
Linux/net/ipv6/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IPv6: Netfilter Configuration"
  6         depends on INET && IPV6 && NETFILTER
  7 
  8 config NF_DEFRAG_IPV6
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV6
 13         tristate "IPv6 connection tracking support"
 14         depends on INET && IPV6 && NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV6
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv6 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is an experimental scheme
 24           which generalizes ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 config NF_TABLES_IPV6
 29         depends on NF_TABLES
 30         tristate "IPv6 nf_tables support"
 31         help
 32           This option enables the IPv6 support for nf_tables.
 33 
 34 config NFT_CHAIN_ROUTE_IPV6
 35         depends on NF_TABLES_IPV6
 36         tristate "IPv6 nf_tables route chain support"
 37         help
 38           This option enables the "route" chain for IPv6 in nf_tables. This
 39           chain type is used to force packet re-routing after mangling header
 40           fields such as the source, destination, flowlabel, hop-limit and
 41           the packet mark.
 42 
 43 config NF_REJECT_IPV6
 44         tristate "IPv6 packet rejection"
 45         default m if NETFILTER_ADVANCED=n
 46 
 47 config NFT_REJECT_IPV6
 48         depends on NF_TABLES_IPV6
 49         select NF_REJECT_IPV6
 50         default NFT_REJECT
 51         tristate
 52 
 53 config NF_LOG_IPV6
 54         tristate "IPv6 packet logging"
 55         default m if NETFILTER_ADVANCED=n
 56         select NF_LOG_COMMON
 57 
 58 config NF_NAT_IPV6
 59         tristate "IPv6 NAT"
 60         depends on NF_CONNTRACK_IPV6
 61         depends on NETFILTER_ADVANCED
 62         select NF_NAT
 63         help
 64           The IPv6 NAT option allows masquerading, port forwarding and other
 65           forms of full Network Address Port Translation. This can be
 66           controlled by iptables or nft.
 67 
 68 if NF_NAT_IPV6
 69 
 70 config NFT_CHAIN_NAT_IPV6
 71         depends on NF_TABLES_IPV6
 72         tristate "IPv6 nf_tables nat chain support"
 73         help
 74           This option enables the "nat" chain for IPv6 in nf_tables. This
 75           chain type is used to perform Network Address Translation (NAT)
 76           packet transformations such as the source, destination address and
 77           source and destination ports.
 78 
 79 config NF_NAT_MASQUERADE_IPV6
 80         tristate "IPv6 masquerade support"
 81         help
 82           This is the kernel functionality to provide NAT in the masquerade
 83           flavour (automatic source address selection) for IPv6.
 84 
 85 config NFT_MASQ_IPV6
 86         tristate "IPv6 masquerade support for nf_tables"
 87         depends on NF_TABLES_IPV6
 88         depends on NFT_MASQ
 89         select NF_NAT_MASQUERADE_IPV6
 90         help
 91           This is the expression that provides IPv6 masquerading support for
 92           nf_tables.
 93 
 94 config NFT_REDIR_IPV6
 95         tristate "IPv6 redirect support for nf_tables"
 96         depends on NF_TABLES_IPV6
 97         depends on NFT_REDIR
 98         select NF_NAT_REDIRECT
 99         help
100           This is the expression that provides IPv6 redirect support for
101           nf_tables.
102 
103 endif # NF_NAT_IPV6
104 
105 config IP6_NF_IPTABLES
106         tristate "IP6 tables support (required for filtering)"
107         depends on INET && IPV6
108         select NETFILTER_XTABLES
109         default m if NETFILTER_ADVANCED=n
110         help
111           ip6tables is a general, extensible packet identification framework.
112           Currently only the packet filtering and packet mangling subsystems
113           for IPv6 use this, but connection tracking is going to follow.
114           Say 'Y' or 'M' here if you want to use either of those.
115 
116           To compile it as a module, choose M here.  If unsure, say N.
117 
118 if IP6_NF_IPTABLES
119 
120 # The simple matches.
121 config IP6_NF_MATCH_AH
122         tristate '"ah" match support'
123         depends on NETFILTER_ADVANCED
124         help
125           This module allows one to match AH packets.
126 
127           To compile it as a module, choose M here.  If unsure, say N.
128 
129 config IP6_NF_MATCH_EUI64
130         tristate '"eui64" address check'
131         depends on NETFILTER_ADVANCED
132         help
133           This module performs checking on the IPv6 source address.
134           It compares the last 64 bits with the EUI64 (derived
135           from the MAC address) address.
136 
137           To compile it as a module, choose M here.  If unsure, say N.
138 
139 config IP6_NF_MATCH_FRAG
140         tristate '"frag" Fragmentation header match support'
141         depends on NETFILTER_ADVANCED
142         help
143           frag matching allows you to match packets based on the fragmentation
144           header of the packet.
145 
146           To compile it as a module, choose M here.  If unsure, say N.
147 
148 config IP6_NF_MATCH_OPTS
149         tristate '"hbh" hop-by-hop and "dst" opts header match support'
150         depends on NETFILTER_ADVANCED
151         help
152           This allows one to match packets based on the hop-by-hop
153           and destination options headers of a packet.
154 
155           To compile it as a module, choose M here.  If unsure, say N.
156 
157 config IP6_NF_MATCH_HL
158         tristate '"hl" hoplimit match support'
159         depends on NETFILTER_ADVANCED
160         select NETFILTER_XT_MATCH_HL
161         ---help---
162         This is a backwards-compat option for the user's convenience
163         (e.g. when running oldconfig). It selects
164         CONFIG_NETFILTER_XT_MATCH_HL.
165 
166 config IP6_NF_MATCH_IPV6HEADER
167         tristate '"ipv6header" IPv6 Extension Headers Match'
168         default m if NETFILTER_ADVANCED=n
169         help
170           This module allows one to match packets based upon
171           the ipv6 extension headers.
172 
173           To compile it as a module, choose M here.  If unsure, say N.
174 
175 config IP6_NF_MATCH_MH
176         tristate '"mh" match support'
177         depends on NETFILTER_ADVANCED
178         help
179           This module allows one to match MH packets.
180 
181           To compile it as a module, choose M here.  If unsure, say N.
182 
183 config IP6_NF_MATCH_RPFILTER
184         tristate '"rpfilter" reverse path filter match support'
185         depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
186         ---help---
187           This option allows you to match packets whose replies would
188           go out via the interface the packet came in.
189 
190           To compile it as a module, choose M here.  If unsure, say N.
191           The module will be called ip6t_rpfilter.
192 
193 config IP6_NF_MATCH_RT
194         tristate '"rt" Routing header match support'
195         depends on NETFILTER_ADVANCED
196         help
197           rt matching allows you to match packets based on the routing
198           header of the packet.
199 
200           To compile it as a module, choose M here.  If unsure, say N.
201 
202 # The targets
203 config IP6_NF_TARGET_HL
204         tristate '"HL" hoplimit target support'
205         depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
206         select NETFILTER_XT_TARGET_HL
207         ---help---
208         This is a backwards-compatible option for the user's convenience
209         (e.g. when running oldconfig). It selects
210         CONFIG_NETFILTER_XT_TARGET_HL.
211 
212 config IP6_NF_FILTER
213         tristate "Packet filtering"
214         default m if NETFILTER_ADVANCED=n
215         help
216           Packet filtering defines a table `filter', which has a series of
217           rules for simple packet filtering at local input, forwarding and
218           local output.  See the man page for iptables(8).
219 
220           To compile it as a module, choose M here.  If unsure, say N.
221 
222 config IP6_NF_TARGET_REJECT
223         tristate "REJECT target support"
224         depends on IP6_NF_FILTER
225         select NF_REJECT_IPV6
226         default m if NETFILTER_ADVANCED=n
227         help
228           The REJECT target allows a filtering rule to specify that an ICMPv6
229           error should be issued in response to an incoming packet, rather
230           than silently being dropped.
231 
232           To compile it as a module, choose M here.  If unsure, say N.
233 
234 config IP6_NF_TARGET_SYNPROXY
235         tristate "SYNPROXY target support"
236         depends on NF_CONNTRACK && NETFILTER_ADVANCED
237         select NETFILTER_SYNPROXY
238         select SYN_COOKIES
239         help
240           The SYNPROXY target allows you to intercept TCP connections and
241           establish them using syncookies before they are passed on to the
242           server. This avoids conntrack and server resource usage
243           during SYN-flood attacks.
244 
245           To compile it as a module, choose M here. If unsure, say N.
246 
247 config IP6_NF_MANGLE
248         tristate "Packet mangling"
249         default m if NETFILTER_ADVANCED=n
250         help
251           This option adds a `mangle' table to iptables: see the man page for
252           iptables(8).  This table is used for various packet alterations
253           which can affect how the packet is routed.
254 
255           To compile it as a module, choose M here.  If unsure, say N.
256 
257 config IP6_NF_RAW
258         tristate  'raw table support (required for TRACE)'
259         help
260           This option adds a `raw' table to ip6tables. This table is the very
261           first in the netfilter framework and hooks in at the PREROUTING
262           and OUTPUT chains.
263 
264           If you want to compile it as a module, say M here and read
265           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
266 
267 # security table for MAC policy
268 config IP6_NF_SECURITY
269        tristate "Security table"
270        depends on SECURITY
271        depends on NETFILTER_ADVANCED
272        help
273          This option adds a `security' table to iptables, for use
274          with Mandatory Access Control (MAC) policy.
275 
276          If unsure, say N.
277 
278 config IP6_NF_NAT
279         tristate "ip6tables NAT support"
280         depends on NF_CONNTRACK_IPV6
281         depends on NETFILTER_ADVANCED
282         select NF_NAT
283         select NF_NAT_IPV6
284         select NETFILTER_XT_NAT
285         help
286           This enables the `nat' table in ip6tables. This allows masquerading,
287           port forwarding and other forms of full Network Address Port
288           Translation.
289 
290           To compile it as a module, choose M here.  If unsure, say N.
291 
292 if IP6_NF_NAT
293 
294 config IP6_NF_TARGET_MASQUERADE
295         tristate "MASQUERADE target support"
296         select NF_NAT_MASQUERADE_IPV6
297         help
298           Masquerading is a special case of NAT: all outgoing connections are
299           changed to seem to come from a particular interface's address, and
300           if the interface goes down, those connections are lost.  This is
301           only useful for dialup accounts with dynamic IP address (i.e. your IP
302           address will be different on next dialup).
303 
304           To compile it as a module, choose M here.  If unsure, say N.
305 
306 config IP6_NF_TARGET_NPT
307         tristate "NPT (Network Prefix translation) target support"
308         help
309           This option adds the `SNPT' and `DNPT' targets, which perform
310           stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
311 
312           To compile it as a module, choose M here.  If unsure, say N.
313 
314 endif # IP6_NF_NAT
315 
316 endif # IP6_NF_IPTABLES
317 
318 endmenu
319 
