Linux-2.6.12-rc2

[mirror_ubuntu-artful-kernel.git] / net / ipv6 / netfilter / Kconfig

#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration (EXPERIMENTAL)"
        depends on INET && IPV6 && NETFILTER && EXPERIMENTAL

#tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP6_NF_CONNTRACK
#if [ "$CONFIG_IP6_NF_CONNTRACK" != "n" ]; then
#  dep_tristate '  FTP protocol support' CONFIG_IP6_NF_FTP $CONFIG_IP6_NF_CONNTRACK
#fi
config IP6_NF_QUEUE
        tristate "Userspace queueing via NETLINK"
        ---help---

          This option adds a queue handler to the kernel for IPv6
          packets which lets us to receive the filtered packets
          with QUEUE target using libiptc as we can do with
          the IPv4 now.

          (C) Fernando Anton 2001
          IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
          Universidad Carlos III de Madrid
          Universidad Politecnica de Alcala de Henares
          email: <fanton@it.uc3m.es>.

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_IPTABLES
        tristate "IP6 tables support (required for filtering/masq/NAT)"
        help
          ip6tables is a general, extensible packet identification framework.
          Currently only the packet filtering and packet mangling subsystem
          for IPv6 use this, but connection tracking is going to follow.
          Say 'Y' or 'M' here if you want to use either of those.

          To compile it as a module, choose M here.  If unsure, say N.

# The simple matches.
config IP6_NF_MATCH_LIMIT
        tristate "limit match support"
        depends on IP6_NF_IPTABLES
        help
          limit matching allows you to control the rate at which a rule can be
          matched: mainly useful in combination with the LOG target ("LOG
          target support", below) and to avoid some Denial of Service attacks.

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MAC
        tristate "MAC address match support"
        depends on IP6_NF_IPTABLES
        help
          mac matching allows you to match packets based on the source
          Ethernet address of the packet.

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_RT
        tristate "Routing header match support"
        depends on IP6_NF_IPTABLES
        help
          rt matching allows you to match packets based on the routing
          header of the packet.

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
        tristate "Hop-by-hop and Dst opts header match support"
        depends on IP6_NF_IPTABLES
        help
          This allows one to match packets based on the hop-by-hop
          and destination options headers of a packet.

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
        tristate "Fragmentation header match support"
        depends on IP6_NF_IPTABLES
        help
          frag matching allows you to match packets based on the fragmentation
          header of the packet.

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
        tristate "HL match support"
        depends on IP6_NF_IPTABLES
        help
          HL matching allows you to match packets based on the hop
          limit of the packet.

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MULTIPORT
        tristate "Multiple port match support"
        depends on IP6_NF_IPTABLES
        help
          Multiport matching allows you to match TCP or UDP packets based on
          a series of source or destination ports: normally a rule can only
          match a single range of ports.

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OWNER
        tristate "Owner match support"
        depends on IP6_NF_IPTABLES
        help
          Packet owner matching allows you to match locally-generated packets
          based on who created them: the user, group, process or session.

          To compile it as a module, choose M here.  If unsure, say N.

#  dep_tristate '  MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES
config IP6_NF_MATCH_MARK
        tristate "netfilter MARK match support"
        depends on IP6_NF_IPTABLES
        help
          Netfilter mark matching allows you to match packets based on the
          `nfmark' value in the packet.  This can be set by the MARK target
          (see below).

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_IPV6HEADER
        tristate "IPv6 Extension Headers Match"
        depends on IP6_NF_IPTABLES
        help
          This module allows one to match packets based upon
          the ipv6 extension headers.

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_AHESP
        tristate "AH/ESP match support"
        depends on IP6_NF_IPTABLES
        help
          This module allows one to match AH and ESP packets.

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_LENGTH
        tristate "Packet Length match support"
        depends on IP6_NF_IPTABLES
        help
          This option allows you to match the length of a packet against a
          specific value or range of values.

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
        tristate "EUI64 address check"
        depends on IP6_NF_IPTABLES
        help
          This module performs checking on the IPv6 source address
          Compares the last 64 bits with the EUI64 (delivered
          from the MAC address) address

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_PHYSDEV
        tristate "Physdev match support"
        depends on IP6_NF_IPTABLES && BRIDGE_NETFILTER
        help
          Physdev packet matching matches against the physical bridge ports
          the IP packet arrived on or will leave by.

          To compile it as a module, choose M here.  If unsure, say N.

#  dep_tristate '  Multiple port match support' CONFIG_IP6_NF_MATCH_MULTIPORT $CONFIG_IP6_NF_IPTABLES
#  dep_tristate '  TOS match support' CONFIG_IP6_NF_MATCH_TOS $CONFIG_IP6_NF_IPTABLES
#  if [ "$CONFIG_IP6_NF_CONNTRACK" != "n" ]; then
#    dep_tristate '  Connection state match support' CONFIG_IP6_NF_MATCH_STATE $CONFIG_IP6_NF_CONNTRACK $CONFIG_IP6_NF_IPTABLES 
#  fi
#  if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
#    dep_tristate '  Unclean match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_UNCLEAN $CONFIG_IP6_NF_IPTABLES
#    dep_tristate '  Owner match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_OWNER $CONFIG_IP6_NF_IPTABLES
#  fi
# The targets
config IP6_NF_FILTER
        tristate "Packet filtering"
        depends on IP6_NF_IPTABLES
        help
          Packet filtering defines a table `filter', which has a series of
          rules for simple packet filtering at local input, forwarding and
          local output.  See the man page for iptables(8).

          To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_LOG
        tristate "LOG target support"
        depends on IP6_NF_FILTER
        help
          This option adds a `LOG' target, which allows you to create rules in
          any iptables table which records the packet header to the syslog.

          To compile it as a module, choose M here.  If unsure, say N.

#  if [ "$CONFIG_IP6_NF_FILTER" != "n" ]; then
#    dep_tristate '    REJECT target support' CONFIG_IP6_NF_TARGET_REJECT $CONFIG_IP6_NF_FILTER
#    if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
#      dep_tristate '    MIRROR target support (EXPERIMENTAL)' CONFIG_IP6_NF_TARGET_MIRROR $CONFIG_IP6_NF_FILTER
#    fi
#  fi
config IP6_NF_MANGLE
        tristate "Packet mangling"
        depends on IP6_NF_IPTABLES
        help
          This option adds a `mangle' table to iptables: see the man page for
          iptables(8).  This table is used for various packet alterations
          which can effect how the packet is routed.

          To compile it as a module, choose M here.  If unsure, say N.

#    dep_tristate '    TOS target support' CONFIG_IP6_NF_TARGET_TOS $CONFIG_IP_NF_MANGLE
config IP6_NF_TARGET_MARK
        tristate "MARK target support"
        depends on IP6_NF_MANGLE
        help
          This option adds a `MARK' target, which allows you to create rules
          in the `mangle' table which alter the netfilter mark (nfmark) field
          associated with the packet packet prior to routing. This can change
          the routing method (see `Use netfilter MARK value as routing
          key') and can also be used by other subsystems to change their
          behavior.

          To compile it as a module, choose M here.  If unsure, say N.

#dep_tristate '  LOG target support' CONFIG_IP6_NF_TARGET_LOG $CONFIG_IP6_NF_IPTABLES
config IP6_NF_RAW
        tristate  'raw table support (required for TRACE)'
        depends on IP6_NF_IPTABLES
        help
          This option adds a `raw' table to ip6tables. This table is the very
          first in the netfilter framework and hooks in at the PREROUTING
          and OUTPUT chains.
        
          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.

endmenu