net/ipv6/netfilter/Kconfig

   1 #
   2 # IP netfilter configuration
   3 #
   4
   5 menu "IPv6: Netfilter Configuration"
   6         depends on INET && IPV6 && NETFILTER
   7
   8 config NF_DEFRAG_IPV6
   9         tristate
  10         default n
  11
  12 config NF_CONNTRACK_IPV6
  13         tristate "IPv6 connection tracking support"
  14         depends on INET && IPV6 && NF_CONNTRACK
  15         default m if NETFILTER_ADVANCED=n
  16         select NF_DEFRAG_IPV6
  17         ---help---
  18           Connection tracking keeps a record of what packets have passed
  19           through your machine, in order to figure out how they are related
  20           into connections.
  21
  22           This is IPv6 support on Layer 3 independent connection tracking.
  23           Layer 3 independent connection tracking is experimental scheme
  24           which generalize ip_conntrack to support other layer 3 protocols.
  25
  26           To compile it as a module, choose M here.  If unsure, say N.
  27
  28 config NF_TABLES_IPV6
  29         depends on NF_TABLES
  30         tristate "IPv6 nf_tables support"
  31         help
  32           This option enables the IPv6 support for nf_tables.
  33
  34 config NFT_CHAIN_ROUTE_IPV6
  35         depends on NF_TABLES_IPV6
  36         tristate "IPv6 nf_tables route chain support"
  37         help
  38           This option enables the "route" chain for IPv6 in nf_tables. This
  39           chain type is used to force packet re-routing after mangling header
  40           fields such as the source, destination, flowlabel, hop-limit and
  41           the packet mark.
  42
  43 config NF_REJECT_IPV6
  44         tristate "IPv6 packet rejection"
  45         default m if NETFILTER_ADVANCED=n
  46
  47 config NFT_REJECT_IPV6
  48         depends on NF_TABLES_IPV6
  49         select NF_REJECT_IPV6
  50         default NFT_REJECT
  51         tristate
  52
  53 config NF_LOG_IPV6
  54         tristate "IPv6 packet logging"
  55         default m if NETFILTER_ADVANCED=n
  56         select NF_LOG_COMMON
  57
  58 config NF_NAT_IPV6
  59         tristate "IPv6 NAT"
  60         depends on NF_CONNTRACK_IPV6
  61         depends on NETFILTER_ADVANCED
  62         select NF_NAT
  63         help
  64           The IPv6 NAT option allows masquerading, port forwarding and other
  65           forms of full Network Address Port Translation. This can be
  66           controlled by iptables or nft.
  67
  68 if NF_NAT_IPV6
  69
  70 config NFT_CHAIN_NAT_IPV6
  71         depends on NF_TABLES_IPV6
  72         tristate "IPv6 nf_tables nat chain support"
  73         help
  74           This option enables the "nat" chain for IPv6 in nf_tables. This
  75           chain type is used to perform Network Address Translation (NAT)
  76           packet transformations such as the source, destination address and
  77           source and destination ports.
  78
  79 config NF_NAT_MASQUERADE_IPV6
  80         tristate "IPv6 masquerade support"
  81         help
  82           This is the kernel functionality to provide NAT in the masquerade
  83           flavour (automatic source address selection) for IPv6.
  84
  85 config NFT_MASQ_IPV6
  86         tristate "IPv6 masquerade support for nf_tables"
  87         depends on NF_TABLES_IPV6
  88         depends on NFT_MASQ
  89         select NF_NAT_MASQUERADE_IPV6
  90         help
  91           This is the expression that provides IPv4 masquerading support for
  92           nf_tables.
  93
  94 config NFT_REDIR_IPV6
  95         tristate "IPv6 redirect support for nf_tables"
  96         depends on NF_TABLES_IPV6
  97         depends on NFT_REDIR
  98         select NF_NAT_REDIRECT
  99         help
 100           This is the expression that provides IPv4 redirect support for
 101           nf_tables.
 102
 103 endif # NF_NAT_IPV6
 104
 105 config IP6_NF_IPTABLES
 106         tristate "IP6 tables support (required for filtering)"
 107         depends on INET && IPV6
 108         select NETFILTER_XTABLES
 109         default m if NETFILTER_ADVANCED=n
 110         help
 111           ip6tables is a general, extensible packet identification framework.
 112           Currently only the packet filtering and packet mangling subsystem
 113           for IPv6 use this, but connection tracking is going to follow.
 114           Say 'Y' or 'M' here if you want to use either of those.
 115
 116           To compile it as a module, choose M here.  If unsure, say N.
 117
 118 if IP6_NF_IPTABLES
 119
 120 # The simple matches.
 121 config IP6_NF_MATCH_AH
 122         tristate '"ah" match support'
 123         depends on NETFILTER_ADVANCED
 124         help
 125           This module allows one to match AH packets.
 126
 127           To compile it as a module, choose M here.  If unsure, say N.
 128
 129 config IP6_NF_MATCH_EUI64
 130         tristate '"eui64" address check'
 131         depends on NETFILTER_ADVANCED
 132         help
 133           This module performs checking on the IPv6 source address
 134           Compares the last 64 bits with the EUI64 (delivered
 135           from the MAC address) address
 136
 137           To compile it as a module, choose M here.  If unsure, say N.
 138
 139 config IP6_NF_MATCH_FRAG
 140         tristate '"frag" Fragmentation header match support'
 141         depends on NETFILTER_ADVANCED
 142         help
 143           frag matching allows you to match packets based on the fragmentation
 144           header of the packet.
 145
 146           To compile it as a module, choose M here.  If unsure, say N.
 147
 148 config IP6_NF_MATCH_OPTS
 149         tristate '"hbh" hop-by-hop and "dst" opts header match support'
 150         depends on NETFILTER_ADVANCED
 151         help
 152           This allows one to match packets based on the hop-by-hop
 153           and destination options headers of a packet.
 154
 155           To compile it as a module, choose M here.  If unsure, say N.
 156
 157 config IP6_NF_MATCH_HL
 158         tristate '"hl" hoplimit match support'
 159         depends on NETFILTER_ADVANCED
 160         select NETFILTER_XT_MATCH_HL
 161         ---help---
 162         This is a backwards-compat option for the user's convenience
 163         (e.g. when running oldconfig). It selects
 164         CONFIG_NETFILTER_XT_MATCH_HL.
 165
 166 config IP6_NF_MATCH_IPV6HEADER
 167         tristate '"ipv6header" IPv6 Extension Headers Match'
 168         default m if NETFILTER_ADVANCED=n
 169         help
 170           This module allows one to match packets based upon
 171           the ipv6 extension headers.
 172
 173           To compile it as a module, choose M here.  If unsure, say N.
 174
 175 config IP6_NF_MATCH_MH
 176         tristate '"mh" match support'
 177         depends on NETFILTER_ADVANCED
 178         help
 179           This module allows one to match MH packets.
 180
 181           To compile it as a module, choose M here.  If unsure, say N.
 182
 183 config IP6_NF_MATCH_RPFILTER
 184         tristate '"rpfilter" reverse path filter match support'
 185         depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
 186         ---help---
 187           This option allows you to match packets whose replies would
 188           go out via the interface the packet came in.
 189
 190           To compile it as a module, choose M here.  If unsure, say N.
 191           The module will be called ip6t_rpfilter.
 192
 193 config IP6_NF_MATCH_RT
 194         tristate '"rt" Routing header match support'
 195         depends on NETFILTER_ADVANCED
 196         help
 197           rt matching allows you to match packets based on the routing
 198           header of the packet.
 199
 200           To compile it as a module, choose M here.  If unsure, say N.
 201
 202 # The targets
 203 config IP6_NF_TARGET_HL
 204         tristate '"HL" hoplimit target support'
 205         depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
 206         select NETFILTER_XT_TARGET_HL
 207         ---help---
 208         This is a backwards-compatible option for the user's convenience
 209         (e.g. when running oldconfig). It selects
 210         CONFIG_NETFILTER_XT_TARGET_HL.
 211
 212 config IP6_NF_FILTER
 213         tristate "Packet filtering"
 214         default m if NETFILTER_ADVANCED=n
 215         help
 216           Packet filtering defines a table `filter', which has a series of
 217           rules for simple packet filtering at local input, forwarding and
 218           local output.  See the man page for iptables(8).
 219
 220           To compile it as a module, choose M here.  If unsure, say N.
 221
 222 config IP6_NF_TARGET_REJECT
 223         tristate "REJECT target support"
 224         depends on IP6_NF_FILTER
 225         select NF_REJECT_IPV6
 226         default m if NETFILTER_ADVANCED=n
 227         help
 228           The REJECT target allows a filtering rule to specify that an ICMPv6
 229           error should be issued in response to an incoming packet, rather
 230           than silently being dropped.
 231
 232           To compile it as a module, choose M here.  If unsure, say N.
 233
 234 config IP6_NF_TARGET_SYNPROXY
 235         tristate "SYNPROXY target support"
 236         depends on NF_CONNTRACK && NETFILTER_ADVANCED
 237         select NETFILTER_SYNPROXY
 238         select SYN_COOKIES
 239         help
 240           The SYNPROXY target allows you to intercept TCP connections and
 241           establish them using syncookies before they are passed on to the
 242           server. This allows to avoid conntrack and server resource usage
 243           during SYN-flood attacks.
 244
 245           To compile it as a module, choose M here. If unsure, say N.
 246
 247 config IP6_NF_MANGLE
 248         tristate "Packet mangling"
 249         default m if NETFILTER_ADVANCED=n
 250         help
 251           This option adds a `mangle' table to iptables: see the man page for
 252           iptables(8).  This table is used for various packet alterations
 253           which can effect how the packet is routed.
 254
 255           To compile it as a module, choose M here.  If unsure, say N.
 256
 257 config IP6_NF_RAW
 258         tristate  'raw table support (required for TRACE)'
 259         help
 260           This option adds a `raw' table to ip6tables. This table is the very
 261           first in the netfilter framework and hooks in at the PREROUTING
 262           and OUTPUT chains.
 263
 264           If you want to compile it as a module, say M here and read
 265           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 266
 267 # security table for MAC policy
 268 config IP6_NF_SECURITY
 269        tristate "Security table"
 270        depends on SECURITY
 271        depends on NETFILTER_ADVANCED
 272        help
 273          This option adds a `security' table to iptables, for use
 274          with Mandatory Access Control (MAC) policy.
 275
 276          If unsure, say N.
 277
 278 config IP6_NF_NAT
 279         tristate "ip6tables NAT support"
 280         depends on NF_CONNTRACK_IPV6
 281         depends on NETFILTER_ADVANCED
 282         select NF_NAT
 283         select NF_NAT_IPV6
 284         select NETFILTER_XT_NAT
 285         help
 286           This enables the `nat' table in ip6tables. This allows masquerading,
 287           port forwarding and other forms of full Network Address Port
 288           Translation.
 289
 290           To compile it as a module, choose M here.  If unsure, say N.
 291
 292 if IP6_NF_NAT
 293
 294 config IP6_NF_TARGET_MASQUERADE
 295         tristate "MASQUERADE target support"
 296         select NF_NAT_MASQUERADE_IPV6
 297         help
 298           Masquerading is a special case of NAT: all outgoing connections are
 299           changed to seem to come from a particular interface's address, and
 300           if the interface goes down, those connections are lost.  This is
 301           only useful for dialup accounts with dynamic IP address (ie. your IP
 302           address will be different on next dialup).
 303
 304           To compile it as a module, choose M here.  If unsure, say N.
 305
 306 config IP6_NF_TARGET_NPT
 307         tristate "NPT (Network Prefix translation) target support"
 308         help
 309           This option adds the `SNPT' and `DNPT' target, which perform
 310           stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
 311
 312           To compile it as a module, choose M here.  If unsure, say N.
 313
 314 endif # IP6_NF_NAT
 315
 316 endif # IP6_NF_IPTABLES
 317
 318 endmenu
 319