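#
# IPv6 netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# No prompt: this symbol is only turned on through 'select'
# (NF_CONNTRACK_IPV6 below selects it).
config NF_DEFRAG_IPV6
	tristate
	default n

# NOTE(review): the help ends with "If unsure, say N", yet the symbol
# defaults to m whenever NETFILTER_ADVANCED is off. Rules that match on
# connection state need connection tracking, so check the rule set before
# turning this off.
config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_TABLES_IPV6
	depends on NF_TABLES
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# Needs both the nf_tables IPv6 family and the IPv6 NAT core.
config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	depends on NF_NAT_IPV6 && NFT_NAT
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as rewriting the source and
	  destination addresses and the source and destination ports.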
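# No prompt: follows the value of NFT_REJECT once NF_TABLES_IPV6 is enabled.
config NFT_REJECT_IPV6
	depends on NF_TABLES_IPV6
	default NFT_REJECT
	tristate

# NOTE(review): this prompt has no help text, so the only documentation of
# what it enables is the prompt itself and the NF_LOG_COMMON select.
config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	depends on NETFILTER_ADVANCED
	select NF_LOG_COMMON

# NOTE(review): the help below says connection tracking "is going to
# follow", but NF_CONNTRACK_IPV6 is already defined in this file, and
# "If unsure, say N" disagrees with the 'default m' used when
# NETFILTER_ADVANCED is off. The wording looks stale; confirm before
# relying on it.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH (Authentication Header)
	  packets.

	  To compile it as a module, choose M here.  If unsure, say N.

# The source address and the MAC address it is compared against are both
# chosen by the sender, so this match is a consistency check, not proof of
# the sender's identity. Addresses that are not built from the MAC address
# will not match.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs a check on the IPv6 source address: it
	  compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.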
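# Compatibility symbol: the match itself is NETFILTER_XT_MATCH_HL, which
# this option selects.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# Not gated on NETFILTER_ADVANCED: defaults to m in the simplified
# configuration.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the IPv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH (Mobility Header) packets.

	  To compile it as a module, choose M here.  If unsure, say N.

# Reverse-path check: lets a rule identify packets whose source address
# would not be routed back out of the interface they arrived on, which is
# the usual sign of a spoofed source. Needs the mangle or raw table to hold
# the rule.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in on.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

# Routing header type 0 was deprecated by RFC 5095; this match is what a
# rule set uses to select packets by their routing header.
config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
# Compatibility symbol: the target itself is NETFILTER_XT_TARGET_HL, which
# this option selects.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.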
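# NOTE(review): "If unsure, say N" in the help disagrees with the
# 'default m' used when NETFILTER_ADVANCED is off; without this table
# ip6tables has no `filter' table to hold filtering rules.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for ip6tables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

# Pulls in SYN cookie support and the shared SYNPROXY code through 'select';
# needs connection tracking to be enabled.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to ip6tables: see the man page for
	  ip6tables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

# Not gated on NETFILTER_ADVANCED and has no default, so it stays off unless
# chosen explicitly; the prompt notes that TRACE requires it.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.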
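# security table for MAC policy
# Only offered when a security module framework (SECURITY) is built in.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to ip6tables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# IPv6 NAT core; requires IPv6 connection tracking. Everything between the
# 'if NF_NAT_IPV6' and its 'endif' below is only visible when this is set.
config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in ip6tables, see the man page for ip6tables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_NAT_IPV6

# Shared masquerade code, selected by both NFT_MASQ_IPV6 and
# IP6_NF_TARGET_MASQUERADE below.
config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

# NOTE(review): this prompt has no help text.
config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

# NPT is stateless: it rewrites prefixes and keeps no per-connection state,
# so it does not by itself restrict inbound traffic. Filtering still has to
# be expressed as explicit rules.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # NF_NAT_IPV6

endif # IP6_NF_IPTABLES

endmenu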