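#
# IPv6 netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# No prompt string: this symbol is not user-selectable and defaults to n.
# It is turned on through 'select' (NF_CONNTRACK_IPV6 below selects it).
config NF_DEFRAG_IPV6
	tristate
	default n

# Built as a module by default when NETFILTER_ADVANCED is off.
# Rulesets that match on connection state need this option; without it
# only stateless per-packet rules are possible for IPv6.
config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the ip6tables socket match.

# Everything up to the matching 'endif # NF_TABLES' is offered only when
# NF_TABLES is enabled.
if NF_TABLES

config NF_TABLES_IPV6
	bool "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# The nf_tables NAT chain and its helpers are offered only when
# NF_NAT_IPV6 is enabled.
if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.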
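# Help text corrected: these are the IPv6 expressions, not the IPv4 ones.
config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv6 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv6 redirect support for
	  nf_tables.

endif # NF_NAT_IPV6

# No prompt: follows NFT_REJECT and pulls in the IPv6 reject core.
config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

# 'depends on !NF_CONNTRACK || NF_CONNTRACK' is a tristate idiom, not a
# no-op: it evaluates to m when NF_CONNTRACK=m, so this option cannot be
# built in (y) while conntrack is only a module.
# Duplication sends a copy of matching traffic to another destination, so
# rules that use it deserve the same review as any other traffic mirror.
config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

# FIB lookups are the nf_tables building block for reverse path filtering,
# i.e. dropping packets whose source address is not routable via the
# interface they arrived on (anti-spoofing).
config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_FLOW_TABLE_IPV6
	tristate "Netfilter flow table IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv6 support.

	  To compile it as a module, choose M here.

# Same tristate idiom as NFT_DUP_IPV6: not built in while NF_CONNTRACK=m.
config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.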
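# Shared reject core; selected by the IPv6 REJECT target and by
# NFT_REJECT_IPV6 elsewhere in this file.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

# Packet logging backend. Rulesets that rely on log rules for detection or
# audit need this built (it defaults to m when NETFILTER_ADVANCED is off).
config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV6

# No prompt: enabled through 'select' by the masquerade front ends
# (NFT_MASQ_IPV6 and IP6_NF_TARGET_MASQUERADE in this file).
config NF_NAT_MASQUERADE_IPV6
	bool

endif # NF_NAT_IPV6

# NOTE(review): the help sentence "connection tracking is going to follow"
# looks stale, since NF_CONNTRACK_IPV6 is already defined in this file.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# The EUI-64 check only says something about on-link senders, and hosts
# that use temporary or otherwise non-MAC-derived interface identifiers
# will not match; treat it as a consistency check, not as authentication.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module checks the IPv6 source address: it compares the
	  last 64 bits with the EUI64 address (derived from the MAC
	  address).

	  To compile it as a module, choose M here. If unsure, say N.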
# Extension-header matches. All but "ipv6header" are hidden unless
# NETFILTER_ADVANCED is set.

# Matches on the Fragment extension header.
config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# Matches on Hop-by-Hop and Destination Options headers.
config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility shim: carries no code of its own, it only selects the
# protocol-independent xtables hop-limit match.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# The only match in this group with a default: m when NETFILTER_ADVANCED
# is off, and no dependency on NETFILTER_ADVANCED.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Reverse path check (anti-spoofing): a packet matches when a reply to its
# source would leave through the interface it arrived on. Needs the mangle
# or raw table to hook into. On hosts with asymmetric routing a strict
# check also rejects legitimate traffic, so validate before enforcing.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.
# Routing-header match. Type 0 routing headers were deprecated by RFC 5095
# because of their amplification potential; this match is what lets a
# ruleset act on routing headers explicitly.
config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# Segment Routing header match; hidden unless NETFILTER_ADVANCED is set.
config IP6_NF_MATCH_SRH
	tristate '"srh" Segment Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  srh matching allows you to match packets based on the segment
	  routing header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# The targets

# Compatibility shim: only selects the protocol-independent xtables HL
# target; requires the mangle table.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# The `filter' table: the table a host or forwarding firewall policy is
# normally written in. Defaults to m when NETFILTER_ADVANCED is off.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# REJECT answers with an ICMPv6 error where DROP stays silent. The error
# tells the sender that a filter exists, so which of the two to use is a
# policy decision, not only a convenience.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.
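# SYN-flood mitigation. Selecting this forces SYN_COOKIES and the common
# NETFILTER_SYNPROXY core on. Building the target is only half the job:
# it has no effect until the ruleset routes new TCP connections to it.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# The raw table runs before the other tables (see the help text), which is
# why TRACE needs it. No default is given, so it stays off unless chosen.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
# Only offered when an LSM framework is built in (depends on SECURITY) and
# NETFILTER_ADVANCED is set.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# Requires IPv6 connection tracking; selects the NAT core, the IPv6 NAT
# layer and the xtables NAT targets.
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.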
# The two targets below are offered only when the ip6tables nat table
# (IP6_NF_NAT) is enabled.
if IP6_NF_NAT

# Selects the shared IPv6 masquerade helper (NF_NAT_MASQUERADE_IPV6).
config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

# NPT rewrites prefixes statelessly (see the help text). Because no
# per-connection state is kept, it does not block unsolicited inbound
# traffic the way stateful NAT happens to; explicit filter rules are still
# needed behind it.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu