# IP netfilter configuration
menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER
config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.
	  To compile it as a module, choose M here. If unsure, say N.
	tristate "IPv6 nf_tables support"
	  This option enables the IPv6 support for nf_tables.
config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	depends on NF_NAT_IPV6 && NFT_NAT
	tristate "IPv6 nf_tables nat chain support"
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystems
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.
	  To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match AH packets.
	  To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).
	  To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	  frag matching allows you to match packets based on the fragmentation
	  To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.
	  To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	  This module allows one to match packets based upon
	  the IPv6 extension headers.
	  To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	  This module allows one to match MH packets.
	  To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.
	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.
config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	  rt matching allows you to match packets based on the routing
	  header of the packet.
	  To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).
	  To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.
	  To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.
	  To compile it as a module, choose M here. If unsure, say N.
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.
	  To compile it as a module, choose M here. If unsure, say N.
	tristate 'raw table support (required for TRACE)'
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.
	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in ip6tables, see the man page for ip6tables(8).
	  To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP addresses (i.e. your
	  IP address will be different on next dialup).
	  To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
	  To compile it as a module, choose M here. If unsure, say N.
endif # IP6_NF_IPTABLES