
Linux/net/ipv6/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IPv6: Netfilter Configuration"
  6         depends on INET && IPV6 && NETFILTER
  7 
  8 config NF_DEFRAG_IPV6
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV6
 13         tristate "IPv6 connection tracking support"
 14         depends on INET && IPV6 && NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV6
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv6 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is an experimental scheme
 24           which generalizes ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 config NF_TABLES_IPV6
 29         depends on NF_TABLES
 30         tristate "IPv6 nf_tables support"
 31         help
 32           This option enables the IPv6 support for nf_tables.
 33 
 34 config NFT_CHAIN_ROUTE_IPV6
 35         depends on NF_TABLES_IPV6
 36         tristate "IPv6 nf_tables route chain support"
 37         help
 38           This option enables the "route" chain for IPv6 in nf_tables. This
 39           chain type is used to force packet re-routing after mangling header
 40           fields such as the source, destination, flowlabel, hop-limit and
 41           the packet mark.
 42 
 43 config NF_REJECT_IPV6
 44         tristate "IPv6 packet rejection"
 45         default m if NETFILTER_ADVANCED=n
 46 
 47 config NFT_REJECT_IPV6
 48         depends on NF_TABLES_IPV6
 49         select NF_REJECT_IPV6
 50         default NFT_REJECT
 51         tristate
 52 
 53 config NF_LOG_IPV6
 54         tristate "IPv6 packet logging"
 55         default m if NETFILTER_ADVANCED=n
 56         select NF_LOG_COMMON
 57 
 58 config NF_NAT_IPV6
 59         tristate "IPv6 NAT"
 60         depends on NF_CONNTRACK_IPV6
 61         depends on NETFILTER_ADVANCED
 62         select NF_NAT
 63         help
 64           The IPv6 NAT option allows masquerading, port forwarding and other
 65           forms of full Network Address Port Translation. This can be
 66           controlled by iptables or nft.
 67 
 68 if NF_NAT_IPV6
 69 
 70 config NFT_CHAIN_NAT_IPV6
 71         depends on NF_TABLES_IPV6
 72         tristate "IPv6 nf_tables nat chain support"
 73         help
 74           This option enables the "nat" chain for IPv6 in nf_tables. This
 75           chain type is used to perform Network Address Translation (NAT)
 76           packet transformations, such as rewriting the source or destination
 77           address and the source or destination ports.
 78 
 79 config NF_NAT_MASQUERADE_IPV6
 80         tristate "IPv6 masquerade support"
 81         help
 82           This is the kernel functionality to provide NAT in the masquerade
 83           flavour (automatic source address selection) for IPv6.
 84 
 85 config NFT_MASQ_IPV6
 86         tristate "IPv6 masquerade support for nf_tables"
 87         depends on NF_TABLES_IPV6
 88         depends on NFT_MASQ
 89         select NF_NAT_MASQUERADE_IPV6
 90         help
 91           This is the expression that provides IPv6 masquerading support for
 92           nf_tables.
 93 
 94 endif # NF_NAT_IPV6
 95 
 96 config IP6_NF_IPTABLES
 97         tristate "IP6 tables support (required for filtering)"
 98         depends on INET && IPV6
 99         select NETFILTER_XTABLES
100         default m if NETFILTER_ADVANCED=n
101         help
102           ip6tables is a general, extensible packet identification framework.
103           Currently only the packet filtering and packet mangling subsystems
104           for IPv6 use this, but connection tracking is going to follow.
105           Say 'Y' or 'M' here if you want to use either of those.
106 
107           To compile it as a module, choose M here.  If unsure, say N.
108 
109 if IP6_NF_IPTABLES
110 
111 # The simple matches.
112 config IP6_NF_MATCH_AH
113         tristate '"ah" match support'
114         depends on NETFILTER_ADVANCED
115         help
116           This module allows one to match AH packets.
117 
118           To compile it as a module, choose M here.  If unsure, say N.
119 
120 config IP6_NF_MATCH_EUI64
121         tristate '"eui64" address check'
122         depends on NETFILTER_ADVANCED
123         help
124           This module performs checking on the IPv6 source address.
125           It compares the last 64 bits with the EUI64 address (derived
126           from the MAC address).
127 
128           To compile it as a module, choose M here.  If unsure, say N.
129 
130 config IP6_NF_MATCH_FRAG
131         tristate '"frag" Fragmentation header match support'
132         depends on NETFILTER_ADVANCED
133         help
134           frag matching allows you to match packets based on the fragmentation
135           header of the packet.
136 
137           To compile it as a module, choose M here.  If unsure, say N.
138 
139 config IP6_NF_MATCH_OPTS
140         tristate '"hbh" hop-by-hop and "dst" opts header match support'
141         depends on NETFILTER_ADVANCED
142         help
143           This allows one to match packets based on the hop-by-hop
144           and destination options headers of a packet.
145 
146           To compile it as a module, choose M here.  If unsure, say N.
147 
148 config IP6_NF_MATCH_HL
149         tristate '"hl" hoplimit match support'
150         depends on NETFILTER_ADVANCED
151         select NETFILTER_XT_MATCH_HL
152         ---help---
153         This is a backwards-compat option for the user's convenience
154         (e.g. when running oldconfig). It selects
155         CONFIG_NETFILTER_XT_MATCH_HL.
156 
157 config IP6_NF_MATCH_IPV6HEADER
158         tristate '"ipv6header" IPv6 Extension Headers Match'
159         default m if NETFILTER_ADVANCED=n
160         help
161           This module allows one to match packets based upon
162           the ipv6 extension headers.
163 
164           To compile it as a module, choose M here.  If unsure, say N.
165 
166 config IP6_NF_MATCH_MH
167         tristate '"mh" match support'
168         depends on NETFILTER_ADVANCED
169         help
170           This module allows one to match MH packets.
171 
172           To compile it as a module, choose M here.  If unsure, say N.
173 
174 config IP6_NF_MATCH_RPFILTER
175         tristate '"rpfilter" reverse path filter match support'
176         depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
177         ---help---
178           This option allows you to match packets whose replies would
179           go out via the interface the packet came in.
180 
181           To compile it as a module, choose M here.  If unsure, say N.
182           The module will be called ip6t_rpfilter.
183 
184 config IP6_NF_MATCH_RT
185         tristate '"rt" Routing header match support'
186         depends on NETFILTER_ADVANCED
187         help
188           rt matching allows you to match packets based on the routing
189           header of the packet.
190 
191           To compile it as a module, choose M here.  If unsure, say N.
192 
193 # The targets
194 config IP6_NF_TARGET_HL
195         tristate '"HL" hoplimit target support'
196         depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
197         select NETFILTER_XT_TARGET_HL
198         ---help---
199         This is a backwards-compatible option for the user's convenience
200         (e.g. when running oldconfig). It selects
201         CONFIG_NETFILTER_XT_TARGET_HL.
202 
203 config IP6_NF_FILTER
204         tristate "Packet filtering"
205         default m if NETFILTER_ADVANCED=n
206         help
207           Packet filtering defines a table `filter', which has a series of
208           rules for simple packet filtering at local input, forwarding and
209           local output.  See the man page for iptables(8).
210 
211           To compile it as a module, choose M here.  If unsure, say N.
212 
213 config IP6_NF_TARGET_REJECT
214         tristate "REJECT target support"
215         depends on IP6_NF_FILTER
216         select NF_REJECT_IPV6
217         default m if NETFILTER_ADVANCED=n
218         help
219           The REJECT target allows a filtering rule to specify that an ICMPv6
220           error should be issued in response to an incoming packet, rather
221           than silently being dropped.
222 
223           To compile it as a module, choose M here.  If unsure, say N.
224 
225 config IP6_NF_TARGET_SYNPROXY
226         tristate "SYNPROXY target support"
227         depends on NF_CONNTRACK && NETFILTER_ADVANCED
228         select NETFILTER_SYNPROXY
229         select SYN_COOKIES
230         help
231           The SYNPROXY target allows you to intercept TCP connections and
232           establish them using syncookies before they are passed on to the
233           server. This avoids conntrack and server resource usage
234           during SYN-flood attacks.
235 
236           To compile it as a module, choose M here. If unsure, say N.
237 
238 config IP6_NF_MANGLE
239         tristate "Packet mangling"
240         default m if NETFILTER_ADVANCED=n
241         help
242           This option adds a `mangle' table to iptables: see the man page for
243           iptables(8).  This table is used for various packet alterations
244           which can affect how the packet is routed.
245 
246           To compile it as a module, choose M here.  If unsure, say N.
247 
248 config IP6_NF_RAW
249         tristate  'raw table support (required for TRACE)'
250         help
251           This option adds a `raw' table to ip6tables. This table is the very
252           first in the netfilter framework and hooks in at the PREROUTING
253           and OUTPUT chains.
254 
255           If you want to compile it as a module, say M here and read
256           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
257 
258 # security table for MAC policy
259 config IP6_NF_SECURITY
260        tristate "Security table"
261        depends on SECURITY
262        depends on NETFILTER_ADVANCED
263        help
264          This option adds a `security' table to iptables, for use
265          with Mandatory Access Control (MAC) policy.
266 
267          If unsure, say N.
268 
269 config IP6_NF_NAT
270         tristate "ip6tables NAT support"
271         depends on NF_CONNTRACK_IPV6
272         depends on NETFILTER_ADVANCED
273         select NF_NAT
274         select NF_NAT_IPV6
275         select NETFILTER_XT_NAT
276         help
277           This enables the `nat' table in ip6tables. This allows masquerading,
278           port forwarding and other forms of full Network Address Port
279           Translation.
280 
281           To compile it as a module, choose M here.  If unsure, say N.
282 
283 if IP6_NF_NAT
284 
285 config IP6_NF_TARGET_MASQUERADE
286         tristate "MASQUERADE target support"
287         select NF_NAT_MASQUERADE_IPV6
288         help
289           Masquerading is a special case of NAT: all outgoing connections are
290           changed to seem to come from a particular interface's address, and
291           if the interface goes down, those connections are lost.  This is
292           only useful for dialup accounts with dynamic IP address (i.e. your IP
293           address will be different on next dialup).
294 
295           To compile it as a module, choose M here.  If unsure, say N.
296 
297 config IP6_NF_TARGET_NPT
298         tristate "NPT (Network Prefix translation) target support"
299         help
300           This option adds the `SNPT' and `DNPT' targets, which perform
301           stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
302 
303           To compile it as a module, choose M here.  If unsure, say N.
304 
305 endif # IP6_NF_NAT
306 
307 endif # IP6_NF_IPTABLES
308 
309 endmenu
310 
