# IP netfilter configuration

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "IPv6 nf_tables support"
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and

config NFT_REJECT_IPV6

endif # NF_TABLES_IPV6

	tristate "Netfilter IPv6 packet duplication to alternate destination"
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n

	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	select NF_NAT_MASQUERADE_IPV6
	  This is the expression that provides IPv6 masquerading support for

config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NF_TABLES_IPV6
	select NF_NAT_REDIRECT
	  This is the expression that provides IPv6 redirect support for

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	  This module performs checking on the IPv6 source address.
	  Compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate 'raw table support (required for TRACE)'
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_NAT
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_IPTABLES