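#
# IP netfilter configuration
#
# Layout restored to one Kconfig statement per line; the listing's fused
# line-number gutter is not part of the file and has been dropped.

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# No prompt: this symbol is only enabled when another option selects it.
config NF_DEFRAG_IPV6
	tristate
	default n

# Selects NF_DEFRAG_IPV6, so that symbol is always enabled together with
# IPv6 connection tracking.
config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_TABLES_IPV6
	depends on NF_TABLES
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# No prompt: follows the value of NFT_REJECT once NF_TABLES_IPV6 is enabled.
config NFT_REJECT_IPV6
	depends on NF_TABLES_IPV6
	default NFT_REJECT
	tristate

# NOTE(review): this prompt has no help text; a short description of what
# gets logged, and where, would help whoever audits the resulting config.
config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

# Only available with IPv6 connection tracking and NETFILTER_ADVANCED.
config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

endif # NF_NAT_IPV6

# Defaults to m when NETFILTER_ADVANCED is off; every option up to the
# matching endif is only offered when this one is enabled.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
# Apart from "ipv6header", the matches in this group depend on
# NETFILTER_ADVANCED, so a ruleset that filters on extension headers
# needs that symbol set at build time.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.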
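# Compatibility shim: the only effect of this entry is to select
# NETFILTER_XT_MATCH_HL.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# Has no NETFILTER_ADVANCED dependency; defaults to m when that symbol
# is off.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Reverse-path check, usable as an ingress anti-spoofing rule. Only
# offered when the mangle or the raw table is enabled (see the depends
# line).
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

# Lets a ruleset match on the IPv6 routing header, e.g. to filter type 0
# routing headers, which RFC 5095 deprecated.
config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# The targets
# Compatibility shim: the only effect of this entry is to select
# NETFILTER_XT_TARGET_HL. Requires the mangle table.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.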
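# Defaults to m when NETFILTER_ADVANCED is off.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# REJECT answers the sender with an ICMPv6 error where a drop stays
# silent; which of the two a ruleset uses decides what the sender can
# learn about the filter.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

# Selects NETFILTER_SYNPROXY and SYN_COOKIES; only available with
# NF_CONNTRACK and NETFILTER_ADVANCED.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# Defaults to m when NETFILTER_ADVANCED is off.
config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# Unlike the filter and mangle tables above, this entry has no default,
# so it stays off unless it is enabled explicitly.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.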
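# security table for MAC policy
# Only available when SECURITY and NETFILTER_ADVANCED are both set.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# Needs IPv6 connection tracking; selects the generic and IPv6 NAT cores
# plus the xtables NAT targets.
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_NAT

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

# NOTE(review): no help text on this prompt.
config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

# The translation is stateless, but the entry sits inside `if IP6_NF_NAT',
# so it is only offered when the conntrack-dependent ip6tables NAT table
# is enabled.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.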
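endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu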