projects / linux-2.6-block.git / blame
| Commit | Line | Data |
|---|---|---|
| 1da177e4 LT |
1 | # |
| 2 | # IP netfilter configuration | |
| 3 | # | |
| 4 | ||
| 5 | menu "IPv6: Netfilter Configuration (EXPERIMENTAL)" | |
| 6 | depends on INET && IPV6 && NETFILTER && EXPERIMENTAL | |
| 7 | ||
| 9bdf87d9 | 8 | config NF_CONNTRACK_IPV6 |
| a3c47977 | 9 | tristate "IPv6 connection tracking support (EXPERIMENTAL)" |
| 9b54d5c6 | 10 | depends on INET && IPV6 && EXPERIMENTAL && NF_CONNTRACK |
| 33b8e776 | 11 | default m if NETFILTER_ADVANCED=n |
| 9bdf87d9 YK |
12 | ---help--- |
| 13 | Connection tracking keeps a record of what packets have passed | |
| 14 | through your machine, in order to figure out how they are related | |
| 15 | into connections. | |
| 16 | ||
| 17 | This is IPv6 support on Layer 3 independent connection tracking. | |
| 18 | Layer 3 independent connection tracking is experimental scheme | |
| 19 | which generalize ip_conntrack to support other layer 3 protocols. | |
| 20 | ||
| 21 | To compile it as a module, choose M here. If unsure, say N. | |
| 22 | ||
| 1da177e4 | 23 | config IP6_NF_QUEUE |
| 7af4cc3f | 24 | tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)" |
| 9b54d5c6 | 25 | depends on INET && IPV6 && NETFILTER && EXPERIMENTAL |
| 33b8e776 | 26 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
27 | ---help--- |
| 28 | ||
| 29 | This option adds a queue handler to the kernel for IPv6 | |
| 7af4cc3f HW |
30 | packets which enables users to receive the filtered packets |
| 31 | with QUEUE target using libipq. | |
| 32 | ||
| 3dde6ad8 | 33 | This option enables the old IPv6-only "ip6_queue" implementation |
| 7af4cc3f HW |
34 | which has been obsoleted by the new "nfnetlink_queue" code (see |
| 35 | CONFIG_NETFILTER_NETLINK_QUEUE). | |
| 1da177e4 LT |
36 | |
| 37 | (C) Fernando Anton 2001 | |
| 38 | IPv64 Project - Work based in IPv64 draft by Arturo Azcorra. | |
| 39 | Universidad Carlos III de Madrid | |
| 40 | Universidad Politecnica de Alcala de Henares | |
| 41 | email: <fanton@it.uc3m.es>. | |
| 42 | ||
| 43 | To compile it as a module, choose M here. If unsure, say N. | |
| 44 | ||
| 45 | config IP6_NF_IPTABLES | |
| 844dc7c8 | 46 | tristate "IP6 tables support (required for filtering)" |
| a3c941b0 PM |
47 | depends on INET && IPV6 && EXPERIMENTAL |
| 48 | select NETFILTER_XTABLES | |
| 33b8e776 | 49 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT |
50 | help |
| 51 | ip6tables is a general, extensible packet identification framework. | |
| 52 | Currently only the packet filtering and packet mangling subsystem | |
| 53 | for IPv6 use this, but connection tracking is going to follow. | |
| 54 | Say 'Y' or 'M' here if you want to use either of those. | |
| 55 | ||
| 56 | To compile it as a module, choose M here. If unsure, say N. | |
| 57 | ||
| 58 | # The simple matches. | |
| 1da177e4 | 59 | config IP6_NF_MATCH_RT |
| 4c37799c | 60 | tristate '"rt" Routing header match support' |
| 1da177e4 | 61 | depends on IP6_NF_IPTABLES |
| 33b8e776 | 62 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
63 | help |
| 64 | rt matching allows you to match packets based on the routing | |
| 65 | header of the packet. | |
| 66 | ||
| 67 | To compile it as a module, choose M here. If unsure, say N. | |
| 68 | ||
| 69 | config IP6_NF_MATCH_OPTS | |
| 4c37799c | 70 | tristate '"hopbyhop" and "dst" opts header match support' |
| 1da177e4 | 71 | depends on IP6_NF_IPTABLES |
| 33b8e776 | 72 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
73 | help |
| 74 | This allows one to match packets based on the hop-by-hop | |
| 75 | and destination options headers of a packet. | |
| 76 | ||
| 77 | To compile it as a module, choose M here. If unsure, say N. | |
| 78 | ||
| 79 | config IP6_NF_MATCH_FRAG | |
| 4c37799c | 80 | tristate '"frag" Fragmentation header match support' |
| 1da177e4 | 81 | depends on IP6_NF_IPTABLES |
| 33b8e776 | 82 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
83 | help |
| 84 | frag matching allows you to match packets based on the fragmentation | |
| 85 | header of the packet. | |
| 86 | ||
| 87 | To compile it as a module, choose M here. If unsure, say N. | |
| 88 | ||
| 89 | config IP6_NF_MATCH_HL | |
| 4c37799c | 90 | tristate '"hl" match support' |
| 1da177e4 | 91 | depends on IP6_NF_IPTABLES |
| 33b8e776 | 92 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
93 | help |
| 94 | HL matching allows you to match packets based on the hop | |
| 95 | limit of the packet. | |
| 96 | ||
| 97 | To compile it as a module, choose M here. If unsure, say N. | |
| 98 | ||
| 1da177e4 | 99 | config IP6_NF_MATCH_IPV6HEADER |
| 4c37799c | 100 | tristate '"ipv6header" IPv6 Extension Headers Match' |
| 1da177e4 | 101 | depends on IP6_NF_IPTABLES |
| 33b8e776 | 102 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
103 | help |
| 104 | This module allows one to match packets based upon | |
| 105 | the ipv6 extension headers. | |
| 106 | ||
| 107 | To compile it as a module, choose M here. If unsure, say N. | |
| 108 | ||
| dc5ab2fa | 109 | config IP6_NF_MATCH_AH |
| 4c37799c | 110 | tristate '"ah" match support' |
| 1da177e4 | 111 | depends on IP6_NF_IPTABLES |
| 33b8e776 | 112 | depends on NETFILTER_ADVANCED |
| 1da177e4 | 113 | help |
| dc5ab2fa | 114 | This module allows one to match AH packets. |
| 1da177e4 LT |
115 | |
| 116 | To compile it as a module, choose M here. If unsure, say N. | |
| 117 | ||
| a0ca215a | 118 | config IP6_NF_MATCH_MH |
| 4c37799c | 119 | tristate '"mh" match support' |
| a0ca215a | 120 | depends on IP6_NF_IPTABLES |
| 33b8e776 | 121 | depends on NETFILTER_ADVANCED |
| a0ca215a MN |
122 | help |
| 123 | This module allows one to match MH packets. | |
| 124 | ||
| 125 | To compile it as a module, choose M here. If unsure, say N. | |
| 126 | ||
| 1da177e4 | 127 | config IP6_NF_MATCH_EUI64 |
| 4c37799c | 128 | tristate '"eui64" address check' |
| 1da177e4 | 129 | depends on IP6_NF_IPTABLES |
| 33b8e776 | 130 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
131 | help |
| 132 | This module performs checking on the IPv6 source address | |
| 133 | Compares the last 64 bits with the EUI64 (delivered | |
| 134 | from the MAC address) address | |
| 135 | ||
| 136 | To compile it as a module, choose M here. If unsure, say N. | |
| 137 | ||
| 1da177e4 LT |
138 | # The targets |
| 139 | config IP6_NF_FILTER | |
| 140 | tristate "Packet filtering" | |
| 141 | depends on IP6_NF_IPTABLES | |
| 33b8e776 | 142 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT |
143 | help |
| 144 | Packet filtering defines a table `filter', which has a series of | |
| 145 | rules for simple packet filtering at local input, forwarding and | |
| 146 | local output. See the man page for iptables(8). | |
| 147 | ||
| 148 | To compile it as a module, choose M here. If unsure, say N. | |
| 149 | ||
| 150 | config IP6_NF_TARGET_LOG | |
| 151 | tristate "LOG target support" | |
| 152 | depends on IP6_NF_FILTER | |
| 33b8e776 | 153 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT |
154 | help |
| 155 | This option adds a `LOG' target, which allows you to create rules in | |
| 156 | any iptables table which records the packet header to the syslog. | |
| 157 | ||
| 158 | To compile it as a module, choose M here. If unsure, say N. | |
| 159 | ||
| 764d8a9f PM |
160 | config IP6_NF_TARGET_REJECT |
| 161 | tristate "REJECT target support" | |
| 162 | depends on IP6_NF_FILTER | |
| 33b8e776 | 163 | default m if NETFILTER_ADVANCED=n |
| 764d8a9f PM |
164 | help |
| 165 | The REJECT target allows a filtering rule to specify that an ICMPv6 | |
| 166 | error should be issued in response to an incoming packet, rather | |
| 167 | than silently being dropped. | |
| 168 | ||
| 169 | To compile it as a module, choose M here. If unsure, say N. | |
| 170 | ||
| 1da177e4 LT |
171 | config IP6_NF_MANGLE |
| 172 | tristate "Packet mangling" | |
| 173 | depends on IP6_NF_IPTABLES | |
| 33b8e776 | 174 | default m if NETFILTER_ADVANCED=n |
| 1da177e4 LT |
175 | help |
| 176 | This option adds a `mangle' table to iptables: see the man page for | |
| 177 | iptables(8). This table is used for various packet alterations | |
| 178 | which can effect how the packet is routed. | |
| 179 | ||
| 180 | To compile it as a module, choose M here. If unsure, say N. | |
| 1da177e4 | 181 | |
| 0ac4f893 HW |
182 | config IP6_NF_TARGET_HL |
| 183 | tristate 'HL (hoplimit) target support' | |
| 184 | depends on IP6_NF_MANGLE | |
| 33b8e776 | 185 | depends on NETFILTER_ADVANCED |
| 0ac4f893 HW |
186 | help |
| 187 | This option adds a `HL' target, which enables the user to decrement | |
| 188 | the hoplimit value of the IPv6 header or set it to a given (lower) | |
| 189 | value. | |
| 33b8e776 | 190 | |
| 0ac4f893 HW |
191 | While it is safe to decrement the hoplimit value, this option also |
| 192 | enables functionality to increment and set the hoplimit value of the | |
| 193 | IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since | |
| 194 | you can easily create immortal packets that loop forever on the | |
| 33b8e776 | 195 | network. |
| 0ac4f893 HW |
196 | |
| 197 | To compile it as a module, choose M here. If unsure, say N. | |
| 198 | ||
| 1da177e4 LT |
199 | config IP6_NF_RAW |
| 200 | tristate 'raw table support (required for TRACE)' | |
| 201 | depends on IP6_NF_IPTABLES | |
| 33b8e776 | 202 | depends on NETFILTER_ADVANCED |
| 1da177e4 LT |
203 | help |
| 204 | This option adds a `raw' table to ip6tables. This table is the very | |
| 205 | first in the netfilter framework and hooks in at the PREROUTING | |
| 206 | and OUTPUT chains. | |
| 33b8e776 | 207 | |
| 1da177e4 | 208 | If you want to compile it as a module, say M here and read |
| 39f5fb30 | 209 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
| 1da177e4 LT |
210 | |
| 211 | endmenu | |
| 212 |