net/ipv6/netfilter/Kconfig

   1 #
   2 # IP netfilter configuration
   3 #
   4
   5 menu "IPv6: Netfilter Configuration"
   6         depends on INET && IPV6 && NETFILTER
   7
   8 config NF_DEFRAG_IPV6
   9         tristate
  10         default n
  11
  12 config NF_CONNTRACK_IPV6
  13         tristate "IPv6 connection tracking support"
  14         depends on INET && IPV6 && NF_CONNTRACK
  15         default m if NETFILTER_ADVANCED=n
  16         select NF_DEFRAG_IPV6
  17         ---help---
  18           Connection tracking keeps a record of what packets have passed
  19           through your machine, in order to figure out how they are related
  20           into connections.
  21
  22           This is IPv6 support on Layer 3 independent connection tracking.
  23           Layer 3 independent connection tracking is experimental scheme
  24           which generalize ip_conntrack to support other layer 3 protocols.
  25
  26           To compile it as a module, choose M here.  If unsure, say N.
  27
  28 config NF_TABLES_IPV6
  29         depends on NF_TABLES
  30         tristate "IPv6 nf_tables support"
  31         help
  32           This option enables the IPv6 support for nf_tables.
  33
  34 config NFT_CHAIN_ROUTE_IPV6
  35         depends on NF_TABLES_IPV6
  36         tristate "IPv6 nf_tables route chain support"
  37         help
  38           This option enables the "route" chain for IPv6 in nf_tables. This
  39           chain type is used to force packet re-routing after mangling header
  40           fields such as the source, destination, flowlabel, hop-limit and
  41           the packet mark.
  42
  43 config NFT_REJECT_IPV6
  44         depends on NF_TABLES_IPV6
  45         default NFT_REJECT
  46         tristate
  47
  48 config NF_LOG_IPV6
  49         tristate "IPv6 packet logging"
  50         default m if NETFILTER_ADVANCED=n
  51         select NF_LOG_COMMON
  52
  53 config NF_NAT_IPV6
  54         tristate "IPv6 NAT"
  55         depends on NF_CONNTRACK_IPV6
  56         depends on NETFILTER_ADVANCED
  57         select NF_NAT
  58         help
  59           The IPv6 NAT option allows masquerading, port forwarding and other
  60           forms of full Network Address Port Translation. This can be
  61           controlled by iptables or nft.
  62
  63 if NF_NAT_IPV6
  64
  65 config NFT_CHAIN_NAT_IPV6
  66         depends on NF_TABLES_IPV6
  67         tristate "IPv6 nf_tables nat chain support"
  68         help
  69           This option enables the "nat" chain for IPv6 in nf_tables. This
  70           chain type is used to perform Network Address Translation (NAT)
  71           packet transformations such as the source, destination address and
  72           source and destination ports.
  73
  74 endif # NF_NAT_IPV6
  75
  76 config IP6_NF_IPTABLES
  77         tristate "IP6 tables support (required for filtering)"
  78         depends on INET && IPV6
  79         select NETFILTER_XTABLES
  80         default m if NETFILTER_ADVANCED=n
  81         help
  82           ip6tables is a general, extensible packet identification framework.
  83           Currently only the packet filtering and packet mangling subsystem
  84           for IPv6 use this, but connection tracking is going to follow.
  85           Say 'Y' or 'M' here if you want to use either of those.
  86
  87           To compile it as a module, choose M here.  If unsure, say N.
  88
  89 if IP6_NF_IPTABLES
  90
  91 # The simple matches.
  92 config IP6_NF_MATCH_AH
  93         tristate '"ah" match support'
  94         depends on NETFILTER_ADVANCED
  95         help
  96           This module allows one to match AH packets.
  97
  98           To compile it as a module, choose M here.  If unsure, say N.
  99
 100 config IP6_NF_MATCH_EUI64
 101         tristate '"eui64" address check'
 102         depends on NETFILTER_ADVANCED
 103         help
 104           This module performs checking on the IPv6 source address
 105           Compares the last 64 bits with the EUI64 (delivered
 106           from the MAC address) address
 107
 108           To compile it as a module, choose M here.  If unsure, say N.
 109
 110 config IP6_NF_MATCH_FRAG
 111         tristate '"frag" Fragmentation header match support'
 112         depends on NETFILTER_ADVANCED
 113         help
 114           frag matching allows you to match packets based on the fragmentation
 115           header of the packet.
 116
 117           To compile it as a module, choose M here.  If unsure, say N.
 118
 119 config IP6_NF_MATCH_OPTS
 120         tristate '"hbh" hop-by-hop and "dst" opts header match support'
 121         depends on NETFILTER_ADVANCED
 122         help
 123           This allows one to match packets based on the hop-by-hop
 124           and destination options headers of a packet.
 125
 126           To compile it as a module, choose M here.  If unsure, say N.
 127
 128 config IP6_NF_MATCH_HL
 129         tristate '"hl" hoplimit match support'
 130         depends on NETFILTER_ADVANCED
 131         select NETFILTER_XT_MATCH_HL
 132         ---help---
 133         This is a backwards-compat option for the user's convenience
 134         (e.g. when running oldconfig). It selects
 135         CONFIG_NETFILTER_XT_MATCH_HL.
 136
 137 config IP6_NF_MATCH_IPV6HEADER
 138         tristate '"ipv6header" IPv6 Extension Headers Match'
 139         default m if NETFILTER_ADVANCED=n
 140         help
 141           This module allows one to match packets based upon
 142           the ipv6 extension headers.
 143
 144           To compile it as a module, choose M here.  If unsure, say N.
 145
 146 config IP6_NF_MATCH_MH
 147         tristate '"mh" match support'
 148         depends on NETFILTER_ADVANCED
 149         help
 150           This module allows one to match MH packets.
 151
 152           To compile it as a module, choose M here.  If unsure, say N.
 153
 154 config IP6_NF_MATCH_RPFILTER
 155         tristate '"rpfilter" reverse path filter match support'
 156         depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
 157         ---help---
 158           This option allows you to match packets whose replies would
 159           go out via the interface the packet came in.
 160
 161           To compile it as a module, choose M here.  If unsure, say N.
 162           The module will be called ip6t_rpfilter.
 163
 164 config IP6_NF_MATCH_RT
 165         tristate '"rt" Routing header match support'
 166         depends on NETFILTER_ADVANCED
 167         help
 168           rt matching allows you to match packets based on the routing
 169           header of the packet.
 170
 171           To compile it as a module, choose M here.  If unsure, say N.
 172
 173 # The targets
 174 config IP6_NF_TARGET_HL
 175         tristate '"HL" hoplimit target support'
 176         depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
 177         select NETFILTER_XT_TARGET_HL
 178         ---help---
 179         This is a backwards-compatible option for the user's convenience
 180         (e.g. when running oldconfig). It selects
 181         CONFIG_NETFILTER_XT_TARGET_HL.
 182
 183 config IP6_NF_FILTER
 184         tristate "Packet filtering"
 185         default m if NETFILTER_ADVANCED=n
 186         help
 187           Packet filtering defines a table `filter', which has a series of
 188           rules for simple packet filtering at local input, forwarding and
 189           local output.  See the man page for iptables(8).
 190
 191           To compile it as a module, choose M here.  If unsure, say N.
 192
 193 config IP6_NF_TARGET_REJECT
 194         tristate "REJECT target support"
 195         depends on IP6_NF_FILTER
 196         default m if NETFILTER_ADVANCED=n
 197         help
 198           The REJECT target allows a filtering rule to specify that an ICMPv6
 199           error should be issued in response to an incoming packet, rather
 200           than silently being dropped.
 201
 202           To compile it as a module, choose M here.  If unsure, say N.
 203
 204 config IP6_NF_TARGET_SYNPROXY
 205         tristate "SYNPROXY target support"
 206         depends on NF_CONNTRACK && NETFILTER_ADVANCED
 207         select NETFILTER_SYNPROXY
 208         select SYN_COOKIES
 209         help
 210           The SYNPROXY target allows you to intercept TCP connections and
 211           establish them using syncookies before they are passed on to the
 212           server. This allows to avoid conntrack and server resource usage
 213           during SYN-flood attacks.
 214
 215           To compile it as a module, choose M here. If unsure, say N.
 216
 217 config IP6_NF_MANGLE
 218         tristate "Packet mangling"
 219         default m if NETFILTER_ADVANCED=n
 220         help
 221           This option adds a `mangle' table to iptables: see the man page for
 222           iptables(8).  This table is used for various packet alterations
 223           which can effect how the packet is routed.
 224
 225           To compile it as a module, choose M here.  If unsure, say N.
 226
 227 config IP6_NF_RAW
 228         tristate  'raw table support (required for TRACE)'
 229         help
 230           This option adds a `raw' table to ip6tables. This table is the very
 231           first in the netfilter framework and hooks in at the PREROUTING
 232           and OUTPUT chains.
 233
 234           If you want to compile it as a module, say M here and read
 235           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 236
 237 # security table for MAC policy
 238 config IP6_NF_SECURITY
 239        tristate "Security table"
 240        depends on SECURITY
 241        depends on NETFILTER_ADVANCED
 242        help
 243          This option adds a `security' table to iptables, for use
 244          with Mandatory Access Control (MAC) policy.
 245
 246          If unsure, say N.
 247
 248 config IP6_NF_NAT
 249         tristate "ip6tables NAT support"
 250         depends on NF_CONNTRACK_IPV6
 251         depends on NETFILTER_ADVANCED
 252         select NF_NAT
 253         select NF_NAT_IPV6
 254         select NETFILTER_XT_NAT
 255         help
 256           This enables the `nat' table in ip6tables. This allows masquerading,
 257           port forwarding and other forms of full Network Address Port
 258           Translation.
 259
 260           To compile it as a module, choose M here.  If unsure, say N.
 261
 262 if IP6_NF_NAT
 263
 264 config NF_NAT_MASQUERADE_IPV6
 265         tristate "IPv6 masquerade support"
 266         help
 267          This is the kernel functionality to provide NAT in the masquerade
 268          flavour (automatic source address selection) for IPv6.
 269
 270 config NFT_MASQ_IPV6
 271         tristate "IPv6 masquerade support for nf_tables"
 272         depends on NF_TABLES_IPV6
 273         depends on NFT_MASQ
 274         select NF_NAT_MASQUERADE_IPV6
 275
 276 config IP6_NF_TARGET_MASQUERADE
 277         tristate "MASQUERADE target support"
 278         select NF_NAT_MASQUERADE_IPV6
 279         help
 280           Masquerading is a special case of NAT: all outgoing connections are
 281           changed to seem to come from a particular interface's address, and
 282           if the interface goes down, those connections are lost.  This is
 283           only useful for dialup accounts with dynamic IP address (ie. your IP
 284           address will be different on next dialup).
 285
 286           To compile it as a module, choose M here.  If unsure, say N.
 287
 288 config IP6_NF_TARGET_NPT
 289         tristate "NPT (Network Prefix translation) target support"
 290         help
 291           This option adds the `SNPT' and `DNPT' target, which perform
 292           stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
 293
 294           To compile it as a module, choose M here.  If unsure, say N.
 295
 296 endif # IP6_NF_NAT
 297
 298 endif # IP6_NF_IPTABLES
 299
 300 endmenu
 301