
Linux/net/ipv6/netfilter/Kconfig

  1 #
  2 # IPv6 netfilter configuration
  3 #
  4 
  5 menu "IPv6: Netfilter Configuration"
  6         depends on INET && IPV6 && NETFILTER
  7 
  8 config NF_DEFRAG_IPV6
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV6
 13         tristate "IPv6 connection tracking support"
 14         depends on INET && IPV6 && NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV6
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv6 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is an experimental scheme
 24           which generalizes ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 if NF_TABLES
 29 
 30 config NF_TABLES_IPV6
 31         tristate "IPv6 nf_tables support"
 32         help
 33           This option enables the IPv6 support for nf_tables.
 34 
 35 if NF_TABLES_IPV6
 36 
 37 config NFT_CHAIN_ROUTE_IPV6
 38         tristate "IPv6 nf_tables route chain support"
 39         help
 40           This option enables the "route" chain for IPv6 in nf_tables. This
 41           chain type is used to force packet re-routing after mangling header
 42           fields such as the source, destination, flowlabel, hop-limit and
 43           the packet mark.
 44 
 45 config NFT_REJECT_IPV6
 46         select NF_REJECT_IPV6
 47         default NFT_REJECT
 48         tristate
 49 
 50 config NFT_DUP_IPV6
 51         tristate "IPv6 nf_tables packet duplication support"
 52         depends on !NF_CONNTRACK || NF_CONNTRACK
 53         select NF_DUP_IPV6
 54         help
 55           This module enables IPv6 packet duplication support for nf_tables.
 56 
 57 endif # NF_TABLES_IPV6
 58 endif # NF_TABLES
 59 
 60 config NF_DUP_IPV6
 61         tristate "Netfilter IPv6 packet duplication to alternate destination"
 62         depends on !NF_CONNTRACK || NF_CONNTRACK
 63         help
 64           This option enables the nf_dup_ipv6 core, which duplicates an IPv6
 65           packet to be rerouted to another destination.
 66 
 67 config NF_REJECT_IPV6
 68         tristate "IPv6 packet rejection"
 69         default m if NETFILTER_ADVANCED=n
 70 
 71 config NF_LOG_IPV6
 72         tristate "IPv6 packet logging"
 73         default m if NETFILTER_ADVANCED=n
 74         select NF_LOG_COMMON
 75 
 76 config NF_NAT_IPV6
 77         tristate "IPv6 NAT"
 78         depends on NF_CONNTRACK_IPV6
 79         depends on NETFILTER_ADVANCED
 80         select NF_NAT
 81         help
 82           The IPv6 NAT option allows masquerading, port forwarding and other
 83           forms of full Network Address Port Translation. This can be
 84           controlled by iptables or nft.
 85 
 86 if NF_NAT_IPV6
 87 
 88 config NFT_CHAIN_NAT_IPV6
 89         depends on NF_TABLES_IPV6
 90         tristate "IPv6 nf_tables nat chain support"
 91         help
 92           This option enables the "nat" chain for IPv6 in nf_tables. This
 93           chain type is used to perform Network Address Translation (NAT)
 94           packet transformations, such as rewriting the source and destination
 95           addresses and the source and destination ports.
 96 
 97 config NF_NAT_MASQUERADE_IPV6
 98         tristate "IPv6 masquerade support"
 99         help
100           This is the kernel functionality to provide NAT in the masquerade
101           flavour (automatic source address selection) for IPv6.
102 
103 config NFT_MASQ_IPV6
104         tristate "IPv6 masquerade support for nf_tables"
105         depends on NF_TABLES_IPV6
106         depends on NFT_MASQ
107         select NF_NAT_MASQUERADE_IPV6
108         help
109           This is the expression that provides IPv6 masquerading support for
110           nf_tables.
111 
112 config NFT_REDIR_IPV6
113         tristate "IPv6 redirect support for nf_tables"
114         depends on NF_TABLES_IPV6
115         depends on NFT_REDIR
116         select NF_NAT_REDIRECT
117         help
118           This is the expression that provides IPv6 redirect support for
119           nf_tables.
120 
121 endif # NF_NAT_IPV6
122 
123 config IP6_NF_IPTABLES
124         tristate "IP6 tables support (required for filtering)"
125         depends on INET && IPV6
126         select NETFILTER_XTABLES
127         default m if NETFILTER_ADVANCED=n
128         help
129           ip6tables is a general, extensible packet identification framework.
130           Currently only the packet filtering and packet mangling subsystems
131           for IPv6 use this, but connection tracking is going to follow.
132           Say 'Y' or 'M' here if you want to use either of those.
133 
134           To compile it as a module, choose M here.  If unsure, say N.
135 
136 if IP6_NF_IPTABLES
137 
138 # The simple matches.
139 config IP6_NF_MATCH_AH
140         tristate '"ah" match support'
141         depends on NETFILTER_ADVANCED
142         help
143           This module allows one to match AH packets.
144 
145           To compile it as a module, choose M here.  If unsure, say N.
146 
147 config IP6_NF_MATCH_EUI64
148         tristate '"eui64" address check'
149         depends on NETFILTER_ADVANCED
150         help
151           This module checks the IPv6 source address: it compares the
152           last 64 bits with the EUI64 address (derived from the MAC
153           address).
154 
155           To compile it as a module, choose M here.  If unsure, say N.
156 
157 config IP6_NF_MATCH_FRAG
158         tristate '"frag" Fragmentation header match support'
159         depends on NETFILTER_ADVANCED
160         help
161           frag matching allows you to match packets based on the fragmentation
162           header of the packet.
163 
164           To compile it as a module, choose M here.  If unsure, say N.
165 
166 config IP6_NF_MATCH_OPTS
167         tristate '"hbh" hop-by-hop and "dst" opts header match support'
168         depends on NETFILTER_ADVANCED
169         help
170           This allows one to match packets based on the hop-by-hop
171           and destination options headers of a packet.
172 
173           To compile it as a module, choose M here.  If unsure, say N.
174 
175 config IP6_NF_MATCH_HL
176         tristate '"hl" hoplimit match support'
177         depends on NETFILTER_ADVANCED
178         select NETFILTER_XT_MATCH_HL
179         ---help---
180         This is a backwards-compatible option for the user's convenience
181         (e.g. when running oldconfig). It selects
182         CONFIG_NETFILTER_XT_MATCH_HL.
183 
184 config IP6_NF_MATCH_IPV6HEADER
185         tristate '"ipv6header" IPv6 Extension Headers Match'
186         default m if NETFILTER_ADVANCED=n
187         help
188           This module allows one to match packets based upon
189           the IPv6 extension headers.
190 
191           To compile it as a module, choose M here.  If unsure, say N.
192 
193 config IP6_NF_MATCH_MH
194         tristate '"mh" match support'
195         depends on NETFILTER_ADVANCED
196         help
197           This module allows one to match MH packets.
198 
199           To compile it as a module, choose M here.  If unsure, say N.
200 
201 config IP6_NF_MATCH_RPFILTER
202         tristate '"rpfilter" reverse path filter match support'
203         depends on NETFILTER_ADVANCED
204         depends on IP6_NF_MANGLE || IP6_NF_RAW
205         ---help---
206           This option allows you to match packets whose replies would
207           go out via the interface the packet came in on.
208 
209           To compile it as a module, choose M here.  If unsure, say N.
210           The module will be called ip6t_rpfilter.
211 
212 config IP6_NF_MATCH_RT
213         tristate '"rt" Routing header match support'
214         depends on NETFILTER_ADVANCED
215         help
216           rt matching allows you to match packets based on the routing
217           header of the packet.
218 
219           To compile it as a module, choose M here.  If unsure, say N.
220 
221 # The targets
222 config IP6_NF_TARGET_HL
223         tristate '"HL" hoplimit target support'
224         depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
225         select NETFILTER_XT_TARGET_HL
226         ---help---
227         This is a backwards-compatible option for the user's convenience
228         (e.g. when running oldconfig). It selects
229         CONFIG_NETFILTER_XT_TARGET_HL.
230 
231 config IP6_NF_FILTER
232         tristate "Packet filtering"
233         default m if NETFILTER_ADVANCED=n
234         help
235           Packet filtering defines a table `filter', which has a series of
236           rules for simple packet filtering at local input, forwarding and
237           local output.  See the man page for iptables(8).
238 
239           To compile it as a module, choose M here.  If unsure, say N.
240 
241 config IP6_NF_TARGET_REJECT
242         tristate "REJECT target support"
243         depends on IP6_NF_FILTER
244         select NF_REJECT_IPV6
245         default m if NETFILTER_ADVANCED=n
246         help
247           The REJECT target allows a filtering rule to specify that an ICMPv6
248           error should be issued in response to an incoming packet, rather
249           than silently being dropped.
250 
251           To compile it as a module, choose M here.  If unsure, say N.
252 
253 config IP6_NF_TARGET_SYNPROXY
254         tristate "SYNPROXY target support"
255         depends on NF_CONNTRACK && NETFILTER_ADVANCED
256         select NETFILTER_SYNPROXY
257         select SYN_COOKIES
258         help
259           The SYNPROXY target allows you to intercept TCP connections and
260           establish them using syncookies before they are passed on to the
261           server. This avoids conntrack and server resource usage
262           during SYN-flood attacks.
263 
264           To compile it as a module, choose M here. If unsure, say N.
265 
266 config IP6_NF_MANGLE
267         tristate "Packet mangling"
268         default m if NETFILTER_ADVANCED=n
269         help
270           This option adds a `mangle' table to iptables: see the man page for
271           iptables(8).  This table is used for various packet alterations
272           which can affect how the packet is routed.
273 
274           To compile it as a module, choose M here.  If unsure, say N.
275 
276 config IP6_NF_RAW
277         tristate  'raw table support (required for TRACE)'
278         help
279           This option adds a `raw' table to ip6tables. This table is the very
280           first in the netfilter framework and hooks in at the PREROUTING
281           and OUTPUT chains.
282 
283           If you want to compile it as a module, say M here and read
284           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
285 
286 # security table for Mandatory Access Control (MAC) policy
287 config IP6_NF_SECURITY
288        tristate "Security table"
289        depends on SECURITY
290        depends on NETFILTER_ADVANCED
291        help
292          This option adds a `security' table to iptables, for use
293          with Mandatory Access Control (MAC) policy.
294 
295          If unsure, say N.
296 
297 config IP6_NF_NAT
298         tristate "ip6tables NAT support"
299         depends on NF_CONNTRACK_IPV6
300         depends on NETFILTER_ADVANCED
301         select NF_NAT
302         select NF_NAT_IPV6
303         select NETFILTER_XT_NAT
304         help
305           This enables the `nat' table in ip6tables. This allows masquerading,
306           port forwarding and other forms of full Network Address Port
307           Translation.
308 
309           To compile it as a module, choose M here.  If unsure, say N.
310 
311 if IP6_NF_NAT
312 
313 config IP6_NF_TARGET_MASQUERADE
314         tristate "MASQUERADE target support"
315         select NF_NAT_MASQUERADE_IPV6
316         help
317           Masquerading is a special case of NAT: all outgoing connections are
318           changed to seem to come from a particular interface's address, and
319           if the interface goes down, those connections are lost.  This is
320           only useful for dialup accounts with a dynamic IP address (i.e. your IP
321           address will be different on next dialup).
322 
323           To compile it as a module, choose M here.  If unsure, say N.
324 
325 config IP6_NF_TARGET_NPT
326         tristate "NPT (Network Prefix translation) target support"
327         help
328           This option adds the `SNPT' and `DNPT' targets, which perform
329           stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
330 
331           To compile it as a module, choose M here.  If unsure, say N.
332 
333 endif # IP6_NF_NAT
334 
335 endif # IP6_NF_IPTABLES
336 
337 endmenu
338 
