| Commit | Line | Data |
|---|---|---|
| 1da177e4 LT | 1 | # |
| | 2 | # IP netfilter configuration |
| | 3 | # |
| | 4 | |
| 8ce22fca PM | 5 | menu "IPv6: Netfilter Configuration" |
| | 6 | depends on INET && IPV6 && NETFILTER |
| 1da177e4 | 7 | |
| 9bdf87d9 | 8 | config NF_CONNTRACK_IPV6 |
| 8ce22fca PM | 9 | tristate "IPv6 connection tracking support" |
| | 10 | depends on INET && IPV6 && NF_CONNTRACK |
| 33b8e776 | 11 | default m if NETFILTER_ADVANCED=n |
| 9bdf87d9 YK | 12 | ---help--- |
| | 13 | Connection tracking keeps a record of what packets have passed |
| | 14 | through your machine, in order to figure out how they are related |
| | 15 | into connections. |
| | 16 | |
| | 17 | This is IPv6 support on Layer 3 independent connection tracking. |
| | 18 | Layer 3 independent connection tracking is experimental scheme |
| | 19 | which generalize ip_conntrack to support other layer 3 protocols. |
| | 20 | |
| | 21 | To compile it as a module, choose M here. If unsure, say N. |
| | 22 | |
| 1da177e4 | 23 | config IP6_NF_QUEUE |
| 7af4cc3f | 24 | tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)" |
| 8ce22fca | 25 | depends on INET && IPV6 && NETFILTER |
| 33b8e776 | 26 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT | 27 | ---help--- |
| | 28 | |
| | 29 | This option adds a queue handler to the kernel for IPv6 |
| 7af4cc3f HW | 30 | packets which enables users to receive the filtered packets |
| | 31 | with QUEUE target using libipq. |
| | 32 | |
| 3dde6ad8 | 33 | This option enables the old IPv6-only "ip6_queue" implementation |
| 7af4cc3f HW | 34 | which has been obsoleted by the new "nfnetlink_queue" code (see |
| | 35 | CONFIG_NETFILTER_NETLINK_QUEUE). |
| 1da177e4 LT | 36 | |
| | 37 | (C) Fernando Anton 2001 |
| | 38 | IPv64 Project - Work based in IPv64 draft by Arturo Azcorra. |
| | 39 | Universidad Carlos III de Madrid |
| | 40 | Universidad Politecnica de Alcala de Henares |
| | 41 | email: <fanton@it.uc3m.es>. |
| | 42 | |
| | 43 | To compile it as a module, choose M here. If unsure, say N. |
| | 44 | |
| | 45 | config IP6_NF_IPTABLES |
| 844dc7c8 | 46 | tristate "IP6 tables support (required for filtering)" |
| 8ce22fca | 47 | depends on INET && IPV6 |
| a3c941b0 | 48 | select NETFILTER_XTABLES |
| 33b8e776 | 49 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT | 50 | help |
| | 51 | ip6tables is a general, extensible packet identification framework. |
| | 52 | Currently only the packet filtering and packet mangling subsystem |
| | 53 | for IPv6 use this, but connection tracking is going to follow. |
| | 54 | Say 'Y' or 'M' here if you want to use either of those. |
| | 55 | |
| | 56 | To compile it as a module, choose M here. If unsure, say N. |
| | 57 | |
| c2df73de JE | 58 | if IP6_NF_IPTABLES |
| | 59 | |
| 1da177e4 | 60 | # The simple matches. |
| aba0d348 JE | 61 | config IP6_NF_MATCH_AH |
| | 62 | tristate '"ah" match support' |
| 33b8e776 | 63 | depends on NETFILTER_ADVANCED |
| 1da177e4 | 64 | help |
| aba0d348 | 65 | This module allows one to match AH packets. |
| 1da177e4 LT | 66 | |
| | 67 | To compile it as a module, choose M here. If unsure, say N. |
| | 68 | |
| aba0d348 JE | 69 | config IP6_NF_MATCH_EUI64 |
| | 70 | tristate '"eui64" address check' |
| 33b8e776 | 71 | depends on NETFILTER_ADVANCED |
| 1da177e4 | 72 | help |
| aba0d348 JE | 73 | This module performs checking on the IPv6 source address |
| | 74 | Compares the last 64 bits with the EUI64 (delivered |
| | 75 | from the MAC address) address |
| 1da177e4 LT | 76 | |
| | 77 | To compile it as a module, choose M here. If unsure, say N. |
| | 78 | |
| | 79 | config IP6_NF_MATCH_FRAG |
| 4c37799c | 80 | tristate '"frag" Fragmentation header match support' |
| 33b8e776 | 81 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT | 82 | help |
| | 83 | frag matching allows you to match packets based on the fragmentation |
| | 84 | header of the packet. |
| | 85 | |
| | 86 | To compile it as a module, choose M here. If unsure, say N. |
| | 87 | |
| aba0d348 JE | 88 | config IP6_NF_MATCH_OPTS |
| | 89 | tristate '"hbh" hop-by-hop and "dst" opts header match support' |
| aba0d348 JE | 90 | depends on NETFILTER_ADVANCED |
| | 91 | help |
| | 92 | This allows one to match packets based on the hop-by-hop |
| | 93 | and destination options headers of a packet. |
| | 94 | |
| | 95 | To compile it as a module, choose M here. If unsure, say N. |
| | 96 | |
| 1da177e4 | 97 | config IP6_NF_MATCH_HL |
| 4c37799c | 98 | tristate '"hl" match support' |
| 33b8e776 | 99 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT | 100 | help |
| | 101 | HL matching allows you to match packets based on the hop |
| | 102 | limit of the packet. |
| | 103 | |
| | 104 | To compile it as a module, choose M here. If unsure, say N. |
| | 105 | |
| 1da177e4 | 106 | config IP6_NF_MATCH_IPV6HEADER |
| 4c37799c | 107 | tristate '"ipv6header" IPv6 Extension Headers Match' |
| 44c45eb9 | 108 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT | 109 | help |
| | 110 | This module allows one to match packets based upon |
| | 111 | the ipv6 extension headers. |
| | 112 | |
| | 113 | To compile it as a module, choose M here. If unsure, say N. |
| | 114 | |
| a0ca215a | 115 | config IP6_NF_MATCH_MH |
| 4c37799c | 116 | tristate '"mh" match support' |
| 33b8e776 | 117 | depends on NETFILTER_ADVANCED |
| a0ca215a MN | 118 | help |
| | 119 | This module allows one to match MH packets. |
| | 120 | |
| | 121 | To compile it as a module, choose M here. If unsure, say N. |
| | 122 | |
| aba0d348 JE | 123 | config IP6_NF_MATCH_RT |
| | 124 | tristate '"rt" Routing header match support' |
| 33b8e776 | 125 | depends on NETFILTER_ADVANCED |
| 1da177e4 | 126 | help |
| aba0d348 JE | 127 | rt matching allows you to match packets based on the routing |
| | 128 | header of the packet. |
| 1da177e4 LT | 129 | |
| | 130 | To compile it as a module, choose M here. If unsure, say N. |
| | 131 | |
| 1da177e4 | 132 | # The targets |
| 2203eb47 JE | 133 | config IP6_NF_TARGET_LOG |
| | 134 | tristate "LOG target support" |
| 33b8e776 | 135 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 | 136 | help |
| 2203eb47 JE | 137 | This option adds a `LOG' target, which allows you to create rules in |
| | 138 | any iptables table which records the packet header to the syslog. |
| 1da177e4 LT | 139 | |
| | 140 | To compile it as a module, choose M here. If unsure, say N. |
| | 141 | |
| 2203eb47 JE | 142 | config IP6_NF_FILTER |
| | 143 | tristate "Packet filtering" |
| 33b8e776 | 144 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 | 145 | help |
| 2203eb47 JE | 146 | Packet filtering defines a table `filter', which has a series of |
| | 147 | rules for simple packet filtering at local input, forwarding and |
| | 148 | local output. See the man page for iptables(8). |
| 1da177e4 LT | 149 | |
| | 150 | To compile it as a module, choose M here. If unsure, say N. |
| | 151 | |
| 764d8a9f PM | 152 | config IP6_NF_TARGET_REJECT |
| | 153 | tristate "REJECT target support" |
| | 154 | depends on IP6_NF_FILTER |
| 33b8e776 | 155 | default m if NETFILTER_ADVANCED=n |
| 764d8a9f PM | 156 | help |
| | 157 | The REJECT target allows a filtering rule to specify that an ICMPv6 |
| | 158 | error should be issued in response to an incoming packet, rather |
| | 159 | than silently being dropped. |
| | 160 | |
| | 161 | To compile it as a module, choose M here. If unsure, say N. |
| | 162 | |
| 1da177e4 LT | 163 | config IP6_NF_MANGLE |
| | 164 | tristate "Packet mangling" |
| 33b8e776 | 165 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT | 166 | help |
| | 167 | This option adds a `mangle' table to iptables: see the man page for |
| | 168 | iptables(8). This table is used for various packet alterations |
| | 169 | which can effect how the packet is routed. |
| | 170 | |
| | 171 | To compile it as a module, choose M here. If unsure, say N. |
| 1da177e4 | 172 | |
| 0ac4f893 HW | 173 | config IP6_NF_TARGET_HL |
| | 174 | tristate 'HL (hoplimit) target support' |
| | 175 | depends on IP6_NF_MANGLE |
| 33b8e776 | 176 | depends on NETFILTER_ADVANCED |
| 0ac4f893 HW | 177 | help |
| | 178 | This option adds a `HL' target, which enables the user to decrement |
| | 179 | the hoplimit value of the IPv6 header or set it to a given (lower) |
| | 180 | value. |
| 33b8e776 | 181 | |
| 0ac4f893 HW | 182 | While it is safe to decrement the hoplimit value, this option also |
| | 183 | enables functionality to increment and set the hoplimit value of the |
| | 184 | IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since |
| | 185 | you can easily create immortal packets that loop forever on the |
| 33b8e776 | 186 | network. |
| 0ac4f893 HW | 187 | |
| | 188 | To compile it as a module, choose M here. If unsure, say N. |
| | 189 | |
| 1da177e4 LT | 190 | config IP6_NF_RAW |
| | 191 | tristate 'raw table support (required for TRACE)' |
| 33b8e776 | 192 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT | 193 | help |
| | 194 | This option adds a `raw' table to ip6tables. This table is the very |
| | 195 | first in the netfilter framework and hooks in at the PREROUTING |
| | 196 | and OUTPUT chains. |
| 33b8e776 | 197 | |
| 1da177e4 | 198 | If you want to compile it as a module, say M here and read |
| 39f5fb30 | 199 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
| 1da177e4 | 200 | |
| 17e6e59f JM | 201 | # security table for MAC policy |
| | 202 | config IP6_NF_SECURITY |
| | 203 | tristate "Security table" |
| 17e6e59f | 204 | depends on SECURITY |
| 70eed75d | 205 | depends on NETFILTER_ADVANCED |
| 17e6e59f JM | 206 | help |
| | 207 | This option adds a `security' table to iptables, for use |
| | 208 | with Mandatory Access Control (MAC) policy. |
| | 209 | |
| | 210 | If unsure, say N. |
| | 211 | |
| c2df73de JE | 212 | endif # IP6_NF_IPTABLES |
| | 213 | |
| 1da177e4 LT | 214 | endmenu |
| | 215 | |