# IP netfilter configuration

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "IPv6 nf_tables support"
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and

config NFT_REJECT_IPV6

	tristate "IPv6 nf_tables packet duplication support"
	  This module enables IPv6 packet duplication support for nf_tables.

endif # NF_TABLES_IPV6

	tristate "Netfilter IPv6 packet duplication to alternate destination"
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n

	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

	tristate "IPv6 masquerade support for nf_tables"
	depends on NF_TABLES_IPV6
	select NF_NAT_MASQUERADE_IPV6
	  This is the expression that provides IPv6 masquerading support for

config NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on NF_TABLES_IPV6
	select NF_NAT_REDIRECT
	  This is the expression that provides IPv6 redirect support for

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystems
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	  This module allows one to match packets based upon
	  the IPv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate 'raw table support (required for TRACE)'
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_NAT
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE_IPV6
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_IPTABLES
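
Added example, not part of the kernel source: a Python audit that applies Kconfig's tristate rules (n < m < y, `&&` as minimum, `||` as maximum) to three `depends on` expressions visible above and flags symbols in a hand-edited `.config` that are set higher than their dependencies permit, which the build would otherwise lower or drop without the firewall ruleset noticing. The function names `parse_dotconfig`, `evaluate` and `audit` and the sample fragment are assumptions of this example.

```python
import re
LEVEL = "nmy"  # Kconfig tristate order: n < m < y

# "depends on" lines from the entries above; repeated lines are ANDed together.
DEPENDS = {
    "IP6_NF_MATCH_RPFILTER": "NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)",
    "IP6_NF_TARGET_REJECT": "IP6_NF_FILTER",
    "IP6_NF_TARGET_SYNPROXY": "NF_CONNTRACK && NETFILTER_ADVANCED",
}

# Constructed sample .config fragment, not taken from a real build.
SAMPLE = """\
CONFIG_NETFILTER_ADVANCED=y
CONFIG_NF_CONNTRACK=m
# CONFIG_IP6_NF_RAW is not set
CONFIG_IP6_NF_MATCH_RPFILTER=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_TARGET_SYNPROXY=y
"""

def parse_dotconfig(text):
    """Map symbol -> 1 (m) or 2 (y); unset symbols are simply absent (n)."""
    found = re.findall(r"^CONFIG_(\w+)=([ym])\s*$", text, re.MULTILINE)
    return {sym: LEVEL.index(val) for sym, val in found}

def evaluate(expr, values):
    """Tristate value of a dependency expression: && is min, || is max."""
    tokens = re.findall(r"\w+|&&|\|\||[()]", expr)
    def atom(i):
        if tokens[i] != "(":
            return values.get(tokens[i], 0), i + 1
        val, i = either(i + 1)
        return val, i + 1  # step over the closing ")"
    def chain(i, op, pick, operand):
        val, i = operand(i)
        while i < len(tokens) and tokens[i] == op:
            rhs, i = operand(i + 1)
            val = pick(val, rhs)
        return val, i
    def both(i): return chain(i, "&&", min, atom)
    def either(i): return chain(i, "||", max, both)
    return either(0)[0]

def audit(text):
    """Return (symbol, requested, allowed) where a value exceeds its dependencies."""
    values = parse_dotconfig(text)
    limits = {sym: evaluate(expr, values) for sym, expr in DEPENDS.items()}
    return [(sym, LEVEL[values[sym]], LEVEL[cap])
            for sym, cap in limits.items() if values.get(sym, 0) > cap]
```

For `SAMPLE`, `audit` reports the rpfilter match requested as `m` with only `n` allowed (neither the mangle nor the raw table is enabled) and SYNPROXY requested as `y` while modular conntrack caps it at `m`.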