[linux-2.6-block.git] / net / ipv6 / netfilter / Kconfig

# SPDX-License-Identifier: GPL-2.0-only
#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the {ip6,nf}tables socket match.

config NF_TPROXY_IPV6
	tristate "IPv6 tproxy support"

if NF_TABLES

config NF_TABLES_IPV6
	bool "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_FLOW_TABLE_IPV6
	tristate "Netfilter flow table IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv6 support.

	  To compile it as a module, choose M here.

config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_COMMON

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address
	  Compares the last 64 bits with the EUI64 (delivered
	  from the MAC address) address

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	---help---
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_SRH
	tristate '"srh" Segment Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  srh matching allows you to match packets based on the segment
	  routing header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	---help---
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_RAW
	tristate  'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

# security table for MAC policy
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NETFILTER_XT_TARGET_MASQUERADE
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES
endmenu

config NF_DEFRAG_IPV6
	tristate
Commit	Line	Data
ec8f24b7	1	# SPDX-License-Identifier: GPL-2.0-only
1da177e4 LT	2	#
	3	# IP netfilter configuration
	4	#
	5
8ce22fca PM	6	menu "IPv6: Netfilter Configuration"
8ce22fca PM	7	depends on INET && IPV6 && NETFILTER
1da177e4	8
8db4c5be PNA	9	config NF_SOCKET_IPV6
	10	tristate "IPv6 socket lookup support"
	11	help
	12	This option enables the IPv6 socket lookup infrastructure. This
45ca4e0c ME	13	is used by the {ip6,nf}tables socket match.
	14
	15	config NF_TPROXY_IPV6
	16	tristate "IPv6 tproxy support"
8db4c5be	17
f04e599e PNA	18	if NF_TABLES
f04e599e PNA	19
96518518	20	config NF_TABLES_IPV6
02c7b25e	21	bool "IPv6 nf_tables support"
d497c635 PNA	22	help
d497c635 PNA	23	This option enables the IPv6 support for nf_tables.
96518518	24
f04e599e PNA	25	if NF_TABLES_IPV6
f04e599e PNA	26
cc4723ca	27	config NFT_REJECT_IPV6
c8d7b98b	28	select NF_REJECT_IPV6
cc4723ca PM	29	default NFT_REJECT
	30	tristate
	31
d877f071 PNA	32	config NFT_DUP_IPV6
d877f071 PNA	33	tristate "IPv6 nf_tables packet duplication support"
d3340b79	34	depends on !NF_CONNTRACK \|\| NF_CONNTRACK
d877f071 PNA	35	select NF_DUP_IPV6
	36	help
	37	This module enables IPv6 packet duplication support for nf_tables.
	38
f6d0cbcf FW	39	config NFT_FIB_IPV6
	40	tristate "nf_tables fib / ipv6 route lookup support"
	41	select NFT_FIB
	42	help
	43	This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	44	It also allows query of the FIB for the route type, e.g. local, unicast,
	45	multicast or blackhole.
	46
f04e599e PNA	47	endif # NF_TABLES_IPV6
	48	endif # NF_TABLES
	49
09952107	50	config NF_FLOW_TABLE_IPV6
09952107	51	tristate "Netfilter flow table IPv6 module"
6be3bcd7	52	depends on NF_FLOW_TABLE
09952107 PNA	53	help
	54	This option adds the flow table IPv6 support.
	55
	56	To compile it as a module, choose M here.
	57
bbde9fc1 PNA	58	config NF_DUP_IPV6
bbde9fc1 PNA	59	tristate "Netfilter IPv6 packet duplication to alternate destination"
6ece90f9	60	depends on !NF_CONNTRACK \|\| NF_CONNTRACK
bbde9fc1 PNA	61	help
	62	This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	63	packet to be rerouted to another destination.
	64
f04e599e PNA	65	config NF_REJECT_IPV6
	66	tristate "IPv6 packet rejection"
	67	default m if NETFILTER_ADVANCED=n
	68
c1878869 PNA	69	config NF_LOG_IPV6
c1878869 PNA	70	tristate "IPv6 packet logging"
41ad82f7	71	default m if NETFILTER_ADVANCED=n
c1878869 PNA	72	select NF_LOG_COMMON
c1878869 PNA	73
1da177e4	74	config IP6_NF_IPTABLES
844dc7c8	75	tristate "IP6 tables support (required for filtering)"
8ce22fca	76	depends on INET && IPV6
a3c941b0	77	select NETFILTER_XTABLES
33b8e776	78	default m if NETFILTER_ADVANCED=n
1da177e4 LT	79	help
	80	ip6tables is a general, extensible packet identification framework.
	81	Currently only the packet filtering and packet mangling subsystem
	82	for IPv6 use this, but connection tracking is going to follow.
	83	Say 'Y' or 'M' here if you want to use either of those.
	84
	85	To compile it as a module, choose M here. If unsure, say N.
	86
c2df73de JE	87	if IP6_NF_IPTABLES
c2df73de JE	88
1da177e4	89	# The simple matches.
aba0d348 JE	90	config IP6_NF_MATCH_AH
aba0d348 JE	91	tristate '"ah" match support'
33b8e776	92	depends on NETFILTER_ADVANCED
1da177e4	93	help
aba0d348	94	This module allows one to match AH packets.
1da177e4 LT	95
	96	To compile it as a module, choose M here. If unsure, say N.
	97
aba0d348 JE	98	config IP6_NF_MATCH_EUI64
aba0d348 JE	99	tristate '"eui64" address check'
33b8e776	100	depends on NETFILTER_ADVANCED
1da177e4	101	help
aba0d348 JE	102	This module performs checking on the IPv6 source address
	103	Compares the last 64 bits with the EUI64 (delivered
	104	from the MAC address) address
1da177e4 LT	105
	106	To compile it as a module, choose M here. If unsure, say N.
	107
	108	config IP6_NF_MATCH_FRAG
4c37799c	109	tristate '"frag" Fragmentation header match support'
33b8e776	110	depends on NETFILTER_ADVANCED
1da177e4 LT	111	help
	112	frag matching allows you to match packets based on the fragmentation
	113	header of the packet.
	114
	115	To compile it as a module, choose M here. If unsure, say N.
	116
aba0d348 JE	117	config IP6_NF_MATCH_OPTS
aba0d348 JE	118	tristate '"hbh" hop-by-hop and "dst" opts header match support'
aba0d348 JE	119	depends on NETFILTER_ADVANCED
	120	help
	121	This allows one to match packets based on the hop-by-hop
	122	and destination options headers of a packet.
	123
	124	To compile it as a module, choose M here. If unsure, say N.
	125
4323362e JE	126	config IP6_NF_MATCH_HL
	127	tristate '"hl" hoplimit match support'
	128	depends on NETFILTER_ADVANCED
	129	select NETFILTER_XT_MATCH_HL
	130	---help---
43da1411 KK	131	This is a backwards-compat option for the user's convenience
	132	(e.g. when running oldconfig). It selects
	133	CONFIG_NETFILTER_XT_MATCH_HL.
4323362e	134
1da177e4	135	config IP6_NF_MATCH_IPV6HEADER
4c37799c	136	tristate '"ipv6header" IPv6 Extension Headers Match'
44c45eb9	137	default m if NETFILTER_ADVANCED=n
1da177e4 LT	138	help
	139	This module allows one to match packets based upon
	140	the ipv6 extension headers.
	141
	142	To compile it as a module, choose M here. If unsure, say N.
	143
a0ca215a	144	config IP6_NF_MATCH_MH
4c37799c	145	tristate '"mh" match support'
33b8e776	146	depends on NETFILTER_ADVANCED
a0ca215a MN	147	help
	148	This module allows one to match MH packets.
	149
	150	To compile it as a module, choose M here. If unsure, say N.
	151
e26f9a48 FW	152	config IP6_NF_MATCH_RPFILTER
e26f9a48 FW	153	tristate '"rpfilter" reverse path filter match support'
f09becc7 PNA	154	depends on NETFILTER_ADVANCED
f09becc7 PNA	155	depends on IP6_NF_MANGLE \|\| IP6_NF_RAW
e26f9a48 FW	156	---help---
	157	This option allows you to match packets whose replies would
	158	go out via the interface the packet came in.
	159
	160	To compile it as a module, choose M here. If unsure, say N.
	161	The module will be called ip6t_rpfilter.
	162
aba0d348 JE	163	config IP6_NF_MATCH_RT
aba0d348 JE	164	tristate '"rt" Routing header match support'
33b8e776	165	depends on NETFILTER_ADVANCED
1da177e4	166	help
aba0d348 JE	167	rt matching allows you to match packets based on the routing
aba0d348 JE	168	header of the packet.
1da177e4 LT	169
	170	To compile it as a module, choose M here. If unsure, say N.
	171
202a8ff5	172	config IP6_NF_MATCH_SRH
bf69abad KK	173	tristate '"srh" Segment Routing header match support'
	174	depends on NETFILTER_ADVANCED
	175	help
	176	srh matching allows you to match packets based on the segment
202a8ff5 AA	177	routing header of the packet.
202a8ff5 AA	178
bf69abad	179	To compile it as a module, choose M here. If unsure, say N.
202a8ff5	180
1da177e4	181	# The targets
4323362e JE	182	config IP6_NF_TARGET_HL
4323362e JE	183	tristate '"HL" hoplimit target support'
76b6717b	184	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
4323362e JE	185	select NETFILTER_XT_TARGET_HL
4323362e JE	186	---help---
43da1411 KK	187	This is a backwards-compatible option for the user's convenience
	188	(e.g. when running oldconfig). It selects
	189	CONFIG_NETFILTER_XT_TARGET_HL.
4323362e	190
2203eb47 JE	191	config IP6_NF_FILTER
2203eb47 JE	192	tristate "Packet filtering"
33b8e776	193	default m if NETFILTER_ADVANCED=n
1da177e4	194	help
2203eb47 JE	195	Packet filtering defines a table `filter', which has a series of
	196	rules for simple packet filtering at local input, forwarding and
	197	local output. See the man page for iptables(8).
1da177e4 LT	198
	199	To compile it as a module, choose M here. If unsure, say N.
	200
764d8a9f PM	201	config IP6_NF_TARGET_REJECT
	202	tristate "REJECT target support"
	203	depends on IP6_NF_FILTER
c8d7b98b	204	select NF_REJECT_IPV6
33b8e776	205	default m if NETFILTER_ADVANCED=n
764d8a9f PM	206	help
	207	The REJECT target allows a filtering rule to specify that an ICMPv6
	208	error should be issued in response to an incoming packet, rather
	209	than silently being dropped.
	210
	211	To compile it as a module, choose M here. If unsure, say N.
	212
4ad36228 PM	213	config IP6_NF_TARGET_SYNPROXY
	214	tristate "SYNPROXY target support"
	215	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	216	select NETFILTER_SYNPROXY
	217	select SYN_COOKIES
	218	help
	219	The SYNPROXY target allows you to intercept TCP connections and
	220	establish them using syncookies before they are passed on to the
	221	server. This allows to avoid conntrack and server resource usage
	222	during SYN-flood attacks.
	223
	224	To compile it as a module, choose M here. If unsure, say N.
	225
1da177e4 LT	226	config IP6_NF_MANGLE
1da177e4 LT	227	tristate "Packet mangling"
33b8e776	228	default m if NETFILTER_ADVANCED=n
1da177e4 LT	229	help
	230	This option adds a `mangle' table to iptables: see the man page for
	231	iptables(8). This table is used for various packet alterations
	232	which can effect how the packet is routed.
	233
	234	To compile it as a module, choose M here. If unsure, say N.
1da177e4	235
1da177e4 LT	236	config IP6_NF_RAW
1da177e4 LT	237	tristate 'raw table support (required for TRACE)'
1da177e4 LT	238	help
	239	This option adds a `raw' table to ip6tables. This table is the very
	240	first in the netfilter framework and hooks in at the PREROUTING
	241	and OUTPUT chains.
33b8e776	242
1da177e4	243	If you want to compile it as a module, say M here and read
cd238eff	244	<file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1da177e4	245
17e6e59f JM	246	# security table for MAC policy
17e6e59f JM	247	config IP6_NF_SECURITY
43da1411 KK	248	tristate "Security table"
	249	depends on SECURITY
	250	depends on NETFILTER_ADVANCED
	251	help
	252	This option adds a `security' table to iptables, for use
	253	with Mandatory Access Control (MAC) policy.
	254
	255	If unsure, say N.
17e6e59f	256
8993cf8e PNA	257	config IP6_NF_NAT
8993cf8e PNA	258	tristate "ip6tables NAT support"
a0ae2562	259	depends on NF_CONNTRACK
b0041d1b PNA	260	depends on NETFILTER_ADVANCED
b0041d1b PNA	261	select NF_NAT
8993cf8e	262	select NETFILTER_XT_NAT
b0041d1b	263	help
8993cf8e PNA	264	This enables the `nat' table in ip6tables. This allows masquerading,
	265	port forwarding and other forms of full Network Address Port
	266	Translation.
b0041d1b PNA	267
	268	To compile it as a module, choose M here. If unsure, say N.
	269
8993cf8e	270	if IP6_NF_NAT
b0041d1b PNA	271
	272	config IP6_NF_TARGET_MASQUERADE
	273	tristate "MASQUERADE target support"
adf82acc	274	select NETFILTER_XT_TARGET_MASQUERADE
b0041d1b	275	help
adf82acc FW	276	This is a backwards-compat option for the user's convenience
adf82acc FW	277	(e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
b0041d1b	278
b0041d1b PNA	279	config IP6_NF_TARGET_NPT
	280	tristate "NPT (Network Prefix translation) target support"
	281	help
	282	This option adds the `SNPT' and `DNPT' target, which perform
	283	stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
	284
	285	To compile it as a module, choose M here. If unsure, say N.
	286
8993cf8e	287	endif # IP6_NF_NAT
b0041d1b	288
c2df73de	289	endif # IP6_NF_IPTABLES
1da177e4 LT	290	endmenu
1da177e4 LT	291
a0ae2562 FW	292	config NF_DEFRAG_IPV6
a0ae2562 FW	293	tristate