Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
at v4.14-rc2 352 lines 11 kB view raw
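#
# IP netfilter configuration
#
# Build-time options for the IPv6 side of netfilter: connection tracking,
# nf_tables families and chain types, NAT, and the ip6tables tables,
# matches and targets.
#
# NOTE(review): an IPv4 (iptables) ruleset does not cover IPv6 traffic.
# A kernel built with IPV6 needs its own IPv6 filtering, through either
# ip6tables (IP6_NF_IPTABLES) or nf_tables (NF_TABLES_IPV6) below.
#
# "default m if NETFILTER_ADVANCED=n" on several entries means: when the
# advanced netfilter menu is switched off, the option defaults to being
# built as a module.
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# No prompt: only enabled through "select" from other options.
config NF_DEFRAG_IPV6
	tristate
	default n

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the ip6tables socket match.

if NF_TABLES

config NF_TABLES_IPV6
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# No prompt: follows NFT_REJECT and pulls in the IPv6 reject core.
config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

# "!NF_CONNTRACK || NF_CONNTRACK" is a tristate idiom: it evaluates to m
# when NF_CONNTRACK=m (so this option cannot be built in while conntrack
# is a module) and to y otherwise.
config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

# Same tristate idiom as NFT_DUP_IPV6: limited to m when NF_CONNTRACK=m.
config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv6 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv6 redirect support for
	  nf_tables.

endif # NF_NAT_IPV6

# Everything between "if IP6_NF_IPTABLES" and its endif (tables, matches,
# targets) is only offered when this option is enabled.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
#
# The ah, frag, hbh/dst, ipv6header, mh and rt matches let a ruleset
# select packets by the IPv6 extension headers they carry, so a policy
# can restrict the extension headers it does not expect.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

# Source-address validation for IPv6: a rule using this match can drop
# packets that arrive on an interface the reply would not be routed out
# of. It needs the mangle or raw table to attach to.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

# Selecting this also forces SYN_COOKIES on, since the target relies on
# syncookies to complete handshakes.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to ip6tables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to ip6tables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

# NOTE(review): the help text describes this translation as stateless, so
# it keeps no per-connection state that would reject unsolicited inbound
# packets; deployments using SNPT/DNPT still need explicit filter rules.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu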