1#
2# IP netfilter configuration
3#
4
5menu "IPv6: Netfilter Configuration"
6 depends on INET && IPV6 && NETFILTER
7
8config NF_DEFRAG_IPV6
9 tristate
10 default n
11
12config NF_CONNTRACK_IPV6
13 tristate "IPv6 connection tracking support"
14 depends on INET && IPV6 && NF_CONNTRACK
15 default m if NETFILTER_ADVANCED=n
16 select NF_DEFRAG_IPV6
17 ---help---
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are related
20 into connections.
21
22 This is IPv6 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is an experimental scheme
24 which generalizes ip_conntrack to support other layer 3 protocols.
25
26 To compile it as a module, choose M here. If unsure, say N.
27
28config NF_TABLES_IPV6
29 depends on NF_TABLES
30 tristate "IPv6 nf_tables support"
31 help
32 This option enables the IPv6 support for nf_tables.
33
34config NFT_CHAIN_ROUTE_IPV6
35 depends on NF_TABLES_IPV6
36 tristate "IPv6 nf_tables route chain support"
37 help
38 This option enables the "route" chain for IPv6 in nf_tables. This
39 chain type is used to force packet re-routing after mangling header
40 fields such as the source, destination, flowlabel, hop-limit and
41 the packet mark.
42
43config NF_REJECT_IPV6
44 tristate "IPv6 packet rejection"
45 default m if NETFILTER_ADVANCED=n
46
47config NFT_REJECT_IPV6
48 depends on NF_TABLES_IPV6
49 select NF_REJECT_IPV6
50 default NFT_REJECT
51 tristate
52
53config NF_LOG_IPV6
54 tristate "IPv6 packet logging"
55 default m if NETFILTER_ADVANCED=n
56 select NF_LOG_COMMON
57
58config NF_NAT_IPV6
59 tristate "IPv6 NAT"
60 depends on NF_CONNTRACK_IPV6
61 depends on NETFILTER_ADVANCED
62 select NF_NAT
63 help
64 The IPv6 NAT option allows masquerading, port forwarding and other
65 forms of full Network Address Port Translation. This can be
66 controlled by iptables or nft.
67
68if NF_NAT_IPV6
69
70config NFT_CHAIN_NAT_IPV6
71 depends on NF_TABLES_IPV6
72 tristate "IPv6 nf_tables nat chain support"
73 help
74 This option enables the "nat" chain for IPv6 in nf_tables. This
75 chain type is used to perform Network Address Translation (NAT)
76 packet transformations, such as rewriting the source or destination
77 address and the source or destination port.
78
79config NF_NAT_MASQUERADE_IPV6
80 tristate "IPv6 masquerade support"
81 help
82 This is the kernel functionality to provide NAT in the masquerade
83 flavour (automatic source address selection) for IPv6.
84
85config NFT_MASQ_IPV6
86 tristate "IPv6 masquerade support for nf_tables"
87 depends on NF_TABLES_IPV6
88 depends on NFT_MASQ
89 select NF_NAT_MASQUERADE_IPV6
90 help
91 This is the expression that provides IPv6 masquerading support for
92 nf_tables.
93
94endif # NF_NAT_IPV6
95
96config IP6_NF_IPTABLES
97 tristate "IP6 tables support (required for filtering)"
98 depends on INET && IPV6
99 select NETFILTER_XTABLES
100 default m if NETFILTER_ADVANCED=n
101 help
102 ip6tables is a general, extensible packet identification framework.
103 Currently only the packet filtering and packet mangling subsystem
104 for IPv6 use this, but connection tracking is going to follow.
105 Say 'Y' or 'M' here if you want to use either of those.
106
107 To compile it as a module, choose M here. If unsure, say N.
108
109if IP6_NF_IPTABLES
110
111# The simple matches.
112config IP6_NF_MATCH_AH
113 tristate '"ah" match support'
114 depends on NETFILTER_ADVANCED
115 help
116 This module allows one to match AH packets.
117
118 To compile it as a module, choose M here. If unsure, say N.
119
120config IP6_NF_MATCH_EUI64
121 tristate '"eui64" address check'
122 depends on NETFILTER_ADVANCED
123 help
124 This module performs checking on the IPv6 source address.
125 It compares the last 64 bits with the EUI64 (derived
126 from the MAC address) address.
127
128 To compile it as a module, choose M here. If unsure, say N.
129
130config IP6_NF_MATCH_FRAG
131 tristate '"frag" Fragmentation header match support'
132 depends on NETFILTER_ADVANCED
133 help
134 frag matching allows you to match packets based on the fragmentation
135 header of the packet.
136
137 To compile it as a module, choose M here. If unsure, say N.
138
139config IP6_NF_MATCH_OPTS
140 tristate '"hbh" hop-by-hop and "dst" opts header match support'
141 depends on NETFILTER_ADVANCED
142 help
143 This allows one to match packets based on the hop-by-hop
144 and destination options headers of a packet.
145
146 To compile it as a module, choose M here. If unsure, say N.
147
148config IP6_NF_MATCH_HL
149 tristate '"hl" hoplimit match support'
150 depends on NETFILTER_ADVANCED
151 select NETFILTER_XT_MATCH_HL
152 ---help---
153 This is a backwards-compat option for the user's convenience
154 (e.g. when running oldconfig). It selects
155 CONFIG_NETFILTER_XT_MATCH_HL.
156
157config IP6_NF_MATCH_IPV6HEADER
158 tristate '"ipv6header" IPv6 Extension Headers Match'
159 default m if NETFILTER_ADVANCED=n
160 help
161 This module allows one to match packets based upon
162 the ipv6 extension headers.
163
164 To compile it as a module, choose M here. If unsure, say N.
165
166config IP6_NF_MATCH_MH
167 tristate '"mh" match support'
168 depends on NETFILTER_ADVANCED
169 help
170 This module allows one to match MH packets.
171
172 To compile it as a module, choose M here. If unsure, say N.
173
174config IP6_NF_MATCH_RPFILTER
175 tristate '"rpfilter" reverse path filter match support'
176 depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
177 ---help---
178 This option allows you to match packets whose replies would
179 go out via the interface the packet came in on.
180
181 To compile it as a module, choose M here. If unsure, say N.
182 The module will be called ip6t_rpfilter.
183
184config IP6_NF_MATCH_RT
185 tristate '"rt" Routing header match support'
186 depends on NETFILTER_ADVANCED
187 help
188 rt matching allows you to match packets based on the routing
189 header of the packet.
190
191 To compile it as a module, choose M here. If unsure, say N.
192
193# The targets
194config IP6_NF_TARGET_HL
195 tristate '"HL" hoplimit target support'
196 depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
197 select NETFILTER_XT_TARGET_HL
198 ---help---
199 This is a backwards-compatible option for the user's convenience
200 (e.g. when running oldconfig). It selects
201 CONFIG_NETFILTER_XT_TARGET_HL.
202
203config IP6_NF_FILTER
204 tristate "Packet filtering"
205 default m if NETFILTER_ADVANCED=n
206 help
207 Packet filtering defines a table `filter', which has a series of
208 rules for simple packet filtering at local input, forwarding and
209 local output. See the man page for iptables(8).
210
211 To compile it as a module, choose M here. If unsure, say N.
212
213config IP6_NF_TARGET_REJECT
214 tristate "REJECT target support"
215 depends on IP6_NF_FILTER
216 select NF_REJECT_IPV6
217 default m if NETFILTER_ADVANCED=n
218 help
219 The REJECT target allows a filtering rule to specify that an ICMPv6
220 error should be issued in response to an incoming packet, rather
221 than silently being dropped.
222
223 To compile it as a module, choose M here. If unsure, say N.
224
225config IP6_NF_TARGET_SYNPROXY
226 tristate "SYNPROXY target support"
227 depends on NF_CONNTRACK && NETFILTER_ADVANCED
228 select NETFILTER_SYNPROXY
229 select SYN_COOKIES
230 help
231 The SYNPROXY target allows you to intercept TCP connections and
232 establish them using syncookies before they are passed on to the
233 server. This avoids conntrack and server resource usage
234 during SYN-flood attacks.
235
236 To compile it as a module, choose M here. If unsure, say N.
237
238config IP6_NF_MANGLE
239 tristate "Packet mangling"
240 default m if NETFILTER_ADVANCED=n
241 help
242 This option adds a `mangle' table to iptables: see the man page for
243 iptables(8). This table is used for various packet alterations
244 which can affect how the packet is routed.
245
246 To compile it as a module, choose M here. If unsure, say N.
247
248config IP6_NF_RAW
249 tristate 'raw table support (required for TRACE)'
250 help
251 This option adds a `raw' table to ip6tables. This table is the very
252 first in the netfilter framework and hooks in at the PREROUTING
253 and OUTPUT chains.
254
255 If you want to compile it as a module, say M here and read
256 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
257
258# security table for MAC policy
259config IP6_NF_SECURITY
260 tristate "Security table"
261 depends on SECURITY
262 depends on NETFILTER_ADVANCED
263 help
264 This option adds a `security' table to iptables, for use
265 with Mandatory Access Control (MAC) policy.
266
267 If unsure, say N.
268
269config IP6_NF_NAT
270 tristate "ip6tables NAT support"
271 depends on NF_CONNTRACK_IPV6
272 depends on NETFILTER_ADVANCED
273 select NF_NAT
274 select NF_NAT_IPV6
275 select NETFILTER_XT_NAT
276 help
277 This enables the `nat' table in ip6tables. This allows masquerading,
278 port forwarding and other forms of full Network Address Port
279 Translation.
280
281 To compile it as a module, choose M here. If unsure, say N.
282
283if IP6_NF_NAT
284
285config IP6_NF_TARGET_MASQUERADE
286 tristate "MASQUERADE target support"
287 select NF_NAT_MASQUERADE_IPV6
288 help
289 Masquerading is a special case of NAT: all outgoing connections are
290 changed to seem to come from a particular interface's address, and
291 if the interface goes down, those connections are lost. This is
292 only useful for dialup accounts with dynamic IP address (i.e. your IP
293 address will be different on next dialup).
294
295 To compile it as a module, choose M here. If unsure, say N.
296
297config IP6_NF_TARGET_NPT
298 tristate "NPT (Network Prefix translation) target support"
299 help
300 This option adds the `SNPT' and `DNPT' targets, which perform
301 stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
302
303 To compile it as a module, choose M here. If unsure, say N.
304
305endif # IP6_NF_NAT
306
307endif # IP6_NF_IPTABLES
308
309endmenu
310