Commit | Line | Data |
---|---|---|
ec8f24b7 | 1 | # SPDX-License-Identifier: GPL-2.0-only |
1da177e4 LT |
2 | # |
3 | # IP netfilter configuration | |
4 | # | |
5 | ||
8ce22fca PM |
6 | menu "IPv6: Netfilter Configuration" |
7 | depends on INET && IPV6 && NETFILTER | |
1da177e4 | 8 | |
8db4c5be PNA |
9 | config NF_SOCKET_IPV6 |
10 | tristate "IPv6 socket lookup support" | |
11 | help | |
12 | This option enables the IPv6 socket lookup infrastructure. This | |
45ca4e0c ME |
13 | is used by the {ip6,nf}tables socket match. |
14 | ||
15 | config NF_TPROXY_IPV6 | |
16 | tristate "IPv6 tproxy support" | |
8db4c5be | 17 | |
f04e599e PNA |
18 | if NF_TABLES |
19 | ||
96518518 | 20 | config NF_TABLES_IPV6 |
02c7b25e | 21 | bool "IPv6 nf_tables support" |
d497c635 PNA |
22 | help |
23 | This option enables the IPv6 support for nf_tables. | |
96518518 | 24 | |
f04e599e PNA |
25 | if NF_TABLES_IPV6 |
26 | ||
cc4723ca | 27 | config NFT_REJECT_IPV6 |
c8d7b98b | 28 | select NF_REJECT_IPV6 |
cc4723ca PM |
29 | default NFT_REJECT |
30 | tristate | |
31 | ||
d877f071 PNA |
32 | config NFT_DUP_IPV6 |
33 | tristate "IPv6 nf_tables packet duplication support" | |
d3340b79 | 34 | depends on !NF_CONNTRACK || NF_CONNTRACK |
d877f071 PNA |
35 | select NF_DUP_IPV6 |
36 | help | |
37 | This module enables IPv6 packet duplication support for nf_tables. | |
38 | ||
f6d0cbcf FW |
39 | config NFT_FIB_IPV6 |
40 | tristate "nf_tables fib / ipv6 route lookup support" | |
41 | select NFT_FIB | |
42 | help | |
43 | This module enables IPv6 FIB lookups, e.g. for reverse path filtering. | |
44 | It also allows querying the FIB for the route type, e.g. local, unicast, | |
45 | multicast or blackhole. | |
46 | ||
f04e599e PNA |
47 | endif # NF_TABLES_IPV6 |
48 | endif # NF_TABLES | |
49 | ||
09952107 | 50 | config NF_FLOW_TABLE_IPV6 |
09952107 | 51 | tristate "Netfilter flow table IPv6 module" |
6be3bcd7 | 52 | depends on NF_FLOW_TABLE |
09952107 PNA |
53 | help |
54 | This option adds the flow table IPv6 support. | |
55 | ||
56 | To compile it as a module, choose M here. | |
57 | ||
bbde9fc1 PNA |
58 | config NF_DUP_IPV6 |
59 | tristate "Netfilter IPv6 packet duplication to alternate destination" | |
6ece90f9 | 60 | depends on !NF_CONNTRACK || NF_CONNTRACK |
bbde9fc1 PNA |
61 | help |
62 | This option enables the nf_dup_ipv6 core, which duplicates an IPv6 | |
63 | packet to be rerouted to another destination. | |
64 | ||
f04e599e PNA |
65 | config NF_REJECT_IPV6 |
66 | tristate "IPv6 packet rejection" | |
67 | default m if NETFILTER_ADVANCED=n | |
68 | ||
c1878869 PNA |
69 | config NF_LOG_IPV6 |
70 | tristate "IPv6 packet logging" | |
41ad82f7 | 71 | default m if NETFILTER_ADVANCED=n |
c1878869 PNA |
72 | select NF_LOG_COMMON |
73 | ||
1da177e4 | 74 | config IP6_NF_IPTABLES |
844dc7c8 | 75 | tristate "IP6 tables support (required for filtering)" |
8ce22fca | 76 | depends on INET && IPV6 |
a3c941b0 | 77 | select NETFILTER_XTABLES |
33b8e776 | 78 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT |
79 | help |
80 | ip6tables is a general, extensible packet identification framework. | |
81 | Currently only the packet filtering and packet mangling subsystems | |
82 | for IPv6 use this, but connection tracking is going to follow. | |
83 | Say 'Y' or 'M' here if you want to use either of those. | |
84 | ||
85 | To compile it as a module, choose M here. If unsure, say N. | |
86 | ||
c2df73de JE |
87 | if IP6_NF_IPTABLES |
88 | ||
1da177e4 | 89 | # The simple matches. |
aba0d348 JE |
90 | config IP6_NF_MATCH_AH |
91 | tristate '"ah" match support' | |
33b8e776 | 92 | depends on NETFILTER_ADVANCED |
1da177e4 | 93 | help |
aba0d348 | 94 | This module allows one to match AH packets. |
1da177e4 LT |
95 | |
96 | To compile it as a module, choose M here. If unsure, say N. | |
97 | ||
aba0d348 JE |
98 | config IP6_NF_MATCH_EUI64 |
99 | tristate '"eui64" address check' | |
33b8e776 | 100 | depends on NETFILTER_ADVANCED |
1da177e4 | 101 | help |
aba0d348 JE |
102 | This module performs checking on the IPv6 source address. |
103 | It compares the last 64 bits with the EUI64 address (derived | |
104 | from the MAC address). | |
1da177e4 LT |
105 | |
106 | To compile it as a module, choose M here. If unsure, say N. | |
107 | ||
108 | config IP6_NF_MATCH_FRAG | |
4c37799c | 109 | tristate '"frag" Fragmentation header match support' |
33b8e776 | 110 | depends on NETFILTER_ADVANCED |
1da177e4 LT |
111 | help |
112 | frag matching allows you to match packets based on the fragmentation | |
113 | header of the packet. | |
114 | ||
115 | To compile it as a module, choose M here. If unsure, say N. | |
116 | ||
aba0d348 JE |
117 | config IP6_NF_MATCH_OPTS |
118 | tristate '"hbh" hop-by-hop and "dst" opts header match support' | |
aba0d348 JE |
119 | depends on NETFILTER_ADVANCED |
120 | help | |
121 | This allows one to match packets based on the hop-by-hop | |
122 | and destination options headers of a packet. | |
123 | ||
124 | To compile it as a module, choose M here. If unsure, say N. | |
125 | ||
4323362e JE |
126 | config IP6_NF_MATCH_HL |
127 | tristate '"hl" hoplimit match support' | |
128 | depends on NETFILTER_ADVANCED | |
129 | select NETFILTER_XT_MATCH_HL | |
a7f7f624 | 130 | help |
43da1411 KK |
131 | This is a backwards-compat option for the user's convenience |
132 | (e.g. when running oldconfig). It selects | |
133 | CONFIG_NETFILTER_XT_MATCH_HL. | |
4323362e | 134 | |
1da177e4 | 135 | config IP6_NF_MATCH_IPV6HEADER |
4c37799c | 136 | tristate '"ipv6header" IPv6 Extension Headers Match' |
44c45eb9 | 137 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT |
138 | help |
139 | This module allows one to match packets based upon | |
140 | the ipv6 extension headers. | |
141 | ||
142 | To compile it as a module, choose M here. If unsure, say N. | |
143 | ||
a0ca215a | 144 | config IP6_NF_MATCH_MH |
4c37799c | 145 | tristate '"mh" match support' |
33b8e776 | 146 | depends on NETFILTER_ADVANCED |
a0ca215a MN |
147 | help |
148 | This module allows one to match MH packets. | |
149 | ||
150 | To compile it as a module, choose M here. If unsure, say N. | |
151 | ||
e26f9a48 FW |
152 | config IP6_NF_MATCH_RPFILTER |
153 | tristate '"rpfilter" reverse path filter match support' | |
f09becc7 PNA |
154 | depends on NETFILTER_ADVANCED |
155 | depends on IP6_NF_MANGLE || IP6_NF_RAW | |
a7f7f624 | 156 | help |
e26f9a48 FW |
157 | This option allows you to match packets whose replies would |
158 | go out via the interface the packet came in on. | |
159 | ||
160 | To compile it as a module, choose M here. If unsure, say N. | |
161 | The module will be called ip6t_rpfilter. | |
162 | ||
aba0d348 JE |
163 | config IP6_NF_MATCH_RT |
164 | tristate '"rt" Routing header match support' | |
33b8e776 | 165 | depends on NETFILTER_ADVANCED |
1da177e4 | 166 | help |
aba0d348 JE |
167 | rt matching allows you to match packets based on the routing |
168 | header of the packet. | |
1da177e4 LT |
169 | |
170 | To compile it as a module, choose M here. If unsure, say N. | |
171 | ||
202a8ff5 | 172 | config IP6_NF_MATCH_SRH |
bf69abad KK |
173 | tristate '"srh" Segment Routing header match support' |
174 | depends on NETFILTER_ADVANCED | |
175 | help | |
176 | srh matching allows you to match packets based on the segment | |
202a8ff5 AA |
177 | routing header of the packet. |
178 | ||
bf69abad | 179 | To compile it as a module, choose M here. If unsure, say N. |
202a8ff5 | 180 | |
1da177e4 | 181 | # The targets |
4323362e JE |
182 | config IP6_NF_TARGET_HL |
183 | tristate '"HL" hoplimit target support' | |
76b6717b | 184 | depends on NETFILTER_ADVANCED && IP6_NF_MANGLE |
4323362e | 185 | select NETFILTER_XT_TARGET_HL |
a7f7f624 | 186 | help |
43da1411 KK |
187 | This is a backwards-compatible option for the user's convenience |
188 | (e.g. when running oldconfig). It selects | |
189 | CONFIG_NETFILTER_XT_TARGET_HL. | |
4323362e | 190 | |
2203eb47 JE |
191 | config IP6_NF_FILTER |
192 | tristate "Packet filtering" | |
33b8e776 | 193 | default m if NETFILTER_ADVANCED=n |
1da177e4 | 194 | help |
2203eb47 JE |
195 | Packet filtering defines a table `filter', which has a series of |
196 | rules for simple packet filtering at local input, forwarding and | |
197 | local output. See the man page for iptables(8). | |
1da177e4 LT |
198 | |
199 | To compile it as a module, choose M here. If unsure, say N. | |
200 | ||
764d8a9f PM |
201 | config IP6_NF_TARGET_REJECT |
202 | tristate "REJECT target support" | |
203 | depends on IP6_NF_FILTER | |
c8d7b98b | 204 | select NF_REJECT_IPV6 |
33b8e776 | 205 | default m if NETFILTER_ADVANCED=n |
764d8a9f PM |
206 | help |
207 | The REJECT target allows a filtering rule to specify that an ICMPv6 | |
208 | error should be issued in response to an incoming packet, rather | |
209 | than silently being dropped. | |
210 | ||
211 | To compile it as a module, choose M here. If unsure, say N. | |
212 | ||
4ad36228 PM |
213 | config IP6_NF_TARGET_SYNPROXY |
214 | tristate "SYNPROXY target support" | |
215 | depends on NF_CONNTRACK && NETFILTER_ADVANCED | |
216 | select NETFILTER_SYNPROXY | |
217 | select SYN_COOKIES | |
218 | help | |
219 | The SYNPROXY target allows you to intercept TCP connections and | |
220 | establish them using syncookies before they are passed on to the | |
221 | server. This avoids conntrack and server resource usage | |
222 | during SYN-flood attacks. | |
223 | ||
224 | To compile it as a module, choose M here. If unsure, say N. | |
225 | ||
1da177e4 LT |
226 | config IP6_NF_MANGLE |
227 | tristate "Packet mangling" | |
33b8e776 | 228 | default m if NETFILTER_ADVANCED=n |
1da177e4 LT |
229 | help |
230 | This option adds a `mangle' table to iptables: see the man page for | |
231 | iptables(8). This table is used for various packet alterations | |
232 | which can affect how the packet is routed. | |
233 | ||
234 | To compile it as a module, choose M here. If unsure, say N. | |
1da177e4 | 235 | |
1da177e4 LT |
236 | config IP6_NF_RAW |
237 | tristate 'raw table support (required for TRACE)' | |
1da177e4 LT |
238 | help |
239 | This option adds a `raw' table to ip6tables. This table is the very | |
240 | first in the netfilter framework and hooks in at the PREROUTING | |
241 | and OUTPUT chains. | |
33b8e776 | 242 | |
1da177e4 | 243 | If you want to compile it as a module, say M here and read |
cd238eff | 244 | <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. |
1da177e4 | 245 | |
17e6e59f JM |
246 | # security table for MAC policy |
247 | config IP6_NF_SECURITY | |
43da1411 KK |
248 | tristate "Security table" |
249 | depends on SECURITY | |
250 | depends on NETFILTER_ADVANCED | |
251 | help | |
252 | This option adds a `security' table to iptables, for use | |
253 | with Mandatory Access Control (MAC) policy. | |
254 | ||
255 | If unsure, say N. | |
17e6e59f | 256 | |
8993cf8e PNA |
257 | config IP6_NF_NAT |
258 | tristate "ip6tables NAT support" | |
a0ae2562 | 259 | depends on NF_CONNTRACK |
b0041d1b PNA |
260 | depends on NETFILTER_ADVANCED |
261 | select NF_NAT | |
8993cf8e | 262 | select NETFILTER_XT_NAT |
b0041d1b | 263 | help |
8993cf8e PNA |
264 | This enables the `nat' table in ip6tables. This allows masquerading, |
265 | port forwarding and other forms of full Network Address Port | |
266 | Translation. | |
b0041d1b PNA |
267 | |
268 | To compile it as a module, choose M here. If unsure, say N. | |
269 | ||
8993cf8e | 270 | if IP6_NF_NAT |
b0041d1b PNA |
271 | |
272 | config IP6_NF_TARGET_MASQUERADE | |
273 | tristate "MASQUERADE target support" | |
adf82acc | 274 | select NETFILTER_XT_TARGET_MASQUERADE |
b0041d1b | 275 | help |
adf82acc FW |
276 | This is a backwards-compat option for the user's convenience |
277 | (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE. | |
b0041d1b | 278 | |
b0041d1b PNA |
279 | config IP6_NF_TARGET_NPT |
280 | tristate "NPT (Network Prefix translation) target support" | |
281 | help | |
282 | This option adds the `SNPT' and `DNPT' targets, which perform | |
283 | stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296. | |
284 | ||
285 | To compile it as a module, choose M here. If unsure, say N. | |
286 | ||
8993cf8e | 287 | endif # IP6_NF_NAT |
b0041d1b | 288 | |
c2df73de | 289 | endif # IP6_NF_IPTABLES |
1da177e4 LT |
290 | endmenu |
291 | ||
a0ae2562 FW |
292 | config NF_DEFRAG_IPV6 |
293 | tristate |