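#
# IPv6 netfilter configuration
#
# Build-time options for the IPv6 side of netfilter: connection tracking,
# nf_tables, NAT and the ip6tables tables, matches and targets.
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# No prompt: this symbol cannot be chosen directly and is only turned on
# through 'select' (NF_CONNTRACK_IPV6 below selects it).
config NF_DEFRAG_IPV6
	tristate
	default n

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the ip6tables socket match.

if NF_TABLES

config NF_TABLES_IPV6
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# Hidden symbol: takes its value from NFT_REJECT and pulls in the IPv6
# reject core.
config NFT_REJECT_IPV6
	tristate
	default NFT_REJECT
	select NF_REJECT_IPV6

config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	# Tristate idiom: the expression is y when NF_CONNTRACK is n or y and
	# m when it is m, so this option cannot be built in while conntrack
	# is a module.
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

# Reverse path filtering is the usual building block for dropping packets
# that arrive with a spoofed source address.
config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_FLOW_TABLE_IPV6
	tristate "Netfilter flow table IPv6 module"
	select NF_FLOW_TABLE
	help
	  This option adds the flow table IPv6 support.

	  To compile it as a module, choose M here.

config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	# Same tristate idiom as NFT_DUP_IPV6: limits this option to m when
	# NF_CONNTRACK is m.
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

# Selected by NFT_REJECT_IPV6 and IP6_NF_TARGET_REJECT in this file.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	tristate "IPv6 nf_tables nat chain support"
	depends on NF_TABLES_IPV6
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv6 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv6 redirect support for
	  nf_tables.

endif # NF_NAT_IPV6

# NOTE(review): the help text below says connection tracking "is going to
# follow", although NF_CONNTRACK_IPV6 is already defined in this file; that
# sentence looks stale.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# Compatibility shim: carries no code of its own, it only selects the
# generic xtables "hl" match.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

# Reverse-path matching is the usual building block for dropping packets
# with a spoofed source address. The second 'depends on' makes the match
# available only when the mangle or the raw table is enabled.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
# Compatibility shim: it only selects the generic xtables "HL" target.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

# REJECT answers with an ICMPv6 error, so the sender learns that the packet
# was filtered; a rule that drops the packet stays silent.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

# Selects SYN_COOKIES because the target establishes the intercepted
# connections with syncookies (see the help text).
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This makes it possible to avoid conntrack and server
	  resource usage during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu
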