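#
# IPv6 netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# No prompt string, so this symbol cannot be chosen directly; within this
# file it is turned on by the "select" in NF_CONNTRACK_IPV6.
config NF_DEFRAG_IPV6
	tristate
	default n

# Defaults to m when NETFILTER_ADVANCED is off; selecting this also pulls in
# NF_DEFRAG_IPV6.
config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_TABLES_IPV6
	depends on NF_TABLES
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# Shared rejection code: selected by NFT_REJECT_IPV6 below and by
# IP6_NF_TARGET_REJECT further down in this file.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

# No prompt: the value follows NFT_REJECT (once NF_TABLES_IPV6 is enabled)
# and enabling it selects NF_REJECT_IPV6.
config NFT_REJECT_IPV6
	depends on NF_TABLES_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

# NAT is only offered when IPv6 connection tracking and NETFILTER_ADVANCED
# are both enabled.
config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.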
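
# Everything up to the matching endif is only offered when NF_NAT_IPV6 is
# enabled.
if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

# Help text corrected: this symbol is the IPv6 variant, as its prompt and
# its select of NF_NAT_MASQUERADE_IPV6 show.
config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv6 masquerading support for
	  nf_tables.

# Help text corrected: this symbol is the IPv6 variant, as its prompt shows.
config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv6 redirect support for
	  nf_tables.

endif # NF_NAT_IPV6

# NOTE(review): the help text names only filtering and mangling, but this
# file also places the raw, security and nat tables inside the
# "if IP6_NF_IPTABLES" block, so they depend on this symbol as well.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# This block stays open past the matches and targets that follow; it is
# closed by "endif # IP6_NF_IPTABLES" near the end of the file.
if IP6_NF_IPTABLES

# The simple matches.
# "ah" is the IPsec Authentication Header.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.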
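
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address: it
	  compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility symbol: it has no code of its own here and only selects
# NETFILTER_XT_MATCH_HL, as its help text states.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# Unlike the neighbouring matches this one does not depend on
# NETFILTER_ADVANCED; it defaults to m when NETFILTER_ADVANCED is off.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

# "mh" is the IPv6 Mobility Header (Mobile IPv6).
config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.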

# Reverse-path match: needs NETFILTER_ADVANCED plus at least one of the
# mangle or raw tables (IP6_NF_MANGLE || IP6_NF_RAW).
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# The targets
# Compatibility symbol: it only selects NETFILTER_XT_TARGET_HL and is
# offered only when the mangle table (IP6_NF_MANGLE) is enabled.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# The `filter' table; defaults to m when NETFILTER_ADVANCED is off.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# Only offered with the filter table; enabling it selects the shared
# NF_REJECT_IPV6 code.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.
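
# Depends on NF_CONNTRACK (not NF_CONNTRACK_IPV6) and NETFILTER_ADVANCED;
# enabling it selects NETFILTER_SYNPROXY and SYN_COOKIES.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# The `mangle' table; IP6_NF_TARGET_HL and (as one alternative)
# IP6_NF_MATCH_RPFILTER in this file depend on it.
config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# No "default" line and no NETFILTER_ADVANCED dependency: the raw table is
# offered whenever IP6_NF_IPTABLES is enabled.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
# Only offered when SECURITY and NETFILTER_ADVANCED are both enabled.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# The ip6tables `nat' table: requires IPv6 connection tracking and selects
# NF_NAT, NF_NAT_IPV6 and NETFILTER_XT_NAT.
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.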

# The two NAT targets below are only offered when IP6_NF_NAT is enabled.
if IP6_NF_NAT

# Enabling this target selects NF_NAT_MASQUERADE_IPV6.
config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

# Per the help text, prefix translation here is stateless (RFC 6296).
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu
