[NETFILTER]: Fix ip[6]t_NFQUEUE Kconfig dependency

[linux-2.6-block.git] / net / ipv6 / netfilter / Kconfig

#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration (EXPERIMENTAL)"
	depends on INET && IPV6 && NETFILTER && EXPERIMENTAL

#tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP6_NF_CONNTRACK
#if [ "$CONFIG_IP6_NF_CONNTRACK" != "n" ]; then
#  dep_tristate '  FTP protocol support' CONFIG_IP6_NF_FTP $CONFIG_IP6_NF_CONNTRACK
#fi
config IP6_NF_QUEUE
	tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
	---help---

	  This option adds a queue handler to the kernel for IPv6
	  packets which enables users to receive the filtered packets
	  with QUEUE target using libipq.

	  THis option enables the old IPv6-only "ip6_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).

	  (C) Fernando Anton 2001
	  IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
	  Universidad Carlos III de Madrid
	  Universidad Politecnica de Alcala de Henares
	  email: <fanton@it.uc3m.es>.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering/masq/NAT)"
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

# The simple matches.
config IP6_NF_MATCH_LIMIT
	tristate "limit match support"
	depends on IP6_NF_IPTABLES
	help
	  limit matching allows you to control the rate at which a rule can be
	  matched: mainly useful in combination with the LOG target ("LOG
	  target support", below) and to avoid some Denial of Service attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MAC
	tristate "MAC address match support"
	depends on IP6_NF_IPTABLES
	help
	  mac matching allows you to match packets based on the source
	  Ethernet address of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_RT
	tristate "Routing header match support"
	depends on IP6_NF_IPTABLES
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate "Hop-by-hop and Dst opts header match support"
	depends on IP6_NF_IPTABLES
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate "Fragmentation header match support"
	depends on IP6_NF_IPTABLES
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
	tristate "HL match support"
	depends on IP6_NF_IPTABLES
	help
	  HL matching allows you to match packets based on the hop
	  limit of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP6_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP6_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here.  If unsure, say N.

#  dep_tristate '  MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES
config IP6_NF_MATCH_MARK
	tristate "netfilter MARK match support"
	depends on IP6_NF_IPTABLES
	help
	  Netfilter mark matching allows you to match packets based on the
	  `nfmark' value in the packet.  This can be set by the MARK target
	  (see below).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_IPV6HEADER
	tristate "IPv6 Extension Headers Match"
	depends on IP6_NF_IPTABLES
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_AHESP
	tristate "AH/ESP match support"
	depends on IP6_NF_IPTABLES
	help
	  This module allows one to match AH and ESP packets.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_LENGTH
	tristate "Packet Length match support"
	depends on IP6_NF_IPTABLES
	help
	  This option allows you to match the length of a packet against a
	  specific value or range of values.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate "EUI64 address check"
	depends on IP6_NF_IPTABLES
	help
	  This module performs checking on the IPv6 source address
	  Compares the last 64 bits with the EUI64 (delivered
	  from the MAC address) address

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_PHYSDEV
	tristate "Physdev match support"
	depends on IP6_NF_IPTABLES && BRIDGE_NETFILTER
	help
	  Physdev packet matching matches against the physical bridge ports
	  the IP packet arrived on or will leave by.

	  To compile it as a module, choose M here.  If unsure, say N.

#  dep_tristate '  Multiple port match support' CONFIG_IP6_NF_MATCH_MULTIPORT $CONFIG_IP6_NF_IPTABLES
#  dep_tristate '  TOS match support' CONFIG_IP6_NF_MATCH_TOS $CONFIG_IP6_NF_IPTABLES
#  if [ "$CONFIG_IP6_NF_CONNTRACK" != "n" ]; then
#    dep_tristate '  Connection state match support' CONFIG_IP6_NF_MATCH_STATE $CONFIG_IP6_NF_CONNTRACK $CONFIG_IP6_NF_IPTABLES 
#  fi
#  if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
#    dep_tristate '  Unclean match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_UNCLEAN $CONFIG_IP6_NF_IPTABLES
#    dep_tristate '  Owner match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_OWNER $CONFIG_IP6_NF_IPTABLES
#  fi
# The targets
config IP6_NF_FILTER
	tristate "Packet filtering"
	depends on IP6_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP6_NF_FILTER
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_NFQUEUE
	tristate "NFQUEUE Target Support"
	depends on IP_NF_IPTABLES
	help
	  This Target replaced the old obsolete QUEUE target.

	  As opposed to QUEUE, it supports 65535 different queues,
	  not just one.

	  To compile it as a module, choose M here.  If unsure, say N.

#  if [ "$CONFIG_IP6_NF_FILTER" != "n" ]; then
#    dep_tristate '    REJECT target support' CONFIG_IP6_NF_TARGET_REJECT $CONFIG_IP6_NF_FILTER
#    if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
#      dep_tristate '    MIRROR target support (EXPERIMENTAL)' CONFIG_IP6_NF_TARGET_MIRROR $CONFIG_IP6_NF_FILTER
#    fi
#  fi
config IP6_NF_MANGLE
	tristate "Packet mangling"
	depends on IP6_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

#    dep_tristate '    TOS target support' CONFIG_IP6_NF_TARGET_TOS $CONFIG_IP_NF_MANGLE
config IP6_NF_TARGET_MARK
	tristate "MARK target support"
	depends on IP6_NF_MANGLE
	help
	  This option adds a `MARK' target, which allows you to create rules
	  in the `mangle' table which alter the netfilter mark (nfmark) field
	  associated with the packet packet prior to routing. This can change
	  the routing method (see `Use netfilter MARK value as routing
	  key') and can also be used by other subsystems to change their
	  behavior.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_HL
	tristate  'HL (hoplimit) target support'
	depends on IP6_NF_MANGLE
	help
	  This option adds a `HL' target, which enables the user to decrement
	  the hoplimit value of the IPv6 header or set it to a given (lower)
	  value.
	
	  While it is safe to decrement the hoplimit value, this option also
	  enables functionality to increment and set the hoplimit value of the
	  IPv6 header to arbitrary values.  This is EXTREMELY DANGEROUS since
	  you can easily create immortal packets that loop forever on the
	  network.  

	  To compile it as a module, choose M here.  If unsure, say N.

#dep_tristate '  LOG target support' CONFIG_IP6_NF_TARGET_LOG $CONFIG_IP6_NF_IPTABLES
config IP6_NF_RAW
	tristate  'raw table support (required for TRACE)'
	depends on IP6_NF_IPTABLES
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.
	
	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>.  If unsure, say `N'.

endmenu