# IP netfilter configuration

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

config NF_TABLES_IPV6
	tristate "IPv6 nf_tables support"

config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	depends on NF_NAT_IPV6 && NFT_NAT
	tristate "IPv6 nf_tables nat chain support"

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystems
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_IPTABLES

config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module checks the IPv6 source address: it compares the
	  last 64 bits with the EUI64 address (derived from the MAC
	  address).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the IPv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in on.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

config NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in ip6tables, see the man page for ip6tables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your
	  IP address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_IPTABLES

endmenu
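
The comparison described in the IP6_NF_MATCH_EUI64 help text above, as an added user-space example (not the kernel module's code): it derives the modified EUI-64 interface identifier from a MAC address as in RFC 4291 Appendix A and compares it with the last 64 bits of the IPv6 source. The function names and sample addresses are constructed for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modified EUI-64 (RFC 4291, Appendix A): insert ff:fe between the two
 * halves of the 48-bit MAC and invert the universal/local bit. */
static void mac_to_eui64(const uint8_t mac[6], uint8_t eui64[8])
{
    memcpy(eui64, mac, 3);
    eui64[3] = 0xff;
    eui64[4] = 0xfe;
    memcpy(eui64 + 5, mac + 3, 3);
    eui64[0] ^= 0x02;
}

/* 1 if the low 64 bits of saddr equal the EUI-64 derived from the frame's
 * source MAC, 0 if they differ. */
int eui64_source_matches(const uint8_t mac[6], const struct in6_addr *saddr)
{
    uint8_t eui64[8];

    mac_to_eui64(mac, eui64);
    return memcmp(saddr->s6_addr + 8, eui64, sizeof(eui64)) == 0;
}

/* Same check on a textual address; -1 if the address does not parse. */
int check_text(const uint8_t mac[6], const char *addr)
{
    struct in6_addr a;

    if (inet_pton(AF_INET6, addr, &a) != 1)
        return -1;
    return eui64_source_matches(mac, &a);
}

int main(void)
{
    /* Constructed samples: one MAC, addresses in link-local and 2001:db8::/32. */
    const uint8_t mac[6] = { 0x00, 0x16, 0x3e, 0x12, 0x34, 0x56 };
    const char *samples[] = {
        "fe80::216:3eff:fe12:3456",     /* identifier derived from the MAC */
        "2001:db8::216:3eff:fe12:3456", /* same identifier, global prefix */
        "2001:db8::1",                  /* manually assigned identifier */
        "2001:db8::216:3eff:fe12:3457", /* last byte differs from the MAC */
    };

    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-30s %s\n", samples[i],
               check_text(mac, samples[i]) == 1 ? "match" : "no match");
    return 0;
}
```

Hosts that use temporary (RFC 4941) or stable opaque (RFC 7217) interface identifiers legitimately fail this comparison, so a rule built on the match only suits segments where EUI-64-derived addresses are expected.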