2 # IP netfilter configuration
5 menu "IPv6: Netfilter Configuration"
6 depends on INET && IPV6 && NETFILTER
12 config NF_CONNTRACK_IPV6
13 tristate "IPv6 connection tracking support"
14 depends on INET && IPV6 && NF_CONNTRACK
15 default m if NETFILTER_ADVANCED=n
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are related
22 This is IPv6 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is experimental scheme
24 which generalize ip_conntrack to support other layer 3 protocols.
26 To compile it as a module, choose M here. If unsure, say N.
31 tristate "IPv6 nf_tables support"
33 This option enables the IPv6 support for nf_tables.
37 config NFT_CHAIN_ROUTE_IPV6
38 tristate "IPv6 nf_tables route chain support"
40 This option enables the "route" chain for IPv6 in nf_tables. This
41 chain type is used to force packet re-routing after mangling header
42 fields such as the source, destination, flowlabel, hop-limit and
45 config NFT_REJECT_IPV6
50 endif # NF_TABLES_IPV6
54 tristate "IPv6 packet rejection"
55 default m if NETFILTER_ADVANCED=n
58 tristate "IPv6 packet logging"
59 default m if NETFILTER_ADVANCED=n
64 depends on NF_CONNTRACK_IPV6
65 depends on NETFILTER_ADVANCED
68 The IPv6 NAT option allows masquerading, port forwarding and other
69 forms of full Network Address Port Translation. This can be
70 controlled by iptables or nft.
74 config NFT_CHAIN_NAT_IPV6
75 depends on NF_TABLES_IPV6
76 tristate "IPv6 nf_tables nat chain support"
78 This option enables the "nat" chain for IPv6 in nf_tables. This
79 chain type is used to perform Network Address Translation (NAT)
80 packet transformations such as the source, destination address and
81 source and destination ports.
83 config NF_NAT_MASQUERADE_IPV6
84 tristate "IPv6 masquerade support"
86 This is the kernel functionality to provide NAT in the masquerade
87 flavour (automatic source address selection) for IPv6.
90 tristate "IPv6 masquerade support for nf_tables"
91 depends on NF_TABLES_IPV6
93 select NF_NAT_MASQUERADE_IPV6
95 This is the expression that provides IPv4 masquerading support for
99 tristate "IPv6 redirect support for nf_tables"
100 depends on NF_TABLES_IPV6
102 select NF_NAT_REDIRECT
104 This is the expression that provides IPv4 redirect support for
109 config IP6_NF_IPTABLES
110 tristate "IP6 tables support (required for filtering)"
111 depends on INET && IPV6
112 select NETFILTER_XTABLES
113 default m if NETFILTER_ADVANCED=n
115 ip6tables is a general, extensible packet identification framework.
116 Currently only the packet filtering and packet mangling subsystem
117 for IPv6 use this, but connection tracking is going to follow.
118 Say 'Y' or 'M' here if you want to use either of those.
120 To compile it as a module, choose M here. If unsure, say N.
124 # The simple matches.
125 config IP6_NF_MATCH_AH
126 tristate '"ah" match support'
127 depends on NETFILTER_ADVANCED
129 This module allows one to match AH packets.
131 To compile it as a module, choose M here. If unsure, say N.
133 config IP6_NF_MATCH_EUI64
134 tristate '"eui64" address check'
135 depends on NETFILTER_ADVANCED
137 This module performs checking on the IPv6 source address
138 Compares the last 64 bits with the EUI64 (delivered
139 from the MAC address) address
141 To compile it as a module, choose M here. If unsure, say N.
143 config IP6_NF_MATCH_FRAG
144 tristate '"frag" Fragmentation header match support'
145 depends on NETFILTER_ADVANCED
147 frag matching allows you to match packets based on the fragmentation
148 header of the packet.
150 To compile it as a module, choose M here. If unsure, say N.
152 config IP6_NF_MATCH_OPTS
153 tristate '"hbh" hop-by-hop and "dst" opts header match support'
154 depends on NETFILTER_ADVANCED
156 This allows one to match packets based on the hop-by-hop
157 and destination options headers of a packet.
159 To compile it as a module, choose M here. If unsure, say N.
161 config IP6_NF_MATCH_HL
162 tristate '"hl" hoplimit match support'
163 depends on NETFILTER_ADVANCED
164 select NETFILTER_XT_MATCH_HL
166 This is a backwards-compat option for the user's convenience
167 (e.g. when running oldconfig). It selects
168 CONFIG_NETFILTER_XT_MATCH_HL.
170 config IP6_NF_MATCH_IPV6HEADER
171 tristate '"ipv6header" IPv6 Extension Headers Match'
172 default m if NETFILTER_ADVANCED=n
174 This module allows one to match packets based upon
175 the ipv6 extension headers.
177 To compile it as a module, choose M here. If unsure, say N.
179 config IP6_NF_MATCH_MH
180 tristate '"mh" match support'
181 depends on NETFILTER_ADVANCED
183 This module allows one to match MH packets.
185 To compile it as a module, choose M here. If unsure, say N.
187 config IP6_NF_MATCH_RPFILTER
188 tristate '"rpfilter" reverse path filter match support'
189 depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
191 This option allows you to match packets whose replies would
192 go out via the interface the packet came in.
194 To compile it as a module, choose M here. If unsure, say N.
195 The module will be called ip6t_rpfilter.
197 config IP6_NF_MATCH_RT
198 tristate '"rt" Routing header match support'
199 depends on NETFILTER_ADVANCED
201 rt matching allows you to match packets based on the routing
202 header of the packet.
204 To compile it as a module, choose M here. If unsure, say N.
207 config IP6_NF_TARGET_HL
208 tristate '"HL" hoplimit target support'
209 depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
210 select NETFILTER_XT_TARGET_HL
212 This is a backwards-compatible option for the user's convenience
213 (e.g. when running oldconfig). It selects
214 CONFIG_NETFILTER_XT_TARGET_HL.
217 tristate "Packet filtering"
218 default m if NETFILTER_ADVANCED=n
220 Packet filtering defines a table `filter', which has a series of
221 rules for simple packet filtering at local input, forwarding and
222 local output. See the man page for iptables(8).
224 To compile it as a module, choose M here. If unsure, say N.
226 config IP6_NF_TARGET_REJECT
227 tristate "REJECT target support"
228 depends on IP6_NF_FILTER
229 select NF_REJECT_IPV6
230 default m if NETFILTER_ADVANCED=n
232 The REJECT target allows a filtering rule to specify that an ICMPv6
233 error should be issued in response to an incoming packet, rather
234 than silently being dropped.
236 To compile it as a module, choose M here. If unsure, say N.
238 config IP6_NF_TARGET_SYNPROXY
239 tristate "SYNPROXY target support"
240 depends on NF_CONNTRACK && NETFILTER_ADVANCED
241 select NETFILTER_SYNPROXY
244 The SYNPROXY target allows you to intercept TCP connections and
245 establish them using syncookies before they are passed on to the
246 server. This allows to avoid conntrack and server resource usage
247 during SYN-flood attacks.
249 To compile it as a module, choose M here. If unsure, say N.
252 tristate "Packet mangling"
253 default m if NETFILTER_ADVANCED=n
255 This option adds a `mangle' table to iptables: see the man page for
256 iptables(8). This table is used for various packet alterations
257 which can effect how the packet is routed.
259 To compile it as a module, choose M here. If unsure, say N.
262 tristate 'raw table support (required for TRACE)'
264 This option adds a `raw' table to ip6tables. This table is the very
265 first in the netfilter framework and hooks in at the PREROUTING
268 If you want to compile it as a module, say M here and read
269 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
271 # security table for MAC policy
272 config IP6_NF_SECURITY
273 tristate "Security table"
275 depends on NETFILTER_ADVANCED
277 This option adds a `security' table to iptables, for use
278 with Mandatory Access Control (MAC) policy.
283 tristate "ip6tables NAT support"
284 depends on NF_CONNTRACK_IPV6
285 depends on NETFILTER_ADVANCED
288 select NETFILTER_XT_NAT
290 This enables the `nat' table in ip6tables. This allows masquerading,
291 port forwarding and other forms of full Network Address Port
294 To compile it as a module, choose M here. If unsure, say N.
298 config IP6_NF_TARGET_MASQUERADE
299 tristate "MASQUERADE target support"
300 select NF_NAT_MASQUERADE_IPV6
302 Masquerading is a special case of NAT: all outgoing connections are
303 changed to seem to come from a particular interface's address, and
304 if the interface goes down, those connections are lost. This is
305 only useful for dialup accounts with dynamic IP address (ie. your IP
306 address will be different on next dialup).
308 To compile it as a module, choose M here. If unsure, say N.
310 config IP6_NF_TARGET_NPT
311 tristate "NPT (Network Prefix translation) target support"
313 This option adds the `SNPT' and `DNPT' target, which perform
314 stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
316 To compile it as a module, choose M here. If unsure, say N.
320 endif # IP6_NF_IPTABLES