xref: /openbmc/linux/net/ipv6/netfilter/Kconfig (revision 76b6717b) 
1#
2# IP netfilter configuration
3#
4
5menu "IPv6: Netfilter Configuration"
6	depends on INET && IPV6 && NETFILTER
7
8config NF_CONNTRACK_IPV6
9	tristate "IPv6 connection tracking support"
10	depends on INET && IPV6 && NF_CONNTRACK
11	default m if NETFILTER_ADVANCED=n
12	---help---
13	  Connection tracking keeps a record of what packets have passed
14	  through your machine, in order to figure out how they are related
15	  into connections.
16
17	  This is IPv6 support on Layer 3 independent connection tracking.
18	  Layer 3 independent connection tracking is experimental scheme
19	  which generalize ip_conntrack to support other layer 3 protocols.
20
21	  To compile it as a module, choose M here.  If unsure, say N.
22
23config IP6_NF_QUEUE
24	tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
25	depends on INET && IPV6 && NETFILTER
26	depends on NETFILTER_ADVANCED
27	---help---
28
29	  This option adds a queue handler to the kernel for IPv6
30	  packets which enables users to receive the filtered packets
31	  with QUEUE target using libipq.
32
33	  This option enables the old IPv6-only "ip6_queue" implementation
34	  which has been obsoleted by the new "nfnetlink_queue" code (see
35	  CONFIG_NETFILTER_NETLINK_QUEUE).
36
37	  (C) Fernando Anton 2001
38	  IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
39	  Universidad Carlos III de Madrid
40	  Universidad Politecnica de Alcala de Henares
41	  email: <fanton@it.uc3m.es>.
42
43	  To compile it as a module, choose M here.  If unsure, say N.
44
45config IP6_NF_IPTABLES
46	tristate "IP6 tables support (required for filtering)"
47	depends on INET && IPV6
48	select NETFILTER_XTABLES
49	default m if NETFILTER_ADVANCED=n
50	help
51	  ip6tables is a general, extensible packet identification framework.
52	  Currently only the packet filtering and packet mangling subsystem
53	  for IPv6 use this, but connection tracking is going to follow.
54	  Say 'Y' or 'M' here if you want to use either of those.
55
56	  To compile it as a module, choose M here.  If unsure, say N.
57
58if IP6_NF_IPTABLES
59
60# The simple matches.
61config IP6_NF_MATCH_AH
62	tristate '"ah" match support'
63	depends on NETFILTER_ADVANCED
64	help
65	  This module allows one to match AH packets.
66
67	  To compile it as a module, choose M here.  If unsure, say N.
68
69config IP6_NF_MATCH_EUI64
70	tristate '"eui64" address check'
71	depends on NETFILTER_ADVANCED
72	help
73	  This module performs checking on the IPv6 source address
74	  Compares the last 64 bits with the EUI64 (delivered
75	  from the MAC address) address
76
77	  To compile it as a module, choose M here.  If unsure, say N.
78
79config IP6_NF_MATCH_FRAG
80	tristate '"frag" Fragmentation header match support'
81	depends on NETFILTER_ADVANCED
82	help
83	  frag matching allows you to match packets based on the fragmentation
84	  header of the packet.
85
86	  To compile it as a module, choose M here.  If unsure, say N.
87
88config IP6_NF_MATCH_OPTS
89	tristate '"hbh" hop-by-hop and "dst" opts header match support'
90	depends on NETFILTER_ADVANCED
91	help
92	  This allows one to match packets based on the hop-by-hop
93	  and destination options headers of a packet.
94
95	  To compile it as a module, choose M here.  If unsure, say N.
96
97config IP6_NF_MATCH_HL
98	tristate '"hl" hoplimit match support'
99	depends on NETFILTER_ADVANCED
100	select NETFILTER_XT_MATCH_HL
101	---help---
102	This is a backwards-compat option for the user's convenience
103	(e.g. when running oldconfig). It selects
104	CONFIG_NETFILTER_XT_MATCH_HL.
105
106config IP6_NF_MATCH_IPV6HEADER
107	tristate '"ipv6header" IPv6 Extension Headers Match'
108	default m if NETFILTER_ADVANCED=n
109	help
110	  This module allows one to match packets based upon
111	  the ipv6 extension headers.
112
113	  To compile it as a module, choose M here.  If unsure, say N.
114
115config IP6_NF_MATCH_MH
116	tristate '"mh" match support'
117	depends on NETFILTER_ADVANCED
118	help
119	  This module allows one to match MH packets.
120
121	  To compile it as a module, choose M here.  If unsure, say N.
122
123config IP6_NF_MATCH_RT
124	tristate '"rt" Routing header match support'
125	depends on NETFILTER_ADVANCED
126	help
127	  rt matching allows you to match packets based on the routing
128	  header of the packet.
129
130	  To compile it as a module, choose M here.  If unsure, say N.
131
132# The targets
133config IP6_NF_TARGET_HL
134	tristate '"HL" hoplimit target support'
135	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
136	select NETFILTER_XT_TARGET_HL
137	---help---
138	This is a backwards-compatible option for the user's convenience
139	(e.g. when running oldconfig). It selects
140	CONFIG_NETFILTER_XT_TARGET_HL.
141
142config IP6_NF_TARGET_LOG
143	tristate "LOG target support"
144	default m if NETFILTER_ADVANCED=n
145	help
146	  This option adds a `LOG' target, which allows you to create rules in
147	  any iptables table which records the packet header to the syslog.
148
149	  To compile it as a module, choose M here.  If unsure, say N.
150
151config IP6_NF_FILTER
152	tristate "Packet filtering"
153	default m if NETFILTER_ADVANCED=n
154	help
155	  Packet filtering defines a table `filter', which has a series of
156	  rules for simple packet filtering at local input, forwarding and
157	  local output.  See the man page for iptables(8).
158
159	  To compile it as a module, choose M here.  If unsure, say N.
160
161config IP6_NF_TARGET_REJECT
162	tristate "REJECT target support"
163	depends on IP6_NF_FILTER
164	default m if NETFILTER_ADVANCED=n
165	help
166	  The REJECT target allows a filtering rule to specify that an ICMPv6
167	  error should be issued in response to an incoming packet, rather
168	  than silently being dropped.
169
170	  To compile it as a module, choose M here.  If unsure, say N.
171
172config IP6_NF_MANGLE
173	tristate "Packet mangling"
174	default m if NETFILTER_ADVANCED=n
175	help
176	  This option adds a `mangle' table to iptables: see the man page for
177	  iptables(8).  This table is used for various packet alterations
178	  which can effect how the packet is routed.
179
180	  To compile it as a module, choose M here.  If unsure, say N.
181
182config IP6_NF_RAW
183	tristate  'raw table support (required for TRACE)'
184	depends on NETFILTER_ADVANCED
185	help
186	  This option adds a `raw' table to ip6tables. This table is the very
187	  first in the netfilter framework and hooks in at the PREROUTING
188	  and OUTPUT chains.
189
190	  If you want to compile it as a module, say M here and read
191	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
192
193# security table for MAC policy
194config IP6_NF_SECURITY
195       tristate "Security table"
196       depends on SECURITY
197       depends on NETFILTER_ADVANCED
198       help
199         This option adds a `security' table to iptables, for use
200         with Mandatory Access Control (MAC) policy.
201
202         If unsure, say N.
203
204endif # IP6_NF_IPTABLES
205
206endmenu
207
208