xref: /openbmc/linux/net/ipv6/netfilter/Kconfig (revision c1878869)
1#
2# IP netfilter configuration
3#
4
5menu "IPv6: Netfilter Configuration"
6	depends on INET && IPV6 && NETFILTER
7
8config NF_DEFRAG_IPV6
9	tristate
10	default n
11
12config NF_CONNTRACK_IPV6
13	tristate "IPv6 connection tracking support"
14	depends on INET && IPV6 && NF_CONNTRACK
15	default m if NETFILTER_ADVANCED=n
16	select NF_DEFRAG_IPV6
17	---help---
18	  Connection tracking keeps a record of what packets have passed
19	  through your machine, in order to figure out how they are related
20	  into connections.
21
22	  This is IPv6 support on Layer 3 independent connection tracking.
23	  Layer 3 independent connection tracking is an experimental scheme
24	  which generalizes ip_conntrack to support other layer 3 protocols.
25
26	  To compile it as a module, choose M here.  If unsure, say N.
27
28config NF_TABLES_IPV6
29	depends on NF_TABLES
30	tristate "IPv6 nf_tables support"
31	help
32	  This option enables the IPv6 support for nf_tables.
33
34config NFT_CHAIN_ROUTE_IPV6
35	depends on NF_TABLES_IPV6
36	tristate "IPv6 nf_tables route chain support"
37	help
38	  This option enables the "route" chain for IPv6 in nf_tables. This
39	  chain type is used to force packet re-routing after mangling header
40	  fields such as the source, destination, flowlabel, hop-limit and
41	  the packet mark.
42
43config NFT_CHAIN_NAT_IPV6
44	depends on NF_TABLES_IPV6
45	depends on NF_NAT_IPV6 && NFT_NAT
46	tristate "IPv6 nf_tables nat chain support"
47	help
48	  This option enables the "nat" chain for IPv6 in nf_tables. This
49	  chain type is used to perform Network Address Translation (NAT)
50	  packet transformations such as the source, destination address and
51	  source and destination ports.
52
53config NFT_REJECT_IPV6
54	depends on NF_TABLES_IPV6
55	default NFT_REJECT
56	tristate
57
58config NF_LOG_IPV6
59	tristate "IPv6 packet logging"
60	depends on NETFILTER_ADVANCED
61	select NF_LOG_COMMON
62
63config IP6_NF_IPTABLES
64	tristate "IP6 tables support (required for filtering)"
65	depends on INET && IPV6
66	select NETFILTER_XTABLES
67	default m if NETFILTER_ADVANCED=n
68	help
69	  ip6tables is a general, extensible packet identification framework.
70	  Currently only the packet filtering and packet mangling subsystems
71	  for IPv6 use this, but connection tracking is going to follow.
72	  Say 'Y' or 'M' here if you want to use either of those.
73
74	  To compile it as a module, choose M here.  If unsure, say N.
75
76if IP6_NF_IPTABLES
77
78# The simple matches.
79config IP6_NF_MATCH_AH
80	tristate '"ah" match support'
81	depends on NETFILTER_ADVANCED
82	help
83	  This module allows one to match AH packets.
84
85	  To compile it as a module, choose M here.  If unsure, say N.
86
87config IP6_NF_MATCH_EUI64
88	tristate '"eui64" address check'
89	depends on NETFILTER_ADVANCED
90	help
91	  This module performs checking on the IPv6 source address.
92	  It compares the last 64 bits with the EUI64 address (derived
93	  from the MAC address).
94
95	  To compile it as a module, choose M here.  If unsure, say N.
96
97config IP6_NF_MATCH_FRAG
98	tristate '"frag" Fragmentation header match support'
99	depends on NETFILTER_ADVANCED
100	help
101	  frag matching allows you to match packets based on the fragmentation
102	  header of the packet.
103
104	  To compile it as a module, choose M here.  If unsure, say N.
105
106config IP6_NF_MATCH_OPTS
107	tristate '"hbh" hop-by-hop and "dst" opts header match support'
108	depends on NETFILTER_ADVANCED
109	help
110	  This allows one to match packets based on the hop-by-hop
111	  and destination options headers of a packet.
112
113	  To compile it as a module, choose M here.  If unsure, say N.
114
115config IP6_NF_MATCH_HL
116	tristate '"hl" hoplimit match support'
117	depends on NETFILTER_ADVANCED
118	select NETFILTER_XT_MATCH_HL
119	---help---
120	This is a backwards-compat option for the user's convenience
121	(e.g. when running oldconfig). It selects
122	CONFIG_NETFILTER_XT_MATCH_HL.
123
124config IP6_NF_MATCH_IPV6HEADER
125	tristate '"ipv6header" IPv6 Extension Headers Match'
126	default m if NETFILTER_ADVANCED=n
127	help
128	  This module allows one to match packets based upon
129	  the ipv6 extension headers.
130
131	  To compile it as a module, choose M here.  If unsure, say N.
132
133config IP6_NF_MATCH_MH
134	tristate '"mh" match support'
135	depends on NETFILTER_ADVANCED
136	help
137	  This module allows one to match MH packets.
138
139	  To compile it as a module, choose M here.  If unsure, say N.
140
141config IP6_NF_MATCH_RPFILTER
142	tristate '"rpfilter" reverse path filter match support'
143	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
144	---help---
145	  This option allows you to match packets whose replies would
146	  go out via the interface the packet came in on.
147
148	  To compile it as a module, choose M here.  If unsure, say N.
149	  The module will be called ip6t_rpfilter.
150
151config IP6_NF_MATCH_RT
152	tristate '"rt" Routing header match support'
153	depends on NETFILTER_ADVANCED
154	help
155	  rt matching allows you to match packets based on the routing
156	  header of the packet.
157
158	  To compile it as a module, choose M here.  If unsure, say N.
159
160# The targets
161config IP6_NF_TARGET_HL
162	tristate '"HL" hoplimit target support'
163	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
164	select NETFILTER_XT_TARGET_HL
165	---help---
166	This is a backwards-compatible option for the user's convenience
167	(e.g. when running oldconfig). It selects
168	CONFIG_NETFILTER_XT_TARGET_HL.
169
170config IP6_NF_FILTER
171	tristate "Packet filtering"
172	default m if NETFILTER_ADVANCED=n
173	help
174	  Packet filtering defines a table `filter', which has a series of
175	  rules for simple packet filtering at local input, forwarding and
176	  local output.  See the man page for iptables(8).
177
178	  To compile it as a module, choose M here.  If unsure, say N.
179
180config IP6_NF_TARGET_REJECT
181	tristate "REJECT target support"
182	depends on IP6_NF_FILTER
183	default m if NETFILTER_ADVANCED=n
184	help
185	  The REJECT target allows a filtering rule to specify that an ICMPv6
186	  error should be issued in response to an incoming packet, rather
187	  than silently being dropped.
188
189	  To compile it as a module, choose M here.  If unsure, say N.
190
191config IP6_NF_TARGET_SYNPROXY
192	tristate "SYNPROXY target support"
193	depends on NF_CONNTRACK && NETFILTER_ADVANCED
194	select NETFILTER_SYNPROXY
195	select SYN_COOKIES
196	help
197	  The SYNPROXY target allows you to intercept TCP connections and
198	  establish them using syncookies before they are passed on to the
199	  server. This avoids conntrack and server resource usage
200	  during SYN-flood attacks.
201
202	  To compile it as a module, choose M here. If unsure, say N.
203
204config IP6_NF_MANGLE
205	tristate "Packet mangling"
206	default m if NETFILTER_ADVANCED=n
207	help
208	  This option adds a `mangle' table to iptables: see the man page for
209	  iptables(8).  This table is used for various packet alterations
210	  which can affect how the packet is routed.
211
212	  To compile it as a module, choose M here.  If unsure, say N.
213
214config IP6_NF_RAW
215	tristate  'raw table support (required for TRACE)'
216	help
217	  This option adds a `raw' table to ip6tables. This table is the very
218	  first in the netfilter framework and hooks in at the PREROUTING
219	  and OUTPUT chains.
220
221	  If you want to compile it as a module, say M here and read
222	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
223
224# security table for MAC policy
225config IP6_NF_SECURITY
226       tristate "Security table"
227       depends on SECURITY
228       depends on NETFILTER_ADVANCED
229       help
230         This option adds a `security' table to iptables, for use
231         with Mandatory Access Control (MAC) policy.
232
233         If unsure, say N.
234
235config NF_NAT_IPV6
236	tristate "IPv6 NAT"
237	depends on NF_CONNTRACK_IPV6
238	depends on NETFILTER_ADVANCED
239	select NF_NAT
240	help
241	  The IPv6 NAT option allows masquerading, port forwarding and other
242	  forms of full Network Address Port Translation. It is controlled by
243	  the `nat' table in ip6tables, see the man page for ip6tables(8).
244
245	  To compile it as a module, choose M here.  If unsure, say N.
246
247if NF_NAT_IPV6
248
249config IP6_NF_TARGET_MASQUERADE
250	tristate "MASQUERADE target support"
251	help
252	  Masquerading is a special case of NAT: all outgoing connections are
253	  changed to seem to come from a particular interface's address, and
254	  if the interface goes down, those connections are lost.  This is
255	  only useful for dialup accounts with a dynamic IP address (i.e. your IP
256	  address will be different on next dialup).
257
258	  To compile it as a module, choose M here.  If unsure, say N.
259
260config IP6_NF_TARGET_NPT
261	tristate "NPT (Network Prefix translation) target support"
262	help
263	  This option adds the `SNPT' and `DNPT' targets, which perform
264	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
265
266	  To compile it as a module, choose M here.  If unsure, say N.
267
268endif # NF_NAT_IPV6
269
270endif # IP6_NF_IPTABLES
271
272endmenu
273
274