1# 2# IP netfilter configuration 3# 4 5menu "IPv6: Netfilter Configuration" 6 depends on INET && IPV6 && NETFILTER 7 8config NF_DEFRAG_IPV6 9 tristate 10 default n 11 12config NF_CONNTRACK_IPV6 13 tristate "IPv6 connection tracking support" 14 depends on INET && IPV6 && NF_CONNTRACK 15 default m if NETFILTER_ADVANCED=n 16 select NF_DEFRAG_IPV6 17 ---help--- 18 Connection tracking keeps a record of what packets have passed 19 through your machine, in order to figure out how they are related 20 into connections. 21 22 This is IPv6 support on Layer 3 independent connection tracking. 23 Layer 3 independent connection tracking is experimental scheme 24 which generalize ip_conntrack to support other layer 3 protocols. 25 26 To compile it as a module, choose M here. If unsure, say N. 27 28config NF_NAT_IPV6 29 tristate "IPv6 NAT" 30 depends on NF_CONNTRACK_IPV6 31 depends on NETFILTER_ADVANCED 32 select NF_NAT 33 help 34 The IPv6 NAT option allows masquerading, port forwarding and other 35 forms of full Network Address Port Translation. It is controlled by 36 the `nat' table in ip6tables, see the man page for ip6tables(8). 37 38 To compile it as a module, choose M here. If unsure, say N. 39 40config IP6_NF_IPTABLES 41 tristate "IP6 tables support (required for filtering)" 42 depends on INET && IPV6 43 select NETFILTER_XTABLES 44 default m if NETFILTER_ADVANCED=n 45 help 46 ip6tables is a general, extensible packet identification framework. 47 Currently only the packet filtering and packet mangling subsystem 48 for IPv6 use this, but connection tracking is going to follow. 49 Say 'Y' or 'M' here if you want to use either of those. 50 51 To compile it as a module, choose M here. If unsure, say N. 52 53if IP6_NF_IPTABLES 54 55# The simple matches. 56config IP6_NF_MATCH_AH 57 tristate '"ah" match support' 58 depends on NETFILTER_ADVANCED 59 help 60 This module allows one to match AH packets. 61 62 To compile it as a module, choose M here. If unsure, say N. 63 64config IP6_NF_MATCH_EUI64 65 tristate '"eui64" address check' 66 depends on NETFILTER_ADVANCED 67 help 68 This module performs checking on the IPv6 source address 69 Compares the last 64 bits with the EUI64 (delivered 70 from the MAC address) address 71 72 To compile it as a module, choose M here. If unsure, say N. 73 74config IP6_NF_MATCH_FRAG 75 tristate '"frag" Fragmentation header match support' 76 depends on NETFILTER_ADVANCED 77 help 78 frag matching allows you to match packets based on the fragmentation 79 header of the packet. 80 81 To compile it as a module, choose M here. If unsure, say N. 82 83config IP6_NF_MATCH_OPTS 84 tristate '"hbh" hop-by-hop and "dst" opts header match support' 85 depends on NETFILTER_ADVANCED 86 help 87 This allows one to match packets based on the hop-by-hop 88 and destination options headers of a packet. 89 90 To compile it as a module, choose M here. If unsure, say N. 91 92config IP6_NF_MATCH_HL 93 tristate '"hl" hoplimit match support' 94 depends on NETFILTER_ADVANCED 95 select NETFILTER_XT_MATCH_HL 96 ---help--- 97 This is a backwards-compat option for the user's convenience 98 (e.g. when running oldconfig). It selects 99 CONFIG_NETFILTER_XT_MATCH_HL. 100 101config IP6_NF_MATCH_IPV6HEADER 102 tristate '"ipv6header" IPv6 Extension Headers Match' 103 default m if NETFILTER_ADVANCED=n 104 help 105 This module allows one to match packets based upon 106 the ipv6 extension headers. 107 108 To compile it as a module, choose M here. If unsure, say N. 109 110config IP6_NF_MATCH_MH 111 tristate '"mh" match support' 112 depends on NETFILTER_ADVANCED 113 help 114 This module allows one to match MH packets. 115 116 To compile it as a module, choose M here. If unsure, say N. 117 118config IP6_NF_MATCH_RPFILTER 119 tristate '"rpfilter" reverse path filter match support' 120 depends on NETFILTER_ADVANCED 121 ---help--- 122 This option allows you to match packets whose replies would 123 go out via the interface the packet came in. 124 125 To compile it as a module, choose M here. If unsure, say N. 126 The module will be called ip6t_rpfilter. 127 128config IP6_NF_MATCH_RT 129 tristate '"rt" Routing header match support' 130 depends on NETFILTER_ADVANCED 131 help 132 rt matching allows you to match packets based on the routing 133 header of the packet. 134 135 To compile it as a module, choose M here. If unsure, say N. 136 137# The targets 138config IP6_NF_TARGET_HL 139 tristate '"HL" hoplimit target support' 140 depends on NETFILTER_ADVANCED && IP6_NF_MANGLE 141 select NETFILTER_XT_TARGET_HL 142 ---help--- 143 This is a backwards-compatible option for the user's convenience 144 (e.g. when running oldconfig). It selects 145 CONFIG_NETFILTER_XT_TARGET_HL. 146 147config IP6_NF_TARGET_MASQUERADE 148 tristate "MASQUERADE target support" 149 depends on NF_NAT_IPV6 150 help 151 Masquerading is a special case of NAT: all outgoing connections are 152 changed to seem to come from a particular interface's address, and 153 if the interface goes down, those connections are lost. This is 154 only useful for dialup accounts with dynamic IP address (ie. your IP 155 address will be different on next dialup). 156 157 To compile it as a module, choose M here. If unsure, say N. 158 159config IP6_NF_TARGET_NETMAP 160 tristate "NETMAP target support" 161 depends on NF_NAT_IPV6 162 help 163 NETMAP is an implementation of static 1:1 NAT mapping of network 164 addresses. It maps the network address part, while keeping the host 165 address part intact. 166 167 To compile it as a module, choose M here. If unsure, say N. 168 169config IP6_NF_TARGET_REDIRECT 170 tristate "REDIRECT target support" 171 depends on NF_NAT_IPV6 172 help 173 REDIRECT is a special case of NAT: all incoming connections are 174 mapped onto the incoming interface's address, causing the packets to 175 come to the local machine instead of passing through. This is 176 useful for transparent proxies. 177 178 To compile it as a module, choose M here. If unsure, say N. 179 180config IP6_NF_TARGET_NPT 181 tristate "NPT (Network Prefix translation) target support" 182 depends on NETFILTER_ADVANCED 183 help 184 This option adds the `SNPT' and `DNPT' target, which perform 185 stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296. 186 187 To compile it as a module, choose M here. If unsure, say N. 188 189config IP6_NF_FILTER 190 tristate "Packet filtering" 191 default m if NETFILTER_ADVANCED=n 192 help 193 Packet filtering defines a table `filter', which has a series of 194 rules for simple packet filtering at local input, forwarding and 195 local output. See the man page for iptables(8). 196 197 To compile it as a module, choose M here. If unsure, say N. 198 199config IP6_NF_TARGET_REJECT 200 tristate "REJECT target support" 201 depends on IP6_NF_FILTER 202 default m if NETFILTER_ADVANCED=n 203 help 204 The REJECT target allows a filtering rule to specify that an ICMPv6 205 error should be issued in response to an incoming packet, rather 206 than silently being dropped. 207 208 To compile it as a module, choose M here. If unsure, say N. 209 210config IP6_NF_MANGLE 211 tristate "Packet mangling" 212 default m if NETFILTER_ADVANCED=n 213 help 214 This option adds a `mangle' table to iptables: see the man page for 215 iptables(8). This table is used for various packet alterations 216 which can effect how the packet is routed. 217 218 To compile it as a module, choose M here. If unsure, say N. 219 220config IP6_NF_RAW 221 tristate 'raw table support (required for TRACE)' 222 help 223 This option adds a `raw' table to ip6tables. This table is the very 224 first in the netfilter framework and hooks in at the PREROUTING 225 and OUTPUT chains. 226 227 If you want to compile it as a module, say M here and read 228 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 229 230# security table for MAC policy 231config IP6_NF_SECURITY 232 tristate "Security table" 233 depends on SECURITY 234 depends on NETFILTER_ADVANCED 235 help 236 This option adds a `security' table to iptables, for use 237 with Mandatory Access Control (MAC) policy. 238 239 If unsure, say N. 240 241endif # IP6_NF_IPTABLES 242 243endmenu 244 245