xref: /openbmc/linux/net/ipv6/netfilter/Kconfig (revision 2e4e6a17) 
1#
2# IP netfilter configuration
3#
4
5menu "IPv6: Netfilter Configuration (EXPERIMENTAL)"
6	depends on INET && IPV6 && NETFILTER && EXPERIMENTAL
7
8config NF_CONNTRACK_IPV6
9	tristate "IPv6 support for new connection tracking (EXPERIMENTAL)"
10	depends on EXPERIMENTAL && NF_CONNTRACK
11	---help---
12	  Connection tracking keeps a record of what packets have passed
13	  through your machine, in order to figure out how they are related
14	  into connections.
15
16	  This is IPv6 support on Layer 3 independent connection tracking.
17	  Layer 3 independent connection tracking is experimental scheme
18	  which generalize ip_conntrack to support other layer 3 protocols.
19
20	  To compile it as a module, choose M here.  If unsure, say N.
21
22config IP6_NF_QUEUE
23	tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
24	---help---
25
26	  This option adds a queue handler to the kernel for IPv6
27	  packets which enables users to receive the filtered packets
28	  with QUEUE target using libipq.
29
30	  THis option enables the old IPv6-only "ip6_queue" implementation
31	  which has been obsoleted by the new "nfnetlink_queue" code (see
32	  CONFIG_NETFILTER_NETLINK_QUEUE).
33
34	  (C) Fernando Anton 2001
35	  IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
36	  Universidad Carlos III de Madrid
37	  Universidad Politecnica de Alcala de Henares
38	  email: <fanton@it.uc3m.es>.
39
40	  To compile it as a module, choose M here.  If unsure, say N.
41
42config IP6_NF_IPTABLES
43	tristate "IP6 tables support (required for filtering/masq/NAT)"
44	depends on NETFILTER_XTABLES
45	help
46	  ip6tables is a general, extensible packet identification framework.
47	  Currently only the packet filtering and packet mangling subsystem
48	  for IPv6 use this, but connection tracking is going to follow.
49	  Say 'Y' or 'M' here if you want to use either of those.
50
51	  To compile it as a module, choose M here.  If unsure, say N.
52
53# The simple matches.
54config IP6_NF_MATCH_RT
55	tristate "Routing header match support"
56	depends on IP6_NF_IPTABLES
57	help
58	  rt matching allows you to match packets based on the routing
59	  header of the packet.
60
61	  To compile it as a module, choose M here.  If unsure, say N.
62
63config IP6_NF_MATCH_OPTS
64	tristate "Hop-by-hop and Dst opts header match support"
65	depends on IP6_NF_IPTABLES
66	help
67	  This allows one to match packets based on the hop-by-hop
68	  and destination options headers of a packet.
69
70	  To compile it as a module, choose M here.  If unsure, say N.
71
72config IP6_NF_MATCH_FRAG
73	tristate "Fragmentation header match support"
74	depends on IP6_NF_IPTABLES
75	help
76	  frag matching allows you to match packets based on the fragmentation
77	  header of the packet.
78
79	  To compile it as a module, choose M here.  If unsure, say N.
80
81config IP6_NF_MATCH_HL
82	tristate "HL match support"
83	depends on IP6_NF_IPTABLES
84	help
85	  HL matching allows you to match packets based on the hop
86	  limit of the packet.
87
88	  To compile it as a module, choose M here.  If unsure, say N.
89
90config IP6_NF_MATCH_MULTIPORT
91	tristate "Multiple port match support"
92	depends on IP6_NF_IPTABLES
93	help
94	  Multiport matching allows you to match TCP or UDP packets based on
95	  a series of source or destination ports: normally a rule can only
96	  match a single range of ports.
97
98	  To compile it as a module, choose M here.  If unsure, say N.
99
100config IP6_NF_MATCH_OWNER
101	tristate "Owner match support"
102	depends on IP6_NF_IPTABLES
103	help
104	  Packet owner matching allows you to match locally-generated packets
105	  based on who created them: the user, group, process or session.
106
107	  To compile it as a module, choose M here.  If unsure, say N.
108
109config IP6_NF_MATCH_IPV6HEADER
110	tristate "IPv6 Extension Headers Match"
111	depends on IP6_NF_IPTABLES
112	help
113	  This module allows one to match packets based upon
114	  the ipv6 extension headers.
115
116	  To compile it as a module, choose M here.  If unsure, say N.
117
118config IP6_NF_MATCH_AHESP
119	tristate "AH/ESP match support"
120	depends on IP6_NF_IPTABLES
121	help
122	  This module allows one to match AH and ESP packets.
123
124	  To compile it as a module, choose M here.  If unsure, say N.
125
126config IP6_NF_MATCH_EUI64
127	tristate "EUI64 address check"
128	depends on IP6_NF_IPTABLES
129	help
130	  This module performs checking on the IPv6 source address
131	  Compares the last 64 bits with the EUI64 (delivered
132	  from the MAC address) address
133
134	  To compile it as a module, choose M here.  If unsure, say N.
135
136config IP6_NF_MATCH_POLICY
137	tristate "IPsec policy match support"
138	depends on IP6_NF_IPTABLES && XFRM
139	help
140	  Policy matching allows you to match packets based on the
141	  IPsec policy that was used during decapsulation/will
142	  be used during encapsulation.
143
144	  To compile it as a module, choose M here.  If unsure, say N.
145
146# The targets
147config IP6_NF_FILTER
148	tristate "Packet filtering"
149	depends on IP6_NF_IPTABLES
150	help
151	  Packet filtering defines a table `filter', which has a series of
152	  rules for simple packet filtering at local input, forwarding and
153	  local output.  See the man page for iptables(8).
154
155	  To compile it as a module, choose M here.  If unsure, say N.
156
157config IP6_NF_TARGET_LOG
158	tristate "LOG target support"
159	depends on IP6_NF_FILTER
160	help
161	  This option adds a `LOG' target, which allows you to create rules in
162	  any iptables table which records the packet header to the syslog.
163
164	  To compile it as a module, choose M here.  If unsure, say N.
165
166config IP6_NF_TARGET_REJECT
167	tristate "REJECT target support"
168	depends on IP6_NF_FILTER
169	help
170	  The REJECT target allows a filtering rule to specify that an ICMPv6
171	  error should be issued in response to an incoming packet, rather
172	  than silently being dropped.
173
174	  To compile it as a module, choose M here.  If unsure, say N.
175
176config IP6_NF_MANGLE
177	tristate "Packet mangling"
178	depends on IP6_NF_IPTABLES
179	help
180	  This option adds a `mangle' table to iptables: see the man page for
181	  iptables(8).  This table is used for various packet alterations
182	  which can effect how the packet is routed.
183
184	  To compile it as a module, choose M here.  If unsure, say N.
185
186config IP6_NF_TARGET_HL
187	tristate  'HL (hoplimit) target support'
188	depends on IP6_NF_MANGLE
189	help
190	  This option adds a `HL' target, which enables the user to decrement
191	  the hoplimit value of the IPv6 header or set it to a given (lower)
192	  value.
193
194	  While it is safe to decrement the hoplimit value, this option also
195	  enables functionality to increment and set the hoplimit value of the
196	  IPv6 header to arbitrary values.  This is EXTREMELY DANGEROUS since
197	  you can easily create immortal packets that loop forever on the
198	  network.
199
200	  To compile it as a module, choose M here.  If unsure, say N.
201
202config IP6_NF_RAW
203	tristate  'raw table support (required for TRACE)'
204	depends on IP6_NF_IPTABLES
205	help
206	  This option adds a `raw' table to ip6tables. This table is the very
207	  first in the netfilter framework and hooks in at the PREROUTING
208	  and OUTPUT chains.
209
210	  If you want to compile it as a module, say M here and read
211	  <file:Documentation/modules.txt>.  If unsure, say `N'.
212
213endmenu
214
215