
Linux/net/ipv6/netfilter/Kconfig

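  #
  # IPv6 netfilter configuration
  #

  menu "IPv6: Netfilter Configuration"
          depends on INET && IPV6 && NETFILTER

  # No prompt string: this symbol is not user-selectable and is only
  # enabled through "select" (NF_CONNTRACK_IPV6 below selects it).
  config NF_DEFRAG_IPV6
          tristate
          default n

  # "default m if NETFILTER_ADVANCED=n": when the advanced netfilter
  # options are hidden, this is built as a module by default. The same
  # pattern is used by several options further down.
  config NF_CONNTRACK_IPV6
          tristate "IPv6 connection tracking support"
          depends on INET && IPV6 && NF_CONNTRACK
          default m if NETFILTER_ADVANCED=n
          select NF_DEFRAG_IPV6
          help
            Connection tracking keeps a record of what packets have passed
            through your machine, in order to figure out how they are related
            into connections.

            This is IPv6 support on Layer 3 independent connection tracking.
            Layer 3 independent connection tracking is an experimental scheme
            which generalizes ip_conntrack to support other layer 3 protocols.

            To compile it as a module, choose M here.  If unsure, say N.

  config NF_SOCKET_IPV6
          tristate "IPv6 socket lookup support"
          help
            This option enables the IPv6 socket lookup infrastructure. This
            is used by the ip6tables socket match.

  if NF_TABLES

  config NF_TABLES_IPV6
          tristate "IPv6 nf_tables support"
          help
            This option enables the IPv6 support for nf_tables.

  if NF_TABLES_IPV6

  config NFT_CHAIN_ROUTE_IPV6
          tristate "IPv6 nf_tables route chain support"
          help
            This option enables the "route" chain for IPv6 in nf_tables. This
            chain type is used to force packet re-routing after mangling header
            fields such as the source, destination, flowlabel, hop-limit and
            the packet mark.

  # No prompt: follows the value of NFT_REJECT and pulls in the IPv6
  # reject core (NF_REJECT_IPV6).
  config NFT_REJECT_IPV6
          tristate
          default NFT_REJECT
          select NF_REJECT_IPV6

  # "depends on !NF_CONNTRACK || NF_CONNTRACK" is not a no-op for a
  # tristate: with NF_CONNTRACK=m the expression evaluates to m, so this
  # option cannot be built in (y) while conntrack is a module.
  config NFT_DUP_IPV6
          tristate "IPv6 nf_tables packet duplication support"
          depends on !NF_CONNTRACK || NF_CONNTRACK
          select NF_DUP_IPV6
          help
            This module enables IPv6 packet duplication support for nf_tables.

  config NFT_FIB_IPV6
          tristate "nf_tables fib / ipv6 route lookup support"
          select NFT_FIB
          help
            This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
            It also allows query of the FIB for the route type, e.g. local, unicast,
            multicast or blackhole.

  endif # NF_TABLES_IPV6
  endif # NF_TABLES

  # Same tristate idiom as NFT_DUP_IPV6: limited to m when NF_CONNTRACK=m.
  config NF_DUP_IPV6
          tristate "Netfilter IPv6 packet duplication to alternate destination"
          depends on !NF_CONNTRACK || NF_CONNTRACK
          help
            This option enables the nf_dup_ipv6 core, which duplicates an IPv6
            packet to be rerouted to another destination.

  config NF_REJECT_IPV6
          tristate "IPv6 packet rejection"
          default m if NETFILTER_ADVANCED=n

  config NF_LOG_IPV6
          tristate "IPv6 packet logging"
          default m if NETFILTER_ADVANCED=n
          select NF_LOG_COMMON

  # Only offered when NETFILTER_ADVANCED is enabled, and requires IPv6
  # connection tracking.
  config NF_NAT_IPV6
          tristate "IPv6 NAT"
          depends on NF_CONNTRACK_IPV6
          depends on NETFILTER_ADVANCED
          select NF_NAT
          help
            The IPv6 NAT option allows masquerading, port forwarding and other
            forms of full Network Address Port Translation. This can be
            controlled by iptables or nft.

  if NF_NAT_IPV6

  config NFT_CHAIN_NAT_IPV6
          tristate "IPv6 nf_tables nat chain support"
          depends on NF_TABLES_IPV6
          help
            This option enables the "nat" chain for IPv6 in nf_tables. This
            chain type is used to perform Network Address Translation (NAT)
            packet transformations such as the source, destination address and
            source and destination ports.

  config NF_NAT_MASQUERADE_IPV6
          tristate "IPv6 masquerade support"
          help
            This is the kernel functionality to provide NAT in the masquerade
            flavour (automatic source address selection) for IPv6.

  config NFT_MASQ_IPV6
          tristate "IPv6 masquerade support for nf_tables"
          depends on NF_TABLES_IPV6
          depends on NFT_MASQ
          select NF_NAT_MASQUERADE_IPV6
          help
            This is the expression that provides IPv6 masquerading support for
            nf_tables.

  config NFT_REDIR_IPV6
          tristate "IPv6 redirect support for nf_tables"
          depends on NF_TABLES_IPV6
          depends on NFT_REDIR
          select NF_NAT_REDIRECT
          help
            This is the expression that provides IPv6 redirect support for
            nf_tables.

  endif # NF_NAT_IPV6

  # NOTE(review): the help text below still says connection tracking "is
  # going to follow"; in this file IPv6 connection tracking is already
  # configurable through NF_CONNTRACK_IPV6 above.
  config IP6_NF_IPTABLES
          tristate "IP6 tables support (required for filtering)"
          depends on INET && IPV6
          select NETFILTER_XTABLES
          default m if NETFILTER_ADVANCED=n
          help
            ip6tables is a general, extensible packet identification framework.
            Currently only the packet filtering and packet mangling subsystem
            for IPv6 use this, but connection tracking is going to follow.
            Say 'Y' or 'M' here if you want to use either of those.

            To compile it as a module, choose M here.  If unsure, say N.

  if IP6_NF_IPTABLES

  # The simple matches.
  config IP6_NF_MATCH_AH
          tristate '"ah" match support'
          depends on NETFILTER_ADVANCED
          help
            This module allows one to match AH packets.

            To compile it as a module, choose M here.  If unsure, say N.

  config IP6_NF_MATCH_EUI64
          tristate '"eui64" address check'
          depends on NETFILTER_ADVANCED
          help
            This module performs checking on the IPv6 source address.
            It compares the last 64 bits with the EUI64 address (derived
            from the MAC address).

            To compile it as a module, choose M here.  If unsure, say N.

  config IP6_NF_MATCH_FRAG
          tristate '"frag" Fragmentation header match support'
          depends on NETFILTER_ADVANCED
          help
            frag matching allows you to match packets based on the fragmentation
            header of the packet.

            To compile it as a module, choose M here.  If unsure, say N.

  config IP6_NF_MATCH_OPTS
          tristate '"hbh" hop-by-hop and "dst" opts header match support'
          depends on NETFILTER_ADVANCED
          help
            This allows one to match packets based on the hop-by-hop
            and destination options headers of a packet.

            To compile it as a module, choose M here.  If unsure, say N.

  # Compatibility symbol: carries no code of its own, it only selects the
  # protocol-independent NETFILTER_XT_MATCH_HL.
  config IP6_NF_MATCH_HL
          tristate '"hl" hoplimit match support'
          depends on NETFILTER_ADVANCED
          select NETFILTER_XT_MATCH_HL
          help
            This is a backwards-compat option for the user's convenience
            (e.g. when running oldconfig). It selects
            CONFIG_NETFILTER_XT_MATCH_HL.

  config IP6_NF_MATCH_IPV6HEADER
          tristate '"ipv6header" IPv6 Extension Headers Match'
          default m if NETFILTER_ADVANCED=n
          help
            This module allows one to match packets based upon
            the ipv6 extension headers.

            To compile it as a module, choose M here.  If unsure, say N.

  config IP6_NF_MATCH_MH
          tristate '"mh" match support'
          depends on NETFILTER_ADVANCED
          help
            This module allows one to match MH packets.

            To compile it as a module, choose M here.  If unsure, say N.

  # Reverse path check: a packet matches when the reply to its source
  # address would leave through the interface it arrived on. Packets that
  # fail the check are candidates for source-address spoofing, so this
  # match is commonly used to filter them.
  # Requires the mangle or raw table - presumably because the match is
  # only usable from those tables; confirm against ip6t_rpfilter.
  config IP6_NF_MATCH_RPFILTER
          tristate '"rpfilter" reverse path filter match support'
          depends on NETFILTER_ADVANCED
          depends on IP6_NF_MANGLE || IP6_NF_RAW
          help
            This option allows you to match packets whose replies would
            go out via the interface the packet came in.

            To compile it as a module, choose M here.  If unsure, say N.
            The module will be called ip6t_rpfilter.

  config IP6_NF_MATCH_RT
          tristate '"rt" Routing header match support'
          depends on NETFILTER_ADVANCED
          help
            rt matching allows you to match packets based on the routing
            header of the packet.

            To compile it as a module, choose M here.  If unsure, say N.

  # The targets
  # Compatibility symbol: only selects NETFILTER_XT_TARGET_HL.
  config IP6_NF_TARGET_HL
          tristate '"HL" hoplimit target support'
          depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
          select NETFILTER_XT_TARGET_HL
          help
            This is a backwards-compatible option for the user's convenience
            (e.g. when running oldconfig). It selects
            CONFIG_NETFILTER_XT_TARGET_HL.

  config IP6_NF_FILTER
          tristate "Packet filtering"
          default m if NETFILTER_ADVANCED=n
          help
            Packet filtering defines a table `filter', which has a series of
            rules for simple packet filtering at local input, forwarding and
            local output.  See the man page for iptables(8).

            To compile it as a module, choose M here.  If unsure, say N.

  # REJECT answers the sender with an ICMPv6 error, so the sender learns
  # that the packet was refused; a plain drop gives no such signal.
  config IP6_NF_TARGET_REJECT
          tristate "REJECT target support"
          depends on IP6_NF_FILTER
          select NF_REJECT_IPV6
          default m if NETFILTER_ADVANCED=n
          help
            The REJECT target allows a filtering rule to specify that an ICMPv6
            error should be issued in response to an incoming packet, rather
            than silently being dropped.

            To compile it as a module, choose M here.  If unsure, say N.

  # Enabling this forces SYN_COOKIES on (via select), in addition to the
  # shared NETFILTER_SYNPROXY code.
  config IP6_NF_TARGET_SYNPROXY
          tristate "SYNPROXY target support"
          depends on NF_CONNTRACK && NETFILTER_ADVANCED
          select NETFILTER_SYNPROXY
          select SYN_COOKIES
          help
            The SYNPROXY target allows you to intercept TCP connections and
            establish them using syncookies before they are passed on to the
            server. This avoids conntrack and server resource usage during
            SYN-flood attacks.

            To compile it as a module, choose M here. If unsure, say N.

  config IP6_NF_MANGLE
          tristate "Packet mangling"
          default m if NETFILTER_ADVANCED=n
          help
            This option adds a `mangle' table to iptables: see the man page for
            iptables(8).  This table is used for various packet alterations
            which can affect how the packet is routed.

            To compile it as a module, choose M here.  If unsure, say N.

  config IP6_NF_RAW
          tristate 'raw table support (required for TRACE)'
          help
            This option adds a `raw' table to ip6tables. This table is the very
            first in the netfilter framework and hooks in at the PREROUTING
            and OUTPUT chains.

            If you want to compile it as a module, say M here and read
            <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

  # security table for MAC policy
  # Only available when the kernel is built with SECURITY and the advanced
  # netfilter options are enabled.
  config IP6_NF_SECURITY
          tristate "Security table"
          depends on SECURITY
          depends on NETFILTER_ADVANCED
          help
            This option adds a `security' table to iptables, for use
            with Mandatory Access Control (MAC) policy.

            If unsure, say N.

  config IP6_NF_NAT
          tristate "ip6tables NAT support"
          depends on NF_CONNTRACK_IPV6
          depends on NETFILTER_ADVANCED
          select NF_NAT
          select NF_NAT_IPV6
          select NETFILTER_XT_NAT
          help
            This enables the `nat' table in ip6tables. This allows masquerading,
            port forwarding and other forms of full Network Address Port
            Translation.

            To compile it as a module, choose M here.  If unsure, say N.

  if IP6_NF_NAT

  config IP6_NF_TARGET_MASQUERADE
          tristate "MASQUERADE target support"
          select NF_NAT_MASQUERADE_IPV6
          help
            Masquerading is a special case of NAT: all outgoing connections are
            changed to seem to come from a particular interface's address, and
            if the interface goes down, those connections are lost.  This is
            only useful for dialup accounts with dynamic IP address (i.e. your IP
            address will be different on next dialup).

            To compile it as a module, choose M here.  If unsure, say N.

  config IP6_NF_TARGET_NPT
          tristate "NPT (Network Prefix translation) target support"
          help
            This option adds the `SNPT' and `DNPT' targets, which perform
            stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

            To compile it as a module, choose M here.  If unsure, say N.

  endif # IP6_NF_NAT

  endif # IP6_NF_IPTABLES

  endmenu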
