Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | # |
2 | # IP netfilter configuration | |
3 | # | |
4 | ||
5 | menu "IPv6: Netfilter Configuration (EXPERIMENTAL)" | |
6 | depends on INET && IPV6 && NETFILTER && EXPERIMENTAL | |
7 | ||
8 | #tristate 'Connection tracking (required for masq/NAT)' CONFIG_IP6_NF_CONNTRACK | |
9 | #if [ "$CONFIG_IP6_NF_CONNTRACK" != "n" ]; then | |
10 | # dep_tristate ' FTP protocol support' CONFIG_IP6_NF_FTP $CONFIG_IP6_NF_CONNTRACK | |
11 | #fi | |
12 | config IP6_NF_QUEUE | |
7af4cc3f | 13 | tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)" |
1da177e4 LT |
14 | ---help--- |
15 | ||
16 | This option adds a queue handler to the kernel for IPv6 | |
7af4cc3f HW |
17 | packets which enables users to receive the filtered packets |
18 | with QUEUE target using libipq. | |
19 | ||
20 | This option enables the old IPv6-only "ip6_queue" implementation | |
21 | which has been obsoleted by the new "nfnetlink_queue" code (see | |
22 | CONFIG_NETFILTER_NETLINK_QUEUE). | |
1da177e4 LT |
23 | |
24 | (C) Fernando Anton 2001 | |
25 | IPv64 Project - Work based in IPv64 draft by Arturo Azcorra. | |
26 | Universidad Carlos III de Madrid | |
27 | Universidad Politecnica de Alcala de Henares | |
28 | email: <fanton@it.uc3m.es>. | |
29 | ||
30 | To compile it as a module, choose M here. If unsure, say N. | |
31 | ||
32 | config IP6_NF_IPTABLES | |
33 | tristate "IP6 tables support (required for filtering/masq/NAT)" | |
34 | help | |
35 | ip6tables is a general, extensible packet identification framework. | |
36 | Currently only the packet filtering and packet mangling subsystems | |
37 | for IPv6 use this, but connection tracking is going to follow. | |
38 | Say 'Y' or 'M' here if you want to use either of those. | |
39 | ||
40 | To compile it as a module, choose M here. If unsure, say N. | |
41 | ||
42 | # The simple matches. | |
43 | config IP6_NF_MATCH_LIMIT | |
44 | tristate "limit match support" | |
45 | depends on IP6_NF_IPTABLES | |
46 | help | |
47 | limit matching allows you to control the rate at which a rule can be | |
48 | matched: mainly useful in combination with the LOG target ("LOG | |
49 | target support", below) and to avoid some Denial of Service attacks. | |
50 | ||
51 | To compile it as a module, choose M here. If unsure, say N. | |
52 | ||
53 | config IP6_NF_MATCH_MAC | |
54 | tristate "MAC address match support" | |
55 | depends on IP6_NF_IPTABLES | |
56 | help | |
57 | mac matching allows you to match packets based on the source | |
58 | Ethernet address of the packet. | |
59 | ||
60 | To compile it as a module, choose M here. If unsure, say N. | |
61 | ||
62 | config IP6_NF_MATCH_RT | |
63 | tristate "Routing header match support" | |
64 | depends on IP6_NF_IPTABLES | |
65 | help | |
66 | rt matching allows you to match packets based on the routing | |
67 | header of the packet. | |
68 | ||
69 | To compile it as a module, choose M here. If unsure, say N. | |
70 | ||
71 | config IP6_NF_MATCH_OPTS | |
72 | tristate "Hop-by-hop and Dst opts header match support" | |
73 | depends on IP6_NF_IPTABLES | |
74 | help | |
75 | This allows one to match packets based on the hop-by-hop | |
76 | and destination options headers of a packet. | |
77 | ||
78 | To compile it as a module, choose M here. If unsure, say N. | |
79 | ||
80 | config IP6_NF_MATCH_FRAG | |
81 | tristate "Fragmentation header match support" | |
82 | depends on IP6_NF_IPTABLES | |
83 | help | |
84 | frag matching allows you to match packets based on the fragmentation | |
85 | header of the packet. | |
86 | ||
87 | To compile it as a module, choose M here. If unsure, say N. | |
88 | ||
89 | config IP6_NF_MATCH_HL | |
90 | tristate "HL match support" | |
91 | depends on IP6_NF_IPTABLES | |
92 | help | |
93 | HL matching allows you to match packets based on the hop | |
94 | limit of the packet. | |
95 | ||
96 | To compile it as a module, choose M here. If unsure, say N. | |
97 | ||
98 | config IP6_NF_MATCH_MULTIPORT | |
99 | tristate "Multiple port match support" | |
100 | depends on IP6_NF_IPTABLES | |
101 | help | |
102 | Multiport matching allows you to match TCP or UDP packets based on | |
103 | a series of source or destination ports: normally a rule can only | |
104 | match a single range of ports. | |
105 | ||
106 | To compile it as a module, choose M here. If unsure, say N. | |
107 | ||
108 | config IP6_NF_MATCH_OWNER | |
109 | tristate "Owner match support" | |
110 | depends on IP6_NF_IPTABLES | |
111 | help | |
112 | Packet owner matching allows you to match locally-generated packets | |
113 | based on who created them: the user, group, process or session. | |
114 | ||
115 | To compile it as a module, choose M here. If unsure, say N. | |
116 | ||
117 | # dep_tristate ' MAC address match support' CONFIG_IP6_NF_MATCH_MAC $CONFIG_IP6_NF_IPTABLES | |
118 | config IP6_NF_MATCH_MARK | |
119 | tristate "netfilter MARK match support" | |
120 | depends on IP6_NF_IPTABLES | |
121 | help | |
122 | Netfilter mark matching allows you to match packets based on the | |
123 | `nfmark' value in the packet. This can be set by the MARK target | |
124 | (see below). | |
125 | ||
126 | To compile it as a module, choose M here. If unsure, say N. | |
127 | ||
128 | config IP6_NF_MATCH_IPV6HEADER | |
129 | tristate "IPv6 Extension Headers Match" | |
130 | depends on IP6_NF_IPTABLES | |
131 | help | |
132 | This module allows one to match packets based upon | |
133 | the ipv6 extension headers. | |
134 | ||
135 | To compile it as a module, choose M here. If unsure, say N. | |
136 | ||
137 | config IP6_NF_MATCH_AHESP | |
138 | tristate "AH/ESP match support" | |
139 | depends on IP6_NF_IPTABLES | |
140 | help | |
141 | This module allows one to match AH and ESP packets. | |
142 | ||
143 | To compile it as a module, choose M here. If unsure, say N. | |
144 | ||
145 | config IP6_NF_MATCH_LENGTH | |
146 | tristate "Packet Length match support" | |
147 | depends on IP6_NF_IPTABLES | |
148 | help | |
149 | This option allows you to match the length of a packet against a | |
150 | specific value or range of values. | |
151 | ||
152 | To compile it as a module, choose M here. If unsure, say N. | |
153 | ||
154 | config IP6_NF_MATCH_EUI64 | |
155 | tristate "EUI64 address check" | |
156 | depends on IP6_NF_IPTABLES | |
157 | help | |
158 | This module performs checking on the IPv6 source address. | |
159 | It compares the last 64 bits with the EUI64 address (derived | |
160 | from the MAC address). | |
161 | ||
162 | To compile it as a module, choose M here. If unsure, say N. | |
163 | ||
164 | config IP6_NF_MATCH_PHYSDEV | |
165 | tristate "Physdev match support" | |
166 | depends on IP6_NF_IPTABLES && BRIDGE_NETFILTER | |
167 | help | |
168 | Physdev packet matching matches against the physical bridge ports | |
169 | the IP packet arrived on or will leave by. | |
170 | ||
171 | To compile it as a module, choose M here. If unsure, say N. | |
172 | ||
173 | # dep_tristate ' Multiple port match support' CONFIG_IP6_NF_MATCH_MULTIPORT $CONFIG_IP6_NF_IPTABLES | |
174 | # dep_tristate ' TOS match support' CONFIG_IP6_NF_MATCH_TOS $CONFIG_IP6_NF_IPTABLES | |
175 | # if [ "$CONFIG_IP6_NF_CONNTRACK" != "n" ]; then | |
176 | # dep_tristate ' Connection state match support' CONFIG_IP6_NF_MATCH_STATE $CONFIG_IP6_NF_CONNTRACK $CONFIG_IP6_NF_IPTABLES | |
177 | # fi | |
178 | # if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then | |
179 | # dep_tristate ' Unclean match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_UNCLEAN $CONFIG_IP6_NF_IPTABLES | |
180 | # dep_tristate ' Owner match support (EXPERIMENTAL)' CONFIG_IP6_NF_MATCH_OWNER $CONFIG_IP6_NF_IPTABLES | |
181 | # fi | |
182 | # The targets | |
183 | config IP6_NF_FILTER | |
184 | tristate "Packet filtering" | |
185 | depends on IP6_NF_IPTABLES | |
186 | help | |
187 | Packet filtering defines a table `filter', which has a series of | |
188 | rules for simple packet filtering at local input, forwarding and | |
189 | local output. See the man page for iptables(8). | |
190 | ||
191 | To compile it as a module, choose M here. If unsure, say N. | |
192 | ||
193 | config IP6_NF_TARGET_LOG | |
194 | tristate "LOG target support" | |
195 | depends on IP6_NF_FILTER | |
196 | help | |
197 | This option adds a `LOG' target, which allows you to create rules in | |
198 | any iptables table which record the packet header to the syslog. | |
199 | ||
200 | To compile it as a module, choose M here. If unsure, say N. | |
201 | ||
764d8a9f PM |
202 | config IP6_NF_TARGET_REJECT |
203 | tristate "REJECT target support" | |
204 | depends on IP6_NF_FILTER | |
205 | help | |
206 | The REJECT target allows a filtering rule to specify that an ICMPv6 | |
207 | error should be issued in response to an incoming packet, rather | |
208 | than silently being dropped. | |
209 | ||
210 | To compile it as a module, choose M here. If unsure, say N. | |
211 | ||
d67b24c4 HW |
212 | config IP6_NF_TARGET_NFQUEUE |
213 | tristate "NFQUEUE Target Support" | |
214 | depends on IP_NF_IPTABLES | |
215 | help | |
216 | This Target replaced the old obsolete QUEUE target. | |
217 | ||
218 | As opposed to QUEUE, it supports 65535 different queues, | |
219 | not just one. | |
220 | ||
221 | To compile it as a module, choose M here. If unsure, say N. | |
222 | ||
1da177e4 LT |
223 | # if [ "$CONFIG_IP6_NF_FILTER" != "n" ]; then |
224 | # dep_tristate ' REJECT target support' CONFIG_IP6_NF_TARGET_REJECT $CONFIG_IP6_NF_FILTER | |
225 | # if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then | |
226 | # dep_tristate ' MIRROR target support (EXPERIMENTAL)' CONFIG_IP6_NF_TARGET_MIRROR $CONFIG_IP6_NF_FILTER | |
227 | # fi | |
228 | # fi | |
229 | config IP6_NF_MANGLE | |
230 | tristate "Packet mangling" | |
231 | depends on IP6_NF_IPTABLES | |
232 | help | |
233 | This option adds a `mangle' table to iptables: see the man page for | |
234 | iptables(8). This table is used for various packet alterations | |
235 | which can affect how the packet is routed. | |
236 | ||
237 | To compile it as a module, choose M here. If unsure, say N. | |
238 | ||
239 | # dep_tristate ' TOS target support' CONFIG_IP6_NF_TARGET_TOS $CONFIG_IP_NF_MANGLE | |
240 | config IP6_NF_TARGET_MARK | |
241 | tristate "MARK target support" | |
242 | depends on IP6_NF_MANGLE | |
243 | help | |
244 | This option adds a `MARK' target, which allows you to create rules | |
245 | in the `mangle' table which alter the netfilter mark (nfmark) field | |
246 | associated with the packet prior to routing. This can change | |
247 | the routing method (see `Use netfilter MARK value as routing | |
248 | key') and can also be used by other subsystems to change their | |
249 | behavior. | |
250 | ||
251 | To compile it as a module, choose M here. If unsure, say N. | |
252 | ||
0ac4f893 HW |
253 | config IP6_NF_TARGET_HL |
254 | tristate 'HL (hoplimit) target support' | |
255 | depends on IP6_NF_MANGLE | |
256 | help | |
257 | This option adds a `HL' target, which enables the user to decrement | |
258 | the hoplimit value of the IPv6 header or set it to a given (lower) | |
259 | value. | |
260 | ||
261 | While it is safe to decrement the hoplimit value, this option also | |
262 | enables functionality to increment and set the hoplimit value of the | |
263 | IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since | |
264 | you can easily create immortal packets that loop forever on the | |
265 | network. | |
266 | ||
267 | To compile it as a module, choose M here. If unsure, say N. | |
268 | ||
1da177e4 LT |
269 | #dep_tristate ' LOG target support' CONFIG_IP6_NF_TARGET_LOG $CONFIG_IP6_NF_IPTABLES |
270 | config IP6_NF_RAW | |
271 | tristate 'raw table support (required for TRACE)' | |
272 | depends on IP6_NF_IPTABLES | |
273 | help | |
274 | This option adds a `raw' table to ip6tables. This table is the very | |
275 | first in the netfilter framework and hooks in at the PREROUTING | |
276 | and OUTPUT chains. | |
277 | ||
278 | If you want to compile it as a module, say M here and read | |
279 | <file:Documentation/modules.txt>. If unsure, say `N'. | |
280 | ||
281 | endmenu | |
282 |