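#
# IPv6 netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# No prompt, so this cannot be chosen directly; it is only enabled through
# "select" (NF_CONNTRACK_IPV6 below selects it).
config NF_DEFRAG_IPV6
	tristate
	default n

# Built as a module by default when NETFILTER_ADVANCED is off.
config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

if NF_TABLES

config NF_TABLES_IPV6
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# No prompt: the value follows NFT_REJECT and pulls in NF_REJECT_IPV6.
config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

# "!NF_CONNTRACK || NF_CONNTRACK" evaluates to m when NF_CONNTRACK=m and to
# y otherwise, so this option cannot be built in while conntrack is a module.
# Duplication copies traffic to a second destination; when auditing a kernel
# config, check that it is enabled only where mirroring is intended.
config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

endif # NF_TABLES_IPV6
endif # NF_TABLES

# Same tristate idiom as NFT_DUP_IPV6: limited to m while NF_CONNTRACK=m.
config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.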
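# No help text in this file. Selected by NFT_REJECT_IPV6 and
# IP6_NF_TARGET_REJECT; a module by default when NETFILTER_ADVANCED is off.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

# No help text in this file. Packet logging is what gives rule sets an audit
# trail, so check that it is present on hosts where firewall events are
# expected to be recorded.
config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

# Only offered with NETFILTER_ADVANCED and IPv6 connection tracking.
config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

# Help text previously said "IPv4"; this option is the IPv6 variant
# (it depends on NF_TABLES_IPV6 and selects NF_NAT_MASQUERADE_IPV6).
config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv6 masquerading support for
	  nf_tables.

# Help text previously said "IPv4"; this option is the IPv6 variant
# (it depends on NF_TABLES_IPV6).
config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv6 redirect support for
	  nf_tables.

endif # NF_NAT_IPV6

# The prompt marks this as required for ip6tables filtering. With IPV6
# enabled but neither this nor NF_TABLES_IPV6 built, none of the rule front
# ends defined in this file is available for IPv6 traffic.
# NOTE(review): the help sentence "connection tracking is going to follow"
# reads as out of date, since NF_CONNTRACK_IPV6 and IP6_NF_NAT are defined
# in this same file; the wording is kept as written.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# The check compares two sender-supplied values (source MAC and source
# address), so it is a consistency check rather than proof of identity.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility shim: it only selects the generic xtables hoplimit match.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.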
# Unlike the other matches in this file, this one does not depend on
# NETFILTER_ADVANCED and defaults to a module when that option is off.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Reverse-path matching is commonly used to drop packets with spoofed
# source addresses. It needs the mangle or the raw table to be available
# (second "depends on" line).
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# The targets
# Compatibility shim: it only selects the generic xtables HL target and is
# offered only when the mangle table is enabled.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# The `filter' table is where ip6tables input/forward/output filtering rules
# live. IP6_NF_TARGET_REJECT depends on it.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.
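# REJECT answers the sender with an ICMPv6 error, while a plain drop sends
# nothing back; which one a rule uses is a policy decision.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

# Enabling this forces NETFILTER_SYNPROXY and SYN_COOKIES on via "select".
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This makes it possible to avoid conntrack and server
	  resource usage during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# No default and no NETFILTER_ADVANCED dependency. The prompt notes that
# TRACE needs this table, and IP6_NF_MATCH_RPFILTER accepts it as an
# alternative to IP6_NF_MANGLE.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
# Only offered when SECURITY and NETFILTER_ADVANCED are both enabled.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.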
# "select" does not check the selected symbol's own dependencies. Here that
# is harmless for NF_NAT_IPV6, because this option repeats the same two
# "depends on" lines that NF_NAT_IPV6 declares.
# Address translation rewrites packets; it is not a filtering policy, so
# `filter' table rules are still needed where traffic must be restricted.
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_NAT

# Pulls in the shared masquerade core (NF_NAT_MASQUERADE_IPV6).
config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

# Per the help text this translation is stateless, so it keeps no
# per-connection record of its own.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_NAT

# Closes the "if IP6_NF_IPTABLES" section opened before the simple matches.
endif # IP6_NF_IPTABLES

endmenu