Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | # |
2 | # IP netfilter configuration | |
3 | # | |
4 | ||
8ce22fca PM |
5 | menu "IPv6: Netfilter Configuration" |
6 | depends on INET && IPV6 && NETFILTER | |
1da177e4 | 7 | |
f6318e55 KK |
8 | config NF_DEFRAG_IPV6 |
9 | tristate | |
10 | default n | |
11 | ||
9bdf87d9 | 12 | config NF_CONNTRACK_IPV6 |
8ce22fca PM |
13 | tristate "IPv6 connection tracking support" |
14 | depends on INET && IPV6 && NF_CONNTRACK | |
33b8e776 | 15 | default m if NETFILTER_ADVANCED=n |
f6318e55 | 16 | select NF_DEFRAG_IPV6 |
9bdf87d9 YK |
17 | ---help--- |
18 | Connection tracking keeps a record of what packets have passed | |
19 | through your machine, in order to figure out how they are related | |
20 | into connections. | |
21 | ||
22 | This is IPv6 support on Layer 3 independent connection tracking. | |
23 | Layer 3 independent connection tracking is an experimental scheme | |
24 | which generalizes ip_conntrack to support other layer 3 protocols. | |
25 | ||
26 | To compile it as a module, choose M here. If unsure, say N. | |
58a317f1 | 27 | |
f04e599e PNA |
28 | if NF_TABLES |
29 | ||
96518518 | 30 | config NF_TABLES_IPV6 |
96518518 | 31 | tristate "IPv6 nf_tables support" |
d497c635 PNA |
32 | help |
33 | This option enables the IPv6 support for nf_tables. | |
96518518 | 34 | |
f04e599e PNA |
35 | if NF_TABLES_IPV6 |
36 | ||
9370761c | 37 | config NFT_CHAIN_ROUTE_IPV6 |
9370761c | 38 | tristate "IPv6 nf_tables route chain support" |
d497c635 PNA |
39 | help |
40 | This option enables the "route" chain for IPv6 in nf_tables. This | |
41 | chain type is used to force packet re-routing after mangling header | |
42 | fields such as the source, destination, flowlabel, hop-limit and | |
43 | the packet mark. | |
96518518 | 44 | |
cc4723ca | 45 | config NFT_REJECT_IPV6 |
c8d7b98b | 46 | select NF_REJECT_IPV6 |
cc4723ca PM |
47 | default NFT_REJECT |
48 | tristate | |
49 | ||
d877f071 PNA |
50 | config NFT_DUP_IPV6 |
51 | tristate "IPv6 nf_tables packet duplication support" | |
52 | select NF_DUP_IPV6 | |
53 | help | |
54 | This module enables IPv6 packet duplication support for nf_tables. | |
55 | ||
f04e599e PNA |
56 | endif # NF_TABLES_IPV6 |
57 | endif # NF_TABLES | |
58 | ||
bbde9fc1 PNA |
59 | config NF_DUP_IPV6 |
60 | tristate "Netfilter IPv6 packet duplication to alternate destination" | |
6ece90f9 | 61 | depends on !NF_CONNTRACK || NF_CONNTRACK |
bbde9fc1 PNA |
62 | help |
63 | This option enables the nf_dup_ipv6 core, which duplicates an IPv6 | |
64 | packet to be rerouted to another destination. | |
65 | ||
f04e599e PNA |
66 | config NF_REJECT_IPV6 |
67 | tristate "IPv6 packet rejection" | |
68 | default m if NETFILTER_ADVANCED=n | |
69 | ||
c1878869 PNA |
70 | config NF_LOG_IPV6 |
71 | tristate "IPv6 packet logging" | |
41ad82f7 | 72 | default m if NETFILTER_ADVANCED=n |
c1878869 PNA |
73 | select NF_LOG_COMMON |
74 | ||
8993cf8e PNA |
75 | config NF_NAT_IPV6 |
76 | tristate "IPv6 NAT" | |
77 | depends on NF_CONNTRACK_IPV6 | |
78 | depends on NETFILTER_ADVANCED | |
79 | select NF_NAT | |
80 | help | |
81 | The IPv6 NAT option allows masquerading, port forwarding and other | |
82 | forms of full Network Address Port Translation. This can be | |
83 | controlled by iptables or nft. | |
84 | ||
3e8dc212 PNA |
85 | if NF_NAT_IPV6 |
86 | ||
87 | config NFT_CHAIN_NAT_IPV6 | |
88 | depends on NF_TABLES_IPV6 | |
89 | tristate "IPv6 nf_tables nat chain support" | |
90 | help | |
91 | This option enables the "nat" chain for IPv6 in nf_tables. This | |
92 | chain type is used to perform Network Address Translation (NAT) | |
93 | packet transformations such as the source, destination address and | |
94 | source and destination ports. | |
95 | ||
0bbe80e5 PNA |
96 | config NF_NAT_MASQUERADE_IPV6 |
97 | tristate "IPv6 masquerade support" | |
98 | help | |
99 | This is the kernel functionality to provide NAT in the masquerade | |
100 | flavour (automatic source address selection) for IPv6. | |
101 | ||
102 | config NFT_MASQ_IPV6 | |
103 | tristate "IPv6 masquerade support for nf_tables" | |
104 | depends on NF_TABLES_IPV6 | |
105 | depends on NFT_MASQ | |
106 | select NF_NAT_MASQUERADE_IPV6 | |
107 | help | |
108 | This is the expression that provides IPv6 masquerading support for | |
109 | nf_tables. | |
110 | ||
e9105f1b AB |
111 | config NFT_REDIR_IPV6 |
112 | tristate "IPv6 redirect support for nf_tables" | |
113 | depends on NF_TABLES_IPV6 | |
114 | depends on NFT_REDIR | |
b59eaf9e | 115 | select NF_NAT_REDIRECT |
e9105f1b AB |
116 | help |
117 | This is the expression that provides IPv6 redirect support for | |
118 | nf_tables. | |
119 | ||
3e8dc212 PNA |
120 | endif # NF_NAT_IPV6 |
121 | ||
1da177e4 | 122 | config IP6_NF_IPTABLES |
844dc7c8 | 123 | tristate "IP6 tables support (required for filtering)" |
8ce22fca | 124 | depends on INET && IPV6 |
a3c941b0 | 125 | select NETFILTER_XTABLES |
33b8e776 | 126 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT |
127 | help |
128 | ip6tables is a general, extensible packet identification framework. | |
129 | Currently only the packet filtering and packet mangling subsystem | |
130 | for IPv6 use this, but connection tracking is going to follow. | |
131 | Say 'Y' or 'M' here if you want to use either of those. | |
132 | ||
133 | To compile it as a module, choose M here. If unsure, say N. | |
134 | ||
c2df73de JE |
135 | if IP6_NF_IPTABLES |
136 | ||
1da177e4 | 137 | # The simple matches. |
aba0d348 JE |
138 | config IP6_NF_MATCH_AH |
139 | tristate '"ah" match support' | |
33b8e776 | 140 | depends on NETFILTER_ADVANCED |
1da177e4 | 141 | help |
aba0d348 | 142 | This module allows one to match AH packets. |
1da177e4 LT |
143 | |
144 | To compile it as a module, choose M here. If unsure, say N. | |
145 | ||
aba0d348 JE |
146 | config IP6_NF_MATCH_EUI64 |
147 | tristate '"eui64" address check' | |
33b8e776 | 148 | depends on NETFILTER_ADVANCED |
1da177e4 | 149 | help |
aba0d348 JE |
150 | This module performs checking on the IPv6 source address.
151 | It compares the last 64 bits with the EUI64 address (derived | |
152 | from the MAC address). | |
1da177e4 LT |
153 | |
154 | To compile it as a module, choose M here. If unsure, say N. | |
155 | ||
156 | config IP6_NF_MATCH_FRAG | |
4c37799c | 157 | tristate '"frag" Fragmentation header match support' |
33b8e776 | 158 | depends on NETFILTER_ADVANCED |
1da177e4 LT |
159 | help |
160 | frag matching allows you to match packets based on the fragmentation | |
161 | header of the packet. | |
162 | ||
163 | To compile it as a module, choose M here. If unsure, say N. | |
164 | ||
aba0d348 JE |
165 | config IP6_NF_MATCH_OPTS |
166 | tristate '"hbh" hop-by-hop and "dst" opts header match support' | |
aba0d348 JE |
167 | depends on NETFILTER_ADVANCED |
168 | help | |
169 | This allows one to match packets based on the hop-by-hop | |
170 | and destination options headers of a packet. | |
171 | ||
172 | To compile it as a module, choose M here. If unsure, say N. | |
173 | ||
4323362e JE |
174 | config IP6_NF_MATCH_HL |
175 | tristate '"hl" hoplimit match support' | |
176 | depends on NETFILTER_ADVANCED | |
177 | select NETFILTER_XT_MATCH_HL | |
178 | ---help--- | |
179 | This is a backwards-compat option for the user's convenience | |
180 | (e.g. when running oldconfig). It selects | |
8dd1d047 | 181 | CONFIG_NETFILTER_XT_MATCH_HL. |
4323362e | 182 | |
1da177e4 | 183 | config IP6_NF_MATCH_IPV6HEADER |
4c37799c | 184 | tristate '"ipv6header" IPv6 Extension Headers Match' |
44c45eb9 | 185 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT |
186 | help |
187 | This module allows one to match packets based upon | |
188 | the ipv6 extension headers. | |
189 | ||
190 | To compile it as a module, choose M here. If unsure, say N. | |
191 | ||
a0ca215a | 192 | config IP6_NF_MATCH_MH |
4c37799c | 193 | tristate '"mh" match support' |
33b8e776 | 194 | depends on NETFILTER_ADVANCED |
a0ca215a MN |
195 | help |
196 | This module allows one to match MH packets. | |
197 | ||
198 | To compile it as a module, choose M here. If unsure, say N. | |
199 | ||
e26f9a48 FW |
200 | config IP6_NF_MATCH_RPFILTER |
201 | tristate '"rpfilter" reverse path filter match support' | |
f09becc7 PNA |
202 | depends on NETFILTER_ADVANCED |
203 | depends on IP6_NF_MANGLE || IP6_NF_RAW | |
e26f9a48 FW |
204 | ---help--- |
205 | This option allows you to match packets whose replies would | |
206 | go out via the interface the packet came in on. | |
207 | ||
208 | To compile it as a module, choose M here. If unsure, say N. | |
209 | The module will be called ip6t_rpfilter. | |
210 | ||
aba0d348 JE |
211 | config IP6_NF_MATCH_RT |
212 | tristate '"rt" Routing header match support' | |
33b8e776 | 213 | depends on NETFILTER_ADVANCED |
1da177e4 | 214 | help |
aba0d348 JE |
215 | rt matching allows you to match packets based on the routing |
216 | header of the packet. | |
1da177e4 LT |
217 | |
218 | To compile it as a module, choose M here. If unsure, say N. | |
219 | ||
1da177e4 | 220 | # The targets |
4323362e JE |
221 | config IP6_NF_TARGET_HL |
222 | tristate '"HL" hoplimit target support' | |
76b6717b | 223 | depends on NETFILTER_ADVANCED && IP6_NF_MANGLE |
4323362e JE |
224 | select NETFILTER_XT_TARGET_HL |
225 | ---help--- | |
76b6717b | 226 | This is a backwards-compatible option for the user's convenience |
4323362e | 227 | (e.g. when running oldconfig). It selects |
8dd1d047 | 228 | CONFIG_NETFILTER_XT_TARGET_HL. |
4323362e | 229 | |
2203eb47 JE |
230 | config IP6_NF_FILTER |
231 | tristate "Packet filtering" | |
33b8e776 | 232 | default m if NETFILTER_ADVANCED=n |
1da177e4 | 233 | help |
2203eb47 JE |
234 | Packet filtering defines a table `filter', which has a series of |
235 | rules for simple packet filtering at local input, forwarding and | |
236 | local output. See the man page for iptables(8). | |
1da177e4 LT |
237 | |
238 | To compile it as a module, choose M here. If unsure, say N. | |
239 | ||
764d8a9f PM |
240 | config IP6_NF_TARGET_REJECT |
241 | tristate "REJECT target support" | |
242 | depends on IP6_NF_FILTER | |
c8d7b98b | 243 | select NF_REJECT_IPV6 |
33b8e776 | 244 | default m if NETFILTER_ADVANCED=n |
764d8a9f PM |
245 | help |
246 | The REJECT target allows a filtering rule to specify that an ICMPv6 | |
247 | error should be issued in response to an incoming packet, rather | |
248 | than silently being dropped. | |
249 | ||
250 | To compile it as a module, choose M here. If unsure, say N. | |
251 | ||
4ad36228 PM |
252 | config IP6_NF_TARGET_SYNPROXY |
253 | tristate "SYNPROXY target support" | |
254 | depends on NF_CONNTRACK && NETFILTER_ADVANCED | |
255 | select NETFILTER_SYNPROXY | |
256 | select SYN_COOKIES | |
257 | help | |
258 | The SYNPROXY target allows you to intercept TCP connections and | |
259 | establish them using syncookies before they are passed on to the | |
260 | server. This avoids conntrack and server resource usage | |
261 | during SYN-flood attacks. | |
262 | ||
263 | To compile it as a module, choose M here. If unsure, say N. | |
264 | ||
1da177e4 LT |
265 | config IP6_NF_MANGLE |
266 | tristate "Packet mangling" | |
33b8e776 | 267 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT |
268 | help |
269 | This option adds a `mangle' table to iptables: see the man page for | |
270 | iptables(8). This table is used for various packet alterations | |
271 | which can affect how the packet is routed. | |
272 | ||
273 | To compile it as a module, choose M here. If unsure, say N. | |
1da177e4 | 274 | |
1da177e4 LT |
275 | config IP6_NF_RAW |
276 | tristate 'raw table support (required for TRACE)' | |
1da177e4 LT |
277 | help |
278 | This option adds a `raw' table to ip6tables. This table is the very | |
279 | first in the netfilter framework and hooks in at the PREROUTING | |
280 | and OUTPUT chains. | |
33b8e776 | 281 | |
1da177e4 | 282 | If you want to compile it as a module, say M here and read |
39f5fb30 | 283 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
1da177e4 | 284 | |
17e6e59f JM |
285 | # security table for MAC policy |
286 | config IP6_NF_SECURITY | |
287 | tristate "Security table" | |
17e6e59f | 288 | depends on SECURITY |
70eed75d | 289 | depends on NETFILTER_ADVANCED |
17e6e59f JM |
290 | help |
291 | This option adds a `security' table to iptables, for use | |
292 | with Mandatory Access Control (MAC) policy. | |
b0041d1b | 293 | |
17e6e59f JM |
294 | If unsure, say N. |
295 | ||
8993cf8e PNA |
296 | config IP6_NF_NAT |
297 | tristate "ip6tables NAT support" | |
b0041d1b PNA |
298 | depends on NF_CONNTRACK_IPV6 |
299 | depends on NETFILTER_ADVANCED | |
300 | select NF_NAT | |
8993cf8e PNA |
301 | select NF_NAT_IPV6 |
302 | select NETFILTER_XT_NAT | |
b0041d1b | 303 | help |
8993cf8e PNA |
304 | This enables the `nat' table in ip6tables. This allows masquerading, |
305 | port forwarding and other forms of full Network Address Port | |
306 | Translation. | |
b0041d1b PNA |
307 | |
308 | To compile it as a module, choose M here. If unsure, say N. | |
309 | ||
8993cf8e | 310 | if IP6_NF_NAT |
b0041d1b PNA |
311 | |
312 | config IP6_NF_TARGET_MASQUERADE | |
313 | tristate "MASQUERADE target support" | |
be6b635c | 314 | select NF_NAT_MASQUERADE_IPV6 |
b0041d1b PNA |
315 | help |
316 | Masquerading is a special case of NAT: all outgoing connections are | |
317 | changed to seem to come from a particular interface's address, and | |
318 | if the interface goes down, those connections are lost. This is | |
319 | only useful for dialup accounts with a dynamic IP address (i.e. your IP | |
320 | address will be different on next dialup). | |
321 | ||
322 | To compile it as a module, choose M here. If unsure, say N. | |
323 | ||
b0041d1b PNA |
324 | config IP6_NF_TARGET_NPT |
325 | tristate "NPT (Network Prefix translation) target support" | |
326 | help | |
327 | This option adds the `SNPT' and `DNPT' targets, which perform | |
328 | stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296. | |
329 | ||
330 | To compile it as a module, choose M here. If unsure, say N. | |
331 | ||
8993cf8e | 332 | endif # IP6_NF_NAT |
b0041d1b | 333 | |
c2df73de JE |
334 | endif # IP6_NF_IPTABLES |
335 | ||
1da177e4 LT |
336 | endmenu |
337 |
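
The check described in the IP6_NF_MATCH_EUI64 help text above, written out as an added example (not the kernel module's own code): derive the modified EUI-64 interface identifier from a frame's source MAC (RFC 4291, Appendix A) and compare it with the low 64 bits of the IPv6 source address. The function names, the sample MAC and the sample addresses are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Build the modified EUI-64 interface identifier from a 48-bit MAC:
 * insert ff:fe between the OUI and the NIC-specific half, then flip
 * the universal/local bit of the first octet. */
static void mac_to_eui64(const uint8_t mac[6], uint8_t eui64[8])
{
    memcpy(eui64, mac, 3);
    eui64[3] = 0xff;
    eui64[4] = 0xfe;
    memcpy(eui64 + 5, mac + 3, 3);
    eui64[0] ^= 0x02;
}

/* Return 1 when the last 64 bits of the IPv6 source address equal the
 * EUI-64 derived from the source MAC, 0 otherwise. */
int eui64_source_matches(const uint8_t saddr[16], const uint8_t mac[6])
{
    uint8_t expect[8];

    mac_to_eui64(mac, expect);
    return memcmp(saddr + 8, expect, 8) == 0;
}

/* Constructed sample data: MAC 00:11:22:33:44:55 */
static const uint8_t sample_mac[6] = {0x00, 0x11, 0x22, 0x33, 0x44, 0x55};
/* fe80::211:22ff:fe33:4455, consistent with the MAC above */
static const uint8_t sample_good[16] = {0xfe, 0x80, 0, 0, 0, 0, 0, 0,
    0x02, 0x11, 0x22, 0xff, 0xfe, 0x33, 0x44, 0x55};
/* fe80::211:22ff:fe33:4456, last octet does not belong to this MAC */
static const uint8_t sample_mismatch[16] = {0xfe, 0x80, 0, 0, 0, 0, 0, 0,
    0x02, 0x11, 0x22, 0xff, 0xfe, 0x33, 0x44, 0x56};
/* 2001:db8::a1b2:c3d4:e5f6:718, a randomised interface identifier */
static const uint8_t sample_random[16] = {0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0,
    0xa1, 0xb2, 0xc3, 0xd4, 0xe5, 0xf6, 0x07, 0x18};

int main(void)
{
    printf("good:     %d\n", eui64_source_matches(sample_good, sample_mac));
    printf("mismatch: %d\n", eui64_source_matches(sample_mismatch, sample_mac));
    printf("random:   %d\n", eui64_source_matches(sample_random, sample_mac));
    return 0;
}
```

Addresses formed with temporary (RFC 4941) or stable opaque (RFC 7217) interface identifiers fail this comparison by design, so a filter built on it only suits segments where EUI-64 SLAAC addressing is mandated.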