Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
at v4.2 324 lines 9.7 kB view raw
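#
# IP netfilter configuration
#
# Build-time switches for the IPv6 side of netfilter. Options marked
# "default m if NETFILTER_ADVANCED=n" are built as modules automatically
# when the advanced menu is hidden; everything else has to be chosen
# explicitly, so review the resulting .config when a host is expected to
# filter or log IPv6 traffic.
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# Promptless symbol: it has no menu entry and is only turned on through
# another option's "select" (NF_CONNTRACK_IPV6 below does so).
config NF_DEFRAG_IPV6
	tristate
	default n

# Connection tracking for IPv6. Selecting it also pulls in
# NF_DEFRAG_IPV6 (see the select line).
config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

if NF_TABLES

config NF_TABLES_IPV6
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

# Promptless: follows the value of NFT_REJECT and selects the shared
# NF_REJECT_IPV6 code.
config NFT_REJECT_IPV6
	tristate
	default NFT_REJECT
	select NF_REJECT_IPV6

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

# Packet logging is what gives a filtering policy an audit trail; this
# option selects the shared NF_LOG_COMMON code.
config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

# NAT needs IPv6 connection tracking and is only offered when
# NETFILTER_ADVANCED is set. NOTE(review): address translation rewrites
# packets; it does not decide which traffic is allowed, so a filter
# policy is still needed alongside it.
config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.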
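# Everything down to "endif # NF_NAT_IPV6" is only offered when IPv6 NAT
# itself is enabled.
if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	tristate "IPv6 nf_tables nat chain support"
	depends on NF_TABLES_IPV6
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

# The help text of this option and of NFT_REDIR_IPV6 said "IPv4"; both
# are the IPv6 expressions, so the wording is corrected here.
config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv6 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv6 redirect support for
	  nf_tables.

endif # NF_NAT_IPV6

# Base option for ip6tables. The prompt states it is required for
# filtering, and every match/target inside the "if IP6_NF_IPTABLES"
# block that opens after it depends on it: a kernel built without this
# option cannot load ip6tables rules at all.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.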
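# NOTE(review): this match only compares the low 64 bits of the source
# address with a value derived from the sender's MAC address. It is a
# consistency check, not authentication, and sources whose interface
# identifier is not built from the MAC will not match.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here. If unsure, say N.

# The frag and hbh/dst matches let a ruleset refer to IPv6 extension
# headers; all of them are only offered when NETFILTER_ADVANCED is set.
config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility shim: the match itself is provided by
# NETFILTER_XT_MATCH_HL, which this option selects.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# Unlike the other matches here, this one defaults to a module when
# NETFILTER_ADVANCED is off.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.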
# Reverse-path match: needs the mangle or the raw table to be available.
# NOTE(review): typically used as an anti-spoofing check, by dropping
# packets that do NOT match (their replies would leave through a
# different interface than the one they arrived on).
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# The targets
# Compatibility shim for the hop-limit target: the implementation is
# NETFILTER_XT_TARGET_HL, selected below.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# The `filter' table: the one that carries the actual accept/drop policy
# for local input, forwarding and local output. Built as a module by
# default when NETFILTER_ADVANCED is off.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# REJECT answers with an ICMPv6 error instead of dropping silently, so
# the sender learns the packet was refused; whether that feedback is
# wanted is a policy decision for the ruleset author.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	select NF_REJECT_IPV6
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.
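# SYN-flood mitigation target. Enabling it force-enables SYN_COOKIES and
# NETFILTER_SYNPROXY through the select lines, so check the rest of the
# configuration for the effect of those two symbols.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This makes it possible to avoid conntrack and server
	  resource usage during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# The raw table has no default and no NETFILTER_ADVANCED dependency; the
# prompt notes that the TRACE target requires it.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
# Only offered when the kernel is built with SECURITY and
# NETFILTER_ADVANCED; it has no default, so it stays off unless chosen.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# ip6tables front end for NAT; selects the NAT core (NF_NAT,
# NF_NAT_IPV6) and the xtables NAT targets (NETFILTER_XT_NAT).
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.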
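# Both targets in this block are only offered when the ip6tables `nat'
# table (IP6_NF_NAT) is enabled.
if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your
	  IP address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): the help text describes this translation as stateless,
# so it should not be counted on as a stateful filter; the filtering
# policy has to come from explicit rules.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu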