# IP netfilter configuration

menu "IPv6: Netfilter Configuration"
depends on INET && IPV6 && NETFILTER

config NF_CONNTRACK_IPV6
tristate "IPv6 connection tracking support"
depends on INET && IPV6 && NF_CONNTRACK
default m if NETFILTER_ADVANCED=n
Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
This is IPv6 support on Layer 3 independent connection tracking.
Layer 3 independent connection tracking is an experimental scheme
which generalizes ip_conntrack to support other layer 3 protocols.
To compile it as a module, choose M here. If unsure, say N.

tristate "IPv6 socket lookup support"
This option enables the IPv6 socket lookup infrastructure. This
is used by the ip6tables socket match.

tristate "IPv6 nf_tables support"
This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
tristate "IPv6 nf_tables route chain support"
This option enables the "route" chain for IPv6 in nf_tables. This
chain type is used to force packet re-routing after mangling header
fields such as the source, destination, flowlabel, hop-limit and

config NFT_REJECT_IPV6

tristate "IPv6 nf_tables packet duplication support"
depends on !NF_CONNTRACK || NF_CONNTRACK
This module enables IPv6 packet duplication support for nf_tables.

tristate "nf_tables fib / ipv6 route lookup support"
This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
It also allows query of the FIB for the route type, e.g. local, unicast,
multicast or blackhole.

endif # NF_TABLES_IPV6

config NF_FLOW_TABLE_IPV6
tristate "Netfilter flow table IPv6 module"
depends on NF_CONNTRACK && NF_TABLES
This option adds the flow table IPv6 support.
To compile it as a module, choose M here.

tristate "Netfilter IPv6 packet duplication to alternate destination"
depends on !NF_CONNTRACK || NF_CONNTRACK
This option enables the nf_dup_ipv6 core, which duplicates an IPv6
packet to be rerouted to another destination.

tristate "IPv6 packet rejection"
default m if NETFILTER_ADVANCED=n

tristate "IPv6 packet logging"
default m if NETFILTER_ADVANCED=n

depends on NF_CONNTRACK_IPV6
depends on NETFILTER_ADVANCED
The IPv6 NAT option allows masquerading, port forwarding and other
forms of full Network Address Port Translation. This can be
controlled by iptables or nft.

config NFT_CHAIN_NAT_IPV6
depends on NF_TABLES_IPV6
tristate "IPv6 nf_tables nat chain support"
This option enables the "nat" chain for IPv6 in nf_tables. This
chain type is used to perform Network Address Translation (NAT)
packet transformations such as the source, destination address and
source and destination ports.

config NF_NAT_MASQUERADE_IPV6
tristate "IPv6 masquerade support"
This is the kernel functionality to provide NAT in the masquerade
flavour (automatic source address selection) for IPv6.

tristate "IPv6 masquerade support for nf_tables"
depends on NF_TABLES_IPV6
select NF_NAT_MASQUERADE_IPV6
This is the expression that provides IPv6 masquerading support for

config NFT_REDIR_IPV6
tristate "IPv6 redirect support for nf_tables"
depends on NF_TABLES_IPV6
select NF_NAT_REDIRECT
This is the expression that provides IPv6 redirect support for

config IP6_NF_IPTABLES
tristate "IP6 tables support (required for filtering)"
depends on INET && IPV6
select NETFILTER_XTABLES
default m if NETFILTER_ADVANCED=n
ip6tables is a general, extensible packet identification framework.
Currently only the packet filtering and packet mangling subsystem
for IPv6 use this, but connection tracking is going to follow.
Say 'Y' or 'M' here if you want to use either of those.
To compile it as a module, choose M here. If unsure, say N.

# The simple matches.
config IP6_NF_MATCH_AH
tristate '"ah" match support'
depends on NETFILTER_ADVANCED
This module allows one to match AH packets.
To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
tristate '"eui64" address check'
depends on NETFILTER_ADVANCED
This module checks the IPv6 source address: it compares the
last 64 bits with the EUI64 address (derived from the MAC
address).
To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
tristate '"frag" Fragmentation header match support'
depends on NETFILTER_ADVANCED
frag matching allows you to match packets based on the fragmentation
header of the packet.
To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
tristate '"hbh" hop-by-hop and "dst" opts header match support'
depends on NETFILTER_ADVANCED
This allows one to match packets based on the hop-by-hop
and destination options headers of a packet.
To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
tristate '"hl" hoplimit match support'
depends on NETFILTER_ADVANCED
select NETFILTER_XT_MATCH_HL
This is a backwards-compat option for the user's convenience
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
tristate '"ipv6header" IPv6 Extension Headers Match'
default m if NETFILTER_ADVANCED=n
This module allows one to match packets based upon
the ipv6 extension headers.
To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
tristate '"mh" match support'
depends on NETFILTER_ADVANCED
This module allows one to match MH packets.
To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_RPFILTER
tristate '"rpfilter" reverse path filter match support'
depends on NETFILTER_ADVANCED
depends on IP6_NF_MANGLE || IP6_NF_RAW
This option allows you to match packets whose replies would
go out via the interface the packet came in.
To compile it as a module, choose M here. If unsure, say N.
The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
tristate '"rt" Routing header match support'
depends on NETFILTER_ADVANCED
rt matching allows you to match packets based on the routing
header of the packet.
To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_SRH
tristate '"srh" Segment Routing header match support'
depends on NETFILTER_ADVANCED
srh matching allows you to match packets based on the segment
routing header of the packet.
To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_HL
tristate '"HL" hoplimit target support'
depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
select NETFILTER_XT_TARGET_HL
This is a backwards-compatible option for the user's convenience
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_TARGET_HL.

tristate "Packet filtering"
default m if NETFILTER_ADVANCED=n
Packet filtering defines a table `filter', which has a series of
rules for simple packet filtering at local input, forwarding and
local output. See the man page for iptables(8).
To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
tristate "REJECT target support"
depends on IP6_NF_FILTER
select NF_REJECT_IPV6
default m if NETFILTER_ADVANCED=n
The REJECT target allows a filtering rule to specify that an ICMPv6
error should be issued in response to an incoming packet, rather
than silently being dropped.
To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
tristate "SYNPROXY target support"
depends on NF_CONNTRACK && NETFILTER_ADVANCED
select NETFILTER_SYNPROXY
The SYNPROXY target allows you to intercept TCP connections and
establish them using syncookies before they are passed on to the
server. This avoids conntrack and server resource usage
during SYN-flood attacks.
To compile it as a module, choose M here. If unsure, say N.

tristate "Packet mangling"
default m if NETFILTER_ADVANCED=n
This option adds a `mangle' table to iptables: see the man page for
iptables(8). This table is used for various packet alterations
which can affect how the packet is routed.
To compile it as a module, choose M here. If unsure, say N.

tristate 'raw table support (required for TRACE)'
This option adds a `raw' table to ip6tables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
tristate "Security table"
depends on NETFILTER_ADVANCED
This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.

tristate "ip6tables NAT support"
depends on NF_CONNTRACK_IPV6
depends on NETFILTER_ADVANCED
select NETFILTER_XT_NAT
This enables the `nat' table in ip6tables. This allows masquerading,
port forwarding and other forms of full Network Address Port
To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_MASQUERADE
tristate "MASQUERADE target support"
select NF_NAT_MASQUERADE_IPV6
Masquerading is a special case of NAT: all outgoing connections are
changed to seem to come from a particular interface's address, and
if the interface goes down, those connections are lost. This is
only useful for dialup accounts with dynamic IP address (i.e. your IP
address will be different on next dialup).
To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_NPT
tristate "NPT (Network Prefix translation) target support"
This option adds the `SNPT' and `DNPT' targets, which perform
stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_IPTABLES