Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | # |
2 | # IP netfilter configuration | |
3 | # | |
4 | ||
8ce22fca PM |
5 | menu "IPv6: Netfilter Configuration" |
6 | depends on INET && IPV6 && NETFILTER | |
1da177e4 | 7 | |
8db4c5be PNA |
8 | config NF_SOCKET_IPV6 |
9 | tristate "IPv6 socket lookup support" | |
10 | help | |
11 | This option enables the IPv6 socket lookup infrastructure. This | |
45ca4e0c ME |
12 | is used by the {ip6,nf}tables socket match. |
13 | ||
14 | config NF_TPROXY_IPV6 | |
15 | tristate "IPv6 tproxy support" | |
8db4c5be | 16 | |
f04e599e PNA |
17 | if NF_TABLES |
18 | ||
96518518 | 19 | config NF_TABLES_IPV6 |
02c7b25e | 20 | bool "IPv6 nf_tables support" |
d497c635 PNA |
21 | help |
22 | This option enables the IPv6 support for nf_tables. | |
96518518 | 23 | |
f04e599e PNA |
24 | if NF_TABLES_IPV6 |
25 | ||
9370761c | 26 | config NFT_CHAIN_ROUTE_IPV6 |
9370761c | 27 | tristate "IPv6 nf_tables route chain support" |
d497c635 PNA |
28 | help |
29 | This option enables the "route" chain for IPv6 in nf_tables. This | |
30 | chain type is used to force packet re-routing after mangling header | |
31 | fields such as the source, destination, flowlabel, hop-limit and | |
32 | the packet mark. | |
96518518 | 33 | |
39f2ff08 PNA |
34 | if NF_NAT_IPV6 |
35 | ||
36 | config NFT_CHAIN_NAT_IPV6 | |
37 | tristate "IPv6 nf_tables nat chain support" | |
38 | help | |
39 | This option enables the "nat" chain for IPv6 in nf_tables. This | |
40 | chain type is used to perform Network Address Translation (NAT) | |
41 | packet transformations such as the source, destination address and | |
42 | source and destination ports. | |
43 | ||
44 | config NFT_MASQ_IPV6 | |
45 | tristate "IPv6 masquerade support for nf_tables" | |
46 | depends on NFT_MASQ | |
47 | select NF_NAT_MASQUERADE_IPV6 | |
48 | help | |
49 | This is the expression that provides IPv6 masquerading support for | |
50 | nf_tables. | |
51 | ||
52 | config NFT_REDIR_IPV6 | |
53 | tristate "IPv6 redirect support for nf_tables" | |
54 | depends on NFT_REDIR | |
55 | select NF_NAT_REDIRECT | |
56 | help | |
57 | This is the expression that provides IPv6 redirect support for | |
58 | nf_tables. | |
59 | ||
60 | endif # NF_NAT_IPV6 | |
61 | ||
cc4723ca | 62 | config NFT_REJECT_IPV6 |
c8d7b98b | 63 | select NF_REJECT_IPV6 |
cc4723ca PM |
64 | default NFT_REJECT |
65 | tristate | |
66 | ||
d877f071 PNA |
67 | config NFT_DUP_IPV6 |
68 | tristate "IPv6 nf_tables packet duplication support" | |
d3340b79 | 69 | depends on !NF_CONNTRACK || NF_CONNTRACK |
d877f071 PNA |
70 | select NF_DUP_IPV6 |
71 | help | |
72 | This module enables IPv6 packet duplication support for nf_tables. | |
73 | ||
f6d0cbcf FW |
74 | config NFT_FIB_IPV6 |
75 | tristate "nf_tables fib / ipv6 route lookup support" | |
76 | select NFT_FIB | |
77 | help | |
78 | This module enables IPv6 FIB lookups, e.g. for reverse path filtering. | |
79 | It also allows query of the FIB for the route type, e.g. local, unicast, | |
80 | multicast or blackhole. | |
81 | ||
f04e599e PNA |
82 | endif # NF_TABLES_IPV6 |
83 | endif # NF_TABLES | |
84 | ||
09952107 | 85 | config NF_FLOW_TABLE_IPV6 |
09952107 | 86 | tristate "Netfilter flow table IPv6 module" |
6be3bcd7 | 87 | depends on NF_FLOW_TABLE |
09952107 PNA |
88 | help |
89 | This option adds the flow table IPv6 support. | |
90 | ||
91 | To compile it as a module, choose M here. | |
92 | ||
bbde9fc1 PNA |
93 | config NF_DUP_IPV6 |
94 | tristate "Netfilter IPv6 packet duplication to alternate destination" | |
6ece90f9 | 95 | depends on !NF_CONNTRACK || NF_CONNTRACK |
bbde9fc1 PNA |
96 | help |
97 | This option enables the nf_dup_ipv6 core, which duplicates an IPv6 | |
98 | packet to be rerouted to another destination. | |
99 | ||
f04e599e PNA |
100 | config NF_REJECT_IPV6 |
101 | tristate "IPv6 packet rejection" | |
102 | default m if NETFILTER_ADVANCED=n | |
103 | ||
c1878869 PNA |
104 | config NF_LOG_IPV6 |
105 | tristate "IPv6 packet logging" | |
41ad82f7 | 106 | default m if NETFILTER_ADVANCED=n |
c1878869 PNA |
107 | select NF_LOG_COMMON |
108 | ||
8993cf8e PNA |
109 | config NF_NAT_IPV6 |
110 | tristate "IPv6 NAT" | |
a0ae2562 | 111 | depends on NF_CONNTRACK |
8993cf8e PNA |
112 | depends on NETFILTER_ADVANCED |
113 | select NF_NAT | |
114 | help | |
115 | The IPv6 NAT option allows masquerading, port forwarding and other | |
116 | forms of full Network Address Port Translation. This can be | |
117 | controlled by iptables or nft. | |
118 | ||
3e8dc212 PNA |
119 | if NF_NAT_IPV6 |
120 | ||
0bbe80e5 | 121 | config NF_NAT_MASQUERADE_IPV6 |
0168e8b3 | 122 | bool |
0bbe80e5 | 123 | |
3e8dc212 PNA |
124 | endif # NF_NAT_IPV6 |
125 | ||
1da177e4 | 126 | config IP6_NF_IPTABLES |
844dc7c8 | 127 | tristate "IP6 tables support (required for filtering)" |
8ce22fca | 128 | depends on INET && IPV6 |
a3c941b0 | 129 | select NETFILTER_XTABLES |
33b8e776 | 130 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT |
131 | help |
132 | ip6tables is a general, extensible packet identification framework. | |
133 | Currently only the packet filtering and packet mangling subsystem | |
134 | for IPv6 use this, but connection tracking is going to follow. | |
135 | Say 'Y' or 'M' here if you want to use either of those. | |
136 | ||
137 | To compile it as a module, choose M here. If unsure, say N. | |
138 | ||
c2df73de JE |
139 | if IP6_NF_IPTABLES |
140 | ||
1da177e4 | 141 | # The simple matches. |
aba0d348 JE |
142 | config IP6_NF_MATCH_AH |
143 | tristate '"ah" match support' | |
33b8e776 | 144 | depends on NETFILTER_ADVANCED |
1da177e4 | 145 | help |
aba0d348 | 146 | This module allows one to match AH packets. |
1da177e4 LT |
147 | |
148 | To compile it as a module, choose M here. If unsure, say N. | |
149 | ||
aba0d348 JE |
150 | config IP6_NF_MATCH_EUI64 |
151 | tristate '"eui64" address check' | |
33b8e776 | 152 | depends on NETFILTER_ADVANCED |
1da177e4 | 153 | help |
aba0d348 JE |
154 | This module performs checking on the IPv6 source address. |
155 | It compares the last 64 bits with the EUI64 (derived | |
156 | from the MAC address) address. | |
1da177e4 LT |
157 | |
158 | To compile it as a module, choose M here. If unsure, say N. | |
159 | ||
160 | config IP6_NF_MATCH_FRAG | |
4c37799c | 161 | tristate '"frag" Fragmentation header match support' |
33b8e776 | 162 | depends on NETFILTER_ADVANCED |
1da177e4 LT |
163 | help |
164 | frag matching allows you to match packets based on the fragmentation | |
165 | header of the packet. | |
166 | ||
167 | To compile it as a module, choose M here. If unsure, say N. | |
168 | ||
aba0d348 JE |
169 | config IP6_NF_MATCH_OPTS |
170 | tristate '"hbh" hop-by-hop and "dst" opts header match support' | |
aba0d348 JE |
171 | depends on NETFILTER_ADVANCED |
172 | help | |
173 | This allows one to match packets based on the hop-by-hop | |
174 | and destination options headers of a packet. | |
175 | ||
176 | To compile it as a module, choose M here. If unsure, say N. | |
177 | ||
4323362e JE |
178 | config IP6_NF_MATCH_HL |
179 | tristate '"hl" hoplimit match support' | |
180 | depends on NETFILTER_ADVANCED | |
181 | select NETFILTER_XT_MATCH_HL | |
182 | ---help--- | |
183 | This is a backwards-compat option for the user's convenience | |
184 | (e.g. when running oldconfig). It selects | |
8dd1d047 | 185 | CONFIG_NETFILTER_XT_MATCH_HL. |
4323362e | 186 | |
1da177e4 | 187 | config IP6_NF_MATCH_IPV6HEADER |
4c37799c | 188 | tristate '"ipv6header" IPv6 Extension Headers Match' |
44c45eb9 | 189 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT |
190 | help |
191 | This module allows one to match packets based upon | |
192 | the ipv6 extension headers. | |
193 | ||
194 | To compile it as a module, choose M here. If unsure, say N. | |
195 | ||
a0ca215a | 196 | config IP6_NF_MATCH_MH |
4c37799c | 197 | tristate '"mh" match support' |
33b8e776 | 198 | depends on NETFILTER_ADVANCED |
a0ca215a MN |
199 | help |
200 | This module allows one to match MH packets. | |
201 | ||
202 | To compile it as a module, choose M here. If unsure, say N. | |
203 | ||
e26f9a48 FW |
204 | config IP6_NF_MATCH_RPFILTER |
205 | tristate '"rpfilter" reverse path filter match support' | |
f09becc7 PNA |
206 | depends on NETFILTER_ADVANCED |
207 | depends on IP6_NF_MANGLE || IP6_NF_RAW | |
e26f9a48 FW |
208 | ---help--- |
209 | This option allows you to match packets whose replies would | |
210 | go out via the interface the packet came in. | |
211 | ||
212 | To compile it as a module, choose M here. If unsure, say N. | |
213 | The module will be called ip6t_rpfilter. | |
214 | ||
aba0d348 JE |
215 | config IP6_NF_MATCH_RT |
216 | tristate '"rt" Routing header match support' | |
33b8e776 | 217 | depends on NETFILTER_ADVANCED |
1da177e4 | 218 | help |
aba0d348 JE |
219 | rt matching allows you to match packets based on the routing |
220 | header of the packet. | |
1da177e4 LT |
221 | |
222 | To compile it as a module, choose M here. If unsure, say N. | |
223 | ||
202a8ff5 AA |
224 | config IP6_NF_MATCH_SRH |
225 | tristate '"srh" Segment Routing header match support' | |
226 | depends on NETFILTER_ADVANCED | |
227 | help | |
228 | srh matching allows you to match packets based on the segment | |
229 | routing header of the packet. | |
230 | ||
231 | To compile it as a module, choose M here. If unsure, say N. | |
232 | ||
1da177e4 | 233 | # The targets |
4323362e JE |
234 | config IP6_NF_TARGET_HL |
235 | tristate '"HL" hoplimit target support' | |
76b6717b | 236 | depends on NETFILTER_ADVANCED && IP6_NF_MANGLE |
4323362e JE |
237 | select NETFILTER_XT_TARGET_HL |
238 | ---help--- | |
76b6717b | 239 | This is a backwards-compatible option for the user's convenience |
4323362e | 240 | (e.g. when running oldconfig). It selects |
8dd1d047 | 241 | CONFIG_NETFILTER_XT_TARGET_HL. |
4323362e | 242 | |
2203eb47 JE |
243 | config IP6_NF_FILTER |
244 | tristate "Packet filtering" | |
33b8e776 | 245 | default m if NETFILTER_ADVANCED=n |
1da177e4 | 246 | help |
2203eb47 JE |
247 | Packet filtering defines a table `filter', which has a series of |
248 | rules for simple packet filtering at local input, forwarding and | |
249 | local output. See the man page for iptables(8). | |
1da177e4 LT |
250 | |
251 | To compile it as a module, choose M here. If unsure, say N. | |
252 | ||
764d8a9f PM |
253 | config IP6_NF_TARGET_REJECT |
254 | tristate "REJECT target support" | |
255 | depends on IP6_NF_FILTER | |
c8d7b98b | 256 | select NF_REJECT_IPV6 |
33b8e776 | 257 | default m if NETFILTER_ADVANCED=n |
764d8a9f PM |
258 | help |
259 | The REJECT target allows a filtering rule to specify that an ICMPv6 | |
260 | error should be issued in response to an incoming packet, rather | |
261 | than silently being dropped. | |
262 | ||
263 | To compile it as a module, choose M here. If unsure, say N. | |
264 | ||
4ad36228 PM |
265 | config IP6_NF_TARGET_SYNPROXY |
266 | tristate "SYNPROXY target support" | |
267 | depends on NF_CONNTRACK && NETFILTER_ADVANCED | |
268 | select NETFILTER_SYNPROXY | |
269 | select SYN_COOKIES | |
270 | help | |
271 | The SYNPROXY target allows you to intercept TCP connections and | |
272 | establish them using syncookies before they are passed on to the | |
273 | server. This avoids conntrack and server resource usage | |
274 | during SYN-flood attacks. | |
275 | ||
276 | To compile it as a module, choose M here. If unsure, say N. | |
277 | ||
1da177e4 LT |
278 | config IP6_NF_MANGLE |
279 | tristate "Packet mangling" | |
33b8e776 | 280 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT |
281 | help |
282 | This option adds a `mangle' table to iptables: see the man page for | |
283 | iptables(8). This table is used for various packet alterations | |
284 | which can affect how the packet is routed. | |
285 | ||
286 | To compile it as a module, choose M here. If unsure, say N. | |
1da177e4 | 287 | |
1da177e4 LT |
288 | config IP6_NF_RAW |
289 | tristate 'raw table support (required for TRACE)' | |
1da177e4 LT |
290 | help |
291 | This option adds a `raw' table to ip6tables. This table is the very | |
292 | first in the netfilter framework and hooks in at the PREROUTING | |
293 | and OUTPUT chains. | |
33b8e776 | 294 | |
1da177e4 | 295 | If you want to compile it as a module, say M here and read |
39f5fb30 | 296 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
1da177e4 | 297 | |
17e6e59f JM |
298 | # security table for MAC policy |
299 | config IP6_NF_SECURITY | |
300 | tristate "Security table" | |
17e6e59f | 301 | depends on SECURITY |
70eed75d | 302 | depends on NETFILTER_ADVANCED |
17e6e59f JM |
303 | help |
304 | This option adds a `security' table to iptables, for use | |
305 | with Mandatory Access Control (MAC) policy. | |
b0041d1b | 306 | |
17e6e59f JM |
307 | If unsure, say N. |
308 | ||
8993cf8e PNA |
309 | config IP6_NF_NAT |
310 | tristate "ip6tables NAT support" | |
a0ae2562 | 311 | depends on NF_CONNTRACK |
b0041d1b PNA |
312 | depends on NETFILTER_ADVANCED |
313 | select NF_NAT | |
8993cf8e PNA |
314 | select NF_NAT_IPV6 |
315 | select NETFILTER_XT_NAT | |
b0041d1b | 316 | help |
8993cf8e PNA |
317 | This enables the `nat' table in ip6tables. This allows masquerading, |
318 | port forwarding and other forms of full Network Address Port | |
319 | Translation. | |
b0041d1b PNA |
320 | |
321 | To compile it as a module, choose M here. If unsure, say N. | |
322 | ||
8993cf8e | 323 | if IP6_NF_NAT |
b0041d1b PNA |
324 | |
325 | config IP6_NF_TARGET_MASQUERADE | |
326 | tristate "MASQUERADE target support" | |
be6b635c | 327 | select NF_NAT_MASQUERADE_IPV6 |
b0041d1b PNA |
328 | help |
329 | Masquerading is a special case of NAT: all outgoing connections are | |
330 | changed to seem to come from a particular interface's address, and | |
331 | if the interface goes down, those connections are lost. This is | |
332 | only useful for dialup accounts with a dynamic IP address (i.e. your IP | |
333 | address will be different on next dialup). | |
334 | ||
335 | To compile it as a module, choose M here. If unsure, say N. | |
336 | ||
b0041d1b PNA |
337 | config IP6_NF_TARGET_NPT |
338 | tristate "NPT (Network Prefix translation) target support" | |
339 | help | |
340 | This option adds the `SNPT' and `DNPT' targets, which perform | |
341 | stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296. | |
342 | ||
343 | To compile it as a module, choose M here. If unsure, say N. | |
344 | ||
8993cf8e | 345 | endif # IP6_NF_NAT |
b0041d1b | 346 | |
c2df73de | 347 | endif # IP6_NF_IPTABLES |
1da177e4 LT |
348 | endmenu |
349 | ||
a0ae2562 FW |
350 | config NF_DEFRAG_IPV6 |
351 | tristate |