[mirror_ubuntu-hirsute-kernel.git] / net / ipv6 / netfilter / Kconfig

#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the {ip6,nf}tables socket match.

config NF_TPROXY_IPV6
	tristate "IPv6 tproxy support"

if NF_TABLES

config NF_TABLES_IPV6
	bool "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on NFT_MASQ
	select NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NFT_REDIR
	select NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.

endif # NF_NAT_IPV6

config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_FLOW_TABLE_IPV6
	tristate "Netfilter flow table IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv6 support.

	  To compile it as a module, choose M here.

config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if NF_NAT_IPV6

config NF_NAT_MASQUERADE_IPV6
	bool

endif # NF_NAT_IPV6

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address
	  Compares the last 64 bits with the EUI64 (delivered
	  from the MAC address) address

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_SRH
        tristate '"srh" Segment Routing header match support'
        depends on NETFILTER_ADVANCED
        help
          srh matching allows you to match packets based on the segment
	  routing header of the packet.

          To compile it as a module, choose M here.  If unsure, say N.

# The targets
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_RAW
	tristate  'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
       tristate "Security table"
       depends on SECURITY
       depends on NETFILTER_ADVANCED
       help
         This option adds a `security' table to iptables, for use
         with Mandatory Access Control (MAC) policy.

         If unsure, say N.

config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NF_NAT_IPV6
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES
endmenu

config NF_DEFRAG_IPV6
	tristate
Commit	Line	Data
1da177e4 LT	1	#
	2	# IP netfilter configuration
	3	#
	4
8ce22fca PM	5	menu "IPv6: Netfilter Configuration"
8ce22fca PM	6	depends on INET && IPV6 && NETFILTER
1da177e4	7
8db4c5be PNA	8	config NF_SOCKET_IPV6
	9	tristate "IPv6 socket lookup support"
	10	help
	11	This option enables the IPv6 socket lookup infrastructure. This
45ca4e0c ME	12	is used by the {ip6,nf}tables socket match.
	13
	14	config NF_TPROXY_IPV6
	15	tristate "IPv6 tproxy support"
8db4c5be	16
f04e599e PNA	17	if NF_TABLES
f04e599e PNA	18
96518518	19	config NF_TABLES_IPV6
02c7b25e	20	bool "IPv6 nf_tables support"
d497c635 PNA	21	help
d497c635 PNA	22	This option enables the IPv6 support for nf_tables.
96518518	23
f04e599e PNA	24	if NF_TABLES_IPV6
f04e599e PNA	25
9370761c	26	config NFT_CHAIN_ROUTE_IPV6
9370761c	27	tristate "IPv6 nf_tables route chain support"
d497c635 PNA	28	help
	29	This option enables the "route" chain for IPv6 in nf_tables. This
	30	chain type is used to force packet re-routing after mangling header
	31	fields such as the source, destination, flowlabel, hop-limit and
	32	the packet mark.
96518518	33
39f2ff08 PNA	34	if NF_NAT_IPV6
	35
	36	config NFT_CHAIN_NAT_IPV6
	37	tristate "IPv6 nf_tables nat chain support"
	38	help
	39	This option enables the "nat" chain for IPv6 in nf_tables. This
	40	chain type is used to perform Network Address Translation (NAT)
	41	packet transformations such as the source, destination address and
	42	source and destination ports.
	43
	44	config NFT_MASQ_IPV6
	45	tristate "IPv6 masquerade support for nf_tables"
	46	depends on NFT_MASQ
	47	select NF_NAT_MASQUERADE_IPV6
	48	help
	49	This is the expression that provides IPv4 masquerading support for
	50	nf_tables.
	51
	52	config NFT_REDIR_IPV6
	53	tristate "IPv6 redirect support for nf_tables"
	54	depends on NFT_REDIR
	55	select NF_NAT_REDIRECT
	56	help
	57	This is the expression that provides IPv4 redirect support for
	58	nf_tables.
	59
	60	endif # NF_NAT_IPV6
	61
cc4723ca	62	config NFT_REJECT_IPV6
c8d7b98b	63	select NF_REJECT_IPV6
cc4723ca PM	64	default NFT_REJECT
	65	tristate
	66
d877f071 PNA	67	config NFT_DUP_IPV6
d877f071 PNA	68	tristate "IPv6 nf_tables packet duplication support"
d3340b79	69	depends on !NF_CONNTRACK \|\| NF_CONNTRACK
d877f071 PNA	70	select NF_DUP_IPV6
	71	help
	72	This module enables IPv6 packet duplication support for nf_tables.
	73
f6d0cbcf FW	74	config NFT_FIB_IPV6
	75	tristate "nf_tables fib / ipv6 route lookup support"
	76	select NFT_FIB
	77	help
	78	This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	79	It also allows query of the FIB for the route type, e.g. local, unicast,
	80	multicast or blackhole.
	81
f04e599e PNA	82	endif # NF_TABLES_IPV6
	83	endif # NF_TABLES
	84
09952107	85	config NF_FLOW_TABLE_IPV6
09952107	86	tristate "Netfilter flow table IPv6 module"
6be3bcd7	87	depends on NF_FLOW_TABLE
09952107 PNA	88	help
	89	This option adds the flow table IPv6 support.
	90
	91	To compile it as a module, choose M here.
	92
bbde9fc1 PNA	93	config NF_DUP_IPV6
bbde9fc1 PNA	94	tristate "Netfilter IPv6 packet duplication to alternate destination"
6ece90f9	95	depends on !NF_CONNTRACK \|\| NF_CONNTRACK
bbde9fc1 PNA	96	help
	97	This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	98	packet to be rerouted to another destination.
	99
f04e599e PNA	100	config NF_REJECT_IPV6
	101	tristate "IPv6 packet rejection"
	102	default m if NETFILTER_ADVANCED=n
	103
c1878869 PNA	104	config NF_LOG_IPV6
c1878869 PNA	105	tristate "IPv6 packet logging"
41ad82f7	106	default m if NETFILTER_ADVANCED=n
c1878869 PNA	107	select NF_LOG_COMMON
c1878869 PNA	108
8993cf8e PNA	109	config NF_NAT_IPV6
8993cf8e PNA	110	tristate "IPv6 NAT"
a0ae2562	111	depends on NF_CONNTRACK
8993cf8e PNA	112	depends on NETFILTER_ADVANCED
	113	select NF_NAT
	114	help
	115	The IPv6 NAT option allows masquerading, port forwarding and other
	116	forms of full Network Address Port Translation. This can be
	117	controlled by iptables or nft.
	118
3e8dc212 PNA	119	if NF_NAT_IPV6
3e8dc212 PNA	120
0bbe80e5	121	config NF_NAT_MASQUERADE_IPV6
0168e8b3	122	bool
0bbe80e5	123
3e8dc212 PNA	124	endif # NF_NAT_IPV6
3e8dc212 PNA	125
1da177e4	126	config IP6_NF_IPTABLES
844dc7c8	127	tristate "IP6 tables support (required for filtering)"
8ce22fca	128	depends on INET && IPV6
a3c941b0	129	select NETFILTER_XTABLES
33b8e776	130	default m if NETFILTER_ADVANCED=n
1da177e4 LT	131	help
	132	ip6tables is a general, extensible packet identification framework.
	133	Currently only the packet filtering and packet mangling subsystem
	134	for IPv6 use this, but connection tracking is going to follow.
	135	Say 'Y' or 'M' here if you want to use either of those.
	136
	137	To compile it as a module, choose M here. If unsure, say N.
	138
c2df73de JE	139	if IP6_NF_IPTABLES
c2df73de JE	140
1da177e4	141	# The simple matches.
aba0d348 JE	142	config IP6_NF_MATCH_AH
aba0d348 JE	143	tristate '"ah" match support'
33b8e776	144	depends on NETFILTER_ADVANCED
1da177e4	145	help
aba0d348	146	This module allows one to match AH packets.
1da177e4 LT	147
	148	To compile it as a module, choose M here. If unsure, say N.
	149
aba0d348 JE	150	config IP6_NF_MATCH_EUI64
aba0d348 JE	151	tristate '"eui64" address check'
33b8e776	152	depends on NETFILTER_ADVANCED
1da177e4	153	help
aba0d348 JE	154	This module performs checking on the IPv6 source address
	155	Compares the last 64 bits with the EUI64 (delivered
	156	from the MAC address) address
1da177e4 LT	157
	158	To compile it as a module, choose M here. If unsure, say N.
	159
	160	config IP6_NF_MATCH_FRAG
4c37799c	161	tristate '"frag" Fragmentation header match support'
33b8e776	162	depends on NETFILTER_ADVANCED
1da177e4 LT	163	help
	164	frag matching allows you to match packets based on the fragmentation
	165	header of the packet.
	166
	167	To compile it as a module, choose M here. If unsure, say N.
	168
aba0d348 JE	169	config IP6_NF_MATCH_OPTS
aba0d348 JE	170	tristate '"hbh" hop-by-hop and "dst" opts header match support'
aba0d348 JE	171	depends on NETFILTER_ADVANCED
	172	help
	173	This allows one to match packets based on the hop-by-hop
	174	and destination options headers of a packet.
	175
	176	To compile it as a module, choose M here. If unsure, say N.
	177
4323362e JE	178	config IP6_NF_MATCH_HL
	179	tristate '"hl" hoplimit match support'
	180	depends on NETFILTER_ADVANCED
	181	select NETFILTER_XT_MATCH_HL
	182	---help---
	183	This is a backwards-compat option for the user's convenience
	184	(e.g. when running oldconfig). It selects
8dd1d047	185	CONFIG_NETFILTER_XT_MATCH_HL.
4323362e	186
1da177e4	187	config IP6_NF_MATCH_IPV6HEADER
4c37799c	188	tristate '"ipv6header" IPv6 Extension Headers Match'
44c45eb9	189	default m if NETFILTER_ADVANCED=n
1da177e4 LT	190	help
	191	This module allows one to match packets based upon
	192	the ipv6 extension headers.
	193
	194	To compile it as a module, choose M here. If unsure, say N.
	195
a0ca215a	196	config IP6_NF_MATCH_MH
4c37799c	197	tristate '"mh" match support'
33b8e776	198	depends on NETFILTER_ADVANCED
a0ca215a MN	199	help
	200	This module allows one to match MH packets.
	201
	202	To compile it as a module, choose M here. If unsure, say N.
	203
e26f9a48 FW	204	config IP6_NF_MATCH_RPFILTER
e26f9a48 FW	205	tristate '"rpfilter" reverse path filter match support'
f09becc7 PNA	206	depends on NETFILTER_ADVANCED
f09becc7 PNA	207	depends on IP6_NF_MANGLE \|\| IP6_NF_RAW
e26f9a48 FW	208	---help---
	209	This option allows you to match packets whose replies would
	210	go out via the interface the packet came in.
	211
	212	To compile it as a module, choose M here. If unsure, say N.
	213	The module will be called ip6t_rpfilter.
	214
aba0d348 JE	215	config IP6_NF_MATCH_RT
aba0d348 JE	216	tristate '"rt" Routing header match support'
33b8e776	217	depends on NETFILTER_ADVANCED
1da177e4	218	help
aba0d348 JE	219	rt matching allows you to match packets based on the routing
aba0d348 JE	220	header of the packet.
1da177e4 LT	221
	222	To compile it as a module, choose M here. If unsure, say N.
	223
202a8ff5 AA	224	config IP6_NF_MATCH_SRH
	225	tristate '"srh" Segment Routing header match support'
	226	depends on NETFILTER_ADVANCED
	227	help
	228	srh matching allows you to match packets based on the segment
	229	routing header of the packet.
	230
	231	To compile it as a module, choose M here. If unsure, say N.
	232
1da177e4	233	# The targets
4323362e JE	234	config IP6_NF_TARGET_HL
4323362e JE	235	tristate '"HL" hoplimit target support'
76b6717b	236	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
4323362e JE	237	select NETFILTER_XT_TARGET_HL
4323362e JE	238	---help---
76b6717b	239	This is a backwards-compatible option for the user's convenience
4323362e	240	(e.g. when running oldconfig). It selects
8dd1d047	241	CONFIG_NETFILTER_XT_TARGET_HL.
4323362e	242
2203eb47 JE	243	config IP6_NF_FILTER
2203eb47 JE	244	tristate "Packet filtering"
33b8e776	245	default m if NETFILTER_ADVANCED=n
1da177e4	246	help
2203eb47 JE	247	Packet filtering defines a table `filter', which has a series of
	248	rules for simple packet filtering at local input, forwarding and
	249	local output. See the man page for iptables(8).
1da177e4 LT	250
	251	To compile it as a module, choose M here. If unsure, say N.
	252
764d8a9f PM	253	config IP6_NF_TARGET_REJECT
	254	tristate "REJECT target support"
	255	depends on IP6_NF_FILTER
c8d7b98b	256	select NF_REJECT_IPV6
33b8e776	257	default m if NETFILTER_ADVANCED=n
764d8a9f PM	258	help
	259	The REJECT target allows a filtering rule to specify that an ICMPv6
	260	error should be issued in response to an incoming packet, rather
	261	than silently being dropped.
	262
	263	To compile it as a module, choose M here. If unsure, say N.
	264
4ad36228 PM	265	config IP6_NF_TARGET_SYNPROXY
	266	tristate "SYNPROXY target support"
	267	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	268	select NETFILTER_SYNPROXY
	269	select SYN_COOKIES
	270	help
	271	The SYNPROXY target allows you to intercept TCP connections and
	272	establish them using syncookies before they are passed on to the
	273	server. This allows to avoid conntrack and server resource usage
	274	during SYN-flood attacks.
	275
	276	To compile it as a module, choose M here. If unsure, say N.
	277
1da177e4 LT	278	config IP6_NF_MANGLE
1da177e4 LT	279	tristate "Packet mangling"
33b8e776	280	default m if NETFILTER_ADVANCED=n
1da177e4 LT	281	help
	282	This option adds a `mangle' table to iptables: see the man page for
	283	iptables(8). This table is used for various packet alterations
	284	which can effect how the packet is routed.
	285
	286	To compile it as a module, choose M here. If unsure, say N.
1da177e4	287
1da177e4 LT	288	config IP6_NF_RAW
1da177e4 LT	289	tristate 'raw table support (required for TRACE)'
1da177e4 LT	290	help
	291	This option adds a `raw' table to ip6tables. This table is the very
	292	first in the netfilter framework and hooks in at the PREROUTING
	293	and OUTPUT chains.
33b8e776	294
1da177e4	295	If you want to compile it as a module, say M here and read
39f5fb30	296	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1da177e4	297
17e6e59f JM	298	# security table for MAC policy
	299	config IP6_NF_SECURITY
	300	tristate "Security table"
17e6e59f	301	depends on SECURITY
70eed75d	302	depends on NETFILTER_ADVANCED
17e6e59f JM	303	help
	304	This option adds a `security' table to iptables, for use
	305	with Mandatory Access Control (MAC) policy.
b0041d1b	306
17e6e59f JM	307	If unsure, say N.
17e6e59f JM	308
8993cf8e PNA	309	config IP6_NF_NAT
8993cf8e PNA	310	tristate "ip6tables NAT support"
a0ae2562	311	depends on NF_CONNTRACK
b0041d1b PNA	312	depends on NETFILTER_ADVANCED
b0041d1b PNA	313	select NF_NAT
8993cf8e PNA	314	select NF_NAT_IPV6
8993cf8e PNA	315	select NETFILTER_XT_NAT
b0041d1b	316	help
8993cf8e PNA	317	This enables the `nat' table in ip6tables. This allows masquerading,
	318	port forwarding and other forms of full Network Address Port
	319	Translation.
b0041d1b PNA	320
	321	To compile it as a module, choose M here. If unsure, say N.
	322
8993cf8e	323	if IP6_NF_NAT
b0041d1b PNA	324
	325	config IP6_NF_TARGET_MASQUERADE
	326	tristate "MASQUERADE target support"
be6b635c	327	select NF_NAT_MASQUERADE_IPV6
b0041d1b PNA	328	help
	329	Masquerading is a special case of NAT: all outgoing connections are
	330	changed to seem to come from a particular interface's address, and
	331	if the interface goes down, those connections are lost. This is
	332	only useful for dialup accounts with dynamic IP address (ie. your IP
	333	address will be different on next dialup).
	334
	335	To compile it as a module, choose M here. If unsure, say N.
	336
b0041d1b PNA	337	config IP6_NF_TARGET_NPT
	338	tristate "NPT (Network Prefix translation) target support"
	339	help
	340	This option adds the `SNPT' and `DNPT' target, which perform
	341	stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
	342
	343	To compile it as a module, choose M here. If unsure, say N.
	344
8993cf8e	345	endif # IP6_NF_NAT
b0041d1b	346
c2df73de	347	endif # IP6_NF_IPTABLES
1da177e4 LT	348	endmenu
1da177e4 LT	349
a0ae2562 FW	350	config NF_DEFRAG_IPV6
a0ae2562 FW	351	tristate