Loading...
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 | #
# IP netfilter configuration
#
menu "IPv6: Netfilter Configuration"
depends on INET && IPV6 && NETFILTER
config NF_DEFRAG_IPV6
tristate
default n
config NF_CONNTRACK_IPV6
tristate "IPv6 connection tracking support"
depends on INET && IPV6 && NF_CONNTRACK
default m if NETFILTER_ADVANCED=n
select NF_DEFRAG_IPV6
---help---
Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
into connections.
This is IPv6 support on Layer 3 independent connection tracking.
Layer 3 independent connection tracking is experimental scheme
which generalize ip_conntrack to support other layer 3 protocols.
To compile it as a module, choose M here. If unsure, say N.
config NF_SOCKET_IPV6
tristate "IPv6 socket lookup support"
help
This option enables the IPv6 socket lookup infrastructure. This
is used by the ip6tables socket match.
if NF_TABLES
config NF_TABLES_IPV6
tristate "IPv6 nf_tables support"
help
This option enables the IPv6 support for nf_tables.
if NF_TABLES_IPV6
config NFT_CHAIN_ROUTE_IPV6
tristate "IPv6 nf_tables route chain support"
help
This option enables the "route" chain for IPv6 in nf_tables. This
chain type is used to force packet re-routing after mangling header
fields such as the source, destination, flowlabel, hop-limit and
the packet mark.
config NFT_REJECT_IPV6
select NF_REJECT_IPV6
default NFT_REJECT
tristate
config NFT_DUP_IPV6
tristate "IPv6 nf_tables packet duplication support"
depends on !NF_CONNTRACK || NF_CONNTRACK
select NF_DUP_IPV6
help
This module enables IPv6 packet duplication support for nf_tables.
config NFT_FIB_IPV6
tristate "nf_tables fib / ipv6 route lookup support"
select NFT_FIB
help
This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
It also allows query of the FIB for the route type, e.g. local, unicast,
multicast or blackhole.
endif # NF_TABLES_IPV6
endif # NF_TABLES
config NF_DUP_IPV6
tristate "Netfilter IPv6 packet duplication to alternate destination"
depends on !NF_CONNTRACK || NF_CONNTRACK
help
This option enables the nf_dup_ipv6 core, which duplicates an IPv6
packet to be rerouted to another destination.
config NF_REJECT_IPV6
tristate "IPv6 packet rejection"
default m if NETFILTER_ADVANCED=n
config NF_LOG_IPV6
tristate "IPv6 packet logging"
default m if NETFILTER_ADVANCED=n
select NF_LOG_COMMON
config NF_NAT_IPV6
tristate "IPv6 NAT"
depends on NF_CONNTRACK_IPV6
depends on NETFILTER_ADVANCED
select NF_NAT
help
The IPv6 NAT option allows masquerading, port forwarding and other
forms of full Network Address Port Translation. This can be
controlled by iptables or nft.
if NF_NAT_IPV6
config NFT_CHAIN_NAT_IPV6
depends on NF_TABLES_IPV6
tristate "IPv6 nf_tables nat chain support"
help
This option enables the "nat" chain for IPv6 in nf_tables. This
chain type is used to perform Network Address Translation (NAT)
packet transformations such as the source, destination address and
source and destination ports.
config NF_NAT_MASQUERADE_IPV6
tristate "IPv6 masquerade support"
help
This is the kernel functionality to provide NAT in the masquerade
flavour (automatic source address selection) for IPv6.
config NFT_MASQ_IPV6
tristate "IPv6 masquerade support for nf_tables"
depends on NF_TABLES_IPV6
depends on NFT_MASQ
select NF_NAT_MASQUERADE_IPV6
help
This is the expression that provides IPv4 masquerading support for
nf_tables.
config NFT_REDIR_IPV6
tristate "IPv6 redirect support for nf_tables"
depends on NF_TABLES_IPV6
depends on NFT_REDIR
select NF_NAT_REDIRECT
help
This is the expression that provides IPv4 redirect support for
nf_tables.
endif # NF_NAT_IPV6
config IP6_NF_IPTABLES
tristate "IP6 tables support (required for filtering)"
depends on INET && IPV6
select NETFILTER_XTABLES
default m if NETFILTER_ADVANCED=n
help
ip6tables is a general, extensible packet identification framework.
Currently only the packet filtering and packet mangling subsystem
for IPv6 use this, but connection tracking is going to follow.
Say 'Y' or 'M' here if you want to use either of those.
To compile it as a module, choose M here. If unsure, say N.
if IP6_NF_IPTABLES
# The simple matches.
config IP6_NF_MATCH_AH
tristate '"ah" match support'
depends on NETFILTER_ADVANCED
help
This module allows one to match AH packets.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_EUI64
tristate '"eui64" address check'
depends on NETFILTER_ADVANCED
help
This module performs checking on the IPv6 source address
Compares the last 64 bits with the EUI64 (delivered
from the MAC address) address
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_FRAG
tristate '"frag" Fragmentation header match support'
depends on NETFILTER_ADVANCED
help
frag matching allows you to match packets based on the fragmentation
header of the packet.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_OPTS
tristate '"hbh" hop-by-hop and "dst" opts header match support'
depends on NETFILTER_ADVANCED
help
This allows one to match packets based on the hop-by-hop
and destination options headers of a packet.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_HL
tristate '"hl" hoplimit match support'
depends on NETFILTER_ADVANCED
select NETFILTER_XT_MATCH_HL
---help---
This is a backwards-compat option for the user's convenience
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_MATCH_HL.
config IP6_NF_MATCH_IPV6HEADER
tristate '"ipv6header" IPv6 Extension Headers Match'
default m if NETFILTER_ADVANCED=n
help
This module allows one to match packets based upon
the ipv6 extension headers.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_MH
tristate '"mh" match support'
depends on NETFILTER_ADVANCED
help
This module allows one to match MH packets.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MATCH_RPFILTER
tristate '"rpfilter" reverse path filter match support'
depends on NETFILTER_ADVANCED
depends on IP6_NF_MANGLE || IP6_NF_RAW
---help---
This option allows you to match packets whose replies would
go out via the interface the packet came in.
To compile it as a module, choose M here. If unsure, say N.
The module will be called ip6t_rpfilter.
config IP6_NF_MATCH_RT
tristate '"rt" Routing header match support'
depends on NETFILTER_ADVANCED
help
rt matching allows you to match packets based on the routing
header of the packet.
To compile it as a module, choose M here. If unsure, say N.
# The targets
config IP6_NF_TARGET_HL
tristate '"HL" hoplimit target support'
depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
select NETFILTER_XT_TARGET_HL
---help---
This is a backwards-compatible option for the user's convenience
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_TARGET_HL.
config IP6_NF_FILTER
tristate "Packet filtering"
default m if NETFILTER_ADVANCED=n
help
Packet filtering defines a table `filter', which has a series of
rules for simple packet filtering at local input, forwarding and
local output. See the man page for iptables(8).
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_REJECT
tristate "REJECT target support"
depends on IP6_NF_FILTER
select NF_REJECT_IPV6
default m if NETFILTER_ADVANCED=n
help
The REJECT target allows a filtering rule to specify that an ICMPv6
error should be issued in response to an incoming packet, rather
than silently being dropped.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_SYNPROXY
tristate "SYNPROXY target support"
depends on NF_CONNTRACK && NETFILTER_ADVANCED
select NETFILTER_SYNPROXY
select SYN_COOKIES
help
The SYNPROXY target allows you to intercept TCP connections and
establish them using syncookies before they are passed on to the
server. This allows to avoid conntrack and server resource usage
during SYN-flood attacks.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_MANGLE
tristate "Packet mangling"
default m if NETFILTER_ADVANCED=n
help
This option adds a `mangle' table to iptables: see the man page for
iptables(8). This table is used for various packet alterations
which can effect how the packet is routed.
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_RAW
tristate 'raw table support (required for TRACE)'
help
This option adds a `raw' table to ip6tables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
and OUTPUT chains.
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
# security table for MAC policy
config IP6_NF_SECURITY
tristate "Security table"
depends on SECURITY
depends on NETFILTER_ADVANCED
help
This option adds a `security' table to iptables, for use
with Mandatory Access Control (MAC) policy.
If unsure, say N.
config IP6_NF_NAT
tristate "ip6tables NAT support"
depends on NF_CONNTRACK_IPV6
depends on NETFILTER_ADVANCED
select NF_NAT
select NF_NAT_IPV6
select NETFILTER_XT_NAT
help
This enables the `nat' table in ip6tables. This allows masquerading,
port forwarding and other forms of full Network Address Port
Translation.
To compile it as a module, choose M here. If unsure, say N.
if IP6_NF_NAT
config IP6_NF_TARGET_MASQUERADE
tristate "MASQUERADE target support"
select NF_NAT_MASQUERADE_IPV6
help
Masquerading is a special case of NAT: all outgoing connections are
changed to seem to come from a particular interface's address, and
if the interface goes down, those connections are lost. This is
only useful for dialup accounts with dynamic IP address (ie. your IP
address will be different on next dialup).
To compile it as a module, choose M here. If unsure, say N.
config IP6_NF_TARGET_NPT
tristate "NPT (Network Prefix translation) target support"
help
This option adds the `SNPT' and `DNPT' target, which perform
stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
To compile it as a module, choose M here. If unsure, say N.
endif # IP6_NF_NAT
endif # IP6_NF_IPTABLES
endmenu
|