
Linux/net/ipv6/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IPv6: Netfilter Configuration"
  6         depends on INET && IPV6 && NETFILTER
  7 
  8 config NF_DEFRAG_IPV6
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV6
 13         tristate "IPv6 connection tracking support"
 14         depends on INET && IPV6 && NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV6
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv6 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is an experimental scheme
 24           which generalizes ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 if NF_TABLES
 29 
 30 config NF_TABLES_IPV6
 31         tristate "IPv6 nf_tables support"
 32         help
 33           This option enables the IPv6 support for nf_tables.
 34 
 35 if NF_TABLES_IPV6
 36 
 37 config NFT_CHAIN_ROUTE_IPV6
 38         tristate "IPv6 nf_tables route chain support"
 39         help
 40           This option enables the "route" chain for IPv6 in nf_tables. This
 41           chain type is used to force packet re-routing after mangling header
 42           fields such as the source, destination, flowlabel, hop-limit and
 43           the packet mark.
 44 
 45 config NFT_REJECT_IPV6
 46         select NF_REJECT_IPV6
 47         default NFT_REJECT
 48         tristate
 49 
 50 endif # NF_TABLES_IPV6
 51 endif # NF_TABLES
 52 
 53 config NF_REJECT_IPV6
 54         tristate "IPv6 packet rejection"
 55         default m if NETFILTER_ADVANCED=n
 56 
 57 config NF_LOG_IPV6
 58         tristate "IPv6 packet logging"
 59         default m if NETFILTER_ADVANCED=n
 60         select NF_LOG_COMMON
 61 
 62 config NF_NAT_IPV6
 63         tristate "IPv6 NAT"
 64         depends on NF_CONNTRACK_IPV6
 65         depends on NETFILTER_ADVANCED
 66         select NF_NAT
 67         help
 68           The IPv6 NAT option allows masquerading, port forwarding and other
 69           forms of full Network Address Port Translation. This can be
 70           controlled by iptables or nft.
 71 
 72 if NF_NAT_IPV6
 73 
 74 config NFT_CHAIN_NAT_IPV6
 75         depends on NF_TABLES_IPV6
 76         tristate "IPv6 nf_tables nat chain support"
 77         help
 78           This option enables the "nat" chain for IPv6 in nf_tables. This
 79           chain type is used to perform Network Address Translation (NAT)
 80           packet transformations such as rewriting the source and destination
 81           addresses and the source and destination ports.
 82 
 83 config NF_NAT_MASQUERADE_IPV6
 84         tristate "IPv6 masquerade support"
 85         help
 86           This is the kernel functionality to provide NAT in the masquerade
 87           flavour (automatic source address selection) for IPv6.
 88 
 89 config NFT_MASQ_IPV6
 90         tristate "IPv6 masquerade support for nf_tables"
 91         depends on NF_TABLES_IPV6
 92         depends on NFT_MASQ
 93         select NF_NAT_MASQUERADE_IPV6
 94         help
 95           This is the expression that provides IPv6 masquerading support for
 96           nf_tables.
 97 
 98 config NFT_REDIR_IPV6
 99         tristate "IPv6 redirect support for nf_tables"
100         depends on NF_TABLES_IPV6
101         depends on NFT_REDIR
102         select NF_NAT_REDIRECT
103         help
104           This is the expression that provides IPv6 redirect support for
105           nf_tables.
106 
107 endif # NF_NAT_IPV6
108 
109 config IP6_NF_IPTABLES
110         tristate "IP6 tables support (required for filtering)"
111         depends on INET && IPV6
112         select NETFILTER_XTABLES
113         default m if NETFILTER_ADVANCED=n
114         help
115           ip6tables is a general, extensible packet identification framework.
116           Currently only the packet filtering and packet mangling subsystems
117           for IPv6 use this, but connection tracking is going to follow.
118           Say 'Y' or 'M' here if you want to use either of those.
119 
120           To compile it as a module, choose M here.  If unsure, say N.
121 
122 if IP6_NF_IPTABLES
123 
124 # The simple matches.
125 config IP6_NF_MATCH_AH
126         tristate '"ah" match support'
127         depends on NETFILTER_ADVANCED
128         help
129           This module allows one to match AH packets.
130 
131           To compile it as a module, choose M here.  If unsure, say N.
132 
133 config IP6_NF_MATCH_EUI64
134         tristate '"eui64" address check'
135         depends on NETFILTER_ADVANCED
136         help
137           This module checks the IPv6 source address: it compares the
138           last 64 bits with the EUI64 address derived from the MAC
139           address.
140 
141           To compile it as a module, choose M here.  If unsure, say N.
142 
143 config IP6_NF_MATCH_FRAG
144         tristate '"frag" Fragmentation header match support'
145         depends on NETFILTER_ADVANCED
146         help
147           frag matching allows you to match packets based on the fragmentation
148           header of the packet.
149 
150           To compile it as a module, choose M here.  If unsure, say N.
151 
152 config IP6_NF_MATCH_OPTS
153         tristate '"hbh" hop-by-hop and "dst" opts header match support'
154         depends on NETFILTER_ADVANCED
155         help
156           This allows one to match packets based on the hop-by-hop
157           and destination options headers of a packet.
158 
159           To compile it as a module, choose M here.  If unsure, say N.
160 
161 config IP6_NF_MATCH_HL
162         tristate '"hl" hoplimit match support'
163         depends on NETFILTER_ADVANCED
164         select NETFILTER_XT_MATCH_HL
165         ---help---
166         This is a backwards-compat option for the user's convenience
167         (e.g. when running oldconfig). It selects
168         CONFIG_NETFILTER_XT_MATCH_HL.
169 
170 config IP6_NF_MATCH_IPV6HEADER
171         tristate '"ipv6header" IPv6 Extension Headers Match'
172         default m if NETFILTER_ADVANCED=n
173         help
174           This module allows one to match packets based upon
175           the ipv6 extension headers.
176 
177           To compile it as a module, choose M here.  If unsure, say N.
178 
179 config IP6_NF_MATCH_MH
180         tristate '"mh" match support'
181         depends on NETFILTER_ADVANCED
182         help
183           This module allows one to match MH packets.
184 
185           To compile it as a module, choose M here.  If unsure, say N.
186 
187 config IP6_NF_MATCH_RPFILTER
188         tristate '"rpfilter" reverse path filter match support'
189         depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
190         ---help---
191           This option allows you to match packets whose replies would
192           go out via the interface the packet came in.
193 
194           To compile it as a module, choose M here.  If unsure, say N.
195           The module will be called ip6t_rpfilter.
196 
197 config IP6_NF_MATCH_RT
198         tristate '"rt" Routing header match support'
199         depends on NETFILTER_ADVANCED
200         help
201           rt matching allows you to match packets based on the routing
202           header of the packet.
203 
204           To compile it as a module, choose M here.  If unsure, say N.
205 
206 # The targets
207 config IP6_NF_TARGET_HL
208         tristate '"HL" hoplimit target support'
209         depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
210         select NETFILTER_XT_TARGET_HL
211         ---help---
212         This is a backwards-compatible option for the user's convenience
213         (e.g. when running oldconfig). It selects
214         CONFIG_NETFILTER_XT_TARGET_HL.
215 
216 config IP6_NF_FILTER
217         tristate "Packet filtering"
218         default m if NETFILTER_ADVANCED=n
219         help
220           Packet filtering defines a table `filter', which has a series of
221           rules for simple packet filtering at local input, forwarding and
222           local output.  See the man page for iptables(8).
223 
224           To compile it as a module, choose M here.  If unsure, say N.
225 
226 config IP6_NF_TARGET_REJECT
227         tristate "REJECT target support"
228         depends on IP6_NF_FILTER
229         select NF_REJECT_IPV6
230         default m if NETFILTER_ADVANCED=n
231         help
232           The REJECT target allows a filtering rule to specify that an ICMPv6
233           error should be issued in response to an incoming packet, rather
234           than silently being dropped.
235 
236           To compile it as a module, choose M here.  If unsure, say N.
237 
238 config IP6_NF_TARGET_SYNPROXY
239         tristate "SYNPROXY target support"
240         depends on NF_CONNTRACK && NETFILTER_ADVANCED
241         select NETFILTER_SYNPROXY
242         select SYN_COOKIES
243         help
244           The SYNPROXY target allows you to intercept TCP connections and
245           establish them using syncookies before they are passed on to the
246           server. This avoids conntrack and server resource usage
247           during SYN-flood attacks.
248 
249           To compile it as a module, choose M here. If unsure, say N.
250 
251 config IP6_NF_MANGLE
252         tristate "Packet mangling"
253         default m if NETFILTER_ADVANCED=n
254         help
255           This option adds a `mangle' table to iptables: see the man page for
256           iptables(8).  This table is used for various packet alterations
257           which can affect how the packet is routed.
258 
259           To compile it as a module, choose M here.  If unsure, say N.
260 
261 config IP6_NF_RAW
262         tristate  'raw table support (required for TRACE)'
263         help
264           This option adds a `raw' table to ip6tables. This table is the very
265           first in the netfilter framework and hooks in at the PREROUTING
266           and OUTPUT chains.
267 
268           If you want to compile it as a module, say M here and read
269           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
270 
271 # security table for MAC policy
272 config IP6_NF_SECURITY
273        tristate "Security table"
274        depends on SECURITY
275        depends on NETFILTER_ADVANCED
276        help
277          This option adds a `security' table to iptables, for use
278          with Mandatory Access Control (MAC) policy.
279 
280          If unsure, say N.
281 
282 config IP6_NF_NAT
283         tristate "ip6tables NAT support"
284         depends on NF_CONNTRACK_IPV6
285         depends on NETFILTER_ADVANCED
286         select NF_NAT
287         select NF_NAT_IPV6
288         select NETFILTER_XT_NAT
289         help
290           This enables the `nat' table in ip6tables. This allows masquerading,
291           port forwarding and other forms of full Network Address Port
292           Translation.
293 
294           To compile it as a module, choose M here.  If unsure, say N.
295 
296 if IP6_NF_NAT
297 
298 config IP6_NF_TARGET_MASQUERADE
299         tristate "MASQUERADE target support"
300         select NF_NAT_MASQUERADE_IPV6
301         help
302           Masquerading is a special case of NAT: all outgoing connections are
303           changed to seem to come from a particular interface's address, and
304           if the interface goes down, those connections are lost.  This is
305           only useful for dialup accounts with dynamic IP address (ie. your IP
306           address will be different on next dialup).
307 
308           To compile it as a module, choose M here.  If unsure, say N.
309 
310 config IP6_NF_TARGET_NPT
311         tristate "NPT (Network Prefix translation) target support"
312         help
313           This option adds the `SNPT' and `DNPT' targets, which perform
314           stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
315 
316           To compile it as a module, choose M here.  If unsure, say N.
317 
318 endif # IP6_NF_NAT
319 
320 endif # IP6_NF_IPTABLES
321 
322 endmenu
323 
