v3.15
#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_DEFRAG_IPV6
	tristate
	default n

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_TABLES_IPV6
	depends on NF_TABLES
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	depends on NF_NAT_IPV6 && NFT_NAT
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NFT_REJECT_IPV6
	depends on NF_TABLES_IPV6
	default NFT_REJECT
	tristate

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address
	  Compares the last 64 bits with the EUI64 (delivered
	  from the MAC address) address

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_RAW
	tristate  'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
       tristate "Security table"
       depends on SECURITY
       depends on NETFILTER_ADVANCED
       help
         This option adds a `security' table to iptables, for use
         with Mandatory Access Control (MAC) policy.

         If unsure, say N.

config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in ip6tables, see the man page for ip6tables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_NAT_IPV6

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # NF_NAT_IPV6

endif # IP6_NF_IPTABLES

endmenu

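Added example, not part of the kernel source listed here: the comparison that the IP6_NF_MATCH_EUI64 help text describes, written out in Python so it is clear which source addresses pass the check. The function names and the sample MAC/address pairs are constructed for illustration; the derivation follows the modified EUI-64 format of RFC 4291, Appendix A.

```python
import ipaddress


def modified_eui64(mac: str) -> bytes:
    """Derive the 64-bit interface identifier from a 48-bit MAC address."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit of the first octet and insert ff:fe
    # between the OUI (first three octets) and the NIC-specific part.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]


def eui64_matches(src_addr: str, src_mac: str) -> bool:
    """True when the last 64 bits of the IPv6 source equal the MAC's EUI-64."""
    interface_id = ipaddress.IPv6Address(src_addr).packed[8:]
    return interface_id == modified_eui64(src_mac)


# Constructed (source MAC, IPv6 source address) pairs, not captured traffic.
SAMPLES = [
    ("00:1b:21:3c:4d:5e", "2001:db8:0:1:21b:21ff:fe3c:4d5e"),   # SLAAC EUI-64 address
    ("00:1b:21:3c:4d:5e", "2001:db8:0:1:a1b2:c3d4:e5f6:1234"),  # randomised interface ID
    ("00:1b:21:3c:4d:5e", "2001:db8:0:1:21b:21ff:fe3c:4d5f"),   # EUI-64 of another MAC
    ("00:1b:21:3c:4d:5e", "2001:db8:0:1:1b:21ff:fe3c:4d5e"),    # U/L bit not flipped
]


def mismatches(samples):
    """Return the pairs an eui64-style check would not match."""
    return [(mac, addr) for mac, addr in samples if not eui64_matches(addr, mac)]


if __name__ == "__main__":
    for mac, addr in SAMPLES:
        verdict = "match" if eui64_matches(addr, mac) else "no match"
        print(f"{mac}  {addr}  {verdict}")
```

Hosts that use randomised or manually assigned interface identifiers fail this comparison even though they are legitimate, so a rule built on the match fits only segments where every host autoconfigures its address from its MAC.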
v4.10.11
#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_DEFRAG_IPV6
	tristate
	default n

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the ip6tables socket match.

if NF_TABLES

config NF_TABLES_IPV6
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.

endif # NF_NAT_IPV6

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address
	  Compares the last 64 bits with the EUI64 (delivered
	  from the MAC address) address

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_RAW
	tristate  'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
       tristate "Security table"
       depends on SECURITY
       depends on NETFILTER_ADVANCED
       help
         This option adds a `security' table to iptables, for use
         with Mandatory Access Control (MAC) policy.

         If unsure, say N.

config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu

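Added example, not part of the kernel source listed here: the checksum-neutral mapping of RFC 6296 that the IP6_NF_TARGET_NPT help text refers to, written in Python and narrowed to prefixes of /48 or shorter (the adjustment then lands in bits 48..63 of the address). The function names are illustrative; the prefixes and addresses are the documentation values used in the RFC's own worked example.

```python
import ipaddress


def ones_add(a: int, b: int) -> int:
    """16-bit one's-complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)


def words(addr) -> list:
    """Split an IPv6 address into its eight 16-bit words."""
    packed = ipaddress.IPv6Address(addr).packed
    return [int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2)]


def csum16(ws) -> int:
    """One's-complement sum of 16-bit words (what L4 checksums add up)."""
    total = 0
    for w in ws:
        total = ones_add(total, w)
    return total


def npt_translate(addr: str, from_prefix: str, to_prefix: str) -> str:
    """Rewrite the prefix of addr and compensate in the subnet word.

    from_prefix -> to_prefix is internal -> external for a source rewrite
    (SNPT) and external -> internal for a destination rewrite (DNPT).
    """
    src = ipaddress.IPv6Network(from_prefix)
    dst = ipaddress.IPv6Network(to_prefix)
    if src.prefixlen != dst.prefixlen or src.prefixlen > 48:
        raise ValueError("this example handles equal-length prefixes up to /48")
    address = ipaddress.IPv6Address(addr)
    if address not in src:
        raise ValueError("address is outside the prefix being translated")

    # Swap the prefix bits, keep everything below the prefix unchanged.
    host_mask = (1 << (128 - src.prefixlen)) - 1
    swapped = int(dst.network_address) | (int(address) & host_mask)
    w = words(swapped)

    # adjustment = sum(old prefix) - sum(new prefix), in one's complement.
    adjustment = ones_add(csum16(words(src.network_address)),
                          ~csum16(words(dst.network_address)) & 0xFFFF)
    w[3] = ones_add(w[3], adjustment)
    if w[3] == 0xFFFF:  # RFC 6296: a result of 0xFFFF is written as 0x0000
        w[3] = 0x0000
    return str(ipaddress.IPv6Address(b"".join(x.to_bytes(2, "big") for x in w)))


INTERNAL, EXTERNAL = "fd01:203:405::/48", "2001:db8:1::/48"

if __name__ == "__main__":
    inside = "fd01:203:405:1::1234"
    outside = npt_translate(inside, INTERNAL, EXTERNAL)
    print(inside, "->", outside)
    print("address word sums:", hex(csum16(words(inside))), hex(csum16(words(outside))))
    print(outside, "->", npt_translate(outside, EXTERNAL, INTERNAL))
```

Because the sum of the address words is unchanged, TCP and UDP checksums stay valid without touching the payload, which is what lets the translation be stateless; it also means the translator keeps no per-connection record, so any filtering has to be done by separate rules.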