# IP netfilter configuration

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "IPv6 nf_tables support"
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and

config NFT_REJECT_IPV6
	depends on NF_TABLES_IPV6

	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n

	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystems
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	  This module checks the IPv6 source address: it compares the
	  last 64 bits with the EUI64 address (derived from the MAC
	  address).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	  This module allows one to match packets based upon
	  the IPv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate 'raw table support (required for TRACE)'
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_NAT
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	select NF_NAT_MASQUERADE_IPV6

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_IPTABLES
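
The stateless prefix rewrite that the IP6_NF_TARGET_NPT help text refers to (RFC 6296), as an added example written for this page and not the kernel's own code. It handles only /48 prefixes; the function names and the sample addresses are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* One's-complement 16-bit add with end-around carry. */
static uint16_t oc_add(uint16_t a, uint16_t b)
{
	uint32_t s = (uint32_t)a + b;
	return (uint16_t)((s & 0xffff) + (s >> 16));
}

/* One's-complement sum over n 16-bit words (the part of an address that
 * feeds the TCP/UDP pseudo-header checksum). */
uint16_t oc_sum(const uint16_t *w, int n)
{
	uint16_t s = 0;
	for (int i = 0; i < n; i++)
		s = oc_add(s, w[i]);
	return s;
}

/* Rewrite the /48 prefix of addr (eight host-order words) from `from` to
 * `to`. Word 3, the subnet field, absorbs the difference so the address
 * keeps the same one's-complement sum. Returns -1 if addr is outside `from`. */
int npt48_translate(uint16_t addr[8], const uint16_t from[3],
		    const uint16_t to[3])
{
	for (int i = 0; i < 3; i++)
		if (addr[i] != from[i])
			return -1;
	/* adjustment = sum(from) - sum(to), in one's-complement arithmetic */
	uint16_t adj = oc_add(oc_sum(from, 3), (uint16_t)~oc_sum(to, 3));
	for (int i = 0; i < 3; i++)
		addr[i] = to[i];
	addr[3] = oc_add(addr[3], adj);
	if (addr[3] == 0xffff)	/* RFC 6296: 0xFFFF is written as 0x0000 */
		addr[3] = 0x0000;
	return 0;
}

int main(void)
{
	/* Constructed sample: fd01:203:405:1::1234, ULA /48 -> 2001:db8:1::/48 */
	uint16_t a[8] = {0xfd01, 0x0203, 0x0405, 0x0001, 0, 0, 0, 0x1234};
	const uint16_t in[3] = {0xfd01, 0x0203, 0x0405};
	const uint16_t ex[3] = {0x2001, 0x0db8, 0x0001};
	if (npt48_translate(a, in, ex) == 0)
		printf("%x:%x:%x:%x::%x\n", a[0], a[1], a[2], a[3], a[7]);
	return 0;
}
```

Because the address sum is unchanged, TCP and UDP checksums stay valid without touching the transport header, which is why the translation needs no connection tracking state.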