# IP netfilter configuration

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "IPv6 nf_tables support"
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and

config NFT_REJECT_IPV6

endif # NF_TABLES_IPV6

	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n

	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	select NF_NAT_MASQUERADE_IPV6
	  This is the expression that provides IPv4 masquerading support for

	tristate "IPv6 redirect support for nf_tables"
	depends on NF_TABLES_IPV6
	select NF_NAT_REDIRECT
	  This is the expression that provides IPv4 redirect support for

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate 'raw table support (required for TRACE)'
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_NAT
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_IPTABLES