Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | # |
| 2 | # IP netfilter configuration |
| 3 | # |
| 4 | |
| 5 | menu "IPv6: Netfilter Configuration (EXPERIMENTAL)" |
| 6 | depends on INET && IPV6 && NETFILTER && EXPERIMENTAL |
| 7 | |
| 8 | #tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP6_NF_CONNTRACK |
| 9 | #if [ "$CONFIG_IP6_NF_CONNTRACK" != "n" ]; then |
| 10 | # dep_tristate ' FTP protocol support' CONFIG_IP6_NF_FTP $CONFIG_IP6_NF_CONNTRACK |
| 11 | #fi |
| 12 | config IP6_NF_QUEUE |
| 13 | tristate "Userspace queueing via NETLINK" |
| 14 | ---help--- |
| 15 | |
| 16 | This option adds a queue handler to the kernel for IPv6 |
| 17 | packets which lets us receive the filtered packets |
| 18 | with the QUEUE target using libiptc, as we can do with |
| 19 | IPv4 now. |
| 20 | |
| 21 | (C) Fernando Anton 2001 |
| 22 | IPv64 Project - Work based in IPv64 draft by Arturo Azcorra. |
| 23 | Universidad Carlos III de Madrid |
| 24 | Universidad Politecnica de Alcala de Henares |
| 25 | email: <fanton@it.uc3m.es>. |
| 26 | |
| 27 | To compile it as a module, choose M here. If unsure, say N. |
| 28 | |
| 29 | config IP6_NF_IPTABLES |
| 30 | tristate "IP6 tables support (required for filtering/masq/NAT)" |
| 31 | help |
| 32 | ip6tables is a general, extensible packet identification framework. |
| 33 | Currently only the packet filtering and packet mangling subsystems |
| 34 | for IPv6 use this, but connection tracking is going to follow. |
| 35 | Say 'Y' or 'M' here if you want to use either of those. |
| 36 | |
| 37 | To compile it as a module, choose M here. If unsure, say N. |
| 38 | |
| 39 | # The simple matches. |
| 40 | config IP6_NF_MATCH_LIMIT |
| 41 | tristate "limit match support" |
| 42 | depends on IP6_NF_IPTABLES |
| 43 | help |
| 44 | limit matching allows you to control the rate at which a rule can be |
| 45 | matched: mainly useful in combination with the LOG target ("LOG |
| 46 | target support", below) and to avoid some Denial of Service attacks. |
| 47 | |
| 48 | To compile it as a module, choose M here. If unsure, say N. |
| 49 | |
| 50 | config IP6_NF_MATCH_MAC |
| 51 | tristate "MAC address match support" |
| 52 | depends on IP6_NF_IPTABLES |
| 53 | help |
| 54 | mac matching allows you to match packets based on the source |
| 55 | Ethernet address of the packet. |
| 56 | |
| 57 | To compile it as a module, choose M here. If unsure, say N. |
| 58 | |
| 59 | config IP6_NF_MATCH_RT |
| 60 | tristate "Routing header match support" |
| 61 | depends on IP6_NF_IPTABLES |
| 62 | help |
| 63 | rt matching allows you to match packets based on the routing |
| 64 | header of the packet. |
| 65 | |
| 66 | To compile it as a module, choose M here. If unsure, say N. |
| 67 | |
| 68 | config IP6_NF_MATCH_OPTS |
| 69 | tristate "Hop-by-hop and Dst opts header match support" |
| 70 | depends on IP6_NF_IPTABLES |
| 71 | help |
| 72 | This allows one to match packets based on the hop-by-hop |
| 73 | and destination options headers of a packet. |
| 74 | |
| 75 | To compile it as a module, choose M here. If unsure, say N. |
| 76 | |
| 77 | config IP6_NF_MATCH_FRAG |
| 78 | tristate "Fragmentation header match support" |
| 79 | depends on IP6_NF_IPTABLES |
| 80 | help |
| 81 | frag matching allows you to match packets based on the fragmentation |
| 82 | header of the packet. |
| 83 | |
| 84 | To compile it as a module, choose M here. If unsure, say N. |
| 85 | |
| 86 | config IP6_NF_MATCH_HL |
| 87 | tristate "HL match support" |
| 88 | depends on IP6_NF_IPTABLES |
| 89 | help |
| 90 | HL matching allows you to match packets based on the hop |
| 91 | limit of the packet. |
| 92 | |
| 93 | To compile it as a module, choose M here. If unsure, say N. |
| 94 | |
| 95 | config IP6_NF_MATCH_MULTIPORT |
| 96 | tristate "Multiple port match support" |
| 97 | depends on IP6_NF_IPTABLES |
| 98 | help |
| 99 | Multiport matching allows you to match TCP or UDP packets based on |
| 100 | a series of source or destination ports: normally a rule can only |
| 101 | match a single range of ports. |
| 102 | |
| 103 | To compile it as a module, choose M here. If unsure, say N. |
| 104 | |
| 105 | config IP6_NF_MATCH_OWNER |
| 106 | tristate "Owner match support" |
| 107 | depends on IP6_NF_IPTABLES |
| 108 | help |
| 109 | Packet owner matching allows you to match locally-generated packets |
| 110 | based on who created them: the user, group, process or session. |
| 111 | |
| 112 | To compile it as a module, choose M here. If unsure, say N. |
| 113 | |
| 114 | # dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES |
| 115 | config IP6_NF_MATCH_MARK |
| 116 | tristate "netfilter MARK match support" |
| 117 | depends on IP6_NF_IPTABLES |
| 118 | help |
| 119 | Netfilter mark matching allows you to match packets based on the |
| 120 | `nfmark' value in the packet. This can be set by the MARK target |
| 121 | (see below). |
| 122 | |
| 123 | To compile it as a module, choose M here. If unsure, say N. |
| 124 | |
| 125 | config IP6_NF_MATCH_IPV6HEADER |
| 126 | tristate "IPv6 Extension Headers Match" |
| 127 | depends on IP6_NF_IPTABLES |
| 128 | help |
| 129 | This module allows one to match packets based upon |
| 130 | the ipv6 extension headers. |
| 131 | |
| 132 | To compile it as a module, choose M here. If unsure, say N. |
| 133 | |
| 134 | config IP6_NF_MATCH_AHESP |
| 135 | tristate "AH/ESP match support" |
| 136 | depends on IP6_NF_IPTABLES |
| 137 | help |
| 138 | This module allows one to match AH and ESP packets. |
| 139 | |
| 140 | To compile it as a module, choose M here. If unsure, say N. |
| 141 | |
| 142 | config IP6_NF_MATCH_LENGTH |
| 143 | tristate "Packet Length match support" |
| 144 | depends on IP6_NF_IPTABLES |
| 145 | help |
| 146 | This option allows you to match the length of a packet against a |
| 147 | specific value or range of values. |
| 148 | |
| 149 | To compile it as a module, choose M here. If unsure, say N. |
| 150 | |
| 151 | config IP6_NF_MATCH_EUI64 |
| 152 | tristate "EUI64 address check" |
| 153 | depends on IP6_NF_IPTABLES |
| 154 | help |
| 155 | This module checks the IPv6 source address: it compares |
| 156 | the last 64 bits with the EUI64 address (derived |
| 157 | from the MAC address). |
| 158 | |
| 159 | To compile it as a module, choose M here. If unsure, say N. |
| 160 | |
| 161 | config IP6_NF_MATCH_PHYSDEV |
| 162 | tristate "Physdev match support" |
| 163 | depends on IP6_NF_IPTABLES && BRIDGE_NETFILTER |
| 164 | help |
| 165 | Physdev packet matching matches against the physical bridge ports |
| 166 | the IP packet arrived on or will leave by. |
| 167 | |
| 168 | To compile it as a module, choose M here. If unsure, say N. |
| 169 | |
| 170 | # dep_tristate ' Multiple port match support' CONFIG_IP6_NF_MATCH_MULTIPORT $CONFIG_IP6_NF_IPTABLES |
| 171 | # dep_tristate ' TOS match support' CONFIG_IP6_NF_MATCH_TOS $CONFIG_IP6_NF_IPTABLES |
| 172 | # if [ "$CONFIG_IP6_NF_CONNTRACK" != "n" ]; then |
| 173 | # dep_tristate ' Connection state match support' CONFIG_IP6_NF_MATCH_STATE $CONFIG_IP6_NF_CONNTRACK $CONFIG_IP6_NF_IPTABLES |
| 174 | # fi |
| 175 | # if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then |
| 176 | # dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_UNCLEAN $CONFIG_IP6_NF_IPTABLES |
| 177 | # dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_OWNER $CONFIG_IP6_NF_IPTABLES |
| 178 | # fi |
| 179 | # The targets |
| 180 | config IP6_NF_FILTER |
| 181 | tristate "Packet filtering" |
| 182 | depends on IP6_NF_IPTABLES |
| 183 | help |
| 184 | Packet filtering defines a table `filter', which has a series of |
| 185 | rules for simple packet filtering at local input, forwarding and |
| 186 | local output. See the man page for iptables(8). |
| 187 | |
| 188 | To compile it as a module, choose M here. If unsure, say N. |
| 189 | |
| 190 | config IP6_NF_TARGET_LOG |
| 191 | tristate "LOG target support" |
| 192 | depends on IP6_NF_FILTER |
| 193 | help |
| 194 | This option adds a `LOG' target, which allows you to create rules, in |
| 195 | any iptables table, which record the packet header to the syslog. |
| 196 | |
| 197 | To compile it as a module, choose M here. If unsure, say N. |
| 198 | |
| 199 | # if [ "$CONFIG_IP6_NF_FILTER" != "n" ]; then |
| 200 | # dep_tristate ' REJECT target support' CONFIG_IP6_NF_TARGET_REJECT $CONFIG_IP6_NF_FILTER |
| 201 | # if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then |
| 202 | # dep_tristate ' MIRROR target support (EXPERIMENTAL)' CONFIG_IP6_NF_TARGET_MIRROR $CONFIG_IP6_NF_FILTER |
| 203 | # fi |
| 204 | # fi |
| 205 | config IP6_NF_MANGLE |
| 206 | tristate "Packet mangling" |
| 207 | depends on IP6_NF_IPTABLES |
| 208 | help |
| 209 | This option adds a `mangle' table to iptables: see the man page for |
| 210 | iptables(8). This table is used for various packet alterations |
| 211 | which can affect how the packet is routed. |
| 212 | |
| 213 | To compile it as a module, choose M here. If unsure, say N. |
| 214 | |
| 215 | # dep_tristate ' TOS target support' CONFIG_IP6_NF_TARGET_TOS $CONFIG_IP_NF_MANGLE |
| 216 | config IP6_NF_TARGET_MARK |
| 217 | tristate "MARK target support" |
| 218 | depends on IP6_NF_MANGLE |
| 219 | help |
| 220 | This option adds a `MARK' target, which allows you to create rules |
| 221 | in the `mangle' table which alter the netfilter mark (nfmark) field |
| 222 | associated with the packet prior to routing. This can change |
| 223 | the routing method (see `Use netfilter MARK value as routing |
| 224 | key') and can also be used by other subsystems to change their |
| 225 | behavior. |
| 226 | |
| 227 | To compile it as a module, choose M here. If unsure, say N. |
| 228 | |
| 229 | #dep_tristate ' LOG target support' CONFIG_IP6_NF_TARGET_LOG $CONFIG_IP6_NF_IPTABLES |
| 230 | config IP6_NF_RAW |
| 231 | tristate 'raw table support (required for TRACE)' |
| 232 | depends on IP6_NF_IPTABLES |
| 233 | help |
| 234 | This option adds a `raw' table to ip6tables. This table is the very |
| 235 | first in the netfilter framework and hooks in at the PREROUTING |
| 236 | and OUTPUT chains. |
| 237 | |
| 238 | If you want to compile it as a module, say M here and read |
| 239 | <file:Documentation/modules.txt>. If unsure, say `N'. |
| 240 | |
| 241 | endmenu |
| 242 | |