#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the {ip6,nf}tables socket match.

# NOTE(review): this option has a prompt but no help text.
config NF_TPROXY_IPV6
	tristate "IPv6 tproxy support"

if NF_TABLES

config NF_TABLES_IPV6
	bool "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

# No prompt string, so this symbol is not offered to the user directly: its
# value follows NFT_REJECT through the default, and enabling it selects the
# NF_REJECT_IPV6 core.
config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

# "!NF_CONNTRACK || NF_CONNTRACK" is tristate logic: it evaluates to y when
# NF_CONNTRACK is n or y, and to m when NF_CONNTRACK is m. The option can
# therefore not be built in while connection tracking is a module.
config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

# The reverse path filtering named in the help text is commonly used as an
# anti-spoofing check on the source address of incoming packets.
config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_FLOW_TABLE_IPV6
	tristate "Netfilter flow table IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv6 support.

	  To compile it as a module, choose M here.

# Same tristate idiom as NFT_DUP_IPV6: never built in while NF_CONNTRACK
# is a module.
config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.
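# Defaults to m when NETFILTER_ADVANCED is off. Other symbols in this file
# also pull it in with "select".
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

# NOTE(review): "connection tracking is going to follow" in the help text
# looks dated; options later in this file already depend on NF_CONNTRACK.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
# Every match in this group is hidden unless NETFILTER_ADVANCED is set.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): as described, this is a consistency check between the
# interface identifier of the source address and the MAC address. It does
# not authenticate the sender, so treat a match as a hint, not as proof of
# origin.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  Compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.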
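# Compatibility symbol: the only effect visible here is that it selects
# NETFILTER_XT_MATCH_HL.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# Unlike the neighbouring matches, this one has no NETFILTER_ADVANCED
# dependency and defaults to m when advanced options are hidden.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Requires the mangle or the raw table; presumably those are the tables in
# which the match is meant to be used (confirm against the ip6tables
# documentation). As an anti-spoofing control, a ruleset normally drops the
# packets that do NOT satisfy this match.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_SRH
	tristate '"srh" Segment Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  srh matching allows you to match packets based on the segment
	  routing header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.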
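# The targets
# Compatibility symbol: the only effect visible here is that it selects
# NETFILTER_XT_TARGET_HL. It is offered only when the mangle table is on.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# The `filter' table is where local input, forwarding and local output
# policy lives; it defaults to m when NETFILTER_ADVANCED is off.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# Needs the filter table and selects the NF_REJECT_IPV6 core.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

# Needs connection tracking, and selects both the shared
# NETFILTER_SYNPROXY code and SYN_COOKIES, so enabling this option also
# turns syncookie support on in the resulting kernel.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows avoiding conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.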
# No NETFILTER_ADVANCED dependency and no default: the option is offered
# whenever IP6_NF_IPTABLES is enabled and stays off unless it is chosen.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
# Only offered when SECURITY is enabled. Presumably used for the
# packet-labelling rules of a MAC policy (confirm against the LSM in use).
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# Requires connection tracking and selects the generic NF_NAT and
# NETFILTER_XT_NAT code.
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_NAT

# Compatibility symbol: the only effect visible here is that it selects
# NETFILTER_XT_TARGET_MASQUERADE.
config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NETFILTER_XT_TARGET_MASQUERADE
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.

# The help text describes this translation as stateless, yet the option
# sits inside "if IP6_NF_NAT". It is therefore only offered when
# IP6_NF_NAT, and with it NF_CONNTRACK, is enabled.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES
endmenu

# No prompt and no default, so this symbol can only be turned on by a
# "select" from another option.
config NF_DEFRAG_IPV6
	tristate