1#
2# IP netfilter configuration
3#
4
5menu "IPv6: Netfilter Configuration"
6	depends on INET && IPV6 && NETFILTER
7
8config NF_DEFRAG_IPV6
9	tristate
10	default n
11
12config NF_CONNTRACK_IPV6
13	tristate "IPv6 connection tracking support"
14	depends on INET && IPV6 && NF_CONNTRACK
15	default m if NETFILTER_ADVANCED=n
16	select NF_DEFRAG_IPV6
17	---help---
18	  Connection tracking keeps a record of what packets have passed
19	  through your machine, in order to figure out how they are related
20	  into connections.
21
22	  This is IPv6 support on Layer 3 independent connection tracking.
23	  Layer 3 independent connection tracking is an experimental scheme
24	  which generalizes ip_conntrack to support other layer 3 protocols.
25
26	  To compile it as a module, choose M here.  If unsure, say N.
27
28config NF_SOCKET_IPV6
29	tristate "IPv6 socket lookup support"
30	help
31	  This option enables the IPv6 socket lookup infrastructure. This
32	  is used by the ip6tables socket match.
33
34if NF_TABLES
35
36config NF_TABLES_IPV6
37	tristate "IPv6 nf_tables support"
38	help
39	  This option enables the IPv6 support for nf_tables.
40
41if NF_TABLES_IPV6
42
43config NFT_CHAIN_ROUTE_IPV6
44	tristate "IPv6 nf_tables route chain support"
45	help
46	  This option enables the "route" chain for IPv6 in nf_tables. This
47	  chain type is used to force packet re-routing after mangling header
48	  fields such as the source, destination, flowlabel, hop-limit and
49	  the packet mark.
50
51if NF_NAT_IPV6
52
53config NFT_CHAIN_NAT_IPV6
54	tristate "IPv6 nf_tables nat chain support"
55	help
56	  This option enables the "nat" chain for IPv6 in nf_tables. This
57	  chain type is used to perform Network Address Translation (NAT)
58	  packet transformations such as the source, destination address and
59	  source and destination ports.
60
61config NFT_MASQ_IPV6
62	tristate "IPv6 masquerade support for nf_tables"
63	depends on NFT_MASQ
64	select NF_NAT_MASQUERADE_IPV6
65	help
66	  This is the expression that provides IPv6 masquerading support for
67	  nf_tables.
68
69config NFT_REDIR_IPV6
70	tristate "IPv6 redirect support for nf_tables"
71	depends on NFT_REDIR
72	select NF_NAT_REDIRECT
73	help
74	  This is the expression that provides IPv6 redirect support for
75	  nf_tables.
76
77endif # NF_NAT_IPV6
78
79config NFT_REJECT_IPV6
80	select NF_REJECT_IPV6
81	default NFT_REJECT
82	tristate
83
84config NFT_DUP_IPV6
85	tristate "IPv6 nf_tables packet duplication support"
86	depends on !NF_CONNTRACK || NF_CONNTRACK
87	select NF_DUP_IPV6
88	help
89	  This module enables IPv6 packet duplication support for nf_tables.
90
91config NFT_FIB_IPV6
92	tristate "nf_tables fib / ipv6 route lookup support"
93	select NFT_FIB
94	help
95	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
96	  It also allows query of the FIB for the route type, e.g. local, unicast,
97	  multicast or blackhole.
98
99endif # NF_TABLES_IPV6
100endif # NF_TABLES
101
102config NF_DUP_IPV6
103	tristate "Netfilter IPv6 packet duplication to alternate destination"
104	depends on !NF_CONNTRACK || NF_CONNTRACK
105	help
106	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
107	  packet to be rerouted to another destination.
108
109config NF_REJECT_IPV6
110	tristate "IPv6 packet rejection"
111	default m if NETFILTER_ADVANCED=n
112
113config NF_LOG_IPV6
114	tristate "IPv6 packet logging"
115	default m if NETFILTER_ADVANCED=n
116	select NF_LOG_COMMON
117
118config NF_NAT_IPV6
119	tristate "IPv6 NAT"
120	depends on NF_CONNTRACK_IPV6
121	depends on NETFILTER_ADVANCED
122	select NF_NAT
123	help
124	  The IPv6 NAT option allows masquerading, port forwarding and other
125	  forms of full Network Address Port Translation. This can be
126	  controlled by iptables or nft.
127
128if NF_NAT_IPV6
129
130config NF_NAT_MASQUERADE_IPV6
131	tristate "IPv6 masquerade support"
132	help
133	  This is the kernel functionality to provide NAT in the masquerade
134	  flavour (automatic source address selection) for IPv6.
135
136endif # NF_NAT_IPV6
137
138config IP6_NF_IPTABLES
139	tristate "IP6 tables support (required for filtering)"
140	depends on INET && IPV6
141	select NETFILTER_XTABLES
142	default m if NETFILTER_ADVANCED=n
143	help
144	  ip6tables is a general, extensible packet identification framework.
145	  Currently only the packet filtering and packet mangling subsystem
146	  for IPv6 use this, but connection tracking is going to follow.
147	  Say 'Y' or 'M' here if you want to use either of those.
148
149	  To compile it as a module, choose M here.  If unsure, say N.
150
151if IP6_NF_IPTABLES
152
153# The simple matches.
154config IP6_NF_MATCH_AH
155	tristate '"ah" match support'
156	depends on NETFILTER_ADVANCED
157	help
158	  This module allows one to match AH packets.
159
160	  To compile it as a module, choose M here.  If unsure, say N.
161
162config IP6_NF_MATCH_EUI64
163	tristate '"eui64" address check'
164	depends on NETFILTER_ADVANCED
165	help
166	  This module performs checking on the IPv6 source address:
167	  it compares the last 64 bits with the EUI64 address (derived
168	  from the MAC address).
169
170	  To compile it as a module, choose M here.  If unsure, say N.
171
172config IP6_NF_MATCH_FRAG
173	tristate '"frag" Fragmentation header match support'
174	depends on NETFILTER_ADVANCED
175	help
176	  frag matching allows you to match packets based on the fragmentation
177	  header of the packet.
178
179	  To compile it as a module, choose M here.  If unsure, say N.
180
181config IP6_NF_MATCH_OPTS
182	tristate '"hbh" hop-by-hop and "dst" opts header match support'
183	depends on NETFILTER_ADVANCED
184	help
185	  This allows one to match packets based on the hop-by-hop
186	  and destination options headers of a packet.
187
188	  To compile it as a module, choose M here.  If unsure, say N.
189
190config IP6_NF_MATCH_HL
191	tristate '"hl" hoplimit match support'
192	depends on NETFILTER_ADVANCED
193	select NETFILTER_XT_MATCH_HL
194	---help---
195	This is a backwards-compat option for the user's convenience
196	(e.g. when running oldconfig). It selects
197	CONFIG_NETFILTER_XT_MATCH_HL.
198
199config IP6_NF_MATCH_IPV6HEADER
200	tristate '"ipv6header" IPv6 Extension Headers Match'
201	default m if NETFILTER_ADVANCED=n
202	help
203	  This module allows one to match packets based upon
204	  the ipv6 extension headers.
205
206	  To compile it as a module, choose M here.  If unsure, say N.
207
208config IP6_NF_MATCH_MH
209	tristate '"mh" match support'
210	depends on NETFILTER_ADVANCED
211	help
212	  This module allows one to match MH packets.
213
214	  To compile it as a module, choose M here.  If unsure, say N.
215
216config IP6_NF_MATCH_RPFILTER
217	tristate '"rpfilter" reverse path filter match support'
218	depends on NETFILTER_ADVANCED
219	depends on IP6_NF_MANGLE || IP6_NF_RAW
220	---help---
221	  This option allows you to match packets whose replies would
222	  go out via the interface the packet came in on.
223
224	  To compile it as a module, choose M here.  If unsure, say N.
225	  The module will be called ip6t_rpfilter.
226
227config IP6_NF_MATCH_RT
228	tristate '"rt" Routing header match support'
229	depends on NETFILTER_ADVANCED
230	help
231	  rt matching allows you to match packets based on the routing
232	  header of the packet.
233
234	  To compile it as a module, choose M here.  If unsure, say N.
235
236# The targets
237config IP6_NF_TARGET_HL
238	tristate '"HL" hoplimit target support'
239	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
240	select NETFILTER_XT_TARGET_HL
241	---help---
242	This is a backwards-compatible option for the user's convenience
243	(e.g. when running oldconfig). It selects
244	CONFIG_NETFILTER_XT_TARGET_HL.
245
246config IP6_NF_FILTER
247	tristate "Packet filtering"
248	default m if NETFILTER_ADVANCED=n
249	help
250	  Packet filtering defines a table `filter', which has a series of
251	  rules for simple packet filtering at local input, forwarding and
252	  local output.  See the man page for iptables(8).
253
254	  To compile it as a module, choose M here.  If unsure, say N.
255
256config IP6_NF_TARGET_REJECT
257	tristate "REJECT target support"
258	depends on IP6_NF_FILTER
259	select NF_REJECT_IPV6
260	default m if NETFILTER_ADVANCED=n
261	help
262	  The REJECT target allows a filtering rule to specify that an ICMPv6
263	  error should be issued in response to an incoming packet, rather
264	  than silently being dropped.
265
266	  To compile it as a module, choose M here.  If unsure, say N.
267
268config IP6_NF_TARGET_SYNPROXY
269	tristate "SYNPROXY target support"
270	depends on NF_CONNTRACK && NETFILTER_ADVANCED
271	select NETFILTER_SYNPROXY
272	select SYN_COOKIES
273	help
274	  The SYNPROXY target allows you to intercept TCP connections and
275	  establish them using syncookies before they are passed on to the
276	  server. This allows you to avoid conntrack and server resource usage
277	  during SYN-flood attacks.
278
279	  To compile it as a module, choose M here. If unsure, say N.
280
281config IP6_NF_MANGLE
282	tristate "Packet mangling"
283	default m if NETFILTER_ADVANCED=n
284	help
285	  This option adds a `mangle' table to iptables: see the man page for
286	  iptables(8).  This table is used for various packet alterations
287	  which can affect how the packet is routed.
288
289	  To compile it as a module, choose M here.  If unsure, say N.
290
291config IP6_NF_RAW
292	tristate  'raw table support (required for TRACE)'
293	help
294	  This option adds a `raw' table to ip6tables. This table is the very
295	  first in the netfilter framework and hooks in at the PREROUTING
296	  and OUTPUT chains.
297
298	  If you want to compile it as a module, say M here and read
299	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
300
301# security table for MAC policy
302config IP6_NF_SECURITY
303       tristate "Security table"
304       depends on SECURITY
305       depends on NETFILTER_ADVANCED
306       help
307         This option adds a `security' table to iptables, for use
308         with Mandatory Access Control (MAC) policy.
309
310         If unsure, say N.
311
312config IP6_NF_NAT
313	tristate "ip6tables NAT support"
314	depends on NF_CONNTRACK_IPV6
315	depends on NETFILTER_ADVANCED
316	select NF_NAT
317	select NF_NAT_IPV6
318	select NETFILTER_XT_NAT
319	help
320	  This enables the `nat' table in ip6tables. This allows masquerading,
321	  port forwarding and other forms of full Network Address Port
322	  Translation.
323
324	  To compile it as a module, choose M here.  If unsure, say N.
325
326if IP6_NF_NAT
327
328config IP6_NF_TARGET_MASQUERADE
329	tristate "MASQUERADE target support"
330	select NF_NAT_MASQUERADE_IPV6
331	help
332	  Masquerading is a special case of NAT: all outgoing connections are
333	  changed to seem to come from a particular interface's address, and
334	  if the interface goes down, those connections are lost.  This is
335	  only useful for dialup accounts with dynamic IP address (i.e. your IP
336	  address will be different on next dialup).
337
338	  To compile it as a module, choose M here.  If unsure, say N.
339
340config IP6_NF_TARGET_NPT
341	tristate "NPT (Network Prefix translation) target support"
342	help
343	  This option adds the `SNPT' and `DNPT' targets, which perform
344	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
345
346	  To compile it as a module, choose M here.  If unsure, say N.
347
348endif # IP6_NF_NAT
349
350endif # IP6_NF_IPTABLES
351
352endmenu
353
354