path filter match support'
108	depends on NETFILTER_ADVANCED
109	depends on IP6_NF_MANGLE || IP6_NF_RAW
110	---help---
111	  This option allows you to match packets whose replies would
112	  go out via the interface the packet came in.
113
114	  To compile it as a module, choose M here.  If unsure, say N.
115	  The module will be called ip6t_rpfilter.
116
117config IP6_NF_MATCH_RT
118	tristate '"rt" Routing header match support'
119	depends on NETFILTER_ADVANCED
120	help
121	  rt matching allows you to match packets based on the routing
122	  header of the packet.
123
124	  To compile it as a module, choose M here.  If unsure, say N.
125
126# The targets
127config IP6_NF_TARGET_HL
128	tristate '"HL" hoplimit target support'
129	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
130	select NETFILTER_XT_TARGET_HL
131	---help---
132	This is a backwards-compatible option for the user's convenience
133	(e.g. when running oldconfig). It selects
134	CONFIG_NETFILTER_XT_TARGET_HL.
135
136config IP6_NF_FILTER
137	tristate "Packet filtering"
138	default m if NETFILTER_ADVANCED=n
139	help
140	  Packet filtering defines a table `filter', which has a series of
141	  rules for simple packet filtering at local input, forwarding and
142	  local output.  See the man page for iptables(8).
143
144	  To compile it as a module, choose M here.  If unsure, say N.
145
146config IP6_NF_TARGET_REJECT
147	tristate "REJECT target support"
148	depends on IP6_NF_FILTER
149	default m if NETFILTER_ADVANCED=n
150	help
151	  The REJECT target allows a filtering rule to specify that an ICMPv6
152	  error should be issued in response to an incoming packet, rather
153	  than silently being dropped.
154
155	  To compile it as a module, choose M here.  If unsure, say N.
156
157config IP6_NF_MANGLE
158	tristate "Packet mangling"
159	default m if NETFILTER_ADVANCED=n
160	help
161	  This option adds a `mangle' table to iptables: see the man page for
162	  iptables(8).  This table is used for various packet alterations
163	  which can effect how the packet is routed.
164
165	  To compile it as a module, choose M here.  If unsure, say N.
166
167config IP6_NF_RAW
168	tristate  'raw table support (required for TRACE)'
169	help
170	  This option adds a `raw' table to ip6tables. This table is the very
171	  first in the netfilter framework and hooks in at the PREROUTING
172	  and OUTPUT chains.
173
174	  If you want to compile it as a module, say M here and read
175	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
176
177# security table for MAC policy
178config IP6_NF_SECURITY
179       tristate "Security table"
180       depends on SECURITY
181       depends on NETFILTER_ADVANCED
182       help
183         This option adds a `security' table to iptables, for use
184         with Mandatory Access Control (MAC) policy.
185
186         If unsure, say N.
187
188config NF_NAT_IPV6
189	tristate "IPv6 NAT"
190	depends on NF_CONNTRACK_IPV6
191	depends on NETFILTER_ADVANCED
192	select NF_NAT
193	help
194	  The IPv6 NAT option allows masquerading, port forwarding and other
195	  forms of full Network Address Port Translation. It is controlled by
196	  the `nat' table in ip6tables, see the man page for ip6tables(8).
197
198	  To compile it as a module, choose M here.  If unsure, say N.
199
200if NF_NAT_IPV6
201
202config IP6_NF_TARGET_MASQUERADE
203	tristate "MASQUERADE target support"
204	help
205	  Masquerading is a special case of NAT: all outgoing connections are
206	  changed to seem to come from a particular interface's address, and
207	  if the interface goes down, those connections are lost.  This is
208	  only useful for dialup accounts with dynamic IP address (ie. your IP
209	  address will be different on next dialup).
210
211	  To compile it as a module, choose M here.  If unsure, say N.
212
213config IP6_NF_TARGET_NPT
214	tristate "NPT (Network Prefix translation) target support"
215	help
216	  This option adds the `SNPT' and `DNPT' target, which perform
217	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
218
219	  To compile it as a module, choose M here.  If unsure, say N.
220
221endif # NF_NAT_IPV6
222
223endif # IP6_NF_IPTABLES
224
225endmenu
226
227