# IP netfilter configuration

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on INET && IPV6 && NF_CONNTRACK
	default m if NETFILTER_ADVANCED=n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	depends on NF_TABLES_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and

config NFT_CHAIN_NAT_IPV6
	depends on NF_TABLES_IPV6
	depends on NF_NAT_IPV6 && NFT_NAT
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config NFT_REJECT_IPV6
	depends on NF_TABLES_IPV6

	tristate "IPv6 packet logging"
	depends on NETFILTER_ADVANCED

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  Compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the IPv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This makes it possible to avoid conntrack and server
	  resource usage during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	depends on NF_CONNTRACK_IPV6
	depends on NETFILTER_ADVANCED
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. It is controlled by
	  the `nat' table in ip6tables, see the man page for ip6tables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_IPTABLES