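#
# IPv6 netfilter configuration
#
# Review notes are kept in '#' comments ahead of the entry they refer to;
# help texts are what menuconfig shows to the person building the kernel.
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# No prompt: not user-selectable. It is built only when another option
# selects it (NF_CONNTRACK_IPV6 below does).
config NF_DEFRAG_IPV6
	tristate
	default n

# Enabling connection tracking also selects NF_DEFRAG_IPV6, so the
# defragmentation code is built along with it.
config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_TABLES_IPV6
	depends on NF_TABLES
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# No prompt: the value follows NFT_REJECT.
config NFT_REJECT_IPV6
	depends on NF_TABLES_IPV6
	default NFT_REJECT
	tristate

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

# Address translation rewrites packets; it does not filter them. A ruleset
# that relies on NAT still needs explicit filter rules for inbound traffic.
config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv6 masquerading support for
	  nf_tables.

endif # NF_NAT_IPV6

# NOTE(review): the help text below says connection tracking "is going to
# follow", but NF_CONNTRACK_IPV6 is already defined earlier in this file;
# the sentence looks stale.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# The check compares two values that both come from the sender (source
# address and MAC address), and hosts that use privacy or otherwise
# non-EUI-64 interface identifiers will not match. Treat it as a
# consistency check, not as authentication of the source.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Reverse-path filtering is the usual ingress defence against spoofed
# source addresses. IPv6 has no counterpart to the IPv4 rp_filter sysctl,
# so with ip6tables it is done with this match. The match is used from the
# raw or mangle table, hence the dependency on one of them.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# The targets
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

# Selects SYN_COOKIES and NETFILTER_SYNPROXY. Typical SYNPROXY rulesets
# also place rules in the raw table, and IP6_NF_RAW is not selected here,
# so enable it separately if the ruleset needs it.
# NOTE(review): the dependency is on NF_CONNTRACK, not NF_CONNTRACK_IPV6;
# confirm that is intended.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

# The translation is stateless (see the help text), so nothing here
# restricts which inbound packets are translated and forwarded; that is
# left to the filter rules.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu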