#
# IPv6 netfilter configuration
#
# Every symbol inside the menu below is only offered when INET, IPV6 and
# NETFILTER are all enabled (see the menu's "depends on").
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the {ip6,nf}tables socket match.

# NOTE(review): this entry has a prompt but no help text.
config NF_TPROXY_IPV6
	tristate "IPv6 tproxy support"

if NF_TABLES

# bool, not tristate: this gate is either on or off, and every NFT_*_IPV6
# symbol below sits inside "if NF_TABLES_IPV6".
config NF_TABLES_IPV6
	bool "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# No prompt string, so this symbol is not offered to the user. Its value
# follows NFT_REJECT through the default, and enabling it pulls in
# NF_REJECT_IPV6 via select.
config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

# "!NF_CONNTRACK || NF_CONNTRACK" is the Kconfig tristate idiom for an
# optional dependency: it evaluates to y when NF_CONNTRACK is y or n, and
# to m when NF_CONNTRACK is m, so this option cannot be built in while
# conntrack is a module.
config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

# Per the help text this backs reverse path filtering in nf_tables, which is
# commonly used as an anti-spoofing check on the source address. A ruleset
# that relies on IPv6 FIB lookups needs this option enabled.
config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_FLOW_TABLE_IPV6
	tristate "Netfilter flow table IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv6 support.

	  To compile it as a module, choose M here.

# Same optional-dependency idiom as NFT_DUP_IPV6: limited to m when
# NF_CONNTRACK is built as a module.
config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.
# "default m if NETFILTER_ADVANCED=n" builds the option as a module by
# default when the advanced netfilter menu is switched off.
# NOTE(review): NF_REJECT_IPV6 and NF_LOG_IPV6 have prompts but no help text.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

# Gate for every IP6_NF_* match, target and table in this file: they all sit
# inside the "if IP6_NF_IPTABLES" block opened below.
# NOTE(review): the help text's "connection tracking is going to follow"
# looks dated, since IP6_NF_NAT later in this file already depends on
# NF_CONNTRACK.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
# Each of the four matches below depends on NETFILTER_ADVANCED and has no
# default, so none is built unless explicitly selected. A ruleset that uses
# one of them needs the corresponding option enabled.

# "AH" is the IPsec Authentication Header; the help text does not expand
# the abbreviation.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): in the help text "delivered from the MAC address" presumably
# means "derived from the MAC address", and the first sentence is missing
# its full stop.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address
	  Compares the last 64 bits with the EUI64 (delivered
	  from the MAC address) address

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.
# Compatibility symbol: it only selects NETFILTER_XT_MATCH_HL (see the help
# text). "---help---" is the older spelling of the "help" keyword.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

# Unlike the neighbouring matches this one has no NETFILTER_ADVANCED
# dependency; it defaults to m when the advanced menu is off.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): "MH" is presumably the Mobile IPv6 Mobility Header; the help
# text does not expand the abbreviation.
config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Reverse path filtering is commonly used to drop packets whose source
# address is spoofed. The option needs NETFILTER_ADVANCED and at least one of
# the mangle or raw tables; a ruleset that relies on the rpfilter match only
# loads when this is built.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_SRH
	tristate '"srh" Segment Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  srh matching allows you to match packets based on the segment
	  routing header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.
# The targets
# (this stretch also defines the filter and mangle tables)

# Compatibility symbol: it only selects NETFILTER_XT_TARGET_HL (see the help
# text). It needs both NETFILTER_ADVANCED and the mangle table.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

# The filter table is where local input, forwarding and local output
# filtering rules live (see help). It defaults to m when the advanced menu
# is off.
# NOTE(review): the help text points at iptables(8) although this is the
# IPv6 table.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# Only available with the filter table; selecting it pulls in NF_REJECT_IPV6.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

# SYN-flood mitigation (see help). Requires NF_CONNTRACK and
# NETFILTER_ADVANCED; enabling it force-selects NETFILTER_SYNPROXY and
# SYN_COOKIES, so syncookie support is built whenever this target is.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): "effect" in the help text should read "affect", and the text
# refers to iptables/iptables(8) although this is the IPv6 mangle table.
config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.
# No "default" line and no NETFILTER_ADVANCED dependency: the raw table is
# off unless explicitly selected. The prompt notes it is required for TRACE,
# and it is one of the two tables that satisfy IP6_NF_MATCH_RPFILTER's
# dependency.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
# Only offered when the kernel's SECURITY option and NETFILTER_ADVANCED are
# both enabled.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# NAT needs connection tracking (NF_CONNTRACK) and NETFILTER_ADVANCED, and
# selects the generic NF_NAT and NETFILTER_XT_NAT pieces. The targets inside
# "if IP6_NF_NAT" below inherit these requirements.
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

# The help text describes the translation as stateless, but the option sits
# inside "if IP6_NF_NAT" and therefore still inherits that block's
# NF_CONNTRACK dependency.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.
endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES
endmenu

# Defined outside the menu and without a prompt, so it is never offered to
# the user directly. Presumably it is switched on through "select" from
# other options; no such select appears in this file, so confirm against the
# rest of the tree.
config NF_DEFRAG_IPV6
	tristate