Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | # |
| 2 | # IP netfilter configuration |
| 3 | # |
| 4 | |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 5 | menu "IPv6: Netfilter Configuration" |
| 6 | depends on INET && IPV6 && NETFILTER |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 7 | |
KOVACS Krisztian | f6318e5 | 2010-10-24 23:38:32 +0000 | [diff] [blame] | 8 | config NF_DEFRAG_IPV6 |
| 9 | tristate |
| 10 | default n |
| 11 | |
Yasuyuki Kozakai | 9bdf87d | 2005-11-14 15:26:58 -0800 | [diff] [blame] | 12 | config NF_CONNTRACK_IPV6 |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 13 | tristate "IPv6 connection tracking support" |
| 14 | depends on INET && IPV6 && NF_CONNTRACK |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 15 | default m if NETFILTER_ADVANCED=n |
KOVACS Krisztian | f6318e5 | 2010-10-24 23:38:32 +0000 | [diff] [blame] | 16 | select NF_DEFRAG_IPV6 |
Yasuyuki Kozakai | 9bdf87d | 2005-11-14 15:26:58 -0800 | [diff] [blame] | 17 | ---help--- |
| 18 | Connection tracking keeps a record of what packets have passed |
| 19 | through your machine, in order to figure out how they are related |
| 20 | into connections. |
| 21 | |
| 22 | This is IPv6 support on Layer 3 independent connection tracking. |
| 23 | Layer 3 independent connection tracking is an experimental scheme |
| 24 | which generalizes ip_conntrack to support other layer 3 protocols. |
| 25 | |
| 26 | To compile it as a module, choose M here. If unsure, say N. |
| 27 | |
Pablo Neira Ayuso | f04e599 | 2015-03-05 14:56:15 +0100 | [diff] [blame] | 28 | if NF_TABLES |
| 29 | |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 30 | config NF_TABLES_IPV6 |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 31 | tristate "IPv6 nf_tables support" |
Pablo Neira Ayuso | d497c63 | 2013-12-30 15:09:18 +0100 | [diff] [blame] | 32 | help |
| 33 | This option enables the IPv6 support for nf_tables. |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 34 | |
Pablo Neira Ayuso | f04e599 | 2015-03-05 14:56:15 +0100 | [diff] [blame] | 35 | if NF_TABLES_IPV6 |
| 36 | |
Pablo Neira Ayuso | 9370761 | 2013-10-10 23:21:26 +0200 | [diff] [blame] | 37 | config NFT_CHAIN_ROUTE_IPV6 |
Pablo Neira Ayuso | 9370761 | 2013-10-10 23:21:26 +0200 | [diff] [blame] | 38 | tristate "IPv6 nf_tables route chain support" |
Pablo Neira Ayuso | d497c63 | 2013-12-30 15:09:18 +0100 | [diff] [blame] | 39 | help |
| 40 | This option enables the "route" chain for IPv6 in nf_tables. This |
| 41 | chain type is used to force packet re-routing after mangling header |
| 42 | fields such as the source, destination, flowlabel, hop-limit and |
| 43 | the packet mark. |
Patrick McHardy | 9651851 | 2013-10-14 11:00:02 +0200 | [diff] [blame] | 44 | |
Patrick McHardy | cc4723c | 2014-02-05 15:03:38 +0000 | [diff] [blame] | 45 | config NFT_REJECT_IPV6 |
Pablo Neira Ayuso | c8d7b98 | 2014-09-26 14:35:15 +0200 | [diff] [blame] | 46 | select NF_REJECT_IPV6 |
Patrick McHardy | cc4723c | 2014-02-05 15:03:38 +0000 | [diff] [blame] | 47 | default NFT_REJECT |
| 48 | tristate |
| 49 | |
Pablo Neira Ayuso | d877f07 | 2015-05-31 18:04:11 +0200 | [diff] [blame] | 50 | config NFT_DUP_IPV6 |
| 51 | tristate "IPv6 nf_tables packet duplication support" |
Pablo Neira Ayuso | d3340b7 | 2015-12-09 22:06:59 +0100 | [diff] [blame] | 52 | depends on !NF_CONNTRACK || NF_CONNTRACK |
Pablo Neira Ayuso | d877f07 | 2015-05-31 18:04:11 +0200 | [diff] [blame] | 53 | select NF_DUP_IPV6 |
| 54 | help |
| 55 | This module enables IPv6 packet duplication support for nf_tables. |
| 56 | |
Pablo Neira Ayuso | f04e599 | 2015-03-05 14:56:15 +0100 | [diff] [blame] | 57 | endif # NF_TABLES_IPV6 |
| 58 | endif # NF_TABLES |
| 59 | |
Pablo Neira Ayuso | bbde9fc | 2015-05-31 17:54:44 +0200 | [diff] [blame] | 60 | config NF_DUP_IPV6 |
| 61 | tristate "Netfilter IPv6 packet duplication to alternate destination" |
Pablo Neira Ayuso | 6ece90f | 2015-09-29 21:10:05 +0200 | [diff] [blame] | 62 | depends on !NF_CONNTRACK || NF_CONNTRACK |
Pablo Neira Ayuso | bbde9fc | 2015-05-31 17:54:44 +0200 | [diff] [blame] | 63 | help |
| 64 | This option enables the nf_dup_ipv6 core, which duplicates an IPv6 |
| 65 | packet to be rerouted to another destination. |
| 66 | |
Pablo Neira Ayuso | f04e599 | 2015-03-05 14:56:15 +0100 | [diff] [blame] | 67 | config NF_REJECT_IPV6 |
| 68 | tristate "IPv6 packet rejection" |
| 69 | default m if NETFILTER_ADVANCED=n |
| 70 | |
Pablo Neira Ayuso | c187886 | 2014-06-28 18:39:01 +0200 | [diff] [blame] | 71 | config NF_LOG_IPV6 |
| 72 | tristate "IPv6 packet logging" |
Pablo Neira | 41ad82f | 2014-09-02 14:26:17 +0200 | [diff] [blame] | 73 | default m if NETFILTER_ADVANCED=n |
Pablo Neira Ayuso | c187886 | 2014-06-28 18:39:01 +0200 | [diff] [blame] | 74 | select NF_LOG_COMMON |
| 75 | |
Pablo Neira Ayuso | 8993cf8 | 2014-08-11 18:21:49 +0200 | [diff] [blame] | 76 | config NF_NAT_IPV6 |
| 77 | tristate "IPv6 NAT" |
| 78 | depends on NF_CONNTRACK_IPV6 |
| 79 | depends on NETFILTER_ADVANCED |
| 80 | select NF_NAT |
| 81 | help |
| 82 | The IPv6 NAT option allows masquerading, port forwarding and other |
| 83 | forms of full Network Address Port Translation. This can be |
| 84 | controlled by iptables or nft. |
| 85 | |
Pablo Neira Ayuso | 3e8dc21 | 2014-09-11 17:42:00 +0200 | [diff] [blame] | 86 | if NF_NAT_IPV6 |
| 87 | |
| 88 | config NFT_CHAIN_NAT_IPV6 |
| 89 | depends on NF_TABLES_IPV6 |
| 90 | tristate "IPv6 nf_tables nat chain support" |
| 91 | help |
| 92 | This option enables the "nat" chain for IPv6 in nf_tables. This |
| 93 | chain type is used to perform Network Address Translation (NAT) |
| 94 | packet transformations such as the source, destination address and |
| 95 | source and destination ports. |
| 96 | |
Pablo Neira Ayuso | 0bbe80e | 2014-09-11 17:51:27 +0200 | [diff] [blame] | 97 | config NF_NAT_MASQUERADE_IPV6 |
| 98 | tristate "IPv6 masquerade support" |
| 99 | help |
| 100 | This is the kernel functionality to provide NAT in the masquerade |
| 101 | flavour (automatic source address selection) for IPv6. |
| 102 | |
| 103 | config NFT_MASQ_IPV6 |
| 104 | tristate "IPv6 masquerade support for nf_tables" |
| 105 | depends on NF_TABLES_IPV6 |
| 106 | depends on NFT_MASQ |
| 107 | select NF_NAT_MASQUERADE_IPV6 |
| 108 | help |
| 109 | This is the expression that provides IPv6 masquerading support for |
| 110 | nf_tables. |
| 111 | |
Arturo Borrero | e9105f1 | 2014-10-17 12:39:09 +0200 | [diff] [blame] | 112 | config NFT_REDIR_IPV6 |
| 113 | tristate "IPv6 redirect support for nf_tables" |
| 114 | depends on NF_TABLES_IPV6 |
| 115 | depends on NFT_REDIR |
Pablo Neira Ayuso | b59eaf9 | 2014-11-26 12:46:50 +0100 | [diff] [blame] | 116 | select NF_NAT_REDIRECT |
Arturo Borrero | e9105f1 | 2014-10-17 12:39:09 +0200 | [diff] [blame] | 117 | help |
| 118 | This is the expression that provides IPv6 redirect support for |
| 119 | nf_tables. |
| 120 | |
Pablo Neira Ayuso | 3e8dc21 | 2014-09-11 17:42:00 +0200 | [diff] [blame] | 121 | endif # NF_NAT_IPV6 |
| 122 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 123 | config IP6_NF_IPTABLES |
Patrick McHardy | 844dc7c | 2006-10-30 15:12:16 -0800 | [diff] [blame] | 124 | tristate "IP6 tables support (required for filtering)" |
Patrick McHardy | 8ce22fc | 2008-01-14 23:31:36 -0800 | [diff] [blame] | 125 | depends on INET && IPV6 |
Patrick McHardy | a3c941b | 2007-02-12 11:15:02 -0800 | [diff] [blame] | 126 | select NETFILTER_XTABLES |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 127 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 128 | help |
| 129 | ip6tables is a general, extensible packet identification framework. |
| 130 | Currently only the packet filtering and packet mangling subsystem |
| 131 | for IPv6 use this, but connection tracking is going to follow. |
| 132 | Say 'Y' or 'M' here if you want to use either of those. |
| 133 | |
| 134 | To compile it as a module, choose M here. If unsure, say N. |
| 135 | |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 136 | if IP6_NF_IPTABLES |
| 137 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 138 | # The simple matches. |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 139 | config IP6_NF_MATCH_AH |
| 140 | tristate '"ah" match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 141 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 142 | help |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 143 | This module allows one to match AH packets. |
| 144 | |
| 145 | To compile it as a module, choose M here. If unsure, say N. |
| 146 | |
| 147 | config IP6_NF_MATCH_EUI64 |
| 148 | tristate '"eui64" address check' |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 149 | depends on NETFILTER_ADVANCED |
| 150 | help |
| 151 | This module performs checking on the IPv6 source address. |
| 152 | It compares the last 64 bits with the EUI64 (derived |
| 153 | from the MAC address) address. |
| 154 | |
| 155 | To compile it as a module, choose M here. If unsure, say N. |
| 156 | |
| 157 | config IP6_NF_MATCH_FRAG |
| 158 | tristate '"frag" Fragmentation header match support' |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 159 | depends on NETFILTER_ADVANCED |
| 160 | help |
| 161 | frag matching allows you to match packets based on the fragmentation |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 162 | header of the packet. |
| 163 | |
| 164 | To compile it as a module, choose M here. If unsure, say N. |
| 165 | |
| 166 | config IP6_NF_MATCH_OPTS |
Jan Engelhardt | 77d7358 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 167 | tristate '"hbh" hop-by-hop and "dst" opts header match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 168 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 169 | help |
| 170 | This allows one to match packets based on the hop-by-hop |
| 171 | and destination options headers of a packet. |
| 172 | |
| 173 | To compile it as a module, choose M here. If unsure, say N. |
| 174 | |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 175 | config IP6_NF_MATCH_HL |
| 176 | tristate '"hl" hoplimit match support' |
| 177 | depends on NETFILTER_ADVANCED |
| 178 | select NETFILTER_XT_MATCH_HL |
| 179 | ---help--- |
| 180 | This is a backwards-compat option for the user's convenience |
| 181 | (e.g. when running oldconfig). It selects |
Jan Engelhardt | 8dd1d04 | 2009-03-24 13:35:27 -0700 | [diff] [blame] | 182 | CONFIG_NETFILTER_XT_MATCH_HL. |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 183 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 184 | config IP6_NF_MATCH_IPV6HEADER |
Jan Engelhardt | 4c37799 | 2007-12-04 23:31:59 -0800 | [diff] [blame] | 185 | tristate '"ipv6header" IPv6 Extension Headers Match' |
Linus Torvalds | 44c45eb | 2008-01-31 00:26:10 +1100 | [diff] [blame] | 186 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 187 | help |
| 188 | This module allows one to match packets based upon |
| 189 | the ipv6 extension headers. |
| 190 | |
| 191 | To compile it as a module, choose M here. If unsure, say N. |
| 192 | |
Masahide NAKAMURA | a0ca215 | 2007-02-07 15:12:57 -0800 | [diff] [blame] | 193 | config IP6_NF_MATCH_MH |
Jan Engelhardt | 4c37799 | 2007-12-04 23:31:59 -0800 | [diff] [blame] | 194 | tristate '"mh" match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 195 | depends on NETFILTER_ADVANCED |
Masahide NAKAMURA | a0ca215 | 2007-02-07 15:12:57 -0800 | [diff] [blame] | 196 | help |
| 197 | This module allows one to match MH packets. |
| 198 | |
| 199 | To compile it as a module, choose M here. If unsure, say N. |
| 200 | |
Florian Westphal | e26f9a4 | 2011-08-19 13:52:40 +0200 | [diff] [blame] | 201 | config IP6_NF_MATCH_RPFILTER |
| 202 | tristate '"rpfilter" reverse path filter match support' |
Pablo Neira Ayuso | f09becc | 2015-06-12 13:58:52 +0200 | [diff] [blame] | 203 | depends on NETFILTER_ADVANCED |
| 204 | depends on IP6_NF_MANGLE || IP6_NF_RAW |
Florian Westphal | e26f9a4 | 2011-08-19 13:52:40 +0200 | [diff] [blame] | 205 | ---help--- |
| 206 | This option allows you to match packets whose replies would |
| 207 | go out via the interface the packet came in on. |
| 208 | |
| 209 | To compile it as a module, choose M here. If unsure, say N. |
| 210 | The module will be called ip6t_rpfilter. |
| 211 | |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 212 | config IP6_NF_MATCH_RT |
| 213 | tristate '"rt" Routing header match support' |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 214 | depends on NETFILTER_ADVANCED |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 215 | help |
Jan Engelhardt | aba0d34 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 216 | rt matching allows you to match packets based on the routing |
| 217 | header of the packet. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 218 | |
| 219 | To compile it as a module, choose M here. If unsure, say N. |
| 220 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 221 | # The targets |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 222 | config IP6_NF_TARGET_HL |
| 223 | tristate '"HL" hoplimit target support' |
Randy Dunlap | 76b6717 | 2010-10-18 11:13:30 +0200 | [diff] [blame] | 224 | depends on NETFILTER_ADVANCED && IP6_NF_MANGLE |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 225 | select NETFILTER_XT_TARGET_HL |
| 226 | ---help--- |
Randy Dunlap | 76b6717 | 2010-10-18 11:13:30 +0200 | [diff] [blame] | 227 | This is a backwards-compatible option for the user's convenience |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 228 | (e.g. when running oldconfig). It selects |
Jan Engelhardt | 8dd1d04 | 2009-03-24 13:35:27 -0700 | [diff] [blame] | 229 | CONFIG_NETFILTER_XT_TARGET_HL. |
Jan Engelhardt | 4323362 | 2009-02-19 11:16:03 +0100 | [diff] [blame] | 230 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 231 | config IP6_NF_FILTER |
| 232 | tristate "Packet filtering" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 233 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 234 | help |
| 235 | Packet filtering defines a table `filter', which has a series of |
| 236 | rules for simple packet filtering at local input, forwarding and |
| 237 | local output. See the man page for iptables(8). |
| 238 | |
| 239 | To compile it as a module, choose M here. If unsure, say N. |
| 240 | |
Patrick McHardy | 764d8a9 | 2005-08-21 23:31:06 -0700 | [diff] [blame] | 241 | config IP6_NF_TARGET_REJECT |
| 242 | tristate "REJECT target support" |
| 243 | depends on IP6_NF_FILTER |
Pablo Neira Ayuso | c8d7b98 | 2014-09-26 14:35:15 +0200 | [diff] [blame] | 244 | select NF_REJECT_IPV6 |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 245 | default m if NETFILTER_ADVANCED=n |
Patrick McHardy | 764d8a9 | 2005-08-21 23:31:06 -0700 | [diff] [blame] | 246 | help |
| 247 | The REJECT target allows a filtering rule to specify that an ICMPv6 |
| 248 | error should be issued in response to an incoming packet, rather |
| 249 | than silently being dropped. |
| 250 | |
| 251 | To compile it as a module, choose M here. If unsure, say N. |
| 252 | |
Patrick McHardy | 4ad3622 | 2013-08-27 08:50:16 +0200 | [diff] [blame] | 253 | config IP6_NF_TARGET_SYNPROXY |
| 254 | tristate "SYNPROXY target support" |
| 255 | depends on NF_CONNTRACK && NETFILTER_ADVANCED |
| 256 | select NETFILTER_SYNPROXY |
| 257 | select SYN_COOKIES |
| 258 | help |
| 259 | The SYNPROXY target allows you to intercept TCP connections and |
| 260 | establish them using syncookies before they are passed on to the |
| 261 | server. This avoids conntrack and server resource usage |
| 262 | during SYN-flood attacks. |
| 263 | |
| 264 | To compile it as a module, choose M here. If unsure, say N. |
| 265 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 266 | config IP6_NF_MANGLE |
| 267 | tristate "Packet mangling" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 268 | default m if NETFILTER_ADVANCED=n |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 269 | help |
| 270 | This option adds a `mangle' table to iptables: see the man page for |
| 271 | iptables(8). This table is used for various packet alterations |
| 272 | which can affect how the packet is routed. |
| 273 | |
| 274 | To compile it as a module, choose M here. If unsure, say N. |
| 275 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 276 | config IP6_NF_RAW |
| 277 | tristate 'raw table support (required for TRACE)' |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 278 | help |
| 279 | This option adds a `raw' table to ip6tables. This table is the very |
| 280 | first in the netfilter framework and hooks in at the PREROUTING |
| 281 | and OUTPUT chains. |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 282 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 283 | If you want to compile it as a module, say M here and read |
Alexander E. Patrakov | 39f5fb3 | 2007-03-16 18:28:43 +0500 | [diff] [blame] | 284 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 285 | |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 286 | # security table for MAC policy |
| 287 | config IP6_NF_SECURITY |
| 288 | tristate "Security table" |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 289 | depends on SECURITY |
Patrick McHardy | 70eed75 | 2008-07-23 16:42:42 -0700 | [diff] [blame] | 290 | depends on NETFILTER_ADVANCED |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 291 | help |
| 292 | This option adds a `security' table to iptables, for use |
| 293 | with Mandatory Access Control (MAC) policy. |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 294 | |
James Morris | 17e6e59 | 2008-06-09 15:58:05 -0700 | [diff] [blame] | 295 | If unsure, say N. |
| 296 | |
Pablo Neira Ayuso | 8993cf8 | 2014-08-11 18:21:49 +0200 | [diff] [blame] | 297 | config IP6_NF_NAT |
| 298 | tristate "ip6tables NAT support" |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 299 | depends on NF_CONNTRACK_IPV6 |
| 300 | depends on NETFILTER_ADVANCED |
| 301 | select NF_NAT |
Pablo Neira Ayuso | 8993cf8 | 2014-08-11 18:21:49 +0200 | [diff] [blame] | 302 | select NF_NAT_IPV6 |
| 303 | select NETFILTER_XT_NAT |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 304 | help |
Pablo Neira Ayuso | 8993cf8 | 2014-08-11 18:21:49 +0200 | [diff] [blame] | 305 | This enables the `nat' table in ip6tables. This allows masquerading, |
| 306 | port forwarding and other forms of full Network Address Port |
| 307 | Translation. |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 308 | |
| 309 | To compile it as a module, choose M here. If unsure, say N. |
| 310 | |
Pablo Neira Ayuso | 8993cf8 | 2014-08-11 18:21:49 +0200 | [diff] [blame] | 311 | if IP6_NF_NAT |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 312 | |
| 313 | config IP6_NF_TARGET_MASQUERADE |
| 314 | tristate "MASQUERADE target support" |
Arturo Borrero | be6b635 | 2014-09-04 14:06:49 +0200 | [diff] [blame] | 315 | select NF_NAT_MASQUERADE_IPV6 |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 316 | help |
| 317 | Masquerading is a special case of NAT: all outgoing connections are |
| 318 | changed to seem to come from a particular interface's address, and |
| 319 | if the interface goes down, those connections are lost. This is |
| 320 | only useful for dialup accounts with dynamic IP address (i.e. your IP |
| 321 | address will be different on next dialup). |
| 322 | |
| 323 | To compile it as a module, choose M here. If unsure, say N. |
| 324 | |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 325 | config IP6_NF_TARGET_NPT |
| 326 | tristate "NPT (Network Prefix translation) target support" |
| 327 | help |
| 328 | This option adds the `SNPT' and `DNPT' targets, which perform |
| 329 | stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296. |
| 330 | |
| 331 | To compile it as a module, choose M here. If unsure, say N. |
| 332 | |
Pablo Neira Ayuso | 8993cf8 | 2014-08-11 18:21:49 +0200 | [diff] [blame] | 333 | endif # IP6_NF_NAT |
Pablo Neira Ayuso | b0041d1 | 2012-09-18 21:03:39 +0200 | [diff] [blame] | 334 | |
Jan Engelhardt | c2df73d | 2008-10-08 11:35:18 +0200 | [diff] [blame] | 335 | endif # IP6_NF_IPTABLES |
| 336 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 337 | endmenu |
| 338 | |
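
The comparison described in the IP6_NF_MATCH_EUI64 help text, as an added userspace example (not code from the kernel tree or from this file's authors): it derives the modified EUI-64 from a source MAC and compares it with the low 64 bits of an IPv6 source address. The function names and the sample addresses are constructed for illustration; hosts that use randomized interface identifiers will never match, so the check is only meaningful on segments where EUI-64 based SLAAC addresses are expected.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Modified EUI-64 from a 48-bit MAC: insert ff:fe between the OUI and the
 * device part, then flip the universal/local bit of the first byte. */
static void mac_to_eui64(const uint8_t mac[6], uint8_t eui64[8])
{
    memcpy(eui64, mac, 3);
    eui64[3] = 0xff;
    eui64[4] = 0xfe;
    memcpy(eui64 + 5, mac + 3, 3);
    eui64[0] ^= 0x02;
}

/* 1 if the low 64 bits of the source address equal the EUI-64 derived from
 * the source MAC, 0 if they differ. */
static int eui64_matches(const uint8_t src_addr[16], const uint8_t src_mac[6])
{
    uint8_t eui64[8];

    mac_to_eui64(src_mac, eui64);
    return memcmp(src_addr + 8, eui64, sizeof(eui64)) == 0;
}

/* Text front end: returns 1 (match), 0 (mismatch) or -1 (unparsable input). */
static int check_eui64(const char *addr_text, const char *mac_text)
{
    struct in6_addr addr;
    unsigned int m[6];
    uint8_t mac[6];
    char trailing;
    int i;

    if (inet_pton(AF_INET6, addr_text, &addr) != 1)
        return -1;
    /* Exactly six hex octets; a seventh conversion means trailing junk. */
    if (sscanf(mac_text, "%2x:%2x:%2x:%2x:%2x:%2x%c",
               &m[0], &m[1], &m[2], &m[3], &m[4], &m[5], &trailing) != 6)
        return -1;
    for (i = 0; i < 6; i++)
        mac[i] = (uint8_t)m[i];
    return eui64_matches(addr.s6_addr, mac);
}

int main(void)
{
    /* Constructed samples: one source MAC, three source addresses. */
    const char *mac = "00:11:22:33:44:55";
    const char *addrs[] = {
        "fe80::211:22ff:fe33:4455",      /* EUI-64 interface ID, link-local */
        "2001:db8::211:22ff:fe33:4455",  /* same interface ID, global prefix */
        "2001:db8::a1b2:c3d4:e5f6:789",  /* randomized interface ID */
    };
    size_t i;

    for (i = 0; i < sizeof(addrs) / sizeof(addrs[0]); i++)
        printf("%-32s %s\n", addrs[i],
               check_eui64(addrs[i], mac) == 1 ? "match" : "no match");
    return 0;
}
```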