Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | # |
| 2 | # IP netfilter configuration |
| 3 | # |
| 4 | |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 5 | menu "IPv6: Netfilter Configuration" |
| 6 | depends on INET && IPV6 && NETFILTER |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 7 | |
KOVACS Krisztian | f6318e5 | 2010-10-24 23:38:32 +0000 | [diff] [blame] | 8 | config NF_DEFRAG_IPV6 |
| 9 | tristate |
| 10 | default n |
| 11 | |
Yasuyuki Kozakai | 9bdf87d | 2005-11-14 15:26:58 -0800 | [diff] [blame] | 12 | config NF_CONNTRACK_IPV6 |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 13 | tristate "IPv6 connection tracking support" |
| 14 | depends on INET && IPV6 && NF_CONNTRACK |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 15 | default m if NETFILTER_ADVANCED=n |
KOVACS Krisztian | f6318e5 | 2010-10-24 23:38:32 +0000 | [diff] [blame] | 16 | select NF_DEFRAG_IPV6 |
Yasuyuki Kozakai | 9bdf87d | 2005-11-14 15:26:58 -0800 | [diff] [blame] | 17 | ---help--- |
| 18 | Connection tracking keeps a record of what packets have passed |
| 19 | through your machine, in order to figure out how they are related |
| 20 | into connections. |
| 21 | |
| 22 | This is IPv6 support on Layer 3 independent connection tracking. |
| 23 | Layer 3 independent connection tracking is experimental scheme |
| 24 | which generalize ip_conntrack to support other layer 3 protocols. |
| 25 | |
| 26 | To compile it as a module, choose M here. If unsure, say N. |
| 27 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 28 | config IP6_NF_IPTABLES |
Patrick McHardy | 844dc7c | 2006-10-30 15:12:16 -0800 | [diff] [blame] | 29 | tristate "IP6 tables support (required for filtering)" |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 30 | depends on INET && IPV6 |
Patrick McHardy | a3c941b | 2007-02-12 11:15:02 -0800 | [diff] [blame] | 31 | select NETFILTER_XTABLES |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 32 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 33 | help |
| 34 | ip6tables is a general, extensible packet identification framework. |
| 35 | Currently only the packet filtering and packet mangling subsystem |
| 36 | for IPv6 use this, but connection tracking is going to follow. |
| 37 | Say 'Y' or 'M' here if you want to use either of those. |
| 38 | |
| 39 | To compile it as a module, choose M here. If unsure, say N. |
| 40 | |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 41 | if IP6_NF_IPTABLES |
| 42 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 43 | # The simple matches. |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 44 | config IP6_NF_MATCH_AH |
| 45 | tristate '"ah" match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 46 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 47 | help |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 48 | This module allows one to match AH packets. |
| 49 | |
| 50 | To compile it as a module, choose M here. If unsure, say N. |
| 51 | |
| 52 | config IP6_NF_MATCH_EUI64 |
| 53 | tristate '"eui64" address check' |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 54 | depends on NETFILTER_ADVANCED |
| 55 | help |
| 56 | This module performs checking on the IPv6 source address |
| 57 | Compares the last 64 bits with the EUI64 (delivered |
| 58 | from the MAC address) address |
| 59 | |
| 60 | To compile it as a module, choose M here. If unsure, say N. |
| 61 | |
| 62 | config IP6_NF_MATCH_FRAG |
| 63 | tristate '"frag" Fragmentation header match support' |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 64 | depends on NETFILTER_ADVANCED |
| 65 | help |
| 66 | frag matching allows you to match packets based on the fragmentation |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 67 | header of the packet. |
| 68 | |
| 69 | To compile it as a module, choose M here. If unsure, say N. |
| 70 | |
| 71 | config IP6_NF_MATCH_OPTS |
Jan Engelhardt | 77d7358 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 72 | tristate '"hbh" hop-by-hop and "dst" opts header match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 73 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 74 | help |
| 75 | This allows one to match packets based on the hop-by-hop |
| 76 | and destination options headers of a packet. |
| 77 | |
| 78 | To compile it as a module, choose M here. If unsure, say N. |
| 79 | |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 80 | config IP6_NF_MATCH_HL |
| 81 | tristate '"hl" hoplimit match support' |
| 82 | depends on NETFILTER_ADVANCED |
| 83 | select NETFILTER_XT_MATCH_HL |
| 84 | ---help--- |
| 85 | This is a backwards-compat option for the user's convenience |
| 86 | (e.g. when running oldconfig). It selects |
Jan Engelhardt | 8dd1d04 | 2009-03-24 13:35:27 -0700 | [diff] [blame] | 87 | CONFIG_NETFILTER_XT_MATCH_HL. |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 88 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 89 | config IP6_NF_MATCH_IPV6HEADER |
Jan Engelhardt | 4c37799 | 2007-12-04 23:31:59 -0800 | [diff] [blame] | 90 | tristate '"ipv6header" IPv6 Extension Headers Match' |
Linus Torvalds | 44c45eb | 2008-01-31 00:26:10 +1100 | [diff] [blame] | 91 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 92 | help |
| 93 | This module allows one to match packets based upon |
| 94 | the ipv6 extension headers. |
| 95 | |
| 96 | To compile it as a module, choose M here. If unsure, say N. |
| 97 | |
Masahide NAKAMURA | a0ca215 | 2007-02-07 15:12:57 -0800 | [diff] [blame] | 98 | config IP6_NF_MATCH_MH |
Jan Engelhardt | 4c37799 | 2007-12-04 23:31:59 -0800 | [diff] [blame] | 99 | tristate '"mh" match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 100 | depends on NETFILTER_ADVANCED |
Masahide NAKAMURA | a0ca215 | 2007-02-07 15:12:57 -0800 | [diff] [blame] | 101 | help |
| 102 | This module allows one to match MH packets. |
| 103 | |
| 104 | To compile it as a module, choose M here. If unsure, say N. |
| 105 | |
Florian Westphal | e26f9a4 | 2011-08-19 13:52:40 +0200 | [diff] [blame] | 106 | config IP6_NF_MATCH_RPFILTER |
| 107 | tristate '"rpfilter" reverse path filter match support' |
Florian Westphal | d37d696 | 2013-04-17 22:45:25 +0000 | [diff] [blame] | 108 | depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW) |
Florian Westphal | e26f9a4 | 2011-08-19 13:52:40 +0200 | [diff] [blame] | 109 | ---help--- |
| 110 | This option allows you to match packets whose replies would |
| 111 | go out via the interface the packet came in. |
| 112 | |
| 113 | To compile it as a module, choose M here. If unsure, say N. |
| 114 | The module will be called ip6t_rpfilter. |
| 115 | |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 116 | config IP6_NF_MATCH_RT |
| 117 | tristate '"rt" Routing header match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 118 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 119 | help |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 120 | rt matching allows you to match packets based on the routing |
| 121 | header of the packet. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 122 | |
| 123 | To compile it as a module, choose M here. If unsure, say N. |
| 124 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 125 | # The targets |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 126 | config IP6_NF_TARGET_HL |
| 127 | tristate '"HL" hoplimit target support' |
Randy Dunlap | 76b6717 | 2010-10-18 11:13:30 +0200 | [diff] [blame] | 128 | depends on NETFILTER_ADVANCED && IP6_NF_MANGLE |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 129 | select NETFILTER_XT_TARGET_HL |
| 130 | ---help--- |
Randy Dunlap | 76b6717 | 2010-10-18 11:13:30 +0200 | [diff] [blame] | 131 | This is a backwards-compatible option for the user's convenience |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 132 | (e.g. when running oldconfig). It selects |
Jan Engelhardt | 8dd1d04 | 2009-03-24 13:35:27 -0700 | [diff] [blame] | 133 | CONFIG_NETFILTER_XT_TARGET_HL. |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 134 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 135 | config IP6_NF_FILTER |
| 136 | tristate "Packet filtering" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 137 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 138 | help |
| 139 | Packet filtering defines a table `filter', which has a series of |
| 140 | rules for simple packet filtering at local input, forwarding and |
| 141 | local output. See the man page for iptables(8). |
| 142 | |
| 143 | To compile it as a module, choose M here. If unsure, say N. |
| 144 | |
Patrick McHardy | 764d8a9 | 2005-08-21 23:31:06 -0700 | [diff] [blame] | 145 | config IP6_NF_TARGET_REJECT |
| 146 | tristate "REJECT target support" |
| 147 | depends on IP6_NF_FILTER |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 148 | default m if NETFILTER_ADVANCED=n |
Patrick McHardy | 764d8a9 | 2005-08-21 23:31:06 -0700 | [diff] [blame] | 149 | help |
| 150 | The REJECT target allows a filtering rule to specify that an ICMPv6 |
| 151 | error should be issued in response to an incoming packet, rather |
| 152 | than silently being dropped. |
| 153 | |
| 154 | To compile it as a module, choose M here. If unsure, say N. |
| 155 | |
Patrick McHardy | 4ad3622 | 2013-08-27 08:50:16 +0200 | [diff] [blame] | 156 | config IP6_NF_TARGET_SYNPROXY |
| 157 | tristate "SYNPROXY target support" |
| 158 | depends on NF_CONNTRACK && NETFILTER_ADVANCED |
| 159 | select NETFILTER_SYNPROXY |
| 160 | select SYN_COOKIES |
| 161 | help |
| 162 | The SYNPROXY target allows you to intercept TCP connections and |
| 163 | establish them using syncookies before they are passed on to the |
| 164 | server. This allows to avoid conntrack and server resource usage |
| 165 | during SYN-flood attacks. |
| 166 | |
| 167 | To compile it as a module, choose M here. If unsure, say N. |
| 168 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 169 | config IP6_NF_MANGLE |
| 170 | tristate "Packet mangling" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 171 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 172 | help |
| 173 | This option adds a `mangle' table to iptables: see the man page for |
| 174 | iptables(8). This table is used for various packet alterations |
| 175 | which can effect how the packet is routed. |
| 176 | |
| 177 | To compile it as a module, choose M here. If unsure, say N. |
| 178 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 179 | config IP6_NF_RAW |
| 180 | tristate 'raw table support (required for TRACE)' |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 181 | help |
| 182 | This option adds a `raw' table to ip6tables. This table is the very |
| 183 | first in the netfilter framework and hooks in at the PREROUTING |
| 184 | and OUTPUT chains. |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 185 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 186 | If you want to compile it as a module, say M here and read |
Alexander E. Patrakov | 39f5fb3 | 2007-03-16 18:28:43 +0500 | [diff] [blame] | 187 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 188 | |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 189 | # security table for MAC policy |
| 190 | config IP6_NF_SECURITY |
| 191 | tristate "Security table" |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 192 | depends on SECURITY |
Patrick McHardy | 70eed75 | 2008-07-23 16:42:42 -0700 | [diff] [blame] | 193 | depends on NETFILTER_ADVANCED |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 194 | help |
| 195 | This option adds a `security' table to iptables, for use |
| 196 | with Mandatory Access Control (MAC) policy. |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 197 | |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 198 | If unsure, say N. |
| 199 | |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 200 | config NF_NAT_IPV6 |
| 201 | tristate "IPv6 NAT" |
| 202 | depends on NF_CONNTRACK_IPV6 |
| 203 | depends on NETFILTER_ADVANCED |
| 204 | select NF_NAT |
| 205 | help |
| 206 | The IPv6 NAT option allows masquerading, port forwarding and other |
| 207 | forms of full Network Address Port Translation. It is controlled by |
| 208 | the `nat' table in ip6tables, see the man page for ip6tables(8). |
| 209 | |
| 210 | To compile it as a module, choose M here. If unsure, say N. |
| 211 | |
| 212 | if NF_NAT_IPV6 |
| 213 | |
| 214 | config IP6_NF_TARGET_MASQUERADE |
| 215 | tristate "MASQUERADE target support" |
| 216 | help |
| 217 | Masquerading is a special case of NAT: all outgoing connections are |
| 218 | changed to seem to come from a particular interface's address, and |
| 219 | if the interface goes down, those connections are lost. This is |
| 220 | only useful for dialup accounts with dynamic IP address (ie. your IP |
| 221 | address will be different on next dialup). |
| 222 | |
| 223 | To compile it as a module, choose M here. If unsure, say N. |
| 224 | |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 225 | config IP6_NF_TARGET_NPT |
| 226 | tristate "NPT (Network Prefix translation) target support" |
| 227 | help |
| 228 | This option adds the `SNPT' and `DNPT' target, which perform |
| 229 | stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296. |
| 230 | |
| 231 | To compile it as a module, choose M here. If unsure, say N. |
| 232 | |
| 233 | endif # NF_NAT_IPV6 |
| 234 | |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 235 | endif # IP6_NF_IPTABLES |
| 236 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 237 | endmenu |
| 238 | |