[mirror_ubuntu-bionic-kernel.git] / net / ipv6 / netfilter / Kconfig

#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_DEFRAG_IPV6
	tristate
	default n

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_TABLES

config NF_TABLES_IPV6
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NF_TABLES_IPV6
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.

endif # NF_NAT_IPV6

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address
	  Compares the last 64 bits with the EUI64 (delivered
	  from the MAC address) address

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_RAW
	tristate  'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
       tristate "Security table"
       depends on SECURITY
       depends on NETFILTER_ADVANCED
       help
         This option adds a `security' table to iptables, for use
         with Mandatory Access Control (MAC) policy.

         If unsure, say N.

config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu
Commit	Line	Data
1da177e4 LT	1	#
	2	# IP netfilter configuration
	3	#
	4
8ce22fca PM	5	menu "IPv6: Netfilter Configuration"
8ce22fca PM	6	depends on INET && IPV6 && NETFILTER
1da177e4	7
f6318e55 KK	8	config NF_DEFRAG_IPV6
	9	tristate
	10	default n
	11
9bdf87d9	12	config NF_CONNTRACK_IPV6
8ce22fca PM	13	tristate "IPv6 connection tracking support"
8ce22fca PM	14	depends on INET && IPV6 && NF_CONNTRACK
33b8e776	15	default m if NETFILTER_ADVANCED=n
f6318e55	16	select NF_DEFRAG_IPV6
9bdf87d9 YK	17	---help---
	18	Connection tracking keeps a record of what packets have passed
	19	through your machine, in order to figure out how they are related
	20	into connections.
	21
	22	This is IPv6 support on Layer 3 independent connection tracking.
	23	Layer 3 independent connection tracking is experimental scheme
	24	which generalize ip_conntrack to support other layer 3 protocols.
	25
	26	To compile it as a module, choose M here. If unsure, say N.
58a317f1	27
f04e599e PNA	28	if NF_TABLES
f04e599e PNA	29
96518518	30	config NF_TABLES_IPV6
96518518	31	tristate "IPv6 nf_tables support"
d497c635 PNA	32	help
d497c635 PNA	33	This option enables the IPv6 support for nf_tables.
96518518	34
f04e599e PNA	35	if NF_TABLES_IPV6
f04e599e PNA	36
9370761c	37	config NFT_CHAIN_ROUTE_IPV6
9370761c	38	tristate "IPv6 nf_tables route chain support"
d497c635 PNA	39	help
	40	This option enables the "route" chain for IPv6 in nf_tables. This
	41	chain type is used to force packet re-routing after mangling header
	42	fields such as the source, destination, flowlabel, hop-limit and
	43	the packet mark.
96518518	44
cc4723ca	45	config NFT_REJECT_IPV6
c8d7b98b	46	select NF_REJECT_IPV6
cc4723ca PM	47	default NFT_REJECT
	48	tristate
	49
d877f071 PNA	50	config NFT_DUP_IPV6
d877f071 PNA	51	tristate "IPv6 nf_tables packet duplication support"
d3340b79	52	depends on !NF_CONNTRACK \|\| NF_CONNTRACK
d877f071 PNA	53	select NF_DUP_IPV6
	54	help
	55	This module enables IPv6 packet duplication support for nf_tables.
	56
f04e599e PNA	57	endif # NF_TABLES_IPV6
	58	endif # NF_TABLES
	59
bbde9fc1 PNA	60	config NF_DUP_IPV6
bbde9fc1 PNA	61	tristate "Netfilter IPv6 packet duplication to alternate destination"
6ece90f9	62	depends on !NF_CONNTRACK \|\| NF_CONNTRACK
bbde9fc1 PNA	63	help
	64	This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	65	packet to be rerouted to another destination.
	66
f04e599e PNA	67	config NF_REJECT_IPV6
	68	tristate "IPv6 packet rejection"
	69	default m if NETFILTER_ADVANCED=n
	70
c1878869 PNA	71	config NF_LOG_IPV6
c1878869 PNA	72	tristate "IPv6 packet logging"
41ad82f7	73	default m if NETFILTER_ADVANCED=n
c1878869 PNA	74	select NF_LOG_COMMON
c1878869 PNA	75
8993cf8e PNA	76	config NF_NAT_IPV6
	77	tristate "IPv6 NAT"
	78	depends on NF_CONNTRACK_IPV6
	79	depends on NETFILTER_ADVANCED
	80	select NF_NAT
	81	help
	82	The IPv6 NAT option allows masquerading, port forwarding and other
	83	forms of full Network Address Port Translation. This can be
	84	controlled by iptables or nft.
	85
3e8dc212 PNA	86	if NF_NAT_IPV6
	87
	88	config NFT_CHAIN_NAT_IPV6
	89	depends on NF_TABLES_IPV6
	90	tristate "IPv6 nf_tables nat chain support"
	91	help
	92	This option enables the "nat" chain for IPv6 in nf_tables. This
	93	chain type is used to perform Network Address Translation (NAT)
	94	packet transformations such as the source, destination address and
	95	source and destination ports.
	96
0bbe80e5 PNA	97	config NF_NAT_MASQUERADE_IPV6
	98	tristate "IPv6 masquerade support"
	99	help
	100	This is the kernel functionality to provide NAT in the masquerade
	101	flavour (automatic source address selection) for IPv6.
	102
	103	config NFT_MASQ_IPV6
	104	tristate "IPv6 masquerade support for nf_tables"
	105	depends on NF_TABLES_IPV6
	106	depends on NFT_MASQ
	107	select NF_NAT_MASQUERADE_IPV6
	108	help
	109	This is the expression that provides IPv4 masquerading support for
	110	nf_tables.
	111
e9105f1b AB	112	config NFT_REDIR_IPV6
	113	tristate "IPv6 redirect support for nf_tables"
	114	depends on NF_TABLES_IPV6
	115	depends on NFT_REDIR
b59eaf9e	116	select NF_NAT_REDIRECT
e9105f1b AB	117	help
	118	This is the expression that provides IPv4 redirect support for
	119	nf_tables.
	120
3e8dc212 PNA	121	endif # NF_NAT_IPV6
3e8dc212 PNA	122
1da177e4	123	config IP6_NF_IPTABLES
844dc7c8	124	tristate "IP6 tables support (required for filtering)"
8ce22fca	125	depends on INET && IPV6
a3c941b0	126	select NETFILTER_XTABLES
33b8e776	127	default m if NETFILTER_ADVANCED=n
1da177e4 LT	128	help
	129	ip6tables is a general, extensible packet identification framework.
	130	Currently only the packet filtering and packet mangling subsystem
	131	for IPv6 use this, but connection tracking is going to follow.
	132	Say 'Y' or 'M' here if you want to use either of those.
	133
	134	To compile it as a module, choose M here. If unsure, say N.
	135
c2df73de JE	136	if IP6_NF_IPTABLES
c2df73de JE	137
1da177e4	138	# The simple matches.
aba0d348 JE	139	config IP6_NF_MATCH_AH
aba0d348 JE	140	tristate '"ah" match support'
33b8e776	141	depends on NETFILTER_ADVANCED
1da177e4	142	help
aba0d348	143	This module allows one to match AH packets.
1da177e4 LT	144
	145	To compile it as a module, choose M here. If unsure, say N.
	146
aba0d348 JE	147	config IP6_NF_MATCH_EUI64
aba0d348 JE	148	tristate '"eui64" address check'
33b8e776	149	depends on NETFILTER_ADVANCED
1da177e4	150	help
aba0d348 JE	151	This module performs checking on the IPv6 source address
	152	Compares the last 64 bits with the EUI64 (delivered
	153	from the MAC address) address
1da177e4 LT	154
	155	To compile it as a module, choose M here. If unsure, say N.
	156
	157	config IP6_NF_MATCH_FRAG
4c37799c	158	tristate '"frag" Fragmentation header match support'
33b8e776	159	depends on NETFILTER_ADVANCED
1da177e4 LT	160	help
	161	frag matching allows you to match packets based on the fragmentation
	162	header of the packet.
	163
	164	To compile it as a module, choose M here. If unsure, say N.
	165
aba0d348 JE	166	config IP6_NF_MATCH_OPTS
aba0d348 JE	167	tristate '"hbh" hop-by-hop and "dst" opts header match support'
aba0d348 JE	168	depends on NETFILTER_ADVANCED
	169	help
	170	This allows one to match packets based on the hop-by-hop
	171	and destination options headers of a packet.
	172
	173	To compile it as a module, choose M here. If unsure, say N.
	174
4323362e JE	175	config IP6_NF_MATCH_HL
	176	tristate '"hl" hoplimit match support'
	177	depends on NETFILTER_ADVANCED
	178	select NETFILTER_XT_MATCH_HL
	179	---help---
	180	This is a backwards-compat option for the user's convenience
	181	(e.g. when running oldconfig). It selects
8dd1d047	182	CONFIG_NETFILTER_XT_MATCH_HL.
4323362e	183
1da177e4	184	config IP6_NF_MATCH_IPV6HEADER
4c37799c	185	tristate '"ipv6header" IPv6 Extension Headers Match'
44c45eb9	186	default m if NETFILTER_ADVANCED=n
1da177e4 LT	187	help
	188	This module allows one to match packets based upon
	189	the ipv6 extension headers.
	190
	191	To compile it as a module, choose M here. If unsure, say N.
	192
a0ca215a	193	config IP6_NF_MATCH_MH
4c37799c	194	tristate '"mh" match support'
33b8e776	195	depends on NETFILTER_ADVANCED
a0ca215a MN	196	help
	197	This module allows one to match MH packets.
	198
	199	To compile it as a module, choose M here. If unsure, say N.
	200
e26f9a48 FW	201	config IP6_NF_MATCH_RPFILTER
e26f9a48 FW	202	tristate '"rpfilter" reverse path filter match support'
f09becc7 PNA	203	depends on NETFILTER_ADVANCED
f09becc7 PNA	204	depends on IP6_NF_MANGLE \|\| IP6_NF_RAW
e26f9a48 FW	205	---help---
	206	This option allows you to match packets whose replies would
	207	go out via the interface the packet came in.
	208
	209	To compile it as a module, choose M here. If unsure, say N.
	210	The module will be called ip6t_rpfilter.
	211
aba0d348 JE	212	config IP6_NF_MATCH_RT
aba0d348 JE	213	tristate '"rt" Routing header match support'
33b8e776	214	depends on NETFILTER_ADVANCED
1da177e4	215	help
aba0d348 JE	216	rt matching allows you to match packets based on the routing
aba0d348 JE	217	header of the packet.
1da177e4 LT	218
	219	To compile it as a module, choose M here. If unsure, say N.
	220
1da177e4	221	# The targets
4323362e JE	222	config IP6_NF_TARGET_HL
4323362e JE	223	tristate '"HL" hoplimit target support'
76b6717b	224	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
4323362e JE	225	select NETFILTER_XT_TARGET_HL
4323362e JE	226	---help---
76b6717b	227	This is a backwards-compatible option for the user's convenience
4323362e	228	(e.g. when running oldconfig). It selects
8dd1d047	229	CONFIG_NETFILTER_XT_TARGET_HL.
4323362e	230
2203eb47 JE	231	config IP6_NF_FILTER
2203eb47 JE	232	tristate "Packet filtering"
33b8e776	233	default m if NETFILTER_ADVANCED=n
1da177e4	234	help
2203eb47 JE	235	Packet filtering defines a table `filter', which has a series of
	236	rules for simple packet filtering at local input, forwarding and
	237	local output. See the man page for iptables(8).
1da177e4 LT	238
	239	To compile it as a module, choose M here. If unsure, say N.
	240
764d8a9f PM	241	config IP6_NF_TARGET_REJECT
	242	tristate "REJECT target support"
	243	depends on IP6_NF_FILTER
c8d7b98b	244	select NF_REJECT_IPV6
33b8e776	245	default m if NETFILTER_ADVANCED=n
764d8a9f PM	246	help
	247	The REJECT target allows a filtering rule to specify that an ICMPv6
	248	error should be issued in response to an incoming packet, rather
	249	than silently being dropped.
	250
	251	To compile it as a module, choose M here. If unsure, say N.
	252
4ad36228 PM	253	config IP6_NF_TARGET_SYNPROXY
	254	tristate "SYNPROXY target support"
	255	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	256	select NETFILTER_SYNPROXY
	257	select SYN_COOKIES
	258	help
	259	The SYNPROXY target allows you to intercept TCP connections and
	260	establish them using syncookies before they are passed on to the
	261	server. This allows to avoid conntrack and server resource usage
	262	during SYN-flood attacks.
	263
	264	To compile it as a module, choose M here. If unsure, say N.
	265
1da177e4 LT	266	config IP6_NF_MANGLE
1da177e4 LT	267	tristate "Packet mangling"
33b8e776	268	default m if NETFILTER_ADVANCED=n
1da177e4 LT	269	help
	270	This option adds a `mangle' table to iptables: see the man page for
	271	iptables(8). This table is used for various packet alterations
	272	which can effect how the packet is routed.
	273
	274	To compile it as a module, choose M here. If unsure, say N.
1da177e4	275
1da177e4 LT	276	config IP6_NF_RAW
1da177e4 LT	277	tristate 'raw table support (required for TRACE)'
1da177e4 LT	278	help
	279	This option adds a `raw' table to ip6tables. This table is the very
	280	first in the netfilter framework and hooks in at the PREROUTING
	281	and OUTPUT chains.
33b8e776	282
1da177e4	283	If you want to compile it as a module, say M here and read
39f5fb30	284	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1da177e4	285
17e6e59f JM	286	# security table for MAC policy
	287	config IP6_NF_SECURITY
	288	tristate "Security table"
17e6e59f	289	depends on SECURITY
70eed75d	290	depends on NETFILTER_ADVANCED
17e6e59f JM	291	help
	292	This option adds a `security' table to iptables, for use
	293	with Mandatory Access Control (MAC) policy.
b0041d1b	294
17e6e59f JM	295	If unsure, say N.
17e6e59f JM	296
8993cf8e PNA	297	config IP6_NF_NAT
8993cf8e PNA	298	tristate "ip6tables NAT support"
b0041d1b PNA	299	depends on NF_CONNTRACK_IPV6
	300	depends on NETFILTER_ADVANCED
	301	select NF_NAT
8993cf8e PNA	302	select NF_NAT_IPV6
8993cf8e PNA	303	select NETFILTER_XT_NAT
b0041d1b	304	help
8993cf8e PNA	305	This enables the `nat' table in ip6tables. This allows masquerading,
	306	port forwarding and other forms of full Network Address Port
	307	Translation.
b0041d1b PNA	308
	309	To compile it as a module, choose M here. If unsure, say N.
	310
8993cf8e	311	if IP6_NF_NAT
b0041d1b PNA	312
	313	config IP6_NF_TARGET_MASQUERADE
	314	tristate "MASQUERADE target support"
be6b635c	315	select NF_NAT_MASQUERADE_IPV6
b0041d1b PNA	316	help
	317	Masquerading is a special case of NAT: all outgoing connections are
	318	changed to seem to come from a particular interface's address, and
	319	if the interface goes down, those connections are lost. This is
	320	only useful for dialup accounts with dynamic IP address (ie. your IP
	321	address will be different on next dialup).
	322
	323	To compile it as a module, choose M here. If unsure, say N.
	324
b0041d1b PNA	325	config IP6_NF_TARGET_NPT
	326	tristate "NPT (Network Prefix translation) target support"
	327	help
	328	This option adds the `SNPT' and `DNPT' target, which perform
	329	stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
	330
	331	To compile it as a module, choose M here. If unsure, say N.
	332
8993cf8e	333	endif # IP6_NF_NAT
b0041d1b	334
c2df73de JE	335	endif # IP6_NF_IPTABLES
c2df73de JE	336
1da177e4 LT	337	endmenu
1da177e4 LT	338