1#
2# IP netfilter configuration
3#
4
5menu "IPv6: Netfilter Configuration"
6	depends on INET && IPV6 && NETFILTER
7
8config NF_DEFRAG_IPV6
9	tristate
10	default n
11
12config NF_CONNTRACK_IPV6
13	tristate "IPv6 connection tracking support"
14	depends on INET && IPV6 && NF_CONNTRACK
15	default m if NETFILTER_ADVANCED=n
16	select NF_DEFRAG_IPV6
17	---help---
18	  Connection tracking keeps a record of what packets have passed
19	  through your machine, in order to figure out how they are related
20	  into connections.
21
22	  This is IPv6 support on Layer 3 independent connection tracking.
23	  Layer 3 independent connection tracking is an experimental scheme
24	  which generalizes ip_conntrack to support other layer 3 protocols.
25
26	  To compile it as a module, choose M here.  If unsure, say N.
27
28if NF_TABLES
29
30config NF_TABLES_IPV6
31	tristate "IPv6 nf_tables support"
32	help
33	  This option enables the IPv6 support for nf_tables.
34
35if NF_TABLES_IPV6
36
37config NFT_CHAIN_ROUTE_IPV6
38	tristate "IPv6 nf_tables route chain support"
39	help
40	  This option enables the "route" chain for IPv6 in nf_tables. This
41	  chain type is used to force packet re-routing after mangling header
42	  fields such as the source, destination, flowlabel, hop-limit and
43	  the packet mark.
44
45config NFT_REJECT_IPV6
46	select NF_REJECT_IPV6
47	default NFT_REJECT
48	tristate
49
50endif # NF_TABLES_IPV6
51endif # NF_TABLES
52
53config NF_REJECT_IPV6
54	tristate "IPv6 packet rejection"
55	default m if NETFILTER_ADVANCED=n
56
57config NF_LOG_IPV6
58	tristate "IPv6 packet logging"
59	default m if NETFILTER_ADVANCED=n
60	select NF_LOG_COMMON
61
62config NF_NAT_IPV6
63	tristate "IPv6 NAT"
64	depends on NF_CONNTRACK_IPV6
65	depends on NETFILTER_ADVANCED
66	select NF_NAT
67	help
68	  The IPv6 NAT option allows masquerading, port forwarding and other
69	  forms of full Network Address Port Translation. This can be
70	  controlled by iptables or nft.
71
72if NF_NAT_IPV6
73
74config NFT_CHAIN_NAT_IPV6
75	depends on NF_TABLES_IPV6
76	tristate "IPv6 nf_tables nat chain support"
77	help
78	  This option enables the "nat" chain for IPv6 in nf_tables. This
79	  chain type is used to perform Network Address Translation (NAT)
80	  packet transformations on fields such as the source and destination
81	  addresses and the source and destination ports.
82
83config NF_NAT_MASQUERADE_IPV6
84	tristate "IPv6 masquerade support"
85	help
86	  This is the kernel functionality to provide NAT in the masquerade
87	  flavour (automatic source address selection) for IPv6.
88
89config NFT_MASQ_IPV6
90	tristate "IPv6 masquerade support for nf_tables"
91	depends on NF_TABLES_IPV6
92	depends on NFT_MASQ
93	select NF_NAT_MASQUERADE_IPV6
94	help
95	  This is the expression that provides IPv6 masquerading support for
96	  nf_tables.
97
98config NFT_REDIR_IPV6
99	tristate "IPv6 redirect support for nf_tables"
100	depends on NF_TABLES_IPV6
101	depends on NFT_REDIR
102	select NF_NAT_REDIRECT
103	help
104	  This is the expression that provides IPv6 redirect support for
105	  nf_tables.
106
107endif # NF_NAT_IPV6
108
109config IP6_NF_IPTABLES
110	tristate "IP6 tables support (required for filtering)"
111	depends on INET && IPV6
112	select NETFILTER_XTABLES
113	default m if NETFILTER_ADVANCED=n
114	help
115	  ip6tables is a general, extensible packet identification framework.
116	  Currently only the packet filtering and packet mangling subsystems
117	  for IPv6 use this, but connection tracking is going to follow.
118	  Say 'Y' or 'M' here if you want to use either of those.
119
120	  To compile it as a module, choose M here.  If unsure, say N.
121
122if IP6_NF_IPTABLES
123
124# The simple matches.
125config IP6_NF_MATCH_AH
126	tristate '"ah" match support'
127	depends on NETFILTER_ADVANCED
128	help
129	  This module allows one to match AH packets.
130
131	  To compile it as a module, choose M here.  If unsure, say N.
132
133config IP6_NF_MATCH_EUI64
134	tristate '"eui64" address check'
135	depends on NETFILTER_ADVANCED
136	help
137	  This module performs checking on the IPv6 source address.
138	  It compares the last 64 bits with the EUI64 address (derived
139	  from the MAC address).
140
141	  To compile it as a module, choose M here.  If unsure, say N.
142
143config IP6_NF_MATCH_FRAG
144	tristate '"frag" Fragmentation header match support'
145	depends on NETFILTER_ADVANCED
146	help
147	  frag matching allows you to match packets based on the fragmentation
148	  header of the packet.
149
150	  To compile it as a module, choose M here.  If unsure, say N.
151
152config IP6_NF_MATCH_OPTS
153	tristate '"hbh" hop-by-hop and "dst" opts header match support'
154	depends on NETFILTER_ADVANCED
155	help
156	  This allows one to match packets based on the hop-by-hop
157	  and destination options headers of a packet.
158
159	  To compile it as a module, choose M here.  If unsure, say N.
160
161config IP6_NF_MATCH_HL
162	tristate '"hl" hoplimit match support'
163	depends on NETFILTER_ADVANCED
164	select NETFILTER_XT_MATCH_HL
165	---help---
166	This is a backwards-compat option for the user's convenience
167	(e.g. when running oldconfig). It selects
168	CONFIG_NETFILTER_XT_MATCH_HL.
169
170config IP6_NF_MATCH_IPV6HEADER
171	tristate '"ipv6header" IPv6 Extension Headers Match'
172	default m if NETFILTER_ADVANCED=n
173	help
174	  This module allows one to match packets based upon
175	  the ipv6 extension headers.
176
177	  To compile it as a module, choose M here.  If unsure, say N.
178
179config IP6_NF_MATCH_MH
180	tristate '"mh" match support'
181	depends on NETFILTER_ADVANCED
182	help
183	  This module allows one to match MH packets.
184
185	  To compile it as a module, choose M here.  If unsure, say N.
186
187config IP6_NF_MATCH_RPFILTER
188	tristate '"rpfilter" reverse path filter match support'
189	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
190	---help---
191	  This option allows you to match packets whose replies would
192	  go out via the interface the packet came in.
193
194	  To compile it as a module, choose M here.  If unsure, say N.
195	  The module will be called ip6t_rpfilter.
196
197config IP6_NF_MATCH_RT
198	tristate '"rt" Routing header match support'
199	depends on NETFILTER_ADVANCED
200	help
201	  rt matching allows you to match packets based on the routing
202	  header of the packet.
203
204	  To compile it as a module, choose M here.  If unsure, say N.
205
206# The targets
207config IP6_NF_TARGET_HL
208	tristate '"HL" hoplimit target support'
209	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
210	select NETFILTER_XT_TARGET_HL
211	---help---
212	This is a backwards-compatible option for the user's convenience
213	(e.g. when running oldconfig). It selects
214	CONFIG_NETFILTER_XT_TARGET_HL.
215
216config IP6_NF_FILTER
217	tristate "Packet filtering"
218	default m if NETFILTER_ADVANCED=n
219	help
220	  Packet filtering defines a table `filter', which has a series of
221	  rules for simple packet filtering at local input, forwarding and
222	  local output.  See the man page for iptables(8).
223
224	  To compile it as a module, choose M here.  If unsure, say N.
225
226config IP6_NF_TARGET_REJECT
227	tristate "REJECT target support"
228	depends on IP6_NF_FILTER
229	select NF_REJECT_IPV6
230	default m if NETFILTER_ADVANCED=n
231	help
232	  The REJECT target allows a filtering rule to specify that an ICMPv6
233	  error should be issued in response to an incoming packet, rather
234	  than silently being dropped.
235
236	  To compile it as a module, choose M here.  If unsure, say N.
237
238config IP6_NF_TARGET_SYNPROXY
239	tristate "SYNPROXY target support"
240	depends on NF_CONNTRACK && NETFILTER_ADVANCED
241	select NETFILTER_SYNPROXY
242	select SYN_COOKIES
243	help
244	  The SYNPROXY target allows you to intercept TCP connections and
245	  establish them using syncookies before they are passed on to the
246	  server. This avoids conntrack and server resource usage
247	  during SYN-flood attacks.
248
249	  To compile it as a module, choose M here. If unsure, say N.
250
251config IP6_NF_MANGLE
252	tristate "Packet mangling"
253	default m if NETFILTER_ADVANCED=n
254	help
255	  This option adds a `mangle' table to iptables: see the man page for
256	  iptables(8).  This table is used for various packet alterations
257	  which can affect how the packet is routed.
258
259	  To compile it as a module, choose M here.  If unsure, say N.
260
261config IP6_NF_RAW
262	tristate  'raw table support (required for TRACE)'
263	help
264	  This option adds a `raw' table to ip6tables. This table is the very
265	  first in the netfilter framework and hooks in at the PREROUTING
266	  and OUTPUT chains.
267
268	  If you want to compile it as a module, say M here and read
269	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
270
271# security table for MAC policy
272config IP6_NF_SECURITY
273       tristate "Security table"
274       depends on SECURITY
275       depends on NETFILTER_ADVANCED
276       help
277         This option adds a `security' table to iptables, for use
278         with Mandatory Access Control (MAC) policy.
279
280         If unsure, say N.
281
282config IP6_NF_NAT
283	tristate "ip6tables NAT support"
284	depends on NF_CONNTRACK_IPV6
285	depends on NETFILTER_ADVANCED
286	select NF_NAT
287	select NF_NAT_IPV6
288	select NETFILTER_XT_NAT
289	help
290	  This enables the `nat' table in ip6tables. This allows masquerading,
291	  port forwarding and other forms of full Network Address Port
292	  Translation.
293
294	  To compile it as a module, choose M here.  If unsure, say N.
295
296if IP6_NF_NAT
297
298config IP6_NF_TARGET_MASQUERADE
299	tristate "MASQUERADE target support"
300	select NF_NAT_MASQUERADE_IPV6
301	help
302	  Masquerading is a special case of NAT: all outgoing connections are
303	  changed to seem to come from a particular interface's address, and
304	  if the interface goes down, those connections are lost.  This is
305	  only useful for dialup accounts with a dynamic IP address (i.e. your IP
306	  address will be different on next dialup).
307
308	  To compile it as a module, choose M here.  If unsure, say N.
309
310config IP6_NF_TARGET_NPT
311	tristate "NPT (Network Prefix translation) target support"
312	help
313	  This option adds the `SNPT' and `DNPT' targets, which perform
314	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
315
316	  To compile it as a module, choose M here.  If unsure, say N.
317
318endif # IP6_NF_NAT
319
320endif # IP6_NF_IPTABLES
321
322endmenu
323
324