
Linux/net/ipv6/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IPv6: Netfilter Configuration"
  6         depends on INET && IPV6 && NETFILTER
  7 
  8 config NF_DEFRAG_IPV6
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV6
 13         tristate "IPv6 connection tracking support"
 14         depends on INET && IPV6 && NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV6
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv6 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is an experimental scheme
 24           which generalizes ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 config NF_TABLES_IPV6
 29         depends on NF_TABLES
 30         tristate "IPv6 nf_tables support"
 31         help
 32           This option enables the IPv6 support for nf_tables.
 33 
 34 config NFT_CHAIN_ROUTE_IPV6
 35         depends on NF_TABLES_IPV6
 36         tristate "IPv6 nf_tables route chain support"
 37         help
 38           This option enables the "route" chain for IPv6 in nf_tables. This
 39           chain type is used to force packet re-routing after mangling header
 40           fields such as the source, destination, flowlabel, hop-limit and
 41           the packet mark.
 42 
 43 config NFT_CHAIN_NAT_IPV6
 44         depends on NF_TABLES_IPV6
 45         depends on NF_NAT_IPV6 && NFT_NAT
 46         tristate "IPv6 nf_tables nat chain support"
 47         help
 48           This option enables the "nat" chain for IPv6 in nf_tables. This
 49           chain type is used to perform Network Address Translation (NAT)
 50           packet transformations, such as rewriting the source and destination
 51           addresses and the source and destination ports.
 52 
 53 config NFT_REJECT_IPV6
 54         depends on NF_TABLES_IPV6
 55         default NFT_REJECT
 56         tristate
 57 
 58 config NF_LOG_IPV6
 59         tristate "IPv6 packet logging"
 60         default m if NETFILTER_ADVANCED=n
 61         select NF_LOG_COMMON
 62 
 63 config NF_NAT_IPV6
 64         tristate "IPv6 NAT"
 65         depends on NF_CONNTRACK_IPV6
 66         depends on NETFILTER_ADVANCED
 67         select NF_NAT
 68         help
 69           The IPv6 NAT option allows masquerading, port forwarding and other
 70           forms of full Network Address Port Translation. This can be
 71           controlled by iptables or nft.
 72 
 73 config IP6_NF_IPTABLES
 74         tristate "IP6 tables support (required for filtering)"
 75         depends on INET && IPV6
 76         select NETFILTER_XTABLES
 77         default m if NETFILTER_ADVANCED=n
 78         help
 79           ip6tables is a general, extensible packet identification framework.
 80           Currently only the packet filtering and packet mangling subsystems
 81           for IPv6 use this, but connection tracking is going to follow.
 82           Say 'Y' or 'M' here if you want to use either of those.
 83 
 84           To compile it as a module, choose M here.  If unsure, say N.
 85 
 86 if IP6_NF_IPTABLES
 87 
 88 # The simple matches.
 89 config IP6_NF_MATCH_AH
 90         tristate '"ah" match support'
 91         depends on NETFILTER_ADVANCED
 92         help
 93           This module allows one to match AH packets.
 94 
 95           To compile it as a module, choose M here.  If unsure, say N.
 96 
 97 config IP6_NF_MATCH_EUI64
 98         tristate '"eui64" address check'
 99         depends on NETFILTER_ADVANCED
100         help
101           This module performs checking on the IPv6 source address.
102           It compares the last 64 bits with the EUI64 address (derived
103           from the MAC address).
104 
105           To compile it as a module, choose M here.  If unsure, say N.
106 
107 config IP6_NF_MATCH_FRAG
108         tristate '"frag" Fragmentation header match support'
109         depends on NETFILTER_ADVANCED
110         help
111           frag matching allows you to match packets based on the fragmentation
112           header of the packet.
113 
114           To compile it as a module, choose M here.  If unsure, say N.
115 
116 config IP6_NF_MATCH_OPTS
117         tristate '"hbh" hop-by-hop and "dst" opts header match support'
118         depends on NETFILTER_ADVANCED
119         help
120           This allows one to match packets based on the hop-by-hop
121           and destination options headers of a packet.
122 
123           To compile it as a module, choose M here.  If unsure, say N.
124 
125 config IP6_NF_MATCH_HL
126         tristate '"hl" hoplimit match support'
127         depends on NETFILTER_ADVANCED
128         select NETFILTER_XT_MATCH_HL
129         ---help---
130         This is a backwards-compat option for the user's convenience
131         (e.g. when running oldconfig). It selects
132         CONFIG_NETFILTER_XT_MATCH_HL.
133 
134 config IP6_NF_MATCH_IPV6HEADER
135         tristate '"ipv6header" IPv6 Extension Headers Match'
136         default m if NETFILTER_ADVANCED=n
137         help
138           This module allows one to match packets based upon
139           the ipv6 extension headers.
140 
141           To compile it as a module, choose M here.  If unsure, say N.
142 
143 config IP6_NF_MATCH_MH
144         tristate '"mh" match support'
145         depends on NETFILTER_ADVANCED
146         help
147           This module allows one to match MH packets.
148 
149           To compile it as a module, choose M here.  If unsure, say N.
150 
151 config IP6_NF_MATCH_RPFILTER
152         tristate '"rpfilter" reverse path filter match support'
153         depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
154         ---help---
155           This option allows you to match packets whose replies would
156           go out via the interface the packet came in on.
157 
158           To compile it as a module, choose M here.  If unsure, say N.
159           The module will be called ip6t_rpfilter.
160 
161 config IP6_NF_MATCH_RT
162         tristate '"rt" Routing header match support'
163         depends on NETFILTER_ADVANCED
164         help
165           rt matching allows you to match packets based on the routing
166           header of the packet.
167 
168           To compile it as a module, choose M here.  If unsure, say N.
169 
170 # The targets
171 config IP6_NF_TARGET_HL
172         tristate '"HL" hoplimit target support'
173         depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
174         select NETFILTER_XT_TARGET_HL
175         ---help---
176         This is a backwards-compatible option for the user's convenience
177         (e.g. when running oldconfig). It selects
178         CONFIG_NETFILTER_XT_TARGET_HL.
179 
180 config IP6_NF_FILTER
181         tristate "Packet filtering"
182         default m if NETFILTER_ADVANCED=n
183         help
184           Packet filtering defines a table `filter', which has a series of
185           rules for simple packet filtering at local input, forwarding and
186           local output.  See the man page for iptables(8).
187 
188           To compile it as a module, choose M here.  If unsure, say N.
189 
190 config IP6_NF_TARGET_REJECT
191         tristate "REJECT target support"
192         depends on IP6_NF_FILTER
193         default m if NETFILTER_ADVANCED=n
194         help
195           The REJECT target allows a filtering rule to specify that an ICMPv6
196           error should be issued in response to an incoming packet, rather
197           than silently being dropped.
198 
199           To compile it as a module, choose M here.  If unsure, say N.
200 
201 config IP6_NF_TARGET_SYNPROXY
202         tristate "SYNPROXY target support"
203         depends on NF_CONNTRACK && NETFILTER_ADVANCED
204         select NETFILTER_SYNPROXY
205         select SYN_COOKIES
206         help
207           The SYNPROXY target allows you to intercept TCP connections and
208           establish them using syncookies before they are passed on to the
209           server. This avoids conntrack and server resource usage
210           during SYN-flood attacks.
211 
212           To compile it as a module, choose M here. If unsure, say N.
213 
214 config IP6_NF_MANGLE
215         tristate "Packet mangling"
216         default m if NETFILTER_ADVANCED=n
217         help
218           This option adds a `mangle' table to iptables: see the man page for
219           iptables(8).  This table is used for various packet alterations
220           which can affect how the packet is routed.
221 
222           To compile it as a module, choose M here.  If unsure, say N.
223 
224 config IP6_NF_RAW
225         tristate  'raw table support (required for TRACE)'
226         help
227           This option adds a `raw' table to ip6tables. This table is the very
228           first in the netfilter framework and hooks in at the PREROUTING
229           and OUTPUT chains.
230 
231           If you want to compile it as a module, say M here and read
232           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
233 
234 # security table for MAC policy
235 config IP6_NF_SECURITY
236        tristate "Security table"
237        depends on SECURITY
238        depends on NETFILTER_ADVANCED
239        help
240          This option adds a `security' table to iptables, for use
241          with Mandatory Access Control (MAC) policy.
242 
243          If unsure, say N.
244 
245 config IP6_NF_NAT
246         tristate "ip6tables NAT support"
247         depends on NF_CONNTRACK_IPV6
248         depends on NETFILTER_ADVANCED
249         select NF_NAT
250         select NF_NAT_IPV6
251         select NETFILTER_XT_NAT
252         help
253           This enables the `nat' table in ip6tables. This allows masquerading,
254           port forwarding and other forms of full Network Address Port
255           Translation.
256 
257           To compile it as a module, choose M here.  If unsure, say N.
258 
259 if IP6_NF_NAT
260 
261 config IP6_NF_TARGET_MASQUERADE
262         tristate "MASQUERADE target support"
263         help
264           Masquerading is a special case of NAT: all outgoing connections are
265           changed to seem to come from a particular interface's address, and
266           if the interface goes down, those connections are lost.  This is
267           only useful for dialup accounts with a dynamic IP address (i.e. your IP
268           address will be different on next dialup).
269 
270           To compile it as a module, choose M here.  If unsure, say N.
271 
272 config IP6_NF_TARGET_NPT
273         tristate "NPT (Network Prefix translation) target support"
274         help
275           This option adds the `SNPT' and `DNPT' targets, which perform
276           stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
277 
278           To compile it as a module, choose M here.  If unsure, say N.
279 
280 endif # IP6_NF_NAT
281 
282 endif # IP6_NF_IPTABLES
283 
284 endmenu
285 
