
Linux/net/ipv6/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IPv6: Netfilter Configuration"
  6         depends on INET && IPV6 && NETFILTER
  7 
  8 config NF_DEFRAG_IPV6
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV6
 13         tristate "IPv6 connection tracking support"
 14         depends on INET && IPV6 && NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV6
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv6 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is an experimental scheme
 24           which generalizes ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 if NF_TABLES
 29 
 30 config NF_TABLES_IPV6
 31         tristate "IPv6 nf_tables support"
 32         help
 33           This option enables the IPv6 support for nf_tables.
 34 
 35 if NF_TABLES_IPV6
 36 
 37 config NFT_CHAIN_ROUTE_IPV6
 38         tristate "IPv6 nf_tables route chain support"
 39         help
 40           This option enables the "route" chain for IPv6 in nf_tables. This
 41           chain type is used to force packet re-routing after mangling header
 42           fields such as the source, destination, flowlabel, hop-limit and
 43           the packet mark.
 44 
 45 config NFT_REJECT_IPV6
 46         select NF_REJECT_IPV6
 47         default NFT_REJECT
 48         tristate
 49 
 50 endif # NF_TABLES_IPV6
 51 endif # NF_TABLES
 52 
 53 config NF_REJECT_IPV6
 54         tristate "IPv6 packet rejection"
 55         default m if NETFILTER_ADVANCED=n
 56 
 57 config NF_LOG_IPV6
 58         tristate "IPv6 packet logging"
 59         default m if NETFILTER_ADVANCED=n
 60         select NF_LOG_COMMON
 61 
 62 config NF_NAT_IPV6
 63         tristate "IPv6 NAT"
 64         depends on NF_CONNTRACK_IPV6
 65         depends on NETFILTER_ADVANCED
 66         select NF_NAT
 67         help
 68           The IPv6 NAT option allows masquerading, port forwarding and other
 69           forms of full Network Address Port Translation. This can be
 70           controlled by iptables or nft.
 71 
 72 if NF_NAT_IPV6
 73 
 74 config NFT_CHAIN_NAT_IPV6
 75         depends on NF_TABLES_IPV6
 76         tristate "IPv6 nf_tables nat chain support"
 77         help
 78           This option enables the "nat" chain for IPv6 in nf_tables. This
 79           chain type is used to perform Network Address Translation (NAT)
 80           packet transformations such as the source, destination address and
 81           source and destination ports.
 82 
 83 config NF_NAT_MASQUERADE_IPV6
 84         tristate "IPv6 masquerade support"
 85         help
 86           This is the kernel functionality to provide NAT in the masquerade
 87           flavour (automatic source address selection) for IPv6.
 88 
 89 config NFT_MASQ_IPV6
 90         tristate "IPv6 masquerade support for nf_tables"
 91         depends on NF_TABLES_IPV6
 92         depends on NFT_MASQ
 93         select NF_NAT_MASQUERADE_IPV6
 94         help
 95           This is the expression that provides IPv6 masquerading support for
 96           nf_tables.
 97 
 98 config NFT_REDIR_IPV6
 99         tristate "IPv6 redirect support for nf_tables"
100         depends on NF_TABLES_IPV6
101         depends on NFT_REDIR
102         select NF_NAT_REDIRECT
103         help
104           This is the expression that provides IPv6 redirect support for
105           nf_tables.
106 
107 endif # NF_NAT_IPV6
108 
109 config IP6_NF_IPTABLES
110         tristate "IP6 tables support (required for filtering)"
111         depends on INET && IPV6
112         select NETFILTER_XTABLES
113         default m if NETFILTER_ADVANCED=n
114         help
115           ip6tables is a general, extensible packet identification framework.
116           Currently only the packet filtering and packet mangling subsystems
117           for IPv6 use this, but connection tracking is going to follow.
118           Say 'Y' or 'M' here if you want to use either of those.
119 
120           To compile it as a module, choose M here.  If unsure, say N.
121 
122 if IP6_NF_IPTABLES
123 
124 # The simple matches.
125 config IP6_NF_MATCH_AH
126         tristate '"ah" match support'
127         depends on NETFILTER_ADVANCED
128         help
129           This module allows one to match AH packets.
130 
131           To compile it as a module, choose M here.  If unsure, say N.
132 
133 config IP6_NF_MATCH_EUI64
134         tristate '"eui64" address check'
135         depends on NETFILTER_ADVANCED
136         help
137           This module performs checking on the IPv6 source address.
138           It compares the last 64 bits with the EUI64 (derived
139           from the MAC address) address.
140 
141           To compile it as a module, choose M here.  If unsure, say N.
142 
143 config IP6_NF_MATCH_FRAG
144         tristate '"frag" Fragmentation header match support'
145         depends on NETFILTER_ADVANCED
146         help
147           frag matching allows you to match packets based on the fragmentation
148           header of the packet.
149 
150           To compile it as a module, choose M here.  If unsure, say N.
151 
152 config IP6_NF_MATCH_OPTS
153         tristate '"hbh" hop-by-hop and "dst" opts header match support'
154         depends on NETFILTER_ADVANCED
155         help
156           This allows one to match packets based on the hop-by-hop
157           and destination options headers of a packet.
158 
159           To compile it as a module, choose M here.  If unsure, say N.
160 
161 config IP6_NF_MATCH_HL
162         tristate '"hl" hoplimit match support'
163         depends on NETFILTER_ADVANCED
164         select NETFILTER_XT_MATCH_HL
165         ---help---
166         This is a backwards-compat option for the user's convenience
167         (e.g. when running oldconfig). It selects
168         CONFIG_NETFILTER_XT_MATCH_HL.
169 
170 config IP6_NF_MATCH_IPV6HEADER
171         tristate '"ipv6header" IPv6 Extension Headers Match'
172         default m if NETFILTER_ADVANCED=n
173         help
174           This module allows one to match packets based upon
175           the ipv6 extension headers.
176 
177           To compile it as a module, choose M here.  If unsure, say N.
178 
179 config IP6_NF_MATCH_MH
180         tristate '"mh" match support'
181         depends on NETFILTER_ADVANCED
182         help
183           This module allows one to match MH packets.
184 
185           To compile it as a module, choose M here.  If unsure, say N.
186 
187 config IP6_NF_MATCH_RPFILTER
188         tristate '"rpfilter" reverse path filter match support'
189         depends on NETFILTER_ADVANCED
190         depends on IP6_NF_MANGLE || IP6_NF_RAW
191         ---help---
192           This option allows you to match packets whose replies would
193           go out via the interface the packet came in on.
194 
195           To compile it as a module, choose M here.  If unsure, say N.
196           The module will be called ip6t_rpfilter.
197 
198 config IP6_NF_MATCH_RT
199         tristate '"rt" Routing header match support'
200         depends on NETFILTER_ADVANCED
201         help
202           rt matching allows you to match packets based on the routing
203           header of the packet.
204 
205           To compile it as a module, choose M here.  If unsure, say N.
206 
207 # The targets
208 config IP6_NF_TARGET_HL
209         tristate '"HL" hoplimit target support'
210         depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
211         select NETFILTER_XT_TARGET_HL
212         ---help---
213         This is a backwards-compatible option for the user's convenience
214         (e.g. when running oldconfig). It selects
215         CONFIG_NETFILTER_XT_TARGET_HL.
216 
217 config IP6_NF_FILTER
218         tristate "Packet filtering"
219         default m if NETFILTER_ADVANCED=n
220         help
221           Packet filtering defines a table `filter', which has a series of
222           rules for simple packet filtering at local input, forwarding and
223           local output.  See the man page for iptables(8).
224 
225           To compile it as a module, choose M here.  If unsure, say N.
226 
227 config IP6_NF_TARGET_REJECT
228         tristate "REJECT target support"
229         depends on IP6_NF_FILTER
230         select NF_REJECT_IPV6
231         default m if NETFILTER_ADVANCED=n
232         help
233           The REJECT target allows a filtering rule to specify that an ICMPv6
234           error should be issued in response to an incoming packet, rather
235           than silently being dropped.
236 
237           To compile it as a module, choose M here.  If unsure, say N.
238 
239 config IP6_NF_TARGET_SYNPROXY
240         tristate "SYNPROXY target support"
241         depends on NF_CONNTRACK && NETFILTER_ADVANCED
242         select NETFILTER_SYNPROXY
243         select SYN_COOKIES
244         help
245           The SYNPROXY target allows you to intercept TCP connections and
246           establish them using syncookies before they are passed on to the
247           server. This avoids conntrack and server resource usage
248           during SYN-flood attacks.
249 
250           To compile it as a module, choose M here. If unsure, say N.
251 
252 config IP6_NF_MANGLE
253         tristate "Packet mangling"
254         default m if NETFILTER_ADVANCED=n
255         help
256           This option adds a `mangle' table to iptables: see the man page for
257           iptables(8).  This table is used for various packet alterations
258           which can affect how the packet is routed.
259 
260           To compile it as a module, choose M here.  If unsure, say N.
261 
262 config IP6_NF_RAW
263         tristate  'raw table support (required for TRACE)'
264         help
265           This option adds a `raw' table to ip6tables. This table is the very
266           first in the netfilter framework and hooks in at the PREROUTING
267           and OUTPUT chains.
268 
269           If you want to compile it as a module, say M here and read
270           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
271 
272 # security table for MAC policy
273 config IP6_NF_SECURITY
274        tristate "Security table"
275        depends on SECURITY
276        depends on NETFILTER_ADVANCED
277        help
278          This option adds a `security' table to iptables, for use
279          with Mandatory Access Control (MAC) policy.
280 
281          If unsure, say N.
282 
283 config IP6_NF_NAT
284         tristate "ip6tables NAT support"
285         depends on NF_CONNTRACK_IPV6
286         depends on NETFILTER_ADVANCED
287         select NF_NAT
288         select NF_NAT_IPV6
289         select NETFILTER_XT_NAT
290         help
291           This enables the `nat' table in ip6tables. This allows masquerading,
292           port forwarding and other forms of full Network Address Port
293           Translation.
294 
295           To compile it as a module, choose M here.  If unsure, say N.
296 
297 if IP6_NF_NAT
298 
299 config IP6_NF_TARGET_MASQUERADE
300         tristate "MASQUERADE target support"
301         select NF_NAT_MASQUERADE_IPV6
302         help
303           Masquerading is a special case of NAT: all outgoing connections are
304           changed to seem to come from a particular interface's address, and
305           if the interface goes down, those connections are lost.  This is
306           only useful for dialup accounts with dynamic IP address (i.e. your IP
307           address will be different on next dialup).
308 
309           To compile it as a module, choose M here.  If unsure, say N.
310 
311 config IP6_NF_TARGET_NPT
312         tristate "NPT (Network Prefix translation) target support"
313         help
314           This option adds the `SNPT' and `DNPT' targets, which perform
315           stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
316 
317           To compile it as a module, choose M here.  If unsure, say N.
318 
319 endif # IP6_NF_NAT
320 
321 endif # IP6_NF_IPTABLES
322 
323 endmenu
324 
