xref: /openbmc/linux/net/ipv6/netfilter/Kconfig (revision a3c47977) 
1#
2# IP netfilter configuration
3#
4
5menu "IPv6: Netfilter Configuration (EXPERIMENTAL)"
6	depends on INET && IPV6 && NETFILTER && EXPERIMENTAL
7
8config NF_CONNTRACK_IPV6
9	tristate "IPv6 connection tracking support (EXPERIMENTAL)"
10	depends on EXPERIMENTAL && NF_CONNTRACK
11	---help---
12	  Connection tracking keeps a record of what packets have passed
13	  through your machine, in order to figure out how they are related
14	  into connections.
15
16	  This is IPv6 support on Layer 3 independent connection tracking.
17	  Layer 3 independent connection tracking is experimental scheme
18	  which generalize ip_conntrack to support other layer 3 protocols.
19
20	  To compile it as a module, choose M here.  If unsure, say N.
21
22config IP6_NF_QUEUE
23	tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
24	---help---
25
26	  This option adds a queue handler to the kernel for IPv6
27	  packets which enables users to receive the filtered packets
28	  with QUEUE target using libipq.
29
30	  THis option enables the old IPv6-only "ip6_queue" implementation
31	  which has been obsoleted by the new "nfnetlink_queue" code (see
32	  CONFIG_NETFILTER_NETLINK_QUEUE).
33
34	  (C) Fernando Anton 2001
35	  IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
36	  Universidad Carlos III de Madrid
37	  Universidad Politecnica de Alcala de Henares
38	  email: <fanton@it.uc3m.es>.
39
40	  To compile it as a module, choose M here.  If unsure, say N.
41
42config IP6_NF_IPTABLES
43	tristate "IP6 tables support (required for filtering)"
44	depends on NETFILTER_XTABLES
45	help
46	  ip6tables is a general, extensible packet identification framework.
47	  Currently only the packet filtering and packet mangling subsystem
48	  for IPv6 use this, but connection tracking is going to follow.
49	  Say 'Y' or 'M' here if you want to use either of those.
50
51	  To compile it as a module, choose M here.  If unsure, say N.
52
53# The simple matches.
54config IP6_NF_MATCH_RT
55	tristate "Routing header match support"
56	depends on IP6_NF_IPTABLES
57	help
58	  rt matching allows you to match packets based on the routing
59	  header of the packet.
60
61	  To compile it as a module, choose M here.  If unsure, say N.
62
63config IP6_NF_MATCH_OPTS
64	tristate "Hop-by-hop and Dst opts header match support"
65	depends on IP6_NF_IPTABLES
66	help
67	  This allows one to match packets based on the hop-by-hop
68	  and destination options headers of a packet.
69
70	  To compile it as a module, choose M here.  If unsure, say N.
71
72config IP6_NF_MATCH_FRAG
73	tristate "Fragmentation header match support"
74	depends on IP6_NF_IPTABLES
75	help
76	  frag matching allows you to match packets based on the fragmentation
77	  header of the packet.
78
79	  To compile it as a module, choose M here.  If unsure, say N.
80
81config IP6_NF_MATCH_HL
82	tristate "HL match support"
83	depends on IP6_NF_IPTABLES
84	help
85	  HL matching allows you to match packets based on the hop
86	  limit of the packet.
87
88	  To compile it as a module, choose M here.  If unsure, say N.
89
90config IP6_NF_MATCH_OWNER
91	tristate "Owner match support"
92	depends on IP6_NF_IPTABLES
93	help
94	  Packet owner matching allows you to match locally-generated packets
95	  based on who created them: the user, group, process or session.
96
97	  To compile it as a module, choose M here.  If unsure, say N.
98
99config IP6_NF_MATCH_IPV6HEADER
100	tristate "IPv6 Extension Headers Match"
101	depends on IP6_NF_IPTABLES
102	help
103	  This module allows one to match packets based upon
104	  the ipv6 extension headers.
105
106	  To compile it as a module, choose M here.  If unsure, say N.
107
108config IP6_NF_MATCH_AH
109	tristate "AH match support"
110	depends on IP6_NF_IPTABLES
111	help
112	  This module allows one to match AH packets.
113
114	  To compile it as a module, choose M here.  If unsure, say N.
115
116config IP6_NF_MATCH_EUI64
117	tristate "EUI64 address check"
118	depends on IP6_NF_IPTABLES
119	help
120	  This module performs checking on the IPv6 source address
121	  Compares the last 64 bits with the EUI64 (delivered
122	  from the MAC address) address
123
124	  To compile it as a module, choose M here.  If unsure, say N.
125
126# The targets
127config IP6_NF_FILTER
128	tristate "Packet filtering"
129	depends on IP6_NF_IPTABLES
130	help
131	  Packet filtering defines a table `filter', which has a series of
132	  rules for simple packet filtering at local input, forwarding and
133	  local output.  See the man page for iptables(8).
134
135	  To compile it as a module, choose M here.  If unsure, say N.
136
137config IP6_NF_TARGET_LOG
138	tristate "LOG target support"
139	depends on IP6_NF_FILTER
140	help
141	  This option adds a `LOG' target, which allows you to create rules in
142	  any iptables table which records the packet header to the syslog.
143
144	  To compile it as a module, choose M here.  If unsure, say N.
145
146config IP6_NF_TARGET_REJECT
147	tristate "REJECT target support"
148	depends on IP6_NF_FILTER
149	help
150	  The REJECT target allows a filtering rule to specify that an ICMPv6
151	  error should be issued in response to an incoming packet, rather
152	  than silently being dropped.
153
154	  To compile it as a module, choose M here.  If unsure, say N.
155
156config IP6_NF_MANGLE
157	tristate "Packet mangling"
158	depends on IP6_NF_IPTABLES
159	help
160	  This option adds a `mangle' table to iptables: see the man page for
161	  iptables(8).  This table is used for various packet alterations
162	  which can effect how the packet is routed.
163
164	  To compile it as a module, choose M here.  If unsure, say N.
165
166config IP6_NF_TARGET_HL
167	tristate  'HL (hoplimit) target support'
168	depends on IP6_NF_MANGLE
169	help
170	  This option adds a `HL' target, which enables the user to decrement
171	  the hoplimit value of the IPv6 header or set it to a given (lower)
172	  value.
173
174	  While it is safe to decrement the hoplimit value, this option also
175	  enables functionality to increment and set the hoplimit value of the
176	  IPv6 header to arbitrary values.  This is EXTREMELY DANGEROUS since
177	  you can easily create immortal packets that loop forever on the
178	  network.
179
180	  To compile it as a module, choose M here.  If unsure, say N.
181
182config IP6_NF_RAW
183	tristate  'raw table support (required for TRACE)'
184	depends on IP6_NF_IPTABLES
185	help
186	  This option adds a `raw' table to ip6tables. This table is the very
187	  first in the netfilter framework and hooks in at the PREROUTING
188	  and OUTPUT chains.
189
190	  If you want to compile it as a module, say M here and read
191	  <file:Documentation/modules.txt>.  If unsure, say `N'.
192
193endmenu
194
195