Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | # |
| 2 | # IP netfilter configuration |
| 3 | # |
| 4 | |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 5 | menu "IPv6: Netfilter Configuration" |
| 6 | depends on INET && IPV6 && NETFILTER |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 7 | |
KOVACS Krisztian | f6318e5 | 2010-10-24 23:38:32 +0000 | [diff] [blame] | 8 | config NF_DEFRAG_IPV6 |
| 9 | tristate |
| 10 | default n |
| 11 | |
Yasuyuki Kozakai | 9bdf87d | 2005-11-14 15:26:58 -0800 | [diff] [blame] | 12 | config NF_CONNTRACK_IPV6 |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 13 | tristate "IPv6 connection tracking support" |
| 14 | depends on INET && IPV6 && NF_CONNTRACK |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 15 | default m if NETFILTER_ADVANCED=n |
KOVACS Krisztian | f6318e5 | 2010-10-24 23:38:32 +0000 | [diff] [blame] | 16 | select NF_DEFRAG_IPV6 |
Yasuyuki Kozakai | 9bdf87d | 2005-11-14 15:26:58 -0800 | [diff] [blame] | 17 | ---help--- |
| 18 | Connection tracking keeps a record of what packets have passed |
| 19 | through your machine, in order to figure out how they are related |
| 20 | into connections. |
| 21 | |
| 22 | This is IPv6 support on Layer 3 independent connection tracking. |
| 23 | Layer 3 independent connection tracking is experimental scheme |
| 24 | which generalize ip_conntrack to support other layer 3 protocols. |
| 25 | |
| 26 | To compile it as a module, choose M here. If unsure, say N. |
| 27 | |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 28 | config NF_TABLES_IPV6 |
| 29 | depends on NF_TABLES |
| 30 | tristate "IPv6 nf_tables support" |
Pablo Neira Ayuso | d497c63 | 2013-12-30 15:09:18 +0100 | [diff] [blame] | 31 | help |
| 32 | This option enables the IPv6 support for nf_tables. |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 33 | |
Pablo Neira Ayuso | 9370761 | 2013-10-10 23:21:26 +0200 | [diff] [blame] | 34 | config NFT_CHAIN_ROUTE_IPV6 |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 35 | depends on NF_TABLES_IPV6 |
Pablo Neira Ayuso | 9370761 | 2013-10-10 23:21:26 +0200 | [diff] [blame] | 36 | tristate "IPv6 nf_tables route chain support" |
Pablo Neira Ayuso | d497c63 | 2013-12-30 15:09:18 +0100 | [diff] [blame] | 37 | help |
| 38 | This option enables the "route" chain for IPv6 in nf_tables. This |
| 39 | chain type is used to force packet re-routing after mangling header |
| 40 | fields such as the source, destination, flowlabel, hop-limit and |
| 41 | the packet mark. |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 42 | |
Tomasz Bursztyka | eb31628 | 2013-10-10 13:39:19 +0200 | [diff] [blame] | 43 | config NFT_CHAIN_NAT_IPV6 |
| 44 | depends on NF_TABLES_IPV6 |
| 45 | depends on NF_NAT_IPV6 && NFT_NAT |
| 46 | tristate "IPv6 nf_tables nat chain support" |
Pablo Neira Ayuso | d497c63 | 2013-12-30 15:09:18 +0100 | [diff] [blame] | 47 | help |
| 48 | This option enables the "nat" chain for IPv6 in nf_tables. This |
| 49 | chain type is used to perform Network Address Translation (NAT) |
| 50 | packet transformations such as the source, destination address and |
| 51 | source and destination ports. |
Tomasz Bursztyka | eb31628 | 2013-10-10 13:39:19 +0200 | [diff] [blame] | 52 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 53 | config IP6_NF_IPTABLES |
Patrick McHardy | 844dc7c | 2006-10-30 15:12:16 -0800 | [diff] [blame] | 54 | tristate "IP6 tables support (required for filtering)" |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 55 | depends on INET && IPV6 |
Patrick McHardy | a3c941b | 2007-02-12 11:15:02 -0800 | [diff] [blame] | 56 | select NETFILTER_XTABLES |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 57 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 58 | help |
| 59 | ip6tables is a general, extensible packet identification framework. |
| 60 | Currently only the packet filtering and packet mangling subsystem |
| 61 | for IPv6 use this, but connection tracking is going to follow. |
| 62 | Say 'Y' or 'M' here if you want to use either of those. |
| 63 | |
| 64 | To compile it as a module, choose M here. If unsure, say N. |
| 65 | |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 66 | if IP6_NF_IPTABLES |
| 67 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 68 | # The simple matches. |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 69 | config IP6_NF_MATCH_AH |
| 70 | tristate '"ah" match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 71 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 72 | help |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 73 | This module allows one to match AH packets. |
| 74 | |
| 75 | To compile it as a module, choose M here. If unsure, say N. |
| 76 | |
| 77 | config IP6_NF_MATCH_EUI64 |
| 78 | tristate '"eui64" address check' |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 79 | depends on NETFILTER_ADVANCED |
| 80 | help |
| 81 | This module performs checking on the IPv6 source address |
| 82 | Compares the last 64 bits with the EUI64 (delivered |
| 83 | from the MAC address) address |
| 84 | |
| 85 | To compile it as a module, choose M here. If unsure, say N. |
| 86 | |
| 87 | config IP6_NF_MATCH_FRAG |
| 88 | tristate '"frag" Fragmentation header match support' |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 89 | depends on NETFILTER_ADVANCED |
| 90 | help |
| 91 | frag matching allows you to match packets based on the fragmentation |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 92 | header of the packet. |
| 93 | |
| 94 | To compile it as a module, choose M here. If unsure, say N. |
| 95 | |
| 96 | config IP6_NF_MATCH_OPTS |
Jan Engelhardt | 77d7358 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 97 | tristate '"hbh" hop-by-hop and "dst" opts header match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 98 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 99 | help |
| 100 | This allows one to match packets based on the hop-by-hop |
| 101 | and destination options headers of a packet. |
| 102 | |
| 103 | To compile it as a module, choose M here. If unsure, say N. |
| 104 | |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 105 | config IP6_NF_MATCH_HL |
| 106 | tristate '"hl" hoplimit match support' |
| 107 | depends on NETFILTER_ADVANCED |
| 108 | select NETFILTER_XT_MATCH_HL |
| 109 | ---help--- |
| 110 | This is a backwards-compat option for the user's convenience |
| 111 | (e.g. when running oldconfig). It selects |
Jan Engelhardt | 8dd1d04 | 2009-03-24 13:35:27 -0700 | [diff] [blame] | 112 | CONFIG_NETFILTER_XT_MATCH_HL. |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 113 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 114 | config IP6_NF_MATCH_IPV6HEADER |
Jan Engelhardt | 4c37799 | 2007-12-04 23:31:59 -0800 | [diff] [blame] | 115 | tristate '"ipv6header" IPv6 Extension Headers Match' |
Linus Torvalds | 44c45eb | 2008-01-31 00:26:10 +1100 | [diff] [blame] | 116 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 117 | help |
| 118 | This module allows one to match packets based upon |
| 119 | the ipv6 extension headers. |
| 120 | |
| 121 | To compile it as a module, choose M here. If unsure, say N. |
| 122 | |
Masahide NAKAMURA | a0ca215 | 2007-02-07 15:12:57 -0800 | [diff] [blame] | 123 | config IP6_NF_MATCH_MH |
Jan Engelhardt | 4c37799 | 2007-12-04 23:31:59 -0800 | [diff] [blame] | 124 | tristate '"mh" match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 125 | depends on NETFILTER_ADVANCED |
Masahide NAKAMURA | a0ca215 | 2007-02-07 15:12:57 -0800 | [diff] [blame] | 126 | help |
| 127 | This module allows one to match MH packets. |
| 128 | |
| 129 | To compile it as a module, choose M here. If unsure, say N. |
| 130 | |
Florian Westphal | e26f9a4 | 2011-08-19 13:52:40 +0200 | [diff] [blame] | 131 | config IP6_NF_MATCH_RPFILTER |
| 132 | tristate '"rpfilter" reverse path filter match support' |
Florian Westphal | d37d696 | 2013-04-17 22:45:25 +0000 | [diff] [blame] | 133 | depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW) |
Florian Westphal | e26f9a4 | 2011-08-19 13:52:40 +0200 | [diff] [blame] | 134 | ---help--- |
| 135 | This option allows you to match packets whose replies would |
| 136 | go out via the interface the packet came in. |
| 137 | |
| 138 | To compile it as a module, choose M here. If unsure, say N. |
| 139 | The module will be called ip6t_rpfilter. |
| 140 | |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 141 | config IP6_NF_MATCH_RT |
| 142 | tristate '"rt" Routing header match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 143 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 144 | help |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 145 | rt matching allows you to match packets based on the routing |
| 146 | header of the packet. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 147 | |
| 148 | To compile it as a module, choose M here. If unsure, say N. |
| 149 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 150 | # The targets |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 151 | config IP6_NF_TARGET_HL |
| 152 | tristate '"HL" hoplimit target support' |
Randy Dunlap | 76b6717 | 2010-10-18 11:13:30 +0200 | [diff] [blame] | 153 | depends on NETFILTER_ADVANCED && IP6_NF_MANGLE |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 154 | select NETFILTER_XT_TARGET_HL |
| 155 | ---help--- |
Randy Dunlap | 76b6717 | 2010-10-18 11:13:30 +0200 | [diff] [blame] | 156 | This is a backwards-compatible option for the user's convenience |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 157 | (e.g. when running oldconfig). It selects |
Jan Engelhardt | 8dd1d04 | 2009-03-24 13:35:27 -0700 | [diff] [blame] | 158 | CONFIG_NETFILTER_XT_TARGET_HL. |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 159 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 160 | config IP6_NF_FILTER |
| 161 | tristate "Packet filtering" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 162 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 163 | help |
| 164 | Packet filtering defines a table `filter', which has a series of |
| 165 | rules for simple packet filtering at local input, forwarding and |
| 166 | local output. See the man page for iptables(8). |
| 167 | |
| 168 | To compile it as a module, choose M here. If unsure, say N. |
| 169 | |
Patrick McHardy | 764d8a9 | 2005-08-21 23:31:06 -0700 | [diff] [blame] | 170 | config IP6_NF_TARGET_REJECT |
| 171 | tristate "REJECT target support" |
| 172 | depends on IP6_NF_FILTER |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 173 | default m if NETFILTER_ADVANCED=n |
Patrick McHardy | 764d8a9 | 2005-08-21 23:31:06 -0700 | [diff] [blame] | 174 | help |
| 175 | The REJECT target allows a filtering rule to specify that an ICMPv6 |
| 176 | error should be issued in response to an incoming packet, rather |
| 177 | than silently being dropped. |
| 178 | |
| 179 | To compile it as a module, choose M here. If unsure, say N. |
| 180 | |
Patrick McHardy | 4ad3622 | 2013-08-27 08:50:16 +0200 | [diff] [blame] | 181 | config IP6_NF_TARGET_SYNPROXY |
| 182 | tristate "SYNPROXY target support" |
| 183 | depends on NF_CONNTRACK && NETFILTER_ADVANCED |
| 184 | select NETFILTER_SYNPROXY |
| 185 | select SYN_COOKIES |
| 186 | help |
| 187 | The SYNPROXY target allows you to intercept TCP connections and |
| 188 | establish them using syncookies before they are passed on to the |
| 189 | server. This allows to avoid conntrack and server resource usage |
| 190 | during SYN-flood attacks. |
| 191 | |
| 192 | To compile it as a module, choose M here. If unsure, say N. |
| 193 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 194 | config IP6_NF_MANGLE |
| 195 | tristate "Packet mangling" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 196 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 197 | help |
| 198 | This option adds a `mangle' table to iptables: see the man page for |
| 199 | iptables(8). This table is used for various packet alterations |
| 200 | which can effect how the packet is routed. |
| 201 | |
| 202 | To compile it as a module, choose M here. If unsure, say N. |
| 203 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 204 | config IP6_NF_RAW |
| 205 | tristate 'raw table support (required for TRACE)' |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 206 | help |
| 207 | This option adds a `raw' table to ip6tables. This table is the very |
| 208 | first in the netfilter framework and hooks in at the PREROUTING |
| 209 | and OUTPUT chains. |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 210 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 211 | If you want to compile it as a module, say M here and read |
Alexander E. Patrakov | 39f5fb3 | 2007-03-16 18:28:43 +0500 | [diff] [blame] | 212 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 213 | |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 214 | # security table for MAC policy |
| 215 | config IP6_NF_SECURITY |
| 216 | tristate "Security table" |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 217 | depends on SECURITY |
Patrick McHardy | 70eed75 | 2008-07-23 16:42:42 -0700 | [diff] [blame] | 218 | depends on NETFILTER_ADVANCED |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 219 | help |
| 220 | This option adds a `security' table to iptables, for use |
| 221 | with Mandatory Access Control (MAC) policy. |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 222 | |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 223 | If unsure, say N. |
| 224 | |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 225 | config NF_NAT_IPV6 |
| 226 | tristate "IPv6 NAT" |
| 227 | depends on NF_CONNTRACK_IPV6 |
| 228 | depends on NETFILTER_ADVANCED |
| 229 | select NF_NAT |
| 230 | help |
| 231 | The IPv6 NAT option allows masquerading, port forwarding and other |
| 232 | forms of full Network Address Port Translation. It is controlled by |
| 233 | the `nat' table in ip6tables, see the man page for ip6tables(8). |
| 234 | |
| 235 | To compile it as a module, choose M here. If unsure, say N. |
| 236 | |
| 237 | if NF_NAT_IPV6 |
| 238 | |
| 239 | config IP6_NF_TARGET_MASQUERADE |
| 240 | tristate "MASQUERADE target support" |
| 241 | help |
| 242 | Masquerading is a special case of NAT: all outgoing connections are |
| 243 | changed to seem to come from a particular interface's address, and |
| 244 | if the interface goes down, those connections are lost. This is |
| 245 | only useful for dialup accounts with dynamic IP address (ie. your IP |
| 246 | address will be different on next dialup). |
| 247 | |
| 248 | To compile it as a module, choose M here. If unsure, say N. |
| 249 | |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 250 | config IP6_NF_TARGET_NPT |
| 251 | tristate "NPT (Network Prefix translation) target support" |
| 252 | help |
| 253 | This option adds the `SNPT' and `DNPT' target, which perform |
| 254 | stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296. |
| 255 | |
| 256 | To compile it as a module, choose M here. If unsure, say N. |
| 257 | |
| 258 | endif # NF_NAT_IPV6 |
| 259 | |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 260 | endif # IP6_NF_IPTABLES |
| 261 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 262 | endmenu |
| 263 | |