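#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# No prompt: this symbol is only enabled when another option selects it
# (NF_CONNTRACK_IPV6 below does).
config NF_DEFRAG_IPV6
	tristate
	default n

# Stateful filtering and NAT build on this: NF_NAT_IPV6 and IP6_NF_NAT
# both depend on NF_CONNTRACK_IPV6.
config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the ip6tables socket match.

if NF_TABLES

config NF_TABLES_IPV6
	bool "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# No prompt: follows NFT_REJECT and pulls in the IPv6 reject core.
config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

# "depends on !X || X" is the Kconfig idiom for an optional dependency:
# NF_CONNTRACK is not required, but if it is built as a module (=m) this
# symbol is capped at =m as well and cannot be built in.
config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

# Reverse path filtering is an anti-spoofing check: a packet is accepted
# only if a route back to its source address exists (optionally via the
# interface it arrived on). Enable this if nft rulesets on the target
# system rely on fib lookups for that purpose.
config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_FLOW_TABLE_IPV6
	tristate "Netfilter flow table IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv6 support.

	  To compile it as a module, choose M here.

# Same optional-dependency idiom as NFT_DUP_IPV6: capped at =m when
# NF_CONNTRACK=m.
config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

# NOTE(review): NF_REJECT_IPV6 and NF_LOG_IPV6 have prompts but no help
# text. Both default to =m when NETFILTER_ADVANCED=n.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

# Address translation is not packet filtering: rulesets that masquerade or
# forward ports still need explicit filter rules for the translated flows.
config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.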
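
# The two entries below sit inside "if NF_NAT_IPV6" and are the IPv6
# variants of the nf_tables masquerade/redirect expressions; their help
# text previously said "IPv4", contradicting the symbol and the prompt.
config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv6 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv6 redirect support for
	  nf_tables.

endif # NF_NAT_IPV6

# NOTE(review): the help text below mentions only filtering and mangling;
# this file also defines raw, security and nat tables (IP6_NF_RAW,
# IP6_NF_SECURITY, IP6_NF_NAT) under this symbol.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

# The EUI-64 check compares an address against a link-layer identifier the
# sender controls, so it is a consistency check rather than authentication.
# Hosts using interface identifiers that are not MAC-derived (for example
# temporary/privacy addresses) will not match.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  Compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here.  If unsure, say N.

# Extension-header matches (frag here; hbh/dst, ipv6header, rt and srh
# elsewhere in this file) are what a ruleset needs in order to filter on
# IPv6 extension headers at all.
config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.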
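
config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# Compatibility shim: the match itself is provided by the option it selects.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

# Unlike the neighbouring matches this one does not depend on
# NETFILTER_ADVANCED and defaults to =m when that option is off.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

# Anti-spoofing match: it tests whether the reply to a packet would leave
# through the interface the packet arrived on. The dependency line means
# it is only offered when the mangle or raw table is enabled.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

# Needed by rulesets that filter on the Routing header, e.g. to drop the
# Type 0 routing header deprecated by RFC 5095.
config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.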
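
config IP6_NF_MATCH_SRH
	tristate '"srh" Segment Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  srh matching allows you to match packets based on the segment
	  routing header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
# Compatibility shim: the target itself is provided by the option it selects.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

# The `filter' table is where ordinary accept/drop policy lives; it
# defaults to =m when NETFILTER_ADVANCED=n.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

# REJECT answers the sender with an ICMPv6 error, whereas a silent drop
# does not. That makes failures fast for legitimate clients but also
# confirms to the sender that a filter handled the packet; choose per rule.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

# SYN-flood mitigation. Enabling this forces SYN_COOKIES on via select,
# regardless of how that option was otherwise configured.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows avoiding conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.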
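
config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

# Per the help text, the raw table is evaluated before the other tables, so
# rules placed here take effect ahead of everything else in the ruleset.
# The prompt notes that the TRACE target needs this table.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
# Only offered when an LSM framework is built (depends on SECURITY); used
# for packet labelling rules such as SECMARK with SELinux.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# Requires connection tracking (NF_CONNTRACK_IPV6) and selects the NAT
# core. Translation is not filtering: translated flows still need
# explicit rules in the filter table.
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

# NPT is stateless (see help text), so it keeps no per-connection state
# that could stand in for a stateful inbound policy; pair it with explicit
# filter rules.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu
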