| Commit | Line | Data |
|---|---|---|
| 1da177e4 LT | 1 | # |
| | 2 | # IP netfilter configuration |
| | 3 | # |
| | 4 | |
| 8ce22fca PM | 5 | menu "IPv6: Netfilter Configuration" |
| | 6 | depends on INET && IPV6 && NETFILTER |
| 1da177e4 | 7 | |
| f6318e55 KK | 8 | config NF_DEFRAG_IPV6 |
| | 9 | tristate |
| | 10 | default n |
| | 11 | |
| 9bdf87d9 | 12 | config NF_CONNTRACK_IPV6 |
| 8ce22fca PM | 13 | tristate "IPv6 connection tracking support" |
| | 14 | depends on INET && IPV6 && NF_CONNTRACK |
| 33b8e776 | 15 | default m if NETFILTER_ADVANCED=n |
| f6318e55 | 16 | select NF_DEFRAG_IPV6 |
| 9bdf87d9 YK | 17 | ---help--- |
| | 18 | Connection tracking keeps a record of what packets have passed |
| | 19 | through your machine, in order to figure out how they are related |
| | 20 | into connections. |
| | 21 | |
| | 22 | This is IPv6 support on Layer 3 independent connection tracking. |
| | 23 | Layer 3 independent connection tracking is experimental scheme |
| | 24 | which generalize ip_conntrack to support other layer 3 protocols. |
| | 25 | |
| | 26 | To compile it as a module, choose M here. If unsure, say N. |
| 58a317f1 | 27 | |
| 1da177e4 | 28 | config IP6_NF_IPTABLES |
| 844dc7c8 | 29 | tristate "IP6 tables support (required for filtering)" |
| 8ce22fca | 30 | depends on INET && IPV6 |
| a3c941b0 | 31 | select NETFILTER_XTABLES |
| 33b8e776 | 32 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT | 33 | help |
| | 34 | ip6tables is a general, extensible packet identification framework. |
| | 35 | Currently only the packet filtering and packet mangling subsystem |
| | 36 | for IPv6 use this, but connection tracking is going to follow. |
| | 37 | Say 'Y' or 'M' here if you want to use either of those. |
| | 38 | |
| | 39 | To compile it as a module, choose M here. If unsure, say N. |
| | 40 | |
| c2df73de JE | 41 | if IP6_NF_IPTABLES |
| | 42 | |
| 1da177e4 | 43 | # The simple matches. |
| aba0d348 JE | 44 | config IP6_NF_MATCH_AH |
| | 45 | tristate '"ah" match support' |
| 33b8e776 | 46 | depends on NETFILTER_ADVANCED |
| 1da177e4 | 47 | help |
| aba0d348 | 48 | This module allows one to match AH packets. |
| 1da177e4 LT | 49 | |
| | 50 | To compile it as a module, choose M here. If unsure, say N. |
| | 51 | |
| aba0d348 JE | 52 | config IP6_NF_MATCH_EUI64 |
| | 53 | tristate '"eui64" address check' |
| 33b8e776 | 54 | depends on NETFILTER_ADVANCED |
| 1da177e4 | 55 | help |
| aba0d348 JE | 56 | This module performs checking on the IPv6 source address |
| | 57 | Compares the last 64 bits with the EUI64 (delivered |
| | 58 | from the MAC address) address |
| 1da177e4 LT | 59 | |
| | 60 | To compile it as a module, choose M here. If unsure, say N. |
| | 61 | |
| | 62 | config IP6_NF_MATCH_FRAG |
| 4c37799c | 63 | tristate '"frag" Fragmentation header match support' |
| 33b8e776 | 64 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT | 65 | help |
| | 66 | frag matching allows you to match packets based on the fragmentation |
| | 67 | header of the packet. |
| | 68 | |
| | 69 | To compile it as a module, choose M here. If unsure, say N. |
| | 70 | |
| aba0d348 JE | 71 | config IP6_NF_MATCH_OPTS |
| | 72 | tristate '"hbh" hop-by-hop and "dst" opts header match support' |
| aba0d348 JE | 73 | depends on NETFILTER_ADVANCED |
| | 74 | help |
| | 75 | This allows one to match packets based on the hop-by-hop |
| | 76 | and destination options headers of a packet. |
| | 77 | |
| | 78 | To compile it as a module, choose M here. If unsure, say N. |
| | 79 | |
| 4323362e JE | 80 | config IP6_NF_MATCH_HL |
| | 81 | tristate '"hl" hoplimit match support' |
| | 82 | depends on NETFILTER_ADVANCED |
| | 83 | select NETFILTER_XT_MATCH_HL |
| | 84 | ---help--- |
| | 85 | This is a backwards-compat option for the user's convenience |
| | 86 | (e.g. when running oldconfig). It selects |
| 8dd1d047 | 87 | CONFIG_NETFILTER_XT_MATCH_HL. |
| 4323362e | 88 | |
| 1da177e4 | 89 | config IP6_NF_MATCH_IPV6HEADER |
| 4c37799c | 90 | tristate '"ipv6header" IPv6 Extension Headers Match' |
| 44c45eb9 | 91 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT | 92 | help |
| | 93 | This module allows one to match packets based upon |
| | 94 | the ipv6 extension headers. |
| | 95 | |
| | 96 | To compile it as a module, choose M here. If unsure, say N. |
| | 97 | |
| a0ca215a | 98 | config IP6_NF_MATCH_MH |
| 4c37799c | 99 | tristate '"mh" match support' |
| 33b8e776 | 100 | depends on NETFILTER_ADVANCED |
| a0ca215a MN | 101 | help |
| | 102 | This module allows one to match MH packets. |
| | 103 | |
| | 104 | To compile it as a module, choose M here. If unsure, say N. |
| | 105 | |
| e26f9a48 FW | 106 | config IP6_NF_MATCH_RPFILTER |
| | 107 | tristate '"rpfilter" reverse path filter match support' |
| | 108 | depends on NETFILTER_ADVANCED |
| | 109 | ---help--- |
| | 110 | This option allows you to match packets whose replies would |
| | 111 | go out via the interface the packet came in. |
| | 112 | |
| | 113 | To compile it as a module, choose M here. If unsure, say N. |
| | 114 | The module will be called ip6t_rpfilter. |
| | 115 | |
| aba0d348 JE | 116 | config IP6_NF_MATCH_RT |
| | 117 | tristate '"rt" Routing header match support' |
| 33b8e776 | 118 | depends on NETFILTER_ADVANCED |
| 1da177e4 | 119 | help |
| aba0d348 JE | 120 | rt matching allows you to match packets based on the routing |
| | 121 | header of the packet. |
| 1da177e4 LT | 122 | |
| | 123 | To compile it as a module, choose M here. If unsure, say N. |
| | 124 | |
| 1da177e4 | 125 | # The targets |
| 4323362e JE | 126 | config IP6_NF_TARGET_HL |
| | 127 | tristate '"HL" hoplimit target support' |
| 76b6717b | 128 | depends on NETFILTER_ADVANCED && IP6_NF_MANGLE |
| 4323362e JE | 129 | select NETFILTER_XT_TARGET_HL |
| | 130 | ---help--- |
| 76b6717b | 131 | This is a backwards-compatible option for the user's convenience |
| 4323362e | 132 | (e.g. when running oldconfig). It selects |
| 8dd1d047 | 133 | CONFIG_NETFILTER_XT_TARGET_HL. |
| 4323362e | 134 | |
| 2203eb47 JE | 135 | config IP6_NF_FILTER |
| | 136 | tristate "Packet filtering" |
| 33b8e776 | 137 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 | 138 | help |
| 2203eb47 JE | 139 | Packet filtering defines a table `filter', which has a series of |
| | 140 | rules for simple packet filtering at local input, forwarding and |
| | 141 | local output. See the man page for iptables(8). |
| 1da177e4 LT | 142 | |
| | 143 | To compile it as a module, choose M here. If unsure, say N. |
| | 144 | |
| 764d8a9f PM | 145 | config IP6_NF_TARGET_REJECT |
| | 146 | tristate "REJECT target support" |
| | 147 | depends on IP6_NF_FILTER |
| 33b8e776 | 148 | default m if NETFILTER_ADVANCED=n |
| 764d8a9f PM | 149 | help |
| | 150 | The REJECT target allows a filtering rule to specify that an ICMPv6 |
| | 151 | error should be issued in response to an incoming packet, rather |
| | 152 | than silently being dropped. |
| | 153 | |
| | 154 | To compile it as a module, choose M here. If unsure, say N. |
| | 155 | |
| 1da177e4 LT | 156 | config IP6_NF_MANGLE |
| | 157 | tristate "Packet mangling" |
| 33b8e776 | 158 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT | 159 | help |
| | 160 | This option adds a `mangle' table to iptables: see the man page for |
| | 161 | iptables(8). This table is used for various packet alterations |
| | 162 | which can effect how the packet is routed. |
| | 163 | |
| | 164 | To compile it as a module, choose M here. If unsure, say N. |
| 1da177e4 | 165 | |
| 1da177e4 LT | 166 | config IP6_NF_RAW |
| | 167 | tristate 'raw table support (required for TRACE)' |
| 1da177e4 LT | 168 | help |
| | 169 | This option adds a `raw' table to ip6tables. This table is the very |
| | 170 | first in the netfilter framework and hooks in at the PREROUTING |
| | 171 | and OUTPUT chains. |
| 33b8e776 | 172 | |
| 1da177e4 | 173 | If you want to compile it as a module, say M here and read |
| 39f5fb30 | 174 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
| 1da177e4 | 175 | |
| 17e6e59f JM | 176 | # security table for MAC policy |
| | 177 | config IP6_NF_SECURITY |
| | 178 | tristate "Security table" |
| 17e6e59f | 179 | depends on SECURITY |
| 70eed75d | 180 | depends on NETFILTER_ADVANCED |
| 17e6e59f JM | 181 | help |
| | 182 | This option adds a `security' table to iptables, for use |
| | 183 | with Mandatory Access Control (MAC) policy. |
| b0041d1b | 184 | |
| 17e6e59f JM | 185 | If unsure, say N. |
| | 186 | |
| b0041d1b PNA | 187 | config NF_NAT_IPV6 |
| | 188 | tristate "IPv6 NAT" |
| | 189 | depends on NF_CONNTRACK_IPV6 |
| | 190 | depends on NETFILTER_ADVANCED |
| | 191 | select NF_NAT |
| | 192 | help |
| | 193 | The IPv6 NAT option allows masquerading, port forwarding and other |
| | 194 | forms of full Network Address Port Translation. It is controlled by |
| | 195 | the `nat' table in ip6tables, see the man page for ip6tables(8). |
| | 196 | |
| | 197 | To compile it as a module, choose M here. If unsure, say N. |
| | 198 | |
| | 199 | if NF_NAT_IPV6 |
| | 200 | |
| | 201 | config IP6_NF_TARGET_MASQUERADE |
| | 202 | tristate "MASQUERADE target support" |
| | 203 | help |
| | 204 | Masquerading is a special case of NAT: all outgoing connections are |
| | 205 | changed to seem to come from a particular interface's address, and |
| | 206 | if the interface goes down, those connections are lost. This is |
| | 207 | only useful for dialup accounts with dynamic IP address (ie. your IP |
| | 208 | address will be different on next dialup). |
| | 209 | |
| | 210 | To compile it as a module, choose M here. If unsure, say N. |
| | 211 | |
| b0041d1b PNA | 212 | config IP6_NF_TARGET_NPT |
| | 213 | tristate "NPT (Network Prefix translation) target support" |
| | 214 | help |
| | 215 | This option adds the `SNPT' and `DNPT' target, which perform |
| | 216 | stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296. |
| | 217 | |
| | 218 | To compile it as a module, choose M here. If unsure, say N. |
| | 219 | |
| | 220 | endif # NF_NAT_IPV6 |
| | 221 | |
| c2df73de JE | 222 | endif # IP6_NF_IPTABLES |
| | 223 | |
| 1da177e4 LT | 224 | endmenu |
| | 225 | |