1#
2# IP netfilter configuration
3#
4
5menu "IPv6: Netfilter Configuration"
6 depends on INET && IPV6 && NETFILTER
7
8config NF_DEFRAG_IPV6
9 tristate
10 default n
11
12config NF_CONNTRACK_IPV6
13 tristate "IPv6 connection tracking support"
14 depends on INET && IPV6 && NF_CONNTRACK
15 default m if NETFILTER_ADVANCED=n
16 select NF_DEFRAG_IPV6
17 ---help---
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are related
20 into connections.
21
22 This is IPv6 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is an experimental scheme
24 which generalizes ip_conntrack to support other layer 3 protocols.
25
26 To compile it as a module, choose M here. If unsure, say N.
27
28if NF_TABLES
29
30config NF_TABLES_IPV6
31 tristate "IPv6 nf_tables support"
32 help
33 This option enables the IPv6 support for nf_tables.
34
35if NF_TABLES_IPV6
36
37config NFT_CHAIN_ROUTE_IPV6
38 tristate "IPv6 nf_tables route chain support"
39 help
40 This option enables the "route" chain for IPv6 in nf_tables. This
41 chain type is used to force packet re-routing after mangling header
42 fields such as the source, destination, flowlabel, hop-limit and
43 the packet mark.
44
45config NFT_REJECT_IPV6
46 select NF_REJECT_IPV6
47 default NFT_REJECT
48 tristate
49
50endif # NF_TABLES_IPV6
51endif # NF_TABLES
52
53config NF_REJECT_IPV6
54 tristate "IPv6 packet rejection"
55 default m if NETFILTER_ADVANCED=n
56
57config NF_LOG_IPV6
58 tristate "IPv6 packet logging"
59 default m if NETFILTER_ADVANCED=n
60 select NF_LOG_COMMON
61
62config NF_NAT_IPV6
63 tristate "IPv6 NAT"
64 depends on NF_CONNTRACK_IPV6
65 depends on NETFILTER_ADVANCED
66 select NF_NAT
67 help
68 The IPv6 NAT option allows masquerading, port forwarding and other
69 forms of full Network Address Port Translation. This can be
70 controlled by iptables or nft.
71
72if NF_NAT_IPV6
73
74config NFT_CHAIN_NAT_IPV6
75 depends on NF_TABLES_IPV6
76 tristate "IPv6 nf_tables nat chain support"
77 help
78 This option enables the "nat" chain for IPv6 in nf_tables. This
79 chain type is used to perform Network Address Translation (NAT)
80 packet transformations such as the source, destination address and
81 source and destination ports.
82
83config NF_NAT_MASQUERADE_IPV6
84 tristate "IPv6 masquerade support"
85 help
86 This is the kernel functionality to provide NAT in the masquerade
87 flavour (automatic source address selection) for IPv6.
88
89config NFT_MASQ_IPV6
90 tristate "IPv6 masquerade support for nf_tables"
91 depends on NF_TABLES_IPV6
92 depends on NFT_MASQ
93 select NF_NAT_MASQUERADE_IPV6
94 help
95 This is the expression that provides IPv6 masquerading support for
96 nf_tables.
97
98config NFT_REDIR_IPV6
99 tristate "IPv6 redirect support for nf_tables"
100 depends on NF_TABLES_IPV6
101 depends on NFT_REDIR
102 select NF_NAT_REDIRECT
103 help
104 This is the expression that provides IPv6 redirect support for
105 nf_tables.
106
107endif # NF_NAT_IPV6
108
109config IP6_NF_IPTABLES
110 tristate "IP6 tables support (required for filtering)"
111 depends on INET && IPV6
112 select NETFILTER_XTABLES
113 default m if NETFILTER_ADVANCED=n
114 help
115 ip6tables is a general, extensible packet identification framework.
116 Currently only the packet filtering and packet mangling subsystem
117 for IPv6 use this, but connection tracking is going to follow.
118 Say 'Y' or 'M' here if you want to use either of those.
119
120 To compile it as a module, choose M here. If unsure, say N.
121
122if IP6_NF_IPTABLES
123
124# The simple matches.
125config IP6_NF_MATCH_AH
126 tristate '"ah" match support'
127 depends on NETFILTER_ADVANCED
128 help
129 This module allows one to match AH packets.
130
131 To compile it as a module, choose M here. If unsure, say N.
132
133config IP6_NF_MATCH_EUI64
134 tristate '"eui64" address check'
135 depends on NETFILTER_ADVANCED
136 help
137 This module performs checking on the IPv6 source address.
138 It compares the last 64 bits with the EUI64 (derived
139 from the MAC address) address.
140
141 To compile it as a module, choose M here. If unsure, say N.
142
143config IP6_NF_MATCH_FRAG
144 tristate '"frag" Fragmentation header match support'
145 depends on NETFILTER_ADVANCED
146 help
147 frag matching allows you to match packets based on the fragmentation
148 header of the packet.
149
150 To compile it as a module, choose M here. If unsure, say N.
151
152config IP6_NF_MATCH_OPTS
153 tristate '"hbh" hop-by-hop and "dst" opts header match support'
154 depends on NETFILTER_ADVANCED
155 help
156 This allows one to match packets based on the hop-by-hop
157 and destination options headers of a packet.
158
159 To compile it as a module, choose M here. If unsure, say N.
160
161config IP6_NF_MATCH_HL
162 tristate '"hl" hoplimit match support'
163 depends on NETFILTER_ADVANCED
164 select NETFILTER_XT_MATCH_HL
165 ---help---
166 This is a backwards-compat option for the user's convenience
167 (e.g. when running oldconfig). It selects
168 CONFIG_NETFILTER_XT_MATCH_HL.
169
170config IP6_NF_MATCH_IPV6HEADER
171 tristate '"ipv6header" IPv6 Extension Headers Match'
172 default m if NETFILTER_ADVANCED=n
173 help
174 This module allows one to match packets based upon
175 the ipv6 extension headers.
176
177 To compile it as a module, choose M here. If unsure, say N.
178
179config IP6_NF_MATCH_MH
180 tristate '"mh" match support'
181 depends on NETFILTER_ADVANCED
182 help
183 This module allows one to match MH packets.
184
185 To compile it as a module, choose M here. If unsure, say N.
186
187config IP6_NF_MATCH_RPFILTER
188 tristate '"rpfilter" reverse path filter match support'
189 depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
190 ---help---
191 This option allows you to match packets whose replies would
192 go out via the interface the packet came in.
193
194 To compile it as a module, choose M here. If unsure, say N.
195 The module will be called ip6t_rpfilter.
196
197config IP6_NF_MATCH_RT
198 tristate '"rt" Routing header match support'
199 depends on NETFILTER_ADVANCED
200 help
201 rt matching allows you to match packets based on the routing
202 header of the packet.
203
204 To compile it as a module, choose M here. If unsure, say N.
205
206# The targets
207config IP6_NF_TARGET_HL
208 tristate '"HL" hoplimit target support'
209 depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
210 select NETFILTER_XT_TARGET_HL
211 ---help---
212 This is a backwards-compatible option for the user's convenience
213 (e.g. when running oldconfig). It selects
214 CONFIG_NETFILTER_XT_TARGET_HL.
215
216config IP6_NF_FILTER
217 tristate "Packet filtering"
218 default m if NETFILTER_ADVANCED=n
219 help
220 Packet filtering defines a table `filter', which has a series of
221 rules for simple packet filtering at local input, forwarding and
222 local output. See the man page for iptables(8).
223
224 To compile it as a module, choose M here. If unsure, say N.
225
226config IP6_NF_TARGET_REJECT
227 tristate "REJECT target support"
228 depends on IP6_NF_FILTER
229 select NF_REJECT_IPV6
230 default m if NETFILTER_ADVANCED=n
231 help
232 The REJECT target allows a filtering rule to specify that an ICMPv6
233 error should be issued in response to an incoming packet, rather
234 than silently being dropped.
235
236 To compile it as a module, choose M here. If unsure, say N.
237
238config IP6_NF_TARGET_SYNPROXY
239 tristate "SYNPROXY target support"
240 depends on NF_CONNTRACK && NETFILTER_ADVANCED
241 select NETFILTER_SYNPROXY
242 select SYN_COOKIES
243 help
244 The SYNPROXY target allows you to intercept TCP connections and
245 establish them using syncookies before they are passed on to the
246 server. This makes it possible to avoid conntrack and server
247 resource usage during SYN-flood attacks.
248
249 To compile it as a module, choose M here. If unsure, say N.
250
251config IP6_NF_MANGLE
252 tristate "Packet mangling"
253 default m if NETFILTER_ADVANCED=n
254 help
255 This option adds a `mangle' table to iptables: see the man page for
256 iptables(8). This table is used for various packet alterations
257 which can affect how the packet is routed.
258
259 To compile it as a module, choose M here. If unsure, say N.
260
261config IP6_NF_RAW
262 tristate 'raw table support (required for TRACE)'
263 help
264 This option adds a `raw' table to ip6tables. This table is the very
265 first in the netfilter framework and hooks in at the PREROUTING
266 and OUTPUT chains.
267
268 If you want to compile it as a module, say M here and read
269 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
270
271# security table for MAC policy
272config IP6_NF_SECURITY
273 tristate "Security table"
274 depends on SECURITY
275 depends on NETFILTER_ADVANCED
276 help
277 This option adds a `security' table to iptables, for use
278 with Mandatory Access Control (MAC) policy.
279
280 If unsure, say N.
281
282config IP6_NF_NAT
283 tristate "ip6tables NAT support"
284 depends on NF_CONNTRACK_IPV6
285 depends on NETFILTER_ADVANCED
286 select NF_NAT
287 select NF_NAT_IPV6
288 select NETFILTER_XT_NAT
289 help
290 This enables the `nat' table in ip6tables. This allows masquerading,
291 port forwarding and other forms of full Network Address Port
292 Translation.
293
294 To compile it as a module, choose M here. If unsure, say N.
295
296if IP6_NF_NAT
297
298config IP6_NF_TARGET_MASQUERADE
299 tristate "MASQUERADE target support"
300 select NF_NAT_MASQUERADE_IPV6
301 help
302 Masquerading is a special case of NAT: all outgoing connections are
303 changed to seem to come from a particular interface's address, and
304 if the interface goes down, those connections are lost. This is
305 only useful for dialup accounts with a dynamic IP address (i.e. your IP
306 address will be different on next dialup).
307
308 To compile it as a module, choose M here. If unsure, say N.
309
310config IP6_NF_TARGET_NPT
311 tristate "NPT (Network Prefix translation) target support"
312 help
313 This option adds the `SNPT' and `DNPT' targets, which perform
314 stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
315
316 To compile it as a module, choose M here. If unsure, say N.
317
318endif # IP6_NF_NAT
319
320endif # IP6_NF_IPTABLES
321
322endmenu
323