xref: /openbmc/linux/net/ipv6/netfilter/Kconfig (revision 83e96d44) 
1#
2# IP netfilter configuration
3#
4
5menu "IPv6: Netfilter Configuration"
6	depends on INET && IPV6 && NETFILTER
7
8config NF_DEFRAG_IPV6
9	tristate
10	default n
11
12config NF_CONNTRACK_IPV6
13	tristate "IPv6 connection tracking support"
14	depends on INET && IPV6 && NF_CONNTRACK
15	default m if NETFILTER_ADVANCED=n
16	select NF_DEFRAG_IPV6
17	---help---
18	  Connection tracking keeps a record of what packets have passed
19	  through your machine, in order to figure out how they are related
20	  into connections.
21
22	  This is IPv6 support on Layer 3 independent connection tracking.
23	  Layer 3 independent connection tracking is experimental scheme
24	  which generalize ip_conntrack to support other layer 3 protocols.
25
26	  To compile it as a module, choose M here.  If unsure, say N.
27
28config NF_TABLES_IPV6
29	depends on NF_TABLES
30	tristate "IPv6 nf_tables support"
31	help
32	  This option enables the IPv6 support for nf_tables.
33
34config NFT_CHAIN_ROUTE_IPV6
35	depends on NF_TABLES_IPV6
36	tristate "IPv6 nf_tables route chain support"
37	help
38	  This option enables the "route" chain for IPv6 in nf_tables. This
39	  chain type is used to force packet re-routing after mangling header
40	  fields such as the source, destination, flowlabel, hop-limit and
41	  the packet mark.
42
43config NFT_CHAIN_NAT_IPV6
44	depends on NF_TABLES_IPV6
45	depends on NF_NAT_IPV6 && NFT_NAT
46	tristate "IPv6 nf_tables nat chain support"
47	help
48	  This option enables the "nat" chain for IPv6 in nf_tables. This
49	  chain type is used to perform Network Address Translation (NAT)
50	  packet transformations such as the source, destination address and
51	  source and destination ports.
52
53config NFT_REJECT_IPV6
54	depends on NF_TABLES_IPV6
55	default NFT_REJECT
56	tristate
57
58config IP6_NF_IPTABLES
59	tristate "IP6 tables support (required for filtering)"
60	depends on INET && IPV6
61	select NETFILTER_XTABLES
62	default m if NETFILTER_ADVANCED=n
63	help
64	  ip6tables is a general, extensible packet identification framework.
65	  Currently only the packet filtering and packet mangling subsystem
66	  for IPv6 use this, but connection tracking is going to follow.
67	  Say 'Y' or 'M' here if you want to use either of those.
68
69	  To compile it as a module, choose M here.  If unsure, say N.
70
71if IP6_NF_IPTABLES
72
73# The simple matches.
74config IP6_NF_MATCH_AH
75	tristate '"ah" match support'
76	depends on NETFILTER_ADVANCED
77	help
78	  This module allows one to match AH packets.
79
80	  To compile it as a module, choose M here.  If unsure, say N.
81
82config IP6_NF_MATCH_EUI64
83	tristate '"eui64" address check'
84	depends on NETFILTER_ADVANCED
85	help
86	  This module performs checking on the IPv6 source address
87	  Compares the last 64 bits with the EUI64 (delivered
88	  from the MAC address) address
89
90	  To compile it as a module, choose M here.  If unsure, say N.
91
92config IP6_NF_MATCH_FRAG
93	tristate '"frag" Fragmentation header match support'
94	depends on NETFILTER_ADVANCED
95	help
96	  frag matching allows you to match packets based on the fragmentation
97	  header of the packet.
98
99	  To compile it as a module, choose M here.  If unsure, say N.
100
101config IP6_NF_MATCH_OPTS
102	tristate '"hbh" hop-by-hop and "dst" opts header match support'
103	depends on NETFILTER_ADVANCED
104	help
105	  This allows one to match packets based on the hop-by-hop
106	  and destination options headers of a packet.
107
108	  To compile it as a module, choose M here.  If unsure, say N.
109
110config IP6_NF_MATCH_HL
111	tristate '"hl" hoplimit match support'
112	depends on NETFILTER_ADVANCED
113	select NETFILTER_XT_MATCH_HL
114	---help---
115	This is a backwards-compat option for the user's convenience
116	(e.g. when running oldconfig). It selects
117	CONFIG_NETFILTER_XT_MATCH_HL.
118
119config IP6_NF_MATCH_IPV6HEADER
120	tristate '"ipv6header" IPv6 Extension Headers Match'
121	default m if NETFILTER_ADVANCED=n
122	help
123	  This module allows one to match packets based upon
124	  the ipv6 extension headers.
125
126	  To compile it as a module, choose M here.  If unsure, say N.
127
128config IP6_NF_MATCH_MH
129	tristate '"mh" match support'
130	depends on NETFILTER_ADVANCED
131	help
132	  This module allows one to match MH packets.
133
134	  To compile it as a module, choose M here.  If unsure, say N.
135
136config IP6_NF_MATCH_RPFILTER
137	tristate '"rpfilter" reverse path filter match support'
138	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
139	---help---
140	  This option allows you to match packets whose replies would
141	  go out via the interface the packet came in.
142
143	  To compile it as a module, choose M here.  If unsure, say N.
144	  The module will be called ip6t_rpfilter.
145
146config IP6_NF_MATCH_RT
147	tristate '"rt" Routing header match support'
148	depends on NETFILTER_ADVANCED
149	help
150	  rt matching allows you to match packets based on the routing
151	  header of the packet.
152
153	  To compile it as a module, choose M here.  If unsure, say N.
154
155# The targets
156config IP6_NF_TARGET_HL
157	tristate '"HL" hoplimit target support'
158	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
159	select NETFILTER_XT_TARGET_HL
160	---help---
161	This is a backwards-compatible option for the user's convenience
162	(e.g. when running oldconfig). It selects
163	CONFIG_NETFILTER_XT_TARGET_HL.
164
165config IP6_NF_FILTER
166	tristate "Packet filtering"
167	default m if NETFILTER_ADVANCED=n
168	help
169	  Packet filtering defines a table `filter', which has a series of
170	  rules for simple packet filtering at local input, forwarding and
171	  local output.  See the man page for iptables(8).
172
173	  To compile it as a module, choose M here.  If unsure, say N.
174
175config IP6_NF_TARGET_REJECT
176	tristate "REJECT target support"
177	depends on IP6_NF_FILTER
178	default m if NETFILTER_ADVANCED=n
179	help
180	  The REJECT target allows a filtering rule to specify that an ICMPv6
181	  error should be issued in response to an incoming packet, rather
182	  than silently being dropped.
183
184	  To compile it as a module, choose M here.  If unsure, say N.
185
186config IP6_NF_TARGET_SYNPROXY
187	tristate "SYNPROXY target support"
188	depends on NF_CONNTRACK && NETFILTER_ADVANCED
189	select NETFILTER_SYNPROXY
190	select SYN_COOKIES
191	help
192	  The SYNPROXY target allows you to intercept TCP connections and
193	  establish them using syncookies before they are passed on to the
194	  server. This allows to avoid conntrack and server resource usage
195	  during SYN-flood attacks.
196
197	  To compile it as a module, choose M here. If unsure, say N.
198
199config IP6_NF_MANGLE
200	tristate "Packet mangling"
201	default m if NETFILTER_ADVANCED=n
202	help
203	  This option adds a `mangle' table to iptables: see the man page for
204	  iptables(8).  This table is used for various packet alterations
205	  which can effect how the packet is routed.
206
207	  To compile it as a module, choose M here.  If unsure, say N.
208
209config IP6_NF_RAW
210	tristate  'raw table support (required for TRACE)'
211	help
212	  This option adds a `raw' table to ip6tables. This table is the very
213	  first in the netfilter framework and hooks in at the PREROUTING
214	  and OUTPUT chains.
215
216	  If you want to compile it as a module, say M here and read
217	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
218
219# security table for MAC policy
220config IP6_NF_SECURITY
221       tristate "Security table"
222       depends on SECURITY
223       depends on NETFILTER_ADVANCED
224       help
225         This option adds a `security' table to iptables, for use
226         with Mandatory Access Control (MAC) policy.
227
228         If unsure, say N.
229
230config NF_LOG_IPV6
231	tristate "IPv6 packet logging"
232	depends on NETFILTER_ADVANCED
233	select NF_LOG_COMMON
234
235config NF_NAT_IPV6
236	tristate "IPv6 NAT"
237	depends on NF_CONNTRACK_IPV6
238	depends on NETFILTER_ADVANCED
239	select NF_NAT
240	help
241	  The IPv6 NAT option allows masquerading, port forwarding and other
242	  forms of full Network Address Port Translation. It is controlled by
243	  the `nat' table in ip6tables, see the man page for ip6tables(8).
244
245	  To compile it as a module, choose M here.  If unsure, say N.
246
247if NF_NAT_IPV6
248
249config IP6_NF_TARGET_MASQUERADE
250	tristate "MASQUERADE target support"
251	help
252	  Masquerading is a special case of NAT: all outgoing connections are
253	  changed to seem to come from a particular interface's address, and
254	  if the interface goes down, those connections are lost.  This is
255	  only useful for dialup accounts with dynamic IP address (ie. your IP
256	  address will be different on next dialup).
257
258	  To compile it as a module, choose M here.  If unsure, say N.
259
260config IP6_NF_TARGET_NPT
261	tristate "NPT (Network Prefix translation) target support"
262	help
263	  This option adds the `SNPT' and `DNPT' target, which perform
264	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
265
266	  To compile it as a module, choose M here.  If unsure, say N.
267
268endif # NF_NAT_IPV6
269
270endif # IP6_NF_IPTABLES
271
272endmenu
273
274