
Linux/net/ipv6/netfilter/Kconfig

  1 #
  2 # IP netfilter configuration
  3 #
  4 
  5 menu "IPv6: Netfilter Configuration"
  6         depends on INET && IPV6 && NETFILTER
  7 
  8 config NF_DEFRAG_IPV6
  9         tristate
 10         default n
 11 
 12 config NF_CONNTRACK_IPV6
 13         tristate "IPv6 connection tracking support"
 14         depends on INET && IPV6 && NF_CONNTRACK
 15         default m if NETFILTER_ADVANCED=n
 16         select NF_DEFRAG_IPV6
 17         ---help---
 18           Connection tracking keeps a record of what packets have passed
 19           through your machine, in order to figure out how they are related
 20           into connections.
 21 
 22           This is IPv6 support on Layer 3 independent connection tracking.
 23           Layer 3 independent connection tracking is an experimental scheme
 24           that generalizes ip_conntrack to support other layer 3 protocols.
 25 
 26           To compile it as a module, choose M here.  If unsure, say N.
 27 
 28 config NF_TABLES_IPV6
 29         depends on NF_TABLES
 30         tristate "IPv6 nf_tables support"
 31         help
 32           This option enables the IPv6 support for nf_tables.
 33 
 34 config NFT_CHAIN_ROUTE_IPV6
 35         depends on NF_TABLES_IPV6
 36         tristate "IPv6 nf_tables route chain support"
 37         help
 38           This option enables the "route" chain for IPv6 in nf_tables. This
 39           chain type is used to force packet re-routing after mangling header
 40           fields such as the source, destination, flowlabel, hop-limit and
 41           the packet mark.
 42 
 43 config NFT_CHAIN_NAT_IPV6
 44         depends on NF_TABLES_IPV6
 45         depends on NF_NAT_IPV6 && NFT_NAT
 46         tristate "IPv6 nf_tables nat chain support"
 47         help
 48           This option enables the "nat" chain for IPv6 in nf_tables. This
 49           chain type is used to perform Network Address Translation (NAT)
 50           packet transformations, such as rewriting the source and destination
 51           addresses and the source and destination ports.
 52 
 53 config NFT_REJECT_IPV6
 54         depends on NF_TABLES_IPV6
 55         default NFT_REJECT
 56         tristate
 57 
 58 config IP6_NF_IPTABLES
 59         tristate "IP6 tables support (required for filtering)"
 60         depends on INET && IPV6
 61         select NETFILTER_XTABLES
 62         default m if NETFILTER_ADVANCED=n
 63         help
 64           ip6tables is a general, extensible packet identification framework.
 65           Currently only the packet filtering and packet mangling subsystems
 66           for IPv6 use this, but connection tracking is going to follow.
 67           Say 'Y' or 'M' here if you want to use either of those.
 68 
 69           To compile it as a module, choose M here.  If unsure, say N.
 70 
 71 if IP6_NF_IPTABLES
 72 
 73 # The simple matches.
 74 config IP6_NF_MATCH_AH
 75         tristate '"ah" match support'
 76         depends on NETFILTER_ADVANCED
 77         help
 78           This module allows one to match AH packets.
 79 
 80           To compile it as a module, choose M here.  If unsure, say N.
 81 
 82 config IP6_NF_MATCH_EUI64
 83         tristate '"eui64" address check'
 84         depends on NETFILTER_ADVANCED
 85         help
 86           This module performs checking on the IPv6 source address.
 87           It compares the last 64 bits with the EUI64 address (derived
 88           from the MAC address).
 89 
 90           To compile it as a module, choose M here.  If unsure, say N.
 91 
 92 config IP6_NF_MATCH_FRAG
 93         tristate '"frag" Fragmentation header match support'
 94         depends on NETFILTER_ADVANCED
 95         help
 96           frag matching allows you to match packets based on the fragmentation
 97           header of the packet.
 98 
 99           To compile it as a module, choose M here.  If unsure, say N.
100 
101 config IP6_NF_MATCH_OPTS
102         tristate '"hbh" hop-by-hop and "dst" opts header match support'
103         depends on NETFILTER_ADVANCED
104         help
105           This allows one to match packets based on the hop-by-hop
106           and destination options headers of a packet.
107 
108           To compile it as a module, choose M here.  If unsure, say N.
109 
110 config IP6_NF_MATCH_HL
111         tristate '"hl" hoplimit match support'
112         depends on NETFILTER_ADVANCED
113         select NETFILTER_XT_MATCH_HL
114         ---help---
115         This is a backwards-compat option for the user's convenience
116         (e.g. when running oldconfig). It selects
117         CONFIG_NETFILTER_XT_MATCH_HL.
118 
119 config IP6_NF_MATCH_IPV6HEADER
120         tristate '"ipv6header" IPv6 Extension Headers Match'
121         default m if NETFILTER_ADVANCED=n
122         help
123           This module allows one to match packets based upon
124           the ipv6 extension headers.
125 
126           To compile it as a module, choose M here.  If unsure, say N.
127 
128 config IP6_NF_MATCH_MH
129         tristate '"mh" match support'
130         depends on NETFILTER_ADVANCED
131         help
132           This module allows one to match MH packets.
133 
134           To compile it as a module, choose M here.  If unsure, say N.
135 
136 config IP6_NF_MATCH_RPFILTER
137         tristate '"rpfilter" reverse path filter match support'
138         depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
139         ---help---
140           This option allows you to match packets whose replies would
141           go out via the interface the packet came in on.
142 
143           To compile it as a module, choose M here.  If unsure, say N.
144           The module will be called ip6t_rpfilter.
145 
146 config IP6_NF_MATCH_RT
147         tristate '"rt" Routing header match support'
148         depends on NETFILTER_ADVANCED
149         help
150           rt matching allows you to match packets based on the routing
151           header of the packet.
152 
153           To compile it as a module, choose M here.  If unsure, say N.
154 
155 # The targets
156 config IP6_NF_TARGET_HL
157         tristate '"HL" hoplimit target support'
158         depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
159         select NETFILTER_XT_TARGET_HL
160         ---help---
161         This is a backwards-compatible option for the user's convenience
162         (e.g. when running oldconfig). It selects
163         CONFIG_NETFILTER_XT_TARGET_HL.
164 
165 config IP6_NF_FILTER
166         tristate "Packet filtering"
167         default m if NETFILTER_ADVANCED=n
168         help
169           Packet filtering defines a table `filter', which has a series of
170           rules for simple packet filtering at local input, forwarding and
171           local output.  See the man page for iptables(8).
172 
173           To compile it as a module, choose M here.  If unsure, say N.
174 
175 config IP6_NF_TARGET_REJECT
176         tristate "REJECT target support"
177         depends on IP6_NF_FILTER
178         default m if NETFILTER_ADVANCED=n
179         help
180           The REJECT target allows a filtering rule to specify that an ICMPv6
181           error should be issued in response to an incoming packet, rather
182           than silently being dropped.
183 
184           To compile it as a module, choose M here.  If unsure, say N.
185 
186 config IP6_NF_TARGET_SYNPROXY
187         tristate "SYNPROXY target support"
188         depends on NF_CONNTRACK && NETFILTER_ADVANCED
189         select NETFILTER_SYNPROXY
190         select SYN_COOKIES
191         help
192           The SYNPROXY target allows you to intercept TCP connections and
193           establish them using syncookies before they are passed on to the
194           server. This avoids conntrack and server resource usage
195           during SYN-flood attacks.
196 
197           To compile it as a module, choose M here. If unsure, say N.
198 
199 config IP6_NF_MANGLE
200         tristate "Packet mangling"
201         default m if NETFILTER_ADVANCED=n
202         help
203           This option adds a `mangle' table to iptables: see the man page for
204           iptables(8).  This table is used for various packet alterations
205           which can affect how the packet is routed.
206 
207           To compile it as a module, choose M here.  If unsure, say N.
208 
209 config IP6_NF_RAW
210         tristate  'raw table support (required for TRACE)'
211         help
212           This option adds a `raw' table to ip6tables. This table is the very
213           first in the netfilter framework and hooks in at the PREROUTING
214           and OUTPUT chains.
215 
216           If you want to compile it as a module, say M here and read
217           <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
218 
219 # security table for MAC policy
220 config IP6_NF_SECURITY
221        tristate "Security table"
222        depends on SECURITY
223        depends on NETFILTER_ADVANCED
224        help
225          This option adds a `security' table to iptables, for use
226          with Mandatory Access Control (MAC) policy.
227 
228          If unsure, say N.
229 
230 config NF_NAT_IPV6
231         tristate "IPv6 NAT"
232         depends on NF_CONNTRACK_IPV6
233         depends on NETFILTER_ADVANCED
234         select NF_NAT
235         help
236           The IPv6 NAT option allows masquerading, port forwarding and other
237           forms of full Network Address Port Translation. It is controlled by
238           the `nat' table in ip6tables, see the man page for ip6tables(8).
239 
240           To compile it as a module, choose M here.  If unsure, say N.
241 
242 if NF_NAT_IPV6
243 
244 config IP6_NF_TARGET_MASQUERADE
245         tristate "MASQUERADE target support"
246         help
247           Masquerading is a special case of NAT: all outgoing connections are
248           changed to seem to come from a particular interface's address, and
249           if the interface goes down, those connections are lost.  This is
250           only useful for dialup accounts with dynamic IP address (ie. your IP
251           address will be different on next dialup).
252 
253           To compile it as a module, choose M here.  If unsure, say N.
254 
255 config IP6_NF_TARGET_NPT
256         tristate "NPT (Network Prefix translation) target support"
257         help
258           This option adds the `SNPT' and `DNPT' targets, which perform
259           stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
260 
261           To compile it as a module, choose M here.  If unsure, say N.
262 
263 endif # NF_NAT_IPV6
264 
265 endif # IP6_NF_IPTABLES
266 
267 endmenu
268 
