# IP netfilter configuration

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "IPv6 socket lookup support"
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the ip6tables socket match.

	tristate "IPv6 nf_tables support"
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and

config NFT_CHAIN_NAT_IPV6
	tristate "IPv6 nf_tables nat chain support"
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

	tristate "IPv6 masquerade support for nf_tables"
	select NF_NAT_MASQUERADE_IPV6
	  This is the expression that provides IPv6 masquerading support for

	tristate "IPv6 redirect support for nf_tables"
	select NF_NAT_REDIRECT
	  This is the expression that provides IPv6 redirect support for

config NFT_REJECT_IPV6

	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	  This module enables IPv6 packet duplication support for nf_tables.

	tristate "nf_tables fib / ipv6 route lookup support"
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows querying the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6

	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n

	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate 'raw table support (required for TRACE)'
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_NAT
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_IPTABLES