xref: /openbmc/linux/net/ipv6/netfilter/Kconfig (revision 0265ab44) 
1#
2# IP netfilter configuration
3#
4
5menu "IPv6: Netfilter Configuration (EXPERIMENTAL)"
6	depends on INET && IPV6 && NETFILTER && EXPERIMENTAL
7
8config NF_CONNTRACK_IPV6
9	tristate "IPv6 connection tracking support (EXPERIMENTAL)"
10	depends on INET && IPV6 && EXPERIMENTAL && NF_CONNTRACK
11	---help---
12	  Connection tracking keeps a record of what packets have passed
13	  through your machine, in order to figure out how they are related
14	  into connections.
15
16	  This is IPv6 support on Layer 3 independent connection tracking.
17	  Layer 3 independent connection tracking is experimental scheme
18	  which generalize ip_conntrack to support other layer 3 protocols.
19
20	  To compile it as a module, choose M here.  If unsure, say N.
21
22config IP6_NF_QUEUE
23	tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
24	depends on INET && IPV6 && NETFILTER && EXPERIMENTAL
25	---help---
26
27	  This option adds a queue handler to the kernel for IPv6
28	  packets which enables users to receive the filtered packets
29	  with QUEUE target using libipq.
30
31	  This option enables the old IPv6-only "ip6_queue" implementation
32	  which has been obsoleted by the new "nfnetlink_queue" code (see
33	  CONFIG_NETFILTER_NETLINK_QUEUE).
34
35	  (C) Fernando Anton 2001
36	  IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
37	  Universidad Carlos III de Madrid
38	  Universidad Politecnica de Alcala de Henares
39	  email: <fanton@it.uc3m.es>.
40
41	  To compile it as a module, choose M here.  If unsure, say N.
42
43config IP6_NF_IPTABLES
44	tristate "IP6 tables support (required for filtering)"
45	depends on INET && IPV6 && EXPERIMENTAL
46	select NETFILTER_XTABLES
47	help
48	  ip6tables is a general, extensible packet identification framework.
49	  Currently only the packet filtering and packet mangling subsystem
50	  for IPv6 use this, but connection tracking is going to follow.
51	  Say 'Y' or 'M' here if you want to use either of those.
52
53	  To compile it as a module, choose M here.  If unsure, say N.
54
55# The simple matches.
56config IP6_NF_MATCH_RT
57	tristate "Routing header match support"
58	depends on IP6_NF_IPTABLES
59	help
60	  rt matching allows you to match packets based on the routing
61	  header of the packet.
62
63	  To compile it as a module, choose M here.  If unsure, say N.
64
65config IP6_NF_MATCH_OPTS
66	tristate "Hop-by-hop and Dst opts header match support"
67	depends on IP6_NF_IPTABLES
68	help
69	  This allows one to match packets based on the hop-by-hop
70	  and destination options headers of a packet.
71
72	  To compile it as a module, choose M here.  If unsure, say N.
73
74config IP6_NF_MATCH_FRAG
75	tristate "Fragmentation header match support"
76	depends on IP6_NF_IPTABLES
77	help
78	  frag matching allows you to match packets based on the fragmentation
79	  header of the packet.
80
81	  To compile it as a module, choose M here.  If unsure, say N.
82
83config IP6_NF_MATCH_HL
84	tristate "HL match support"
85	depends on IP6_NF_IPTABLES
86	help
87	  HL matching allows you to match packets based on the hop
88	  limit of the packet.
89
90	  To compile it as a module, choose M here.  If unsure, say N.
91
92config IP6_NF_MATCH_IPV6HEADER
93	tristate "IPv6 Extension Headers Match"
94	depends on IP6_NF_IPTABLES
95	help
96	  This module allows one to match packets based upon
97	  the ipv6 extension headers.
98
99	  To compile it as a module, choose M here.  If unsure, say N.
100
101config IP6_NF_MATCH_AH
102	tristate "AH match support"
103	depends on IP6_NF_IPTABLES
104	help
105	  This module allows one to match AH packets.
106
107	  To compile it as a module, choose M here.  If unsure, say N.
108
109config IP6_NF_MATCH_MH
110	tristate "MH match support"
111	depends on IP6_NF_IPTABLES
112	help
113	  This module allows one to match MH packets.
114
115	  To compile it as a module, choose M here.  If unsure, say N.
116
117config IP6_NF_MATCH_EUI64
118	tristate "EUI64 address check"
119	depends on IP6_NF_IPTABLES
120	help
121	  This module performs checking on the IPv6 source address
122	  Compares the last 64 bits with the EUI64 (delivered
123	  from the MAC address) address
124
125	  To compile it as a module, choose M here.  If unsure, say N.
126
127# The targets
128config IP6_NF_FILTER
129	tristate "Packet filtering"
130	depends on IP6_NF_IPTABLES
131	help
132	  Packet filtering defines a table `filter', which has a series of
133	  rules for simple packet filtering at local input, forwarding and
134	  local output.  See the man page for iptables(8).
135
136	  To compile it as a module, choose M here.  If unsure, say N.
137
138config IP6_NF_TARGET_LOG
139	tristate "LOG target support"
140	depends on IP6_NF_FILTER
141	help
142	  This option adds a `LOG' target, which allows you to create rules in
143	  any iptables table which records the packet header to the syslog.
144
145	  To compile it as a module, choose M here.  If unsure, say N.
146
147config IP6_NF_TARGET_REJECT
148	tristate "REJECT target support"
149	depends on IP6_NF_FILTER
150	help
151	  The REJECT target allows a filtering rule to specify that an ICMPv6
152	  error should be issued in response to an incoming packet, rather
153	  than silently being dropped.
154
155	  To compile it as a module, choose M here.  If unsure, say N.
156
157config IP6_NF_MANGLE
158	tristate "Packet mangling"
159	depends on IP6_NF_IPTABLES
160	help
161	  This option adds a `mangle' table to iptables: see the man page for
162	  iptables(8).  This table is used for various packet alterations
163	  which can effect how the packet is routed.
164
165	  To compile it as a module, choose M here.  If unsure, say N.
166
167config IP6_NF_TARGET_HL
168	tristate  'HL (hoplimit) target support'
169	depends on IP6_NF_MANGLE
170	help
171	  This option adds a `HL' target, which enables the user to decrement
172	  the hoplimit value of the IPv6 header or set it to a given (lower)
173	  value.
174
175	  While it is safe to decrement the hoplimit value, this option also
176	  enables functionality to increment and set the hoplimit value of the
177	  IPv6 header to arbitrary values.  This is EXTREMELY DANGEROUS since
178	  you can easily create immortal packets that loop forever on the
179	  network.
180
181	  To compile it as a module, choose M here.  If unsure, say N.
182
183config IP6_NF_RAW
184	tristate  'raw table support (required for TRACE)'
185	depends on IP6_NF_IPTABLES
186	help
187	  This option adds a `raw' table to ip6tables. This table is the very
188	  first in the netfilter framework and hooks in at the PREROUTING
189	  and OUTPUT chains.
190
191	  If you want to compile it as a module, say M here and read
192	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
193
194endmenu
195
196