#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration (EXPERIMENTAL)"
	depends on INET && IPV6 && NETFILTER && EXPERIMENTAL

config NF_CONNTRACK_IPV6
	tristate "IPv6 support for new connection tracking (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_QUEUE
	tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
	---help---

	  This option adds a queue handler to the kernel for IPv6
	  packets which enables users to receive the filtered packets
	  with QUEUE target using libipq.

	  This option enables the old IPv6-only "ip6_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  (C) Fernando Anton 2001
	  IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
	  Universidad Carlos III de Madrid
	  Universidad Politecnica de Alcala de Henares
	  email: <fanton@it.uc3m.es>.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering/masq/NAT)"
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# The simple matches.
config IP6_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP6_NF_IPTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP6_NF_IPTABLES
	help
	  mac matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_RT
	tristate "Routing header match support"
	depends on IP6_NF_IPTABLES
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate "Hop-by-hop and Dst opts header match support"
	depends on IP6_NF_IPTABLES
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate "Fragmentation header match support"
	depends on IP6_NF_IPTABLES
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
	tristate "HL match support"
	depends on IP6_NF_IPTABLES
	help
	  HL matching allows you to match packets based on the hop
	  limit of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP6_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP6_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP6_NF_IPTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet. This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_IPV6HEADER
	tristate "IPv6 Extension Headers Match"
	depends on IP6_NF_IPTABLES
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_AHESP
	tristate "AH/ESP match support"
	depends on IP6_NF_IPTABLES
	help
	  This module allows one to match AH and ESP packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_LENGTH
	tristate "Packet Length match support"
	depends on IP6_NF_IPTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate "EUI64 address check"
	depends on IP6_NF_IPTABLES
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP6_NF_IPTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_POLICY
	tristate "IPsec policy match support"
	depends on IP6_NF_IPTABLES && XFRM
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

# The targets
config IP6_NF_FILTER
	tristate "Packet filtering"
	depends on IP6_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP6_NF_FILTER
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which record the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_NFQUEUE
	tristate "NFQUEUE Target Support"
	depends on IP6_NF_IPTABLES
	help
	  This Target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	depends on IP6_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP6_NF_MANGLE
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_HL
	tristate 'HL (hoplimit) target support'
	depends on IP6_NF_MANGLE
	help
	  This option adds a `HL' target, which enables the user to decrement
	  the hoplimit value of the IPv6 header or set it to a given (lower)
	  value.

	  While it is safe to decrement the hoplimit value, this option also
	  enables functionality to increment and set the hoplimit value of the
	  IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since
	  you can easily create immortal packets that loop forever on the
	  network.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	depends on IP6_NF_IPTABLES
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

endmenu