1# 2# IP netfilter configuration 3# 4 5menu "IPv6: Netfilter Configuration" 6 depends on INET && IPV6 && NETFILTER 7 8config NF_DEFRAG_IPV6 9 tristate 10 default n 11 12config NF_CONNTRACK_IPV6 13 tristate "IPv6 connection tracking support" 14 depends on INET && IPV6 && NF_CONNTRACK 15 default m if NETFILTER_ADVANCED=n 16 select NF_DEFRAG_IPV6 17 ---help--- 18 Connection tracking keeps a record of what packets have passed 19 through your machine, in order to figure out how they are related 20 into connections. 21 22 This is IPv6 support on Layer 3 independent connection tracking. 23 Layer 3 independent connection tracking is an experimental scheme 24 which generalizes ip_conntrack to support other layer 3 protocols. 25 26 To compile it as a module, choose M here. If unsure, say N. 27 28config NF_TABLES_IPV6 29 depends on NF_TABLES 30 tristate "IPv6 nf_tables support" 31 help 32 This option enables the IPv6 support for nf_tables. 33 34config NFT_CHAIN_ROUTE_IPV6 35 depends on NF_TABLES_IPV6 36 tristate "IPv6 nf_tables route chain support" 37 help 38 This option enables the "route" chain for IPv6 in nf_tables. This 39 chain type is used to force packet re-routing after mangling header 40 fields such as the source, destination, flowlabel, hop-limit and 41 the packet mark. 42 43config NFT_CHAIN_NAT_IPV6 44 depends on NF_TABLES_IPV6 45 depends on NF_NAT_IPV6 && NFT_NAT 46 tristate "IPv6 nf_tables nat chain support" 47 help 48 This option enables the "nat" chain for IPv6 in nf_tables. This 49 chain type is used to perform Network Address Translation (NAT) 50 packet transformations such as rewriting the source and destination 51 addresses and the source and destination ports. 
52 53config NFT_REJECT_IPV6 54 depends on NF_TABLES_IPV6 55 default NFT_REJECT 56 tristate 57 58config NF_LOG_IPV6 59 tristate "IPv6 packet logging" 60 default m if NETFILTER_ADVANCED=n 61 select NF_LOG_COMMON 62 63config NF_NAT_IPV6 64 tristate "IPv6 NAT" 65 depends on NF_CONNTRACK_IPV6 66 depends on NETFILTER_ADVANCED 67 select NF_NAT 68 help 69 The IPv6 NAT option allows masquerading, port forwarding and other 70 forms of full Network Address Port Translation. This can be 71 controlled by iptables or nft. 72 73config IP6_NF_IPTABLES 74 tristate "IP6 tables support (required for filtering)" 75 depends on INET && IPV6 76 select NETFILTER_XTABLES 77 default m if NETFILTER_ADVANCED=n 78 help 79 ip6tables is a general, extensible packet identification framework. 80 Currently only the packet filtering and packet mangling subsystems 81 for IPv6 use this, but connection tracking is going to follow. 82 Say 'Y' or 'M' here if you want to use either of those. 83 84 To compile it as a module, choose M here. If unsure, say N. 85 86if IP6_NF_IPTABLES 87 88# The simple matches. 89config IP6_NF_MATCH_AH 90 tristate '"ah" match support' 91 depends on NETFILTER_ADVANCED 92 help 93 This module allows one to match AH packets. 94 95 To compile it as a module, choose M here. If unsure, say N. 96 97config IP6_NF_MATCH_EUI64 98 tristate '"eui64" address check' 99 depends on NETFILTER_ADVANCED 100 help 101 This module performs checking on the IPv6 source address. 102 It compares the last 64 bits with the EUI64 address (derived 103 from the MAC address). 104 105 To compile it as a module, choose M here. If unsure, say N. 106 107config IP6_NF_MATCH_FRAG 108 tristate '"frag" Fragmentation header match support' 109 depends on NETFILTER_ADVANCED 110 help 111 frag matching allows you to match packets based on the fragmentation 112 header of the packet. 113 114 To compile it as a module, choose M here. If unsure, say N. 
115 116config IP6_NF_MATCH_OPTS 117 tristate '"hbh" hop-by-hop and "dst" opts header match support' 118 depends on NETFILTER_ADVANCED 119 help 120 This allows one to match packets based on the hop-by-hop 121 and destination options headers of a packet. 122 123 To compile it as a module, choose M here. If unsure, say N. 124 125config IP6_NF_MATCH_HL 126 tristate '"hl" hoplimit match support' 127 depends on NETFILTER_ADVANCED 128 select NETFILTER_XT_MATCH_HL 129 ---help--- 130 This is a backwards-compat option for the user's convenience 131 (e.g. when running oldconfig). It selects 132 CONFIG_NETFILTER_XT_MATCH_HL. 133 134config IP6_NF_MATCH_IPV6HEADER 135 tristate '"ipv6header" IPv6 Extension Headers Match' 136 default m if NETFILTER_ADVANCED=n 137 help 138 This module allows one to match packets based upon 139 the IPv6 extension headers. 140 141 To compile it as a module, choose M here. If unsure, say N. 142 143config IP6_NF_MATCH_MH 144 tristate '"mh" match support' 145 depends on NETFILTER_ADVANCED 146 help 147 This module allows one to match MH packets. 148 149 To compile it as a module, choose M here. If unsure, say N. 150 151config IP6_NF_MATCH_RPFILTER 152 tristate '"rpfilter" reverse path filter match support' 153 depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW) 154 ---help--- 155 This option allows you to match packets whose replies would 156 go out via the interface the packet came in on. 157 158 To compile it as a module, choose M here. If unsure, say N. 159 The module will be called ip6t_rpfilter. 160 161config IP6_NF_MATCH_RT 162 tristate '"rt" Routing header match support' 163 depends on NETFILTER_ADVANCED 164 help 165 rt matching allows you to match packets based on the routing 166 header of the packet. 167 168 To compile it as a module, choose M here. If unsure, say N. 
169 170# The targets 171config IP6_NF_TARGET_HL 172 tristate '"HL" hoplimit target support' 173 depends on NETFILTER_ADVANCED && IP6_NF_MANGLE 174 select NETFILTER_XT_TARGET_HL 175 ---help--- 176 This is a backwards-compatible option for the user's convenience 177 (e.g. when running oldconfig). It selects 178 CONFIG_NETFILTER_XT_TARGET_HL. 179 180config IP6_NF_FILTER 181 tristate "Packet filtering" 182 default m if NETFILTER_ADVANCED=n 183 help 184 Packet filtering defines a table `filter', which has a series of 185 rules for simple packet filtering at local input, forwarding and 186 local output. See the man page for iptables(8). 187 188 To compile it as a module, choose M here. If unsure, say N. 189 190config IP6_NF_TARGET_REJECT 191 tristate "REJECT target support" 192 depends on IP6_NF_FILTER 193 default m if NETFILTER_ADVANCED=n 194 help 195 The REJECT target allows a filtering rule to specify that an ICMPv6 196 error should be issued in response to an incoming packet, rather 197 than silently being dropped. 198 199 To compile it as a module, choose M here. If unsure, say N. 200 201config IP6_NF_TARGET_SYNPROXY 202 tristate "SYNPROXY target support" 203 depends on NF_CONNTRACK && NETFILTER_ADVANCED 204 select NETFILTER_SYNPROXY 205 select SYN_COOKIES 206 help 207 The SYNPROXY target allows you to intercept TCP connections and 208 establish them using syncookies before they are passed on to the 209 server. This avoids conntrack and server resource usage 210 during SYN-flood attacks. 211 212 To compile it as a module, choose M here. If unsure, say N. 213 214config IP6_NF_MANGLE 215 tristate "Packet mangling" 216 default m if NETFILTER_ADVANCED=n 217 help 218 This option adds a `mangle' table to iptables: see the man page for 219 iptables(8). This table is used for various packet alterations 220 which can affect how the packet is routed. 221 222 To compile it as a module, choose M here. If unsure, say N. 
223 224config IP6_NF_RAW 225 tristate 'raw table support (required for TRACE)' 226 help 227 This option adds a `raw' table to ip6tables. This table is the very 228 first in the netfilter framework and hooks in at the PREROUTING 229 and OUTPUT chains. 230 231 If you want to compile it as a module, say M here and read 232 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 233 234# security table for MAC policy 235config IP6_NF_SECURITY 236 tristate "Security table" 237 depends on SECURITY 238 depends on NETFILTER_ADVANCED 239 help 240 This option adds a `security' table to iptables, for use 241 with Mandatory Access Control (MAC) policy. 242 243 If unsure, say N. 244 245config IP6_NF_NAT 246 tristate "ip6tables NAT support" 247 depends on NF_CONNTRACK_IPV6 248 depends on NETFILTER_ADVANCED 249 select NF_NAT 250 select NF_NAT_IPV6 251 select NETFILTER_XT_NAT 252 help 253 This enables the `nat' table in ip6tables. This allows masquerading, 254 port forwarding and other forms of full Network Address Port 255 Translation. 256 257 To compile it as a module, choose M here. If unsure, say N. 258 259if IP6_NF_NAT 260 261config NF_NAT_MASQUERADE_IPV6 262 tristate "IPv6 masquerade support" 263 help 264 This is the kernel functionality to provide NAT in the masquerade 265 flavour (automatic source address selection) for IPv6. 266 267config NFT_MASQ_IPV6 268 tristate "IPv6 masquerade support for nf_tables" 269 depends on NF_TABLES_IPV6 270 depends on NFT_MASQ 271 select NF_NAT_MASQUERADE_IPV6 272 273config IP6_NF_TARGET_MASQUERADE 274 tristate "MASQUERADE target support" 275 select NF_NAT_MASQUERADE_IPV6 276 help 277 Masquerading is a special case of NAT: all outgoing connections are 278 changed to seem to come from a particular interface's address, and 279 if the interface goes down, those connections are lost. This is 280 only useful for dialup accounts with a dynamic IP address (i.e. your IP 281 address will be different on next dialup). 
282 283 To compile it as a module, choose M here. If unsure, say N. 284 285config IP6_NF_TARGET_NPT 286 tristate "NPT (Network Prefix translation) target support" 287 help 288 This option adds the `SNPT' and `DNPT' targets, which perform 289 stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296. 290 291 To compile it as a module, choose M here. If unsure, say N. 292 293endif # IP6_NF_NAT 294 295endif # IP6_NF_IPTABLES 296 297endmenu 298 299