#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_DEFRAG_IPV6
	tristate
	default n

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_TABLES_IPV6
	depends on NF_TABLES
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	depends on NF_NAT_IPV6 && NFT_NAT
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NFT_REJECT_IPV6
	depends on NF_TABLES_IPV6
	default NFT_REJECT
	tristate

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the IPv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	depends on NETFILTER_ADVANCED
	select NF_LOG_COMMON

config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in ip6tables, see the man page for ip6tables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_NAT_IPV6

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # NF_NAT_IPV6

endif # IP6_NF_IPTABLES

endmenu