Commit | Line | Data |
---|---|---|
1da177e4 LT | 1 | # |
2 | # IP netfilter configuration | |
3 | # | |
4 | ||
5 | menu "IPv6: Netfilter Configuration (EXPERIMENTAL)" | |
6 | depends on INET && IPV6 && NETFILTER && EXPERIMENTAL | |
7 | ||
8 | #tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP6_NF_CONNTRACK | |
9 | #if [ "$CONFIG_IP6_NF_CONNTRACK" != "n" ]; then | |
10 | # dep_tristate ' FTP protocol support' CONFIG_IP6_NF_FTP $CONFIG_IP6_NF_CONNTRACK | |
11 | #fi | |
12 | config IP6_NF_QUEUE | |
13 | tristate "Userspace queueing via NETLINK" | |
14 | ---help--- | |
15 | ||
16 | This option adds a queue handler to the kernel for IPv6 | |
17 | packets which lets us receive the filtered packets | |
18 | with QUEUE target using libiptc as we can do with | |
19 | the IPv4 now. | |
20 | ||
21 | (C) Fernando Anton 2001 | |
22 | IPv64 Project - Work based in IPv64 draft by Arturo Azcorra. | |
23 | Universidad Carlos III de Madrid | |
24 | Universidad Politecnica de Alcala de Henares | |
25 | email: <fanton@it.uc3m.es>. | |
26 | ||
27 | To compile it as a module, choose M here. If unsure, say N. | |
28 | ||
29 | config IP6_NF_IPTABLES | |
30 | tristate "IP6 tables support (required for filtering/masq/NAT)" | |
31 | help | |
32 | ip6tables is a general, extensible packet identification framework. | |
33 | Currently only the packet filtering and packet mangling subsystems | |
34 | for IPv6 use this, but connection tracking is going to follow. | |
35 | Say 'Y' or 'M' here if you want to use either of those. | |
36 | ||
37 | To compile it as a module, choose M here. If unsure, say N. | |
38 | ||
39 | # The simple matches. | |
40 | config IP6_NF_MATCH_LIMIT | |
41 | tristate "limit match support" | |
42 | depends on IP6_NF_IPTABLES | |
43 | help | |
44 | limit matching allows you to control the rate at which a rule can be | |
45 | matched: mainly useful in combination with the LOG target ("LOG | |
46 | target support", below) and to avoid some Denial of Service attacks. | |
47 | ||
48 | To compile it as a module, choose M here. If unsure, say N. | |
49 | ||
50 | config IP6_NF_MATCH_MAC | |
51 | tristate "MAC address match support" | |
52 | depends on IP6_NF_IPTABLES | |
53 | help | |
54 | mac matching allows you to match packets based on the source | |
55 | Ethernet address of the packet. | |
56 | ||
57 | To compile it as a module, choose M here. If unsure, say N. | |
58 | ||
59 | config IP6_NF_MATCH_RT | |
60 | tristate "Routing header match support" | |
61 | depends on IP6_NF_IPTABLES | |
62 | help | |
63 | rt matching allows you to match packets based on the routing | |
64 | header of the packet. | |
65 | ||
66 | To compile it as a module, choose M here. If unsure, say N. | |
67 | ||
68 | config IP6_NF_MATCH_OPTS | |
69 | tristate "Hop-by-hop and Dst opts header match support" | |
70 | depends on IP6_NF_IPTABLES | |
71 | help | |
72 | This allows one to match packets based on the hop-by-hop | |
73 | and destination options headers of a packet. | |
74 | ||
75 | To compile it as a module, choose M here. If unsure, say N. | |
76 | ||
77 | config IP6_NF_MATCH_FRAG | |
78 | tristate "Fragmentation header match support" | |
79 | depends on IP6_NF_IPTABLES | |
80 | help | |
81 | frag matching allows you to match packets based on the fragmentation | |
82 | header of the packet. | |
83 | ||
84 | To compile it as a module, choose M here. If unsure, say N. | |
85 | ||
86 | config IP6_NF_MATCH_HL | |
87 | tristate "HL match support" | |
88 | depends on IP6_NF_IPTABLES | |
89 | help | |
90 | HL matching allows you to match packets based on the hop | |
91 | limit of the packet. | |
92 | ||
93 | To compile it as a module, choose M here. If unsure, say N. | |
94 | ||
95 | config IP6_NF_MATCH_MULTIPORT | |
96 | tristate "Multiple port match support" | |
97 | depends on IP6_NF_IPTABLES | |
98 | help | |
99 | Multiport matching allows you to match TCP or UDP packets based on | |
100 | a series of source or destination ports: normally a rule can only | |
101 | match a single range of ports. | |
102 | ||
103 | To compile it as a module, choose M here. If unsure, say N. | |
104 | ||
105 | config IP6_NF_MATCH_OWNER | |
106 | tristate "Owner match support" | |
107 | depends on IP6_NF_IPTABLES | |
108 | help | |
109 | Packet owner matching allows you to match locally-generated packets | |
110 | based on who created them: the user, group, process or session. | |
111 | ||
112 | To compile it as a module, choose M here. If unsure, say N. | |
113 | ||
114 | # dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES | |
115 | config IP6_NF_MATCH_MARK | |
116 | tristate "netfilter MARK match support" | |
117 | depends on IP6_NF_IPTABLES | |
118 | help | |
119 | Netfilter mark matching allows you to match packets based on the | |
120 | `nfmark' value in the packet. This can be set by the MARK target | |
121 | (see below). | |
122 | ||
123 | To compile it as a module, choose M here. If unsure, say N. | |
124 | ||
125 | config IP6_NF_MATCH_IPV6HEADER | |
126 | tristate "IPv6 Extension Headers Match" | |
127 | depends on IP6_NF_IPTABLES | |
128 | help | |
129 | This module allows one to match packets based upon | |
130 | the IPv6 extension headers. | |
131 | ||
132 | To compile it as a module, choose M here. If unsure, say N. | |
133 | ||
134 | config IP6_NF_MATCH_AHESP | |
135 | tristate "AH/ESP match support" | |
136 | depends on IP6_NF_IPTABLES | |
137 | help | |
138 | This module allows one to match AH and ESP packets. | |
139 | ||
140 | To compile it as a module, choose M here. If unsure, say N. | |
141 | ||
142 | config IP6_NF_MATCH_LENGTH | |
143 | tristate "Packet Length match support" | |
144 | depends on IP6_NF_IPTABLES | |
145 | help | |
146 | This option allows you to match the length of a packet against a | |
147 | specific value or range of values. | |
148 | ||
149 | To compile it as a module, choose M here. If unsure, say N. | |
150 | ||
151 | config IP6_NF_MATCH_EUI64 | |
152 | tristate "EUI64 address check" | |
153 | depends on IP6_NF_IPTABLES | |
154 | help | |
155 | This module performs checking on the IPv6 source address. | |
156 | It compares the last 64 bits with the EUI64 address (derived | |
157 | from the MAC address). | |
158 | ||
159 | To compile it as a module, choose M here. If unsure, say N. | |
160 | ||
161 | config IP6_NF_MATCH_PHYSDEV | |
162 | tristate "Physdev match support" | |
163 | depends on IP6_NF_IPTABLES && BRIDGE_NETFILTER | |
164 | help | |
165 | Physdev packet matching matches against the physical bridge ports | |
166 | the IP packet arrived on or will leave by. | |
167 | ||
168 | To compile it as a module, choose M here. If unsure, say N. | |
169 | ||
170 | # dep_tristate ' Multiple port match support' CONFIG_IP6_NF_MATCH_MULTIPORT $CONFIG_IP6_NF_IPTABLES | |
171 | # dep_tristate ' TOS match support' CONFIG_IP6_NF_MATCH_TOS $CONFIG_IP6_NF_IPTABLES | |
172 | # if [ "$CONFIG_IP6_NF_CONNTRACK" != "n" ]; then | |
173 | # dep_tristate ' Connection state match support' CONFIG_IP6_NF_MATCH_STATE $CONFIG_IP6_NF_CONNTRACK $CONFIG_IP6_NF_IPTABLES | |
174 | # fi | |
175 | # if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then | |
176 | # dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_UNCLEAN $CONFIG_IP6_NF_IPTABLES | |
177 | # dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_OWNER $CONFIG_IP6_NF_IPTABLES | |
178 | # fi | |
179 | # The targets | |
180 | config IP6_NF_FILTER | |
181 | tristate "Packet filtering" | |
182 | depends on IP6_NF_IPTABLES | |
183 | help | |
184 | Packet filtering defines a table `filter', which has a series of | |
185 | rules for simple packet filtering at local input, forwarding and | |
186 | local output. See the man page for iptables(8). | |
187 | ||
188 | To compile it as a module, choose M here. If unsure, say N. | |
189 | ||
190 | config IP6_NF_TARGET_LOG | |
191 | tristate "LOG target support" | |
192 | depends on IP6_NF_FILTER | |
193 | help | |
194 | This option adds a `LOG' target, which allows you to create rules in | |
195 | any iptables table which record the packet header to the syslog. | |
196 | ||
197 | To compile it as a module, choose M here. If unsure, say N. | |
198 | ||
199 | # if [ "$CONFIG_IP6_NF_FILTER" != "n" ]; then | |
200 | # dep_tristate ' REJECT target support' CONFIG_IP6_NF_TARGET_REJECT $CONFIG_IP6_NF_FILTER | |
201 | # if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then | |
202 | # dep_tristate ' MIRROR target support (EXPERIMENTAL)' CONFIG_IP6_NF_TARGET_MIRROR $CONFIG_IP6_NF_FILTER | |
203 | # fi | |
204 | # fi | |
205 | config IP6_NF_MANGLE | |
206 | tristate "Packet mangling" | |
207 | depends on IP6_NF_IPTABLES | |
208 | help | |
209 | This option adds a `mangle' table to iptables: see the man page for | |
210 | iptables(8). This table is used for various packet alterations | |
211 | which can affect how the packet is routed. | |
212 | ||
213 | To compile it as a module, choose M here. If unsure, say N. | |
214 | ||
215 | # dep_tristate ' TOS target support' CONFIG_IP6_NF_TARGET_TOS $CONFIG_IP_NF_MANGLE | |
216 | config IP6_NF_TARGET_MARK | |
217 | tristate "MARK target support" | |
218 | depends on IP6_NF_MANGLE | |
219 | help | |
220 | This option adds a `MARK' target, which allows you to create rules | |
221 | in the `mangle' table which alter the netfilter mark (nfmark) field | |
222 | associated with the packet prior to routing. This can change | |
223 | the routing method (see `Use netfilter MARK value as routing | |
224 | key') and can also be used by other subsystems to change their | |
225 | behavior. | |
226 | ||
227 | To compile it as a module, choose M here. If unsure, say N. | |
228 | ||
229 | #dep_tristate ' LOG target support' CONFIG_IP6_NF_TARGET_LOG $CONFIG_IP6_NF_IPTABLES | |
230 | config IP6_NF_RAW | |
231 | tristate 'raw table support (required for TRACE)' | |
232 | depends on IP6_NF_IPTABLES | |
233 | help | |
234 | This option adds a `raw' table to ip6tables. This table is the very | |
235 | first in the netfilter framework and hooks in at the PREROUTING | |
236 | and OUTPUT chains. | |
237 | ||
238 | If you want to compile it as a module, say M here and read | |
239 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
240 | ||
241 | endmenu | |
242 |