1# 2# IP netfilter configuration 3# 4 5menu "IPv6: Netfilter Configuration (EXPERIMENTAL)" 6 depends on INET && IPV6 && NETFILTER && EXPERIMENTAL 7 8config NF_CONNTRACK_IPV6 9 tristate "IPv6 support for new connection tracking (EXPERIMENTAL)" 10 depends on EXPERIMENTAL && NF_CONNTRACK 11 ---help--- 12 Connection tracking keeps a record of what packets have passed 13 through your machine, in order to figure out how they are related 14 into connections. 15 16 This is IPv6 support on Layer 3 independent connection tracking. 17 Layer 3 independent connection tracking is experimental scheme 18 which generalize ip_conntrack to support other layer 3 protocols. 19 20 To compile it as a module, choose M here. If unsure, say N. 21 22config IP6_NF_QUEUE 23 tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)" 24 ---help--- 25 26 This option adds a queue handler to the kernel for IPv6 27 packets which enables users to receive the filtered packets 28 with QUEUE target using libipq. 29 30 THis option enables the old IPv6-only "ip6_queue" implementation 31 which has been obsoleted by the new "nfnetlink_queue" code (see 32 CONFIG_NETFILTER_NETLINK_QUEUE). 33 34 (C) Fernando Anton 2001 35 IPv64 Project - Work based in IPv64 draft by Arturo Azcorra. 36 Universidad Carlos III de Madrid 37 Universidad Politecnica de Alcala de Henares 38 email: <fanton@it.uc3m.es>. 39 40 To compile it as a module, choose M here. If unsure, say N. 41 42config IP6_NF_IPTABLES 43 tristate "IP6 tables support (required for filtering/masq/NAT)" 44 depends on NETFILTER_XTABLES 45 help 46 ip6tables is a general, extensible packet identification framework. 47 Currently only the packet filtering and packet mangling subsystem 48 for IPv6 use this, but connection tracking is going to follow. 49 Say 'Y' or 'M' here if you want to use either of those. 50 51 To compile it as a module, choose M here. If unsure, say N. 52 53# The simple matches. 54config IP6_NF_MATCH_RT 55 tristate "Routing header match support" 56 depends on IP6_NF_IPTABLES 57 help 58 rt matching allows you to match packets based on the routing 59 header of the packet. 60 61 To compile it as a module, choose M here. If unsure, say N. 62 63config IP6_NF_MATCH_OPTS 64 tristate "Hop-by-hop and Dst opts header match support" 65 depends on IP6_NF_IPTABLES 66 help 67 This allows one to match packets based on the hop-by-hop 68 and destination options headers of a packet. 69 70 To compile it as a module, choose M here. If unsure, say N. 71 72config IP6_NF_MATCH_FRAG 73 tristate "Fragmentation header match support" 74 depends on IP6_NF_IPTABLES 75 help 76 frag matching allows you to match packets based on the fragmentation 77 header of the packet. 78 79 To compile it as a module, choose M here. If unsure, say N. 80 81config IP6_NF_MATCH_HL 82 tristate "HL match support" 83 depends on IP6_NF_IPTABLES 84 help 85 HL matching allows you to match packets based on the hop 86 limit of the packet. 87 88 To compile it as a module, choose M here. If unsure, say N. 89 90config IP6_NF_MATCH_MULTIPORT 91 tristate "Multiple port match support" 92 depends on IP6_NF_IPTABLES 93 help 94 Multiport matching allows you to match TCP or UDP packets based on 95 a series of source or destination ports: normally a rule can only 96 match a single range of ports. 97 98 To compile it as a module, choose M here. If unsure, say N. 99 100config IP6_NF_MATCH_OWNER 101 tristate "Owner match support" 102 depends on IP6_NF_IPTABLES 103 help 104 Packet owner matching allows you to match locally-generated packets 105 based on who created them: the user, group, process or session. 106 107 To compile it as a module, choose M here. If unsure, say N. 108 109config IP6_NF_MATCH_IPV6HEADER 110 tristate "IPv6 Extension Headers Match" 111 depends on IP6_NF_IPTABLES 112 help 113 This module allows one to match packets based upon 114 the ipv6 extension headers. 115 116 To compile it as a module, choose M here. If unsure, say N. 117 118config IP6_NF_MATCH_AHESP 119 tristate "AH/ESP match support" 120 depends on IP6_NF_IPTABLES 121 help 122 This module allows one to match AH and ESP packets. 123 124 To compile it as a module, choose M here. If unsure, say N. 125 126config IP6_NF_MATCH_EUI64 127 tristate "EUI64 address check" 128 depends on IP6_NF_IPTABLES 129 help 130 This module performs checking on the IPv6 source address 131 Compares the last 64 bits with the EUI64 (delivered 132 from the MAC address) address 133 134 To compile it as a module, choose M here. If unsure, say N. 135 136config IP6_NF_MATCH_POLICY 137 tristate "IPsec policy match support" 138 depends on IP6_NF_IPTABLES && XFRM 139 help 140 Policy matching allows you to match packets based on the 141 IPsec policy that was used during decapsulation/will 142 be used during encapsulation. 143 144 To compile it as a module, choose M here. If unsure, say N. 145 146# The targets 147config IP6_NF_FILTER 148 tristate "Packet filtering" 149 depends on IP6_NF_IPTABLES 150 help 151 Packet filtering defines a table `filter', which has a series of 152 rules for simple packet filtering at local input, forwarding and 153 local output. See the man page for iptables(8). 154 155 To compile it as a module, choose M here. If unsure, say N. 156 157config IP6_NF_TARGET_LOG 158 tristate "LOG target support" 159 depends on IP6_NF_FILTER 160 help 161 This option adds a `LOG' target, which allows you to create rules in 162 any iptables table which records the packet header to the syslog. 163 164 To compile it as a module, choose M here. If unsure, say N. 165 166config IP6_NF_TARGET_REJECT 167 tristate "REJECT target support" 168 depends on IP6_NF_FILTER 169 help 170 The REJECT target allows a filtering rule to specify that an ICMPv6 171 error should be issued in response to an incoming packet, rather 172 than silently being dropped. 173 174 To compile it as a module, choose M here. If unsure, say N. 175 176config IP6_NF_MANGLE 177 tristate "Packet mangling" 178 depends on IP6_NF_IPTABLES 179 help 180 This option adds a `mangle' table to iptables: see the man page for 181 iptables(8). This table is used for various packet alterations 182 which can effect how the packet is routed. 183 184 To compile it as a module, choose M here. If unsure, say N. 185 186config IP6_NF_TARGET_HL 187 tristate 'HL (hoplimit) target support' 188 depends on IP6_NF_MANGLE 189 help 190 This option adds a `HL' target, which enables the user to decrement 191 the hoplimit value of the IPv6 header or set it to a given (lower) 192 value. 193 194 While it is safe to decrement the hoplimit value, this option also 195 enables functionality to increment and set the hoplimit value of the 196 IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since 197 you can easily create immortal packets that loop forever on the 198 network. 199 200 To compile it as a module, choose M here. If unsure, say N. 201 202config IP6_NF_RAW 203 tristate 'raw table support (required for TRACE)' 204 depends on IP6_NF_IPTABLES 205 help 206 This option adds a `raw' table to ip6tables. This table is the very 207 first in the netfilter framework and hooks in at the PREROUTING 208 and OUTPUT chains. 209 210 If you want to compile it as a module, say M here and read 211 <file:Documentation/modules.txt>. If unsure, say `N'. 212 213endmenu 214 215