Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | # |
| 2 | # IP netfilter configuration |
| 3 | # |
| 4 | |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 5 | menu "IPv6: Netfilter Configuration" |
| 6 | depends on INET && IPV6 && NETFILTER |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 7 | |
KOVACS Krisztian | f6318e5 | 2010-10-24 23:38:32 +0000 | [diff] [blame] | 8 | config NF_DEFRAG_IPV6 |
| 9 | tristate |
| 10 | default n |
| 11 | |
Yasuyuki Kozakai | 9bdf87d | 2005-11-14 15:26:58 -0800 | [diff] [blame] | 12 | config NF_CONNTRACK_IPV6 |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 13 | tristate "IPv6 connection tracking support" |
| 14 | depends on INET && IPV6 && NF_CONNTRACK |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 15 | default m if NETFILTER_ADVANCED=n |
KOVACS Krisztian | f6318e5 | 2010-10-24 23:38:32 +0000 | [diff] [blame] | 16 | select NF_DEFRAG_IPV6 |
Yasuyuki Kozakai | 9bdf87d | 2005-11-14 15:26:58 -0800 | [diff] [blame] | 17 | ---help--- |
| 18 | Connection tracking keeps a record of what packets have passed |
| 19 | through your machine, in order to figure out how they are related |
| 20 | into connections. |
| 21 | |
| 22 | This is IPv6 support on Layer 3 independent connection tracking. |
| 23 | Layer 3 independent connection tracking is experimental scheme |
| 24 | which generalize ip_conntrack to support other layer 3 protocols. |
| 25 | |
| 26 | To compile it as a module, choose M here. If unsure, say N. |
| 27 | |
Patrick McHardy | 58a317f | 2012-08-26 19:14:12 +0200 | [diff] [blame] | 28 | config NF_NAT_IPV6 |
| 29 | tristate "IPv6 NAT" |
| 30 | depends on NF_CONNTRACK_IPV6 |
| 31 | depends on NETFILTER_ADVANCED |
| 32 | select NF_NAT |
| 33 | help |
| 34 | The IPv6 NAT option allows masquerading, port forwarding and other |
| 35 | forms of full Network Address Port Translation. It is controlled by |
| 36 | the `nat' table in ip6tables, see the man page for ip6tables(8). |
| 37 | |
| 38 | To compile it as a module, choose M here. If unsure, say N. |
| 39 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 40 | config IP6_NF_IPTABLES |
Patrick McHardy | 844dc7c | 2006-10-30 15:12:16 -0800 | [diff] [blame] | 41 | tristate "IP6 tables support (required for filtering)" |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 42 | depends on INET && IPV6 |
Patrick McHardy | a3c941b | 2007-02-12 11:15:02 -0800 | [diff] [blame] | 43 | select NETFILTER_XTABLES |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 44 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 45 | help |
| 46 | ip6tables is a general, extensible packet identification framework. |
| 47 | Currently only the packet filtering and packet mangling subsystem |
| 48 | for IPv6 use this, but connection tracking is going to follow. |
| 49 | Say 'Y' or 'M' here if you want to use either of those. |
| 50 | |
| 51 | To compile it as a module, choose M here. If unsure, say N. |
| 52 | |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 53 | if IP6_NF_IPTABLES |
| 54 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 55 | # The simple matches. |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 56 | config IP6_NF_MATCH_AH |
| 57 | tristate '"ah" match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 58 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 59 | help |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 60 | This module allows one to match AH packets. |
| 61 | |
| 62 | To compile it as a module, choose M here. If unsure, say N. |
| 63 | |
| 64 | config IP6_NF_MATCH_EUI64 |
| 65 | tristate '"eui64" address check' |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 66 | depends on NETFILTER_ADVANCED |
| 67 | help |
| 68 | This module performs checking on the IPv6 source address |
| 69 | Compares the last 64 bits with the EUI64 (delivered |
| 70 | from the MAC address) address |
| 71 | |
| 72 | To compile it as a module, choose M here. If unsure, say N. |
| 73 | |
| 74 | config IP6_NF_MATCH_FRAG |
| 75 | tristate '"frag" Fragmentation header match support' |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 76 | depends on NETFILTER_ADVANCED |
| 77 | help |
| 78 | frag matching allows you to match packets based on the fragmentation |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 79 | header of the packet. |
| 80 | |
| 81 | To compile it as a module, choose M here. If unsure, say N. |
| 82 | |
| 83 | config IP6_NF_MATCH_OPTS |
Jan Engelhardt | 77d7358 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 84 | tristate '"hbh" hop-by-hop and "dst" opts header match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 85 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 86 | help |
| 87 | This allows one to match packets based on the hop-by-hop |
| 88 | and destination options headers of a packet. |
| 89 | |
| 90 | To compile it as a module, choose M here. If unsure, say N. |
| 91 | |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 92 | config IP6_NF_MATCH_HL |
| 93 | tristate '"hl" hoplimit match support' |
| 94 | depends on NETFILTER_ADVANCED |
| 95 | select NETFILTER_XT_MATCH_HL |
| 96 | ---help--- |
| 97 | This is a backwards-compat option for the user's convenience |
| 98 | (e.g. when running oldconfig). It selects |
Jan Engelhardt | 8dd1d04 | 2009-03-24 13:35:27 -0700 | [diff] [blame] | 99 | CONFIG_NETFILTER_XT_MATCH_HL. |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 100 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 101 | config IP6_NF_MATCH_IPV6HEADER |
Jan Engelhardt | 4c37799 | 2007-12-04 23:31:59 -0800 | [diff] [blame] | 102 | tristate '"ipv6header" IPv6 Extension Headers Match' |
Linus Torvalds | 44c45eb | 2008-01-31 00:26:10 +1100 | [diff] [blame] | 103 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 104 | help |
| 105 | This module allows one to match packets based upon |
| 106 | the ipv6 extension headers. |
| 107 | |
| 108 | To compile it as a module, choose M here. If unsure, say N. |
| 109 | |
Masahide NAKAMURA | a0ca215 | 2007-02-07 15:12:57 -0800 | [diff] [blame] | 110 | config IP6_NF_MATCH_MH |
Jan Engelhardt | 4c37799 | 2007-12-04 23:31:59 -0800 | [diff] [blame] | 111 | tristate '"mh" match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 112 | depends on NETFILTER_ADVANCED |
Masahide NAKAMURA | a0ca215 | 2007-02-07 15:12:57 -0800 | [diff] [blame] | 113 | help |
| 114 | This module allows one to match MH packets. |
| 115 | |
| 116 | To compile it as a module, choose M here. If unsure, say N. |
| 117 | |
Florian Westphal | e26f9a4 | 2011-08-19 13:52:40 +0200 | [diff] [blame] | 118 | config IP6_NF_MATCH_RPFILTER |
| 119 | tristate '"rpfilter" reverse path filter match support' |
| 120 | depends on NETFILTER_ADVANCED |
| 121 | ---help--- |
| 122 | This option allows you to match packets whose replies would |
| 123 | go out via the interface the packet came in. |
| 124 | |
| 125 | To compile it as a module, choose M here. If unsure, say N. |
| 126 | The module will be called ip6t_rpfilter. |
| 127 | |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 128 | config IP6_NF_MATCH_RT |
| 129 | tristate '"rt" Routing header match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 130 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 131 | help |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 132 | rt matching allows you to match packets based on the routing |
| 133 | header of the packet. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 134 | |
| 135 | To compile it as a module, choose M here. If unsure, say N. |
| 136 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 137 | # The targets |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 138 | config IP6_NF_TARGET_HL |
| 139 | tristate '"HL" hoplimit target support' |
Randy Dunlap | 76b6717 | 2010-10-18 11:13:30 +0200 | [diff] [blame] | 140 | depends on NETFILTER_ADVANCED && IP6_NF_MANGLE |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 141 | select NETFILTER_XT_TARGET_HL |
| 142 | ---help--- |
Randy Dunlap | 76b6717 | 2010-10-18 11:13:30 +0200 | [diff] [blame] | 143 | This is a backwards-compatible option for the user's convenience |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 144 | (e.g. when running oldconfig). It selects |
Jan Engelhardt | 8dd1d04 | 2009-03-24 13:35:27 -0700 | [diff] [blame] | 145 | CONFIG_NETFILTER_XT_TARGET_HL. |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 146 | |
Patrick McHardy | b3f644f | 2012-08-26 19:14:14 +0200 | [diff] [blame] | 147 | config IP6_NF_TARGET_MASQUERADE |
| 148 | tristate "MASQUERADE target support" |
| 149 | depends on NF_NAT_IPV6 |
| 150 | help |
| 151 | Masquerading is a special case of NAT: all outgoing connections are |
| 152 | changed to seem to come from a particular interface's address, and |
| 153 | if the interface goes down, those connections are lost. This is |
| 154 | only useful for dialup accounts with dynamic IP address (ie. your IP |
| 155 | address will be different on next dialup). |
| 156 | |
| 157 | To compile it as a module, choose M here. If unsure, say N. |
| 158 | |
Patrick McHardy | ed72d9e | 2012-08-26 19:14:18 +0200 | [diff] [blame] | 159 | config IP6_NF_TARGET_NETMAP |
| 160 | tristate "NETMAP target support" |
| 161 | depends on NF_NAT_IPV6 |
| 162 | help |
| 163 | NETMAP is an implementation of static 1:1 NAT mapping of network |
| 164 | addresses. It maps the network address part, while keeping the host |
| 165 | address part intact. |
| 166 | |
| 167 | To compile it as a module, choose M here. If unsure, say N. |
| 168 | |
Patrick McHardy | 115e23a | 2012-08-26 19:14:16 +0200 | [diff] [blame] | 169 | config IP6_NF_TARGET_REDIRECT |
| 170 | tristate "REDIRECT target support" |
| 171 | depends on NF_NAT_IPV6 |
| 172 | help |
| 173 | REDIRECT is a special case of NAT: all incoming connections are |
| 174 | mapped onto the incoming interface's address, causing the packets to |
| 175 | come to the local machine instead of passing through. This is |
| 176 | useful for transparent proxies. |
| 177 | |
| 178 | To compile it as a module, choose M here. If unsure, say N. |
| 179 | |
Patrick McHardy | 8a91bb0 | 2012-08-26 19:14:31 +0200 | [diff] [blame] | 180 | config IP6_NF_TARGET_NPT |
| 181 | tristate "NPT (Network Prefix translation) target support" |
| 182 | depends on NETFILTER_ADVANCED |
| 183 | help |
| 184 | This option adds the `SNPT' and `DNPT' target, which perform |
| 185 | stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296. |
| 186 | |
| 187 | To compile it as a module, choose M here. If unsure, say N. |
| 188 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 189 | config IP6_NF_FILTER |
| 190 | tristate "Packet filtering" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 191 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 192 | help |
| 193 | Packet filtering defines a table `filter', which has a series of |
| 194 | rules for simple packet filtering at local input, forwarding and |
| 195 | local output. See the man page for iptables(8). |
| 196 | |
| 197 | To compile it as a module, choose M here. If unsure, say N. |
| 198 | |
Patrick McHardy | 764d8a9 | 2005-08-21 23:31:06 -0700 | [diff] [blame] | 199 | config IP6_NF_TARGET_REJECT |
| 200 | tristate "REJECT target support" |
| 201 | depends on IP6_NF_FILTER |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 202 | default m if NETFILTER_ADVANCED=n |
Patrick McHardy | 764d8a9 | 2005-08-21 23:31:06 -0700 | [diff] [blame] | 203 | help |
| 204 | The REJECT target allows a filtering rule to specify that an ICMPv6 |
| 205 | error should be issued in response to an incoming packet, rather |
| 206 | than silently being dropped. |
| 207 | |
| 208 | To compile it as a module, choose M here. If unsure, say N. |
| 209 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 210 | config IP6_NF_MANGLE |
| 211 | tristate "Packet mangling" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 212 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 213 | help |
| 214 | This option adds a `mangle' table to iptables: see the man page for |
| 215 | iptables(8). This table is used for various packet alterations |
| 216 | which can effect how the packet is routed. |
| 217 | |
| 218 | To compile it as a module, choose M here. If unsure, say N. |
| 219 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 220 | config IP6_NF_RAW |
| 221 | tristate 'raw table support (required for TRACE)' |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 222 | help |
| 223 | This option adds a `raw' table to ip6tables. This table is the very |
| 224 | first in the netfilter framework and hooks in at the PREROUTING |
| 225 | and OUTPUT chains. |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 226 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 227 | If you want to compile it as a module, say M here and read |
Alexander E. Patrakov | 39f5fb3 | 2007-03-16 18:28:43 +0500 | [diff] [blame] | 228 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 229 | |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 230 | # security table for MAC policy |
| 231 | config IP6_NF_SECURITY |
| 232 | tristate "Security table" |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 233 | depends on SECURITY |
Patrick McHardy | 70eed75 | 2008-07-23 16:42:42 -0700 | [diff] [blame] | 234 | depends on NETFILTER_ADVANCED |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 235 | help |
| 236 | This option adds a `security' table to iptables, for use |
| 237 | with Mandatory Access Control (MAC) policy. |
| 238 | |
| 239 | If unsure, say N. |
| 240 | |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 241 | endif # IP6_NF_IPTABLES |
| 242 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 243 | endmenu |
| 244 | |