1# SPDX-License-Identifier: GPL-2.0-only
2#
3# IPv6 netfilter configuration
4#
5
6menu "IPv6: Netfilter Configuration"
7 depends on INET && IPV6 && NETFILTER
8
9# old sockopt interface and eval loop
10config IP6_NF_IPTABLES_LEGACY
11 tristate "Legacy IP6 tables support"
12 depends on INET && IPV6 && NETFILTER_XTABLES_LEGACY
13 default m if NETFILTER_XTABLES_LEGACY
14 help
15 ip6tables is a legacy packet classifier.
16 This is not needed if you are using iptables over nftables
17 (iptables-nft).
18
19config NF_SOCKET_IPV6
20 tristate "IPv6 socket lookup support"
21 help
22 This option enables the IPv6 socket lookup infrastructure. This
23 is used by the {ip6,nf}tables socket match.
24
25config NF_TPROXY_IPV6
26 tristate "IPv6 tproxy support"
27
28if NF_TABLES
29
30config NF_TABLES_IPV6
31 bool "IPv6 nf_tables support"
32 help
33 This option enables the IPv6 support for nf_tables.
34
35if NF_TABLES_IPV6
36
37config NFT_REJECT_IPV6
38 select NF_REJECT_IPV6
39 default NFT_REJECT
40 tristate
41
42config NFT_DUP_IPV6
43 tristate "IPv6 nf_tables packet duplication support"
44 depends on !NF_CONNTRACK || NF_CONNTRACK
45 select NF_DUP_IPV6
46 help
47 This module enables IPv6 packet duplication support for nf_tables.
48
49config NFT_FIB_IPV6
50 tristate "nf_tables fib / ipv6 route lookup support"
51 select NFT_FIB
52 help
53 This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
54 It also allows querying the FIB for the route type, e.g. local, unicast,
55 multicast or blackhole.
56
57endif # NF_TABLES_IPV6
58endif # NF_TABLES
59
60config NF_DUP_IPV6
61 tristate "Netfilter IPv6 packet duplication to alternate destination"
62 depends on !NF_CONNTRACK || NF_CONNTRACK
63 help
64 This option enables the nf_dup_ipv6 core, which duplicates an IPv6
65 packet to be rerouted to another destination.
66
67config NF_REJECT_IPV6
68 tristate "IPv6 packet rejection"
69 default m if NETFILTER_ADVANCED=n
70
71config NF_LOG_IPV6
72 tristate "IPv6 packet logging"
73 default m if NETFILTER_ADVANCED=n
74 select NF_LOG_SYSLOG
75 help
76 This is a backwards-compat option for the user's convenience
77 (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.
78
79config IP6_NF_IPTABLES
80 tristate "IP6 tables support (required for filtering)"
81 depends on INET && IPV6
82 select NETFILTER_XTABLES
83 default m if NETFILTER_ADVANCED=n
84 help
85 ip6tables is a general, extensible packet identification framework.
86 Currently only the packet filtering and packet mangling subsystems
87 for IPv6 use this, but connection tracking is going to follow.
88 Say 'Y' or 'M' here if you want to use either of those.
89
90 To compile it as a module, choose M here. If unsure, say N.
91
92if IP6_NF_IPTABLES
93
94# The simple matches.
95config IP6_NF_MATCH_AH
96 tristate '"ah" match support'
97 depends on NETFILTER_ADVANCED
98 help
99 This module allows one to match AH packets.
100
101 To compile it as a module, choose M here. If unsure, say N.
102
103config IP6_NF_MATCH_EUI64
104 tristate '"eui64" address check'
105 depends on NETFILTER_ADVANCED
106 help
107 This module checks the IPv6 source address: it compares the
108 last 64 bits with the EUI64 address derived from the
109 MAC address.
110
111 To compile it as a module, choose M here. If unsure, say N.
112
113config IP6_NF_MATCH_FRAG
114 tristate '"frag" Fragmentation header match support'
115 depends on NETFILTER_ADVANCED
116 help
117 frag matching allows you to match packets based on the fragmentation
118 header of the packet.
119
120 To compile it as a module, choose M here. If unsure, say N.
121
122config IP6_NF_MATCH_OPTS
123 tristate '"hbh" hop-by-hop and "dst" opts header match support'
124 depends on NETFILTER_ADVANCED
125 help
126 This allows one to match packets based on the hop-by-hop
127 and destination options headers of a packet.
128
129 To compile it as a module, choose M here. If unsure, say N.
130
131config IP6_NF_MATCH_HL
132 tristate '"hl" hoplimit match support'
133 depends on NETFILTER_ADVANCED
134 select NETFILTER_XT_MATCH_HL
135 help
136 This is a backwards-compat option for the user's convenience
137 (e.g. when running oldconfig). It selects
138 CONFIG_NETFILTER_XT_MATCH_HL.
139
140config IP6_NF_MATCH_IPV6HEADER
141 tristate '"ipv6header" IPv6 Extension Headers Match'
142 default m if NETFILTER_ADVANCED=n
143 help
144 This module allows one to match packets based upon
145 the ipv6 extension headers.
146
147 To compile it as a module, choose M here. If unsure, say N.
148
149config IP6_NF_MATCH_MH
150 tristate '"mh" match support'
151 depends on NETFILTER_ADVANCED
152 help
153 This module allows one to match MH packets.
154
155 To compile it as a module, choose M here. If unsure, say N.
156
157config IP6_NF_MATCH_RPFILTER
158 tristate '"rpfilter" reverse path filter match support'
159 depends on NETFILTER_ADVANCED
160 depends on IP6_NF_MANGLE || IP6_NF_RAW || NFT_COMPAT
161 help
162 This option allows you to match packets whose replies would
163 go out via the interface the packet came in.
164
165 To compile it as a module, choose M here. If unsure, say N.
166 The module will be called ip6t_rpfilter.
167
168config IP6_NF_MATCH_RT
169 tristate '"rt" Routing header match support'
170 depends on NETFILTER_ADVANCED
171 help
172 rt matching allows you to match packets based on the routing
173 header of the packet.
174
175 To compile it as a module, choose M here. If unsure, say N.
176
177config IP6_NF_MATCH_SRH
178 tristate '"srh" Segment Routing header match support'
179 depends on NETFILTER_ADVANCED
180 help
181 srh matching allows you to match packets based on the segment
182 routing header of the packet.
183
184 To compile it as a module, choose M here. If unsure, say N.
185
186# The targets
187config IP6_NF_TARGET_HL
188 tristate '"HL" hoplimit target support'
189 depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
190 select NETFILTER_XT_TARGET_HL
191 help
192 This is a backwards-compatible option for the user's convenience
193 (e.g. when running oldconfig). It selects
194 CONFIG_NETFILTER_XT_TARGET_HL.
195
196config IP6_NF_FILTER
197 tristate "Packet filtering"
198 default m if NETFILTER_ADVANCED=n || IP6_NF_IPTABLES_LEGACY
199 depends on IP6_NF_IPTABLES_LEGACY
# NOTE(review): the bare `tristate` on the next line repeats the type already
# declared by the prompt line above; it looks redundant and could be dropped.
200 tristate
201 help
202 Packet filtering defines a table `filter', which has a series of
203 rules for simple packet filtering at local input, forwarding and
204 local output. See the man page for iptables(8).
205
206 To compile it as a module, choose M here. If unsure, say N.
207
208config IP6_NF_TARGET_REJECT
209 tristate "REJECT target support"
210 depends on IP6_NF_FILTER || NFT_COMPAT
211 select NF_REJECT_IPV6
212 default m if NETFILTER_ADVANCED=n
213 help
214 The REJECT target allows a filtering rule to specify that an ICMPv6
215 error should be issued in response to an incoming packet, rather
216 than silently being dropped.
217
218 To compile it as a module, choose M here. If unsure, say N.
219
220config IP6_NF_TARGET_SYNPROXY
221 tristate "SYNPROXY target support"
222 depends on NF_CONNTRACK && NETFILTER_ADVANCED
223 select NETFILTER_SYNPROXY
224 select SYN_COOKIES
225 help
226 The SYNPROXY target allows you to intercept TCP connections and
227 establish them using syncookies before they are passed on to the
228 server. This avoids conntrack and server resource usage
229 during SYN-flood attacks.
230
231 To compile it as a module, choose M here. If unsure, say N.
232
233config IP6_NF_MANGLE
234 tristate "Packet mangling"
235 default m if NETFILTER_ADVANCED=n || IP6_NF_IPTABLES_LEGACY
236 depends on IP6_NF_IPTABLES_LEGACY
237 help
238 This option adds a `mangle' table to iptables: see the man page for
239 iptables(8). This table is used for various packet alterations
240 which can affect how the packet is routed.
241
242 To compile it as a module, choose M here. If unsure, say N.
243
244config IP6_NF_RAW
245 tristate 'raw table support (required for TRACE)'
246 depends on IP6_NF_IPTABLES_LEGACY
247 help
248 This option adds a `raw' table to ip6tables. This table is the very
249 first in the netfilter framework and hooks in at the PREROUTING
250 and OUTPUT chains.
251
252 If you want to compile it as a module, say M here and read
253 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
254
255# security table for MAC policy
256config IP6_NF_SECURITY
257 tristate "Security table"
258 depends on SECURITY
259 depends on NETFILTER_ADVANCED
260 depends on IP6_NF_IPTABLES_LEGACY
261 help
262 This option adds a `security' table to iptables, for use
263 with Mandatory Access Control (MAC) policy.
264
265 If unsure, say N.
266
267config IP6_NF_NAT
268 tristate "ip6tables NAT support"
269 depends on NF_CONNTRACK
270 depends on NETFILTER_ADVANCED
271 depends on IP6_NF_IPTABLES_LEGACY
272 select NF_NAT
273 select NETFILTER_XT_NAT
274 help
275 This enables the `nat' table in ip6tables. This allows masquerading,
276 port forwarding and other forms of full Network Address Port
277 Translation.
278
279 To compile it as a module, choose M here. If unsure, say N.
280
281config IP6_NF_TARGET_MASQUERADE
282 tristate "MASQUERADE target support"
283 select NETFILTER_XT_TARGET_MASQUERADE
284 depends on IP6_NF_NAT
285 help
286 This is a backwards-compat option for the user's convenience
287 (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
288
289config IP6_NF_TARGET_NPT
290 tristate "NPT (Network Prefix translation) target support"
291 depends on IP6_NF_NAT || NFT_COMPAT
292 help
293 This option adds the `SNPT' and `DNPT' targets, which perform
294 stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
295
296 To compile it as a module, choose M here. If unsure, say N.
297
298endif # IP6_NF_IPTABLES
299endmenu
300
301config NF_DEFRAG_IPV6
302 tristate