linux/net/ipv6/netfilter/Kconfig
   1# SPDX-License-Identifier: GPL-2.0-only
   2#
   3# IP netfilter configuration
   4#
   5
   6menu "IPv6: Netfilter Configuration"
   7        depends on INET && IPV6 && NETFILTER
   8
   9config NF_SOCKET_IPV6
  10        tristate "IPv6 socket lookup support"
  11        help
  12          This option enables the IPv6 socket lookup infrastructure. This
  13          is used by the {ip6,nf}tables socket match.
  14
  15config NF_TPROXY_IPV6
  16        tristate "IPv6 tproxy support"
  17
  18if NF_TABLES
  19
  20config NF_TABLES_IPV6
  21        bool "IPv6 nf_tables support"
  22        help
  23          This option enables the IPv6 support for nf_tables.
  24
  25if NF_TABLES_IPV6
  26
  27config NFT_REJECT_IPV6
  28        select NF_REJECT_IPV6
  29        default NFT_REJECT
  30        tristate
  31
  32config NFT_DUP_IPV6
  33        tristate "IPv6 nf_tables packet duplication support"
  34        depends on !NF_CONNTRACK || NF_CONNTRACK
  35        select NF_DUP_IPV6
  36        help
  37          This module enables IPv6 packet duplication support for nf_tables.
  38
  39config NFT_FIB_IPV6
  40        tristate "nf_tables fib / ipv6 route lookup support"
  41        select NFT_FIB
  42        help
  43          This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
  44          It also allows querying the FIB for the route type, e.g. local, unicast,
  45          multicast or blackhole.
  46
  47endif # NF_TABLES_IPV6
  48endif # NF_TABLES
  49
  50config NF_FLOW_TABLE_IPV6
  51        tristate "Netfilter flow table IPv6 module"
  52        depends on NF_FLOW_TABLE
  53        help
  54          This option adds the flow table IPv6 support.
  55
  56          To compile it as a module, choose M here.
  57
  58config NF_DUP_IPV6
  59        tristate "Netfilter IPv6 packet duplication to alternate destination"
  60        depends on !NF_CONNTRACK || NF_CONNTRACK
  61        help
  62          This option enables the nf_dup_ipv6 core, which duplicates an IPv6
  63          packet to be rerouted to another destination.
  64
  65config NF_REJECT_IPV6
  66        tristate "IPv6 packet rejection"
  67        default m if NETFILTER_ADVANCED=n
  68
  69config NF_LOG_IPV6
  70        tristate "IPv6 packet logging"
  71        default m if NETFILTER_ADVANCED=n
  72        select NF_LOG_SYSLOG
  73        help
  74          This is a backwards-compat option for the user's convenience
  75          (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.
  76
  77config IP6_NF_IPTABLES
  78        tristate "IP6 tables support (required for filtering)"
  79        depends on INET && IPV6
  80        select NETFILTER_XTABLES
  81        default m if NETFILTER_ADVANCED=n
  82        help
  83          ip6tables is a general, extensible packet identification framework.
  84          Currently only the packet filtering and packet mangling subsystems
  85          for IPv6 use this, but connection tracking is going to follow.
  86          Say 'Y' or 'M' here if you want to use either of those.
  87
  88          To compile it as a module, choose M here.  If unsure, say N.
  89
  90if IP6_NF_IPTABLES
  91
  92# The simple matches.
  93config IP6_NF_MATCH_AH
  94        tristate '"ah" match support'
  95        depends on NETFILTER_ADVANCED
  96        help
  97          This module allows one to match AH packets.
  98
  99          To compile it as a module, choose M here.  If unsure, say N.
 100
 101config IP6_NF_MATCH_EUI64
 102        tristate '"eui64" address check'
 103        depends on NETFILTER_ADVANCED
 104        help
 105          This module performs checking on the IPv6 source address.
 106          It compares the last 64 bits with the EUI64 address (derived
 107          from the MAC address).
 108
 109          To compile it as a module, choose M here.  If unsure, say N.
 110
 111config IP6_NF_MATCH_FRAG
 112        tristate '"frag" Fragmentation header match support'
 113        depends on NETFILTER_ADVANCED
 114        help
 115          frag matching allows you to match packets based on the fragmentation
 116          header of the packet.
 117
 118          To compile it as a module, choose M here.  If unsure, say N.
 119
 120config IP6_NF_MATCH_OPTS
 121        tristate '"hbh" hop-by-hop and "dst" opts header match support'
 122        depends on NETFILTER_ADVANCED
 123        help
 124          This allows one to match packets based on the hop-by-hop
 125          and destination options headers of a packet.
 126
 127          To compile it as a module, choose M here.  If unsure, say N.
 128
 129config IP6_NF_MATCH_HL
 130        tristate '"hl" hoplimit match support'
 131        depends on NETFILTER_ADVANCED
 132        select NETFILTER_XT_MATCH_HL
 133        help
 134          This is a backwards-compat option for the user's convenience
 135          (e.g. when running oldconfig). It selects
 136          CONFIG_NETFILTER_XT_MATCH_HL.
 137
 138config IP6_NF_MATCH_IPV6HEADER
 139        tristate '"ipv6header" IPv6 Extension Headers Match'
 140        default m if NETFILTER_ADVANCED=n
 141        help
 142          This module allows one to match packets based upon
 143          the ipv6 extension headers.
 144
 145          To compile it as a module, choose M here.  If unsure, say N.
 146
 147config IP6_NF_MATCH_MH
 148        tristate '"mh" match support'
 149        depends on NETFILTER_ADVANCED
 150        help
 151          This module allows one to match MH packets.
 152
 153          To compile it as a module, choose M here.  If unsure, say N.
 154
 155config IP6_NF_MATCH_RPFILTER
 156        tristate '"rpfilter" reverse path filter match support'
 157        depends on NETFILTER_ADVANCED
 158        depends on IP6_NF_MANGLE || IP6_NF_RAW
 159        help
 160          This option allows you to match packets whose replies would
 161          go out via the interface the packet came in on.
 162
 163          To compile it as a module, choose M here.  If unsure, say N.
 164          The module will be called ip6t_rpfilter.
 165
 166config IP6_NF_MATCH_RT
 167        tristate '"rt" Routing header match support'
 168        depends on NETFILTER_ADVANCED
 169        help
 170          rt matching allows you to match packets based on the routing
 171          header of the packet.
 172
 173          To compile it as a module, choose M here.  If unsure, say N.
 174
 175config IP6_NF_MATCH_SRH
 176        tristate '"srh" Segment Routing header match support'
 177        depends on NETFILTER_ADVANCED
 178        help
 179          srh matching allows you to match packets based on the segment
 180          routing header of the packet.
 181
 182          To compile it as a module, choose M here.  If unsure, say N.
 183
 184# The targets
 185config IP6_NF_TARGET_HL
 186        tristate '"HL" hoplimit target support'
 187        depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
 188        select NETFILTER_XT_TARGET_HL
 189        help
 190          This is a backwards-compatible option for the user's convenience
 191          (e.g. when running oldconfig). It selects
 192          CONFIG_NETFILTER_XT_TARGET_HL.
 193
 194config IP6_NF_FILTER
 195        tristate "Packet filtering"
 196        default m if NETFILTER_ADVANCED=n
 197        help
 198          Packet filtering defines a table `filter', which has a series of
 199          rules for simple packet filtering at local input, forwarding and
 200          local output.  See the man page for iptables(8).
 201
 202          To compile it as a module, choose M here.  If unsure, say N.
 203
 204config IP6_NF_TARGET_REJECT
 205        tristate "REJECT target support"
 206        depends on IP6_NF_FILTER
 207        select NF_REJECT_IPV6
 208        default m if NETFILTER_ADVANCED=n
 209        help
 210          The REJECT target allows a filtering rule to specify that an ICMPv6
 211          error should be issued in response to an incoming packet, rather
 212          than the packet being silently dropped.
 213
 214          To compile it as a module, choose M here.  If unsure, say N.
 215
 216config IP6_NF_TARGET_SYNPROXY
 217        tristate "SYNPROXY target support"
 218        depends on NF_CONNTRACK && NETFILTER_ADVANCED
 219        select NETFILTER_SYNPROXY
 220        select SYN_COOKIES
 221        help
 222          The SYNPROXY target allows you to intercept TCP connections and
 223          establish them using syncookies before they are passed on to the
 224          server. This avoids conntrack and server resource usage
 225          during SYN-flood attacks.
 226
 227          To compile it as a module, choose M here. If unsure, say N.
 228
 229config IP6_NF_MANGLE
 230        tristate "Packet mangling"
 231        default m if NETFILTER_ADVANCED=n
 232        help
 233          This option adds a `mangle' table to iptables: see the man page for
 234          iptables(8).  This table is used for various packet alterations
 235          which can affect how the packet is routed.
 236
 237          To compile it as a module, choose M here.  If unsure, say N.
 238
 239config IP6_NF_RAW
 240        tristate  'raw table support (required for TRACE)'
 241        help
 242          This option adds a `raw' table to ip6tables. This table is the very
 243          first in the netfilter framework and hooks in at the PREROUTING
 244          and OUTPUT chains.
 245
 246          If you want to compile it as a module, say M here and read
 247          <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.
 248
 249# security table for MAC policy
 250config IP6_NF_SECURITY
 251        tristate "Security table"
 252        depends on SECURITY
 253        depends on NETFILTER_ADVANCED
 254        help
 255          This option adds a `security' table to iptables, for use
 256          with Mandatory Access Control (MAC) policy.
 257
 258          If unsure, say N.
 259
 260config IP6_NF_NAT
 261        tristate "ip6tables NAT support"
 262        depends on NF_CONNTRACK
 263        depends on NETFILTER_ADVANCED
 264        select NF_NAT
 265        select NETFILTER_XT_NAT
 266        help
 267          This enables the `nat' table in ip6tables. This allows masquerading,
 268          port forwarding and other forms of full Network Address Port
 269          Translation.
 270
 271          To compile it as a module, choose M here.  If unsure, say N.
 272
 273if IP6_NF_NAT
 274
 275config IP6_NF_TARGET_MASQUERADE
 276        tristate "MASQUERADE target support"
 277        select NETFILTER_XT_TARGET_MASQUERADE
 278        help
 279          This is a backwards-compat option for the user's convenience
 280          (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
 281
 282config IP6_NF_TARGET_NPT
 283        tristate "NPT (Network Prefix translation) target support"
 284        help
 285          This option adds the `SNPT' and `DNPT' targets, which perform
 286          stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
 287
 288          To compile it as a module, choose M here.  If unsure, say N.
 289
 290endif # IP6_NF_NAT
 291
 292endif # IP6_NF_IPTABLES
 293endmenu
 294
 295config NF_DEFRAG_IPV6
 296        tristate
 297