# IP netfilter configuration

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

	tristate "IPv6 socket lookup support"

	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the {ip6,nf}tables socket match.

	tristate "IPv6 tproxy support"

	bool "IPv6 nf_tables support"

	  This option enables the IPv6 support for nf_tables.

config NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"

	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and

config NFT_REJECT_IPV6

	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK

	  This module enables IPv6 packet duplication support for nf_tables.

	tristate "nf_tables fib / ipv6 route lookup support"

	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6

config NF_FLOW_TABLE_IPV6
	tristate "Netfilter flow table IPv6 module"
	depends on NF_FLOW_TABLE

	  This option adds the flow table IPv6 support.

	  To compile it as a module, choose M here.

	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK

	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n

	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystems
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED

	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED

	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED

	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED

	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL

	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n

	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED

	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW

	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED

	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_SRH
	tristate '"srh" Segment Routing header match support'
	depends on NETFILTER_ADVANCED

	  srh matching allows you to match packets based on the segment
	  routing header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL

	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n

	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n

	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY

	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n

	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

	tristate 'raw table support (required for TRACE)'

	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"

	depends on NETFILTER_ADVANCED

	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED

	select NETFILTER_XT_NAT

	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NF_NAT_MASQUERADE

	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost. This is
	  only useful for dialup accounts with a dynamic IP address (i.e. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"

	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_IPTABLES

config NF_DEFRAG_IPV6