Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 521de51871fdb89b8530ddd694401d689e1f94ad / . / net / ipv6 / netfilter / Kconfig
blob: 448464844a253474fed5624f75c68c9bb33cd98e [file] [log] [blame]
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]1#
2# IP netfilter configuration
3#
4
Patrick McHardy8ce22fc2008-01-14 23:31:36 -0800[diff] [blame]5menu "IPv6: Netfilter Configuration"
6 depends on INET && IPV6 && NETFILTER
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]7
KOVACS Krisztianf6318e52010-10-24 23:38:32 +0000[diff] [blame]8config NF_DEFRAG_IPV6
9 tristate
10 default n
11
Yasuyuki Kozakai9bdf87d2005-11-14 15:26:58 -0800[diff] [blame]12config NF_CONNTRACK_IPV6
Patrick McHardy8ce22fc2008-01-14 23:31:36 -0800[diff] [blame]13 tristate "IPv6 connection tracking support"
14 depends on INET && IPV6 && NF_CONNTRACK
Patrick McHardy33b8e772007-12-17 22:47:05 -0800[diff] [blame]15 default m if NETFILTER_ADVANCED=n
KOVACS Krisztianf6318e52010-10-24 23:38:32 +0000[diff] [blame]16 select NF_DEFRAG_IPV6
Yasuyuki Kozakai9bdf87d2005-11-14 15:26:58 -0800[diff] [blame]17 ---help---
18 Connection tracking keeps a record of what packets have passed
19 through your machine, in order to figure out how they are related
20 into connections.
21
22 This is IPv6 support on Layer 3 independent connection tracking.
23 Layer 3 independent connection tracking is experimental scheme
24 which generalize ip_conntrack to support other layer 3 protocols.
25
26 To compile it as a module, choose M here. If unsure, say N.
27
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]28config IP6_NF_QUEUE
Harald Welte7af4cc32005-08-09 19:44:15 -0700[diff] [blame]29 tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
Patrick McHardy8ce22fc2008-01-14 23:31:36 -0800[diff] [blame]30 depends on INET && IPV6 && NETFILTER
Patrick McHardy33b8e772007-12-17 22:47:05 -0800[diff] [blame]31 depends on NETFILTER_ADVANCED
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]32 ---help---
33
34 This option adds a queue handler to the kernel for IPv6
Harald Welte7af4cc32005-08-09 19:44:15 -0700[diff] [blame]35 packets which enables users to receive the filtered packets
36 with QUEUE target using libipq.
37
David Sterba3dde6ad2007-05-09 07:12:20 +0200[diff] [blame]38 This option enables the old IPv6-only "ip6_queue" implementation
Harald Welte7af4cc32005-08-09 19:44:15 -0700[diff] [blame]39 which has been obsoleted by the new "nfnetlink_queue" code (see
40 CONFIG_NETFILTER_NETLINK_QUEUE).
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]41
42 (C) Fernando Anton 2001
43 IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
44 Universidad Carlos III de Madrid
45 Universidad Politecnica de Alcala de Henares
46 email: <fanton@it.uc3m.es>.
47
48 To compile it as a module, choose M here. If unsure, say N.
49
50config IP6_NF_IPTABLES
Patrick McHardy844dc7c2006-10-30 15:12:16 -0800[diff] [blame]51 tristate "IP6 tables support (required for filtering)"
Patrick McHardy8ce22fc2008-01-14 23:31:36 -0800[diff] [blame]52 depends on INET && IPV6
Patrick McHardya3c941b2007-02-12 11:15:02 -0800[diff] [blame]53 select NETFILTER_XTABLES
Patrick McHardy33b8e772007-12-17 22:47:05 -0800[diff] [blame]54 default m if NETFILTER_ADVANCED=n
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]55 help
56 ip6tables is a general, extensible packet identification framework.
57 Currently only the packet filtering and packet mangling subsystem
58 for IPv6 use this, but connection tracking is going to follow.
59 Say 'Y' or 'M' here if you want to use either of those.
60
61 To compile it as a module, choose M here. If unsure, say N.
62
Jan Engelhardtc2df73d2008-10-08 11:35:18 +0200[diff] [blame]63if IP6_NF_IPTABLES
64
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]65# The simple matches.
Jan Engelhardtaba0d342008-10-08 11:35:17 +0200[diff] [blame]66config IP6_NF_MATCH_AH
67 tristate '"ah" match support'
Patrick McHardy33b8e772007-12-17 22:47:05 -0800[diff] [blame]68 depends on NETFILTER_ADVANCED
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]69 help
Jan Engelhardtaba0d342008-10-08 11:35:17 +0200[diff] [blame]70 This module allows one to match AH packets.
71
72 To compile it as a module, choose M here. If unsure, say N.
73
74config IP6_NF_MATCH_EUI64
75 tristate '"eui64" address check'
Jan Engelhardtaba0d342008-10-08 11:35:17 +0200[diff] [blame]76 depends on NETFILTER_ADVANCED
77 help
78 This module performs checking on the IPv6 source address
79 Compares the last 64 bits with the EUI64 (delivered
80 from the MAC address) address
81
82 To compile it as a module, choose M here. If unsure, say N.
83
84config IP6_NF_MATCH_FRAG
85 tristate '"frag" Fragmentation header match support'
Jan Engelhardtaba0d342008-10-08 11:35:17 +0200[diff] [blame]86 depends on NETFILTER_ADVANCED
87 help
88 frag matching allows you to match packets based on the fragmentation
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]89 header of the packet.
90
91 To compile it as a module, choose M here. If unsure, say N.
92
93config IP6_NF_MATCH_OPTS
Jan Engelhardt77d73582008-10-08 11:35:17 +0200[diff] [blame]94 tristate '"hbh" hop-by-hop and "dst" opts header match support'
Patrick McHardy33b8e772007-12-17 22:47:05 -0800[diff] [blame]95 depends on NETFILTER_ADVANCED
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]96 help
97 This allows one to match packets based on the hop-by-hop
98 and destination options headers of a packet.
99
100 To compile it as a module, choose M here. If unsure, say N.
101
Jan Engelhardt43233622009-02-19 11:16:03 +0100[diff] [blame]102config IP6_NF_MATCH_HL
103 tristate '"hl" hoplimit match support'
104 depends on NETFILTER_ADVANCED
105 select NETFILTER_XT_MATCH_HL
106 ---help---
107 This is a backwards-compat option for the user's convenience
108 (e.g. when running oldconfig). It selects
Jan Engelhardt8dd1d042009-03-24 13:35:27 -0700[diff] [blame]109 CONFIG_NETFILTER_XT_MATCH_HL.
Jan Engelhardt43233622009-02-19 11:16:03 +0100[diff] [blame]110
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]111config IP6_NF_MATCH_IPV6HEADER
Jan Engelhardt4c377992007-12-04 23:31:59 -0800[diff] [blame]112 tristate '"ipv6header" IPv6 Extension Headers Match'
Linus Torvalds44c45eb2008-01-31 00:26:10 +1100[diff] [blame]113 default m if NETFILTER_ADVANCED=n
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]114 help
115 This module allows one to match packets based upon
116 the ipv6 extension headers.
117
118 To compile it as a module, choose M here. If unsure, say N.
119
Masahide NAKAMURAa0ca2152007-02-07 15:12:57 -0800[diff] [blame]120config IP6_NF_MATCH_MH
Jan Engelhardt4c377992007-12-04 23:31:59 -0800[diff] [blame]121 tristate '"mh" match support'
Patrick McHardy33b8e772007-12-17 22:47:05 -0800[diff] [blame]122 depends on NETFILTER_ADVANCED
Masahide NAKAMURAa0ca2152007-02-07 15:12:57 -0800[diff] [blame]123 help
124 This module allows one to match MH packets.
125
126 To compile it as a module, choose M here. If unsure, say N.
127
Jan Engelhardtaba0d342008-10-08 11:35:17 +0200[diff] [blame]128config IP6_NF_MATCH_RT
129 tristate '"rt" Routing header match support'
Patrick McHardy33b8e772007-12-17 22:47:05 -0800[diff] [blame]130 depends on NETFILTER_ADVANCED
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]131 help
Jan Engelhardtaba0d342008-10-08 11:35:17 +0200[diff] [blame]132 rt matching allows you to match packets based on the routing
133 header of the packet.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]134
135 To compile it as a module, choose M here. If unsure, say N.
136
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]137# The targets
Jan Engelhardt43233622009-02-19 11:16:03 +0100[diff] [blame]138config IP6_NF_TARGET_HL
139 tristate '"HL" hoplimit target support'
Randy Dunlap76b67172010-10-18 11:13:30 +0200[diff] [blame]140 depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
Jan Engelhardt43233622009-02-19 11:16:03 +0100[diff] [blame]141 select NETFILTER_XT_TARGET_HL
142 ---help---
Randy Dunlap76b67172010-10-18 11:13:30 +0200[diff] [blame]143 This is a backwards-compatible option for the user's convenience
Jan Engelhardt43233622009-02-19 11:16:03 +0100[diff] [blame]144 (e.g. when running oldconfig). It selects
Jan Engelhardt8dd1d042009-03-24 13:35:27 -0700[diff] [blame]145 CONFIG_NETFILTER_XT_TARGET_HL.
Jan Engelhardt43233622009-02-19 11:16:03 +0100[diff] [blame]146
Jan Engelhardt2203eb42008-10-08 11:35:17 +0200[diff] [blame]147config IP6_NF_TARGET_LOG
148 tristate "LOG target support"
Jan Engelhardt2203eb42008-10-08 11:35:17 +0200[diff] [blame]149 default m if NETFILTER_ADVANCED=n
150 help
151 This option adds a `LOG' target, which allows you to create rules in
152 any iptables table which records the packet header to the syslog.
153
154 To compile it as a module, choose M here. If unsure, say N.
155
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]156config IP6_NF_FILTER
157 tristate "Packet filtering"
Patrick McHardy33b8e772007-12-17 22:47:05 -0800[diff] [blame]158 default m if NETFILTER_ADVANCED=n
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]159 help
160 Packet filtering defines a table `filter', which has a series of
161 rules for simple packet filtering at local input, forwarding and
162 local output. See the man page for iptables(8).
163
164 To compile it as a module, choose M here. If unsure, say N.
165
Patrick McHardy764d8a92005-08-21 23:31:06 -0700[diff] [blame]166config IP6_NF_TARGET_REJECT
167 tristate "REJECT target support"
168 depends on IP6_NF_FILTER
Patrick McHardy33b8e772007-12-17 22:47:05 -0800[diff] [blame]169 default m if NETFILTER_ADVANCED=n
Patrick McHardy764d8a92005-08-21 23:31:06 -0700[diff] [blame]170 help
171 The REJECT target allows a filtering rule to specify that an ICMPv6
172 error should be issued in response to an incoming packet, rather
173 than silently being dropped.
174
175 To compile it as a module, choose M here. If unsure, say N.
176
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]177config IP6_NF_MANGLE
178 tristate "Packet mangling"
Patrick McHardy33b8e772007-12-17 22:47:05 -0800[diff] [blame]179 default m if NETFILTER_ADVANCED=n
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]180 help
181 This option adds a `mangle' table to iptables: see the man page for
182 iptables(8). This table is used for various packet alterations
183 which can effect how the packet is routed.
184
185 To compile it as a module, choose M here. If unsure, say N.
186
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]187config IP6_NF_RAW
188 tristate 'raw table support (required for TRACE)'
Patrick McHardy33b8e772007-12-17 22:47:05 -0800[diff] [blame]189 depends on NETFILTER_ADVANCED
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]190 help
191 This option adds a `raw' table to ip6tables. This table is the very
192 first in the netfilter framework and hooks in at the PREROUTING
193 and OUTPUT chains.
Patrick McHardy33b8e772007-12-17 22:47:05 -0800[diff] [blame]194
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]195 If you want to compile it as a module, say M here and read
Alexander E. Patrakov39f5fb32007-03-16 18:28:43 +0500[diff] [blame]196 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]197
James Morris17e6e592008-06-09 15:58:05 -0700[diff] [blame]198# security table for MAC policy
199config IP6_NF_SECURITY
200 tristate "Security table"
James Morris17e6e592008-06-09 15:58:05 -0700[diff] [blame]201 depends on SECURITY
Patrick McHardy70eed752008-07-23 16:42:42 -0700[diff] [blame]202 depends on NETFILTER_ADVANCED
James Morris17e6e592008-06-09 15:58:05 -0700[diff] [blame]203 help
204 This option adds a `security' table to iptables, for use
205 with Mandatory Access Control (MAC) policy.
206
207 If unsure, say N.
208
Jan Engelhardtc2df73d2008-10-08 11:35:18 +0200[diff] [blame]209endif # IP6_NF_IPTABLES
210
Linus Torvalds1da177e2005-04-16 15:20:36 -0700[diff] [blame]211endmenu
212