# IP netfilter configuration
menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "IPv6 nf_tables support"
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and

	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NFT_REJECT_IPV6
	depends on NF_TABLES_IPV6

	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n

	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	select NF_NAT_MASQUERADE_IPV6
	  This is the expression that provides IPv6 masquerading support for

	tristate "IPv6 redirect support for nf_tables"
	depends on NF_TABLES_IPV6
	select NF_NAT_REDIRECT
	  This is the expression that provides IPv6 redirect support for

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystems
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here. If unsure, say N.
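
# Added example (not part of the kernel source): the comparison the "eui64"
# help text describes, with constructed sample addresses. The function and
# array names are hypothetical. Hosts that use randomized interface
# identifiers (privacy addresses) never match this check.

```c
/* Added example, not kernel code: modified EUI-64 source address check. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Expand a 48-bit MAC into a modified EUI-64 interface identifier. */
void mac_to_eui64(const uint8_t mac[6], uint8_t iid[8])
{
	memcpy(iid, mac, 3);         /* vendor (OUI) half */
	iid[3] = 0xff;               /* fixed filler bytes ff:fe */
	iid[4] = 0xfe;
	memcpy(iid + 5, mac + 3, 3); /* device half */
	iid[0] ^= 0x02;              /* invert the universal/local bit */
}

/* Return 1 when the low 64 bits of the IPv6 source address equal the
 * identifier derived from the frame's source MAC, 0 otherwise. */
int eui64_match(const uint8_t saddr[16], const uint8_t src_mac[6])
{
	uint8_t iid[8];

	mac_to_eui64(src_mac, iid);
	return memcmp(saddr + 8, iid, 8) == 0;
}

/* Constructed sample data (hypothetical host). */
static const uint8_t MAC[6] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55 };
/* fe80::211:22ff:fe33:4455, derived from MAC above */
static const uint8_t ADDR_SLAAC[16] = { 0xfe, 0x80, 0, 0, 0, 0, 0, 0,
	0x02, 0x11, 0x22, 0xff, 0xfe, 0x33, 0x44, 0x55 };
/* fe80::11:22ff:fe33:4455, universal/local bit left unflipped */
static const uint8_t ADDR_NOFLIP[16] = { 0xfe, 0x80, 0, 0, 0, 0, 0, 0,
	0x00, 0x11, 0x22, 0xff, 0xfe, 0x33, 0x44, 0x55 };
/* fe80::1c2d:3e4f:5a6b:7c8d, randomized interface identifier */
static const uint8_t ADDR_RANDOM[16] = { 0xfe, 0x80, 0, 0, 0, 0, 0, 0,
	0x1c, 0x2d, 0x3e, 0x4f, 0x5a, 0x6b, 0x7c, 0x8d };

int main(void)
{
	printf("slaac=%d noflip=%d random=%d\n",
	       eui64_match(ADDR_SLAAC, MAC),
	       eui64_match(ADDR_NOFLIP, MAC),
	       eui64_match(ADDR_RANDOM, MAC));
	return 0;
}
```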

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	  This module allows one to match packets based upon
	  the IPv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in on.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate 'raw table support (required for TRACE)'
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_NAT
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_IPTABLES
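
# Added example (not part of the kernel source): the checksum-neutral prefix
# rewrite that RFC 6296 specifies for the stateless translation named in the
# IP6_NF_TARGET_NPT help text. It assumes /48 prefixes only; the function
# names are hypothetical.

```c
/* Added example, not kernel code: RFC 6296 checksum-neutral mapping for
 * /48 prefixes. Addresses are eight 16-bit groups in host byte order. */
#include <stdint.h>
#include <stdio.h>

/* Ones' complement 16-bit addition (end-around carry). */
static uint16_t oc_add(uint16_t a, uint16_t b)
{
	uint32_t s = (uint32_t)a + b;
	return (uint16_t)((s & 0xffff) + (s >> 16));
}

/* Ones' complement sum of the first n groups of an address. */
uint16_t oc_sum(const uint16_t a[8], int n)
{
	uint16_t s = 0;
	for (int i = 0; i < n; i++)
		s = oc_add(s, a[i]);
	return s;
}

/* Adjustment that cancels the checksum change of swapping from -> to. */
uint16_t npt_adjustment(const uint16_t from[8], const uint16_t to[8])
{
	return oc_add(oc_sum(from, 3), (uint16_t)~oc_sum(to, 3));
}

/* Replace the /48 prefix of addr and fold adj into the subnet group. */
void npt_translate(uint16_t addr[8], const uint16_t to[8], uint16_t adj)
{
	uint16_t subnet = oc_add(addr[3], adj);
	addr[0] = to[0]; addr[1] = to[1]; addr[2] = to[2];
	addr[3] = (subnet == 0xffff) ? 0x0000 : subnet; /* 0xFFFF is never emitted */
}

/* Prefixes and host address from the worked example in RFC 6296. */
static const uint16_t INTERNAL[8] = { 0xfd01, 0x0203, 0x0405 };
static const uint16_t EXTERNAL[8] = { 0x2001, 0x0db8, 0x0001 };

int main(void)
{
	uint16_t a[8] = { 0xfd01, 0x0203, 0x0405, 0x0001, 0, 0, 0, 0x1234 };
	uint16_t before = oc_sum(a, 8);
	npt_translate(a, EXTERNAL, npt_adjustment(INTERNAL, EXTERNAL));
	printf("subnet group %04x, checksum-neutral: %s\n",
	       a[3], before == oc_sum(a, 8) ? "yes" : "no");
	return 0;
}
```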