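#
# IPv6 netfilter configuration
#
# Options marked "default m if NETFILTER_ADVANCED=n" are built as modules
# automatically when the simplified (non-advanced) netfilter menu is in use;
# options that "depends on NETFILTER_ADVANCED" are only offered in the
# advanced menu.
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# No prompt: built only when another option selects it (NF_CONNTRACK_IPV6
# below does).
config NF_DEFRAG_IPV6
	tristate
	default n

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_TABLES_IPV6
	depends on NF_TABLES
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# Selected by NFT_REJECT_IPV6 and IP6_NF_TARGET_REJECT in this file.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

# No prompt: its value follows NFT_REJECT.
config NFT_REJECT_IPV6
	depends on NF_TABLES_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv6 masquerading support for
	  nf_tables.

endif # NF_NAT_IPV6

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# The only match in this group that does not depend on NETFILTER_ADVANCED;
# it is built as a module by default in the simplified configuration.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the IPv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

# Needs the mangle or raw table (see the dependency). A reverse-path match
# like this is typically used in anti-spoofing rules that drop packets
# arriving on an interface their source address would not be routed back to.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

# NOTE(review): rulesets commonly use this match to filter Type 0 routing
# headers, which RFC 5095 deprecated.
config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

# Selects SYN_COOKIES: the help text below describes establishing
# connections with syncookies before they reach the server.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to ip6tables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

# No default is given here, so the NETFILTER_ADVANCED=n defaults that cover
# the filter and mangle tables do not enable the raw table.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to ip6tables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu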