[mirror_ubuntu-artful-kernel.git] / net / ipv6 / netfilter / Kconfig

#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_DEFRAG_IPV6
	tristate
	default n

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	select NF_DEFRAG_IPV6
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here.  If unsure, say N.

config NF_TABLES_IPV6
	depends on NF_TABLES
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	depends on NF_NAT_IPV6 && NFT_NAT
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NFT_REJECT_IPV6
	depends on NF_TABLES_IPV6
	default NFT_REJECT
	tristate

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	depends on NETFILTER_ADVANCED
	select NF_LOG_COMMON

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address
	  Compares the last 64 bits with the EUI64 (delivered
	  from the MAC address) address

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_RAW
	tristate  'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
       tristate "Security table"
       depends on SECURITY
       depends on NETFILTER_ADVANCED
       help
         This option adds a `security' table to iptables, for use
         with Mandatory Access Control (MAC) policy.

         If unsure, say N.

config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in ip6tables, see the man page for ip6tables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

if NF_NAT_IPV6

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # NF_NAT_IPV6

endif # IP6_NF_IPTABLES

endmenu
Commit	Line	Data
1da177e4 LT	1	#
	2	# IP netfilter configuration
	3	#
	4
8ce22fca PM	5	menu "IPv6: Netfilter Configuration"
8ce22fca PM	6	depends on INET && IPV6 && NETFILTER
1da177e4	7
f6318e55 KK	8	config NF_DEFRAG_IPV6
	9	tristate
	10	default n
	11
9bdf87d9	12	config NF_CONNTRACK_IPV6
8ce22fca PM	13	tristate "IPv6 connection tracking support"
8ce22fca PM	14	depends on INET && IPV6 && NF_CONNTRACK
33b8e776	15	default m if NETFILTER_ADVANCED=n
f6318e55	16	select NF_DEFRAG_IPV6
9bdf87d9 YK	17	---help---
	18	Connection tracking keeps a record of what packets have passed
	19	through your machine, in order to figure out how they are related
	20	into connections.
	21
	22	This is IPv6 support on Layer 3 independent connection tracking.
	23	Layer 3 independent connection tracking is experimental scheme
	24	which generalize ip_conntrack to support other layer 3 protocols.
	25
	26	To compile it as a module, choose M here. If unsure, say N.
58a317f1	27
96518518 PM	28	config NF_TABLES_IPV6
	29	depends on NF_TABLES
	30	tristate "IPv6 nf_tables support"
d497c635 PNA	31	help
d497c635 PNA	32	This option enables the IPv6 support for nf_tables.
96518518	33
9370761c	34	config NFT_CHAIN_ROUTE_IPV6
96518518	35	depends on NF_TABLES_IPV6
9370761c	36	tristate "IPv6 nf_tables route chain support"
d497c635 PNA	37	help
	38	This option enables the "route" chain for IPv6 in nf_tables. This
	39	chain type is used to force packet re-routing after mangling header
	40	fields such as the source, destination, flowlabel, hop-limit and
	41	the packet mark.
96518518	42
eb31628e TB	43	config NFT_CHAIN_NAT_IPV6
	44	depends on NF_TABLES_IPV6
	45	depends on NF_NAT_IPV6 && NFT_NAT
	46	tristate "IPv6 nf_tables nat chain support"
d497c635 PNA	47	help
	48	This option enables the "nat" chain for IPv6 in nf_tables. This
	49	chain type is used to perform Network Address Translation (NAT)
	50	packet transformations such as the source, destination address and
	51	source and destination ports.
eb31628e	52
cc4723ca PM	53	config NFT_REJECT_IPV6
	54	depends on NF_TABLES_IPV6
	55	default NFT_REJECT
	56	tristate
	57
c1878869 PNA	58	config NF_LOG_IPV6
	59	tristate "IPv6 packet logging"
	60	depends on NETFILTER_ADVANCED
	61	select NF_LOG_COMMON
	62
1da177e4	63	config IP6_NF_IPTABLES
844dc7c8	64	tristate "IP6 tables support (required for filtering)"
8ce22fca	65	depends on INET && IPV6
a3c941b0	66	select NETFILTER_XTABLES
33b8e776	67	default m if NETFILTER_ADVANCED=n
1da177e4 LT	68	help
	69	ip6tables is a general, extensible packet identification framework.
	70	Currently only the packet filtering and packet mangling subsystem
	71	for IPv6 use this, but connection tracking is going to follow.
	72	Say 'Y' or 'M' here if you want to use either of those.
	73
	74	To compile it as a module, choose M here. If unsure, say N.
	75
c2df73de JE	76	if IP6_NF_IPTABLES
c2df73de JE	77
1da177e4	78	# The simple matches.
aba0d348 JE	79	config IP6_NF_MATCH_AH
aba0d348 JE	80	tristate '"ah" match support'
33b8e776	81	depends on NETFILTER_ADVANCED
1da177e4	82	help
aba0d348	83	This module allows one to match AH packets.
1da177e4 LT	84
	85	To compile it as a module, choose M here. If unsure, say N.
	86
aba0d348 JE	87	config IP6_NF_MATCH_EUI64
aba0d348 JE	88	tristate '"eui64" address check'
33b8e776	89	depends on NETFILTER_ADVANCED
1da177e4	90	help
aba0d348 JE	91	This module performs checking on the IPv6 source address
	92	Compares the last 64 bits with the EUI64 (delivered
	93	from the MAC address) address
1da177e4 LT	94
	95	To compile it as a module, choose M here. If unsure, say N.
	96
	97	config IP6_NF_MATCH_FRAG
4c37799c	98	tristate '"frag" Fragmentation header match support'
33b8e776	99	depends on NETFILTER_ADVANCED
1da177e4 LT	100	help
	101	frag matching allows you to match packets based on the fragmentation
	102	header of the packet.
	103
	104	To compile it as a module, choose M here. If unsure, say N.
	105
aba0d348 JE	106	config IP6_NF_MATCH_OPTS
aba0d348 JE	107	tristate '"hbh" hop-by-hop and "dst" opts header match support'
aba0d348 JE	108	depends on NETFILTER_ADVANCED
	109	help
	110	This allows one to match packets based on the hop-by-hop
	111	and destination options headers of a packet.
	112
	113	To compile it as a module, choose M here. If unsure, say N.
	114
4323362e JE	115	config IP6_NF_MATCH_HL
	116	tristate '"hl" hoplimit match support'
	117	depends on NETFILTER_ADVANCED
	118	select NETFILTER_XT_MATCH_HL
	119	---help---
	120	This is a backwards-compat option for the user's convenience
	121	(e.g. when running oldconfig). It selects
8dd1d047	122	CONFIG_NETFILTER_XT_MATCH_HL.
4323362e	123
1da177e4	124	config IP6_NF_MATCH_IPV6HEADER
4c37799c	125	tristate '"ipv6header" IPv6 Extension Headers Match'
44c45eb9	126	default m if NETFILTER_ADVANCED=n
1da177e4 LT	127	help
	128	This module allows one to match packets based upon
	129	the ipv6 extension headers.
	130
	131	To compile it as a module, choose M here. If unsure, say N.
	132
a0ca215a	133	config IP6_NF_MATCH_MH
4c37799c	134	tristate '"mh" match support'
33b8e776	135	depends on NETFILTER_ADVANCED
a0ca215a MN	136	help
	137	This module allows one to match MH packets.
	138
	139	To compile it as a module, choose M here. If unsure, say N.
	140
e26f9a48 FW	141	config IP6_NF_MATCH_RPFILTER
e26f9a48 FW	142	tristate '"rpfilter" reverse path filter match support'
d37d6968	143	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE \|\| IP6_NF_RAW)
e26f9a48 FW	144	---help---
	145	This option allows you to match packets whose replies would
	146	go out via the interface the packet came in.
	147
	148	To compile it as a module, choose M here. If unsure, say N.
	149	The module will be called ip6t_rpfilter.
	150
aba0d348 JE	151	config IP6_NF_MATCH_RT
aba0d348 JE	152	tristate '"rt" Routing header match support'
33b8e776	153	depends on NETFILTER_ADVANCED
1da177e4	154	help
aba0d348 JE	155	rt matching allows you to match packets based on the routing
aba0d348 JE	156	header of the packet.
1da177e4 LT	157
	158	To compile it as a module, choose M here. If unsure, say N.
	159
1da177e4	160	# The targets
4323362e JE	161	config IP6_NF_TARGET_HL
4323362e JE	162	tristate '"HL" hoplimit target support'
76b6717b	163	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
4323362e JE	164	select NETFILTER_XT_TARGET_HL
4323362e JE	165	---help---
76b6717b	166	This is a backwards-compatible option for the user's convenience
4323362e	167	(e.g. when running oldconfig). It selects
8dd1d047	168	CONFIG_NETFILTER_XT_TARGET_HL.
4323362e	169
2203eb47 JE	170	config IP6_NF_FILTER
2203eb47 JE	171	tristate "Packet filtering"
33b8e776	172	default m if NETFILTER_ADVANCED=n
1da177e4	173	help
2203eb47 JE	174	Packet filtering defines a table `filter', which has a series of
	175	rules for simple packet filtering at local input, forwarding and
	176	local output. See the man page for iptables(8).
1da177e4 LT	177
	178	To compile it as a module, choose M here. If unsure, say N.
	179
764d8a9f PM	180	config IP6_NF_TARGET_REJECT
	181	tristate "REJECT target support"
	182	depends on IP6_NF_FILTER
33b8e776	183	default m if NETFILTER_ADVANCED=n
764d8a9f PM	184	help
	185	The REJECT target allows a filtering rule to specify that an ICMPv6
	186	error should be issued in response to an incoming packet, rather
	187	than silently being dropped.
	188
	189	To compile it as a module, choose M here. If unsure, say N.
	190
4ad36228 PM	191	config IP6_NF_TARGET_SYNPROXY
	192	tristate "SYNPROXY target support"
	193	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	194	select NETFILTER_SYNPROXY
	195	select SYN_COOKIES
	196	help
	197	The SYNPROXY target allows you to intercept TCP connections and
	198	establish them using syncookies before they are passed on to the
	199	server. This allows to avoid conntrack and server resource usage
	200	during SYN-flood attacks.
	201
	202	To compile it as a module, choose M here. If unsure, say N.
	203
1da177e4 LT	204	config IP6_NF_MANGLE
1da177e4 LT	205	tristate "Packet mangling"
33b8e776	206	default m if NETFILTER_ADVANCED=n
1da177e4 LT	207	help
	208	This option adds a `mangle' table to iptables: see the man page for
	209	iptables(8). This table is used for various packet alterations
	210	which can effect how the packet is routed.
	211
	212	To compile it as a module, choose M here. If unsure, say N.
1da177e4	213
1da177e4 LT	214	config IP6_NF_RAW
1da177e4 LT	215	tristate 'raw table support (required for TRACE)'
1da177e4 LT	216	help
	217	This option adds a `raw' table to ip6tables. This table is the very
	218	first in the netfilter framework and hooks in at the PREROUTING
	219	and OUTPUT chains.
33b8e776	220
1da177e4	221	If you want to compile it as a module, say M here and read
39f5fb30	222	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
1da177e4	223
17e6e59f JM	224	# security table for MAC policy
	225	config IP6_NF_SECURITY
	226	tristate "Security table"
17e6e59f	227	depends on SECURITY
70eed75d	228	depends on NETFILTER_ADVANCED
17e6e59f JM	229	help
	230	This option adds a `security' table to iptables, for use
	231	with Mandatory Access Control (MAC) policy.
b0041d1b	232
17e6e59f JM	233	If unsure, say N.
17e6e59f JM	234
b0041d1b PNA	235	config NF_NAT_IPV6
	236	tristate "IPv6 NAT"
	237	depends on NF_CONNTRACK_IPV6
	238	depends on NETFILTER_ADVANCED
	239	select NF_NAT
	240	help
	241	The IPv6 NAT option allows masquerading, port forwarding and other
	242	forms of full Network Address Port Translation. It is controlled by
	243	the `nat' table in ip6tables, see the man page for ip6tables(8).
	244
	245	To compile it as a module, choose M here. If unsure, say N.
	246
	247	if NF_NAT_IPV6
	248
	249	config IP6_NF_TARGET_MASQUERADE
	250	tristate "MASQUERADE target support"
	251	help
	252	Masquerading is a special case of NAT: all outgoing connections are
	253	changed to seem to come from a particular interface's address, and
	254	if the interface goes down, those connections are lost. This is
	255	only useful for dialup accounts with dynamic IP address (ie. your IP
	256	address will be different on next dialup).
	257
	258	To compile it as a module, choose M here. If unsure, say N.
	259
b0041d1b PNA	260	config IP6_NF_TARGET_NPT
	261	tristate "NPT (Network Prefix translation) target support"
	262	help
	263	This option adds the `SNPT' and `DNPT' target, which perform
	264	stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
	265
	266	To compile it as a module, choose M here. If unsure, say N.
	267
	268	endif # NF_NAT_IPV6
	269
c2df73de JE	270	endif # IP6_NF_IPTABLES
c2df73de JE	271
1da177e4 LT	272	endmenu
1da177e4 LT	273