#
# IP netfilter configuration
#
# Everything below sits inside the "IPv6: Netfilter Configuration" menu,
# which is only offered when INET, IPV6 and NETFILTER are all enabled.
#
# NOTE(review): these symbols only decide what gets built.  Enabling them
# installs no ruleset, so a host with IPv6 enabled still needs its own
# ip6tables/nft policy; IPv4 rules do not cover IPv6 traffic.
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# No prompt: this symbol cannot be set from the menu and is only turned on
# through "select" (NF_CONNTRACK_IPV6 below selects it).
config NF_DEFRAG_IPV6
	tristate
	default n

# Built as a module by default when NETFILTER_ADVANCED is off.  The IPv6 NAT
# options elsewhere in this file (NF_NAT_IPV6, IP6_NF_NAT) depend on it.
config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

# Socket lookup backend shared by the ip6tables and nftables socket match.
config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the {ip6,nf}tables socket match.

# Prompt only; this entry carries no help text.
config NF_TPROXY_IPV6
	tristate "IPv6 tproxy support"

# nf_tables pieces: only visible when NF_TABLES is enabled.  The matching
# "endif # NF_TABLES" is further down the file.
if NF_TABLES

config NF_TABLES_IPV6
	bool "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

# Chain types and expressions that need the IPv6 nf_tables family.
if NF_TABLES_IPV6

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# NAT-related nf_tables entries are only offered when IPv6 NAT is enabled.
if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.
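
# nf_tables masquerade expression for IPv6.  Requires the generic NFT_MASQ
# and selects the IPv6 masquerade helper.
config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv6 masquerading support for
	  nf_tables.

# nf_tables redirect expression for IPv6.  Requires the generic NFT_REDIR.
config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv6 redirect support for
	  nf_tables.

endif # NF_NAT_IPV6

# No prompt: defaults to the value of NFT_REJECT and selects the IPv6
# reject core (NF_REJECT_IPV6).
config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

# "!NF_CONNTRACK || NF_CONNTRACK" keeps this option from being built in (y)
# while NF_CONNTRACK is a module.
# NOTE(review): duplication copies traffic to a second destination, so rules
# that use it belong in any ruleset audit.
config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

# FIB lookups are what an nft ruleset uses for reverse path filtering,
# i.e. checking a packet's source address against the routing table.
config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

# IPv6 part of the netfilter flow table; requires the generic NF_FLOW_TABLE.
config NF_FLOW_TABLE_IPV6
	tristate "Netfilter flow table IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv6 support.

	  To compile it as a module, choose M here.

# Core used by the duplication expression above; same conntrack build
# constraint as NFT_DUP_IPV6.
config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.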
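
# Reject core shared by the ip6tables REJECT target and NFT_REJECT_IPV6.
# Built as a module by default when NETFILTER_ADVANCED is off.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

# IPv6 packet logging backend; selects the common logging code.
# NOTE(review): logging rules are normally paired with a rate limit so that
# a packet flood cannot fill the log.
config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

# Only offered with NETFILTER_ADVANCED and IPv6 connection tracking enabled.
config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV6

# No prompt: enabled through "select" by NFT_MASQ_IPV6 and
# IP6_NF_TARGET_MASQUERADE.
config NF_NAT_MASQUERADE_IPV6
	bool

endif # NF_NAT_IPV6

# Base ip6tables support; per the prompt it is required for filtering.
# Note that the default is "m" when NETFILTER_ADVANCED is off, even though
# the help text ends with "If unsure, say N".
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# Every ip6tables match, target and table below is inside this block; the
# matching "endif # IP6_NF_IPTABLES" is near the end of the file.
if IP6_NF_IPTABLES

# The simple matches.
# AH is the IPsec Authentication Header.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): a MAC address can be set by the sender, and hosts using
# privacy addresses do not embed it at all, so this match is a consistency
# check on the source address rather than a form of authentication.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  Compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here. If unsure, say N.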

# Match on the IPv6 Fragment extension header.
config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# One option covers both the hop-by-hop ("hbh") and destination options
# ("dst") header matches.
config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility symbol: it only selects the generic xtables hop-limit match.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# Unlike its neighbours this match does not depend on NETFILTER_ADVANCED and
# is built as a module by default when NETFILTER_ADVANCED is off.  It is the
# match a ruleset uses to restrict which extension headers are accepted.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

# MH is the Mobile IPv6 Mobility Header.
config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Reverse path filter match, the ip6tables building block for dropping
# packets with spoofed source addresses.  Needs the mangle or the raw table
# in addition to NETFILTER_ADVANCED.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

# Match on the IPv6 Routing extension header.
# NOTE(review): routing headers influence the path a packet takes (type 0
# was deprecated by RFC 5095); this match is what lets a ruleset restrict
# them.
config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# Match on the Segment Routing header.
config IP6_NF_MATCH_SRH
	tristate '"srh" Segment Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  srh matching allows you to match packets based on the segment
	  routing header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# The targets
# Compatibility symbol: it only selects the generic xtables HL target and is
# offered when both NETFILTER_ADVANCED and the mangle table are enabled.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# The `filter' table itself.  Built as a module by default when
# NETFILTER_ADVANCED is off.
# NOTE(review): the help text points at iptables(8); the IPv6 command is
# ip6tables.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# Needs the filter table and selects the shared IPv6 reject core.
# REJECT answers the sender with an ICMPv6 error where a drop stays silent;
# which of the two a rule uses is a policy decision.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.
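
# SYN-flood mitigation target.  Requires connection tracking and
# NETFILTER_ADVANCED, and pulls in the generic SYNPROXY code and SYN cookies.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# The `mangle' table.  Built as a module by default when NETFILTER_ADVANCED
# is off; IP6_NF_TARGET_HL and IP6_NF_MATCH_RPFILTER reference it.
config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to ip6tables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# The `raw' table; per the prompt it is required for TRACE.  It has no
# default and no NETFILTER_ADVANCED dependency, so it must be chosen
# explicitly.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
# Only offered when the kernel is built with SECURITY and NETFILTER_ADVANCED.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to ip6tables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# The ip6tables `nat' table.  Requires IPv6 connection tracking and
# NETFILTER_ADVANCED, and selects the NAT core it is built on.
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.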

# NAT targets: only offered when the ip6tables `nat' table is enabled.
# NOTE(review): address translation is not access control; hosts behind
# NAT or NPT still need filter rules of their own.
if IP6_NF_NAT

# Selects the IPv6 masquerade helper (NF_NAT_MASQUERADE_IPV6).
config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

# Stateless prefix translation as described by RFC 6296 (see help text).
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu