Kconfig (8556B)
1# SPDX-License-Identifier: GPL-2.0-only 2# 3# IP netfilter configuration 4# 5 6menu "IPv6: Netfilter Configuration" 7 depends on INET && IPV6 && NETFILTER 8 9config NF_SOCKET_IPV6 10 tristate "IPv6 socket lookup support" 11 help 12 This option enables the IPv6 socket lookup infrastructure. This 13 is used by the {ip6,nf}tables socket match. 14 15config NF_TPROXY_IPV6 16 tristate "IPv6 tproxy support" 17 18if NF_TABLES 19 20config NF_TABLES_IPV6 21 bool "IPv6 nf_tables support" 22 help 23 This option enables the IPv6 support for nf_tables. 24 25if NF_TABLES_IPV6 26 27config NFT_REJECT_IPV6 28 select NF_REJECT_IPV6 29 default NFT_REJECT 30 tristate 31 32config NFT_DUP_IPV6 33 tristate "IPv6 nf_tables packet duplication support" 34 depends on !NF_CONNTRACK || NF_CONNTRACK 35 select NF_DUP_IPV6 36 help 37 This module enables IPv6 packet duplication support for nf_tables. 38 39config NFT_FIB_IPV6 40 tristate "nf_tables fib / ipv6 route lookup support" 41 select NFT_FIB 42 help 43 This module enables IPv6 FIB lookups, e.g. for reverse path filtering. 44 It also allows query of the FIB for the route type, e.g. local, unicast, 45 multicast or blackhole. 46 47endif # NF_TABLES_IPV6 48endif # NF_TABLES 49 50config NF_DUP_IPV6 51 tristate "Netfilter IPv6 packet duplication to alternate destination" 52 depends on !NF_CONNTRACK || NF_CONNTRACK 53 help 54 This option enables the nf_dup_ipv6 core, which duplicates an IPv6 55 packet to be rerouted to another destination. 56 57config NF_REJECT_IPV6 58 tristate "IPv6 packet rejection" 59 default m if NETFILTER_ADVANCED=n 60 61config NF_LOG_IPV6 62 tristate "IPv6 packet logging" 63 default m if NETFILTER_ADVANCED=n 64 select NF_LOG_SYSLOG 65 help 66 This is a backwards-compat option for the user's convenience 67 (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG. 68 69config IP6_NF_IPTABLES 70 tristate "IP6 tables support (required for filtering)" 71 depends on INET && IPV6 72 select NETFILTER_XTABLES 73 default m if NETFILTER_ADVANCED=n 74 help 75 ip6tables is a general, extensible packet identification framework. 76 Currently only the packet filtering and packet mangling subsystem 77 for IPv6 use this, but connection tracking is going to follow. 78 Say 'Y' or 'M' here if you want to use either of those. 79 80 To compile it as a module, choose M here. If unsure, say N. 81 82if IP6_NF_IPTABLES 83 84# The simple matches. 85config IP6_NF_MATCH_AH 86 tristate '"ah" match support' 87 depends on NETFILTER_ADVANCED 88 help 89 This module allows one to match AH packets. 90 91 To compile it as a module, choose M here. If unsure, say N. 92 93config IP6_NF_MATCH_EUI64 94 tristate '"eui64" address check' 95 depends on NETFILTER_ADVANCED 96 help 97 This module performs checking on the IPv6 source address 98 Compares the last 64 bits with the EUI64 (delivered 99 from the MAC address) address 100 101 To compile it as a module, choose M here. If unsure, say N. 102 103config IP6_NF_MATCH_FRAG 104 tristate '"frag" Fragmentation header match support' 105 depends on NETFILTER_ADVANCED 106 help 107 frag matching allows you to match packets based on the fragmentation 108 header of the packet. 109 110 To compile it as a module, choose M here. If unsure, say N. 111 112config IP6_NF_MATCH_OPTS 113 tristate '"hbh" hop-by-hop and "dst" opts header match support' 114 depends on NETFILTER_ADVANCED 115 help 116 This allows one to match packets based on the hop-by-hop 117 and destination options headers of a packet. 118 119 To compile it as a module, choose M here. If unsure, say N. 120 121config IP6_NF_MATCH_HL 122 tristate '"hl" hoplimit match support' 123 depends on NETFILTER_ADVANCED 124 select NETFILTER_XT_MATCH_HL 125 help 126 This is a backwards-compat option for the user's convenience 127 (e.g. when running oldconfig). It selects 128 CONFIG_NETFILTER_XT_MATCH_HL. 129 130config IP6_NF_MATCH_IPV6HEADER 131 tristate '"ipv6header" IPv6 Extension Headers Match' 132 default m if NETFILTER_ADVANCED=n 133 help 134 This module allows one to match packets based upon 135 the ipv6 extension headers. 136 137 To compile it as a module, choose M here. If unsure, say N. 138 139config IP6_NF_MATCH_MH 140 tristate '"mh" match support' 141 depends on NETFILTER_ADVANCED 142 help 143 This module allows one to match MH packets. 144 145 To compile it as a module, choose M here. If unsure, say N. 146 147config IP6_NF_MATCH_RPFILTER 148 tristate '"rpfilter" reverse path filter match support' 149 depends on NETFILTER_ADVANCED 150 depends on IP6_NF_MANGLE || IP6_NF_RAW 151 help 152 This option allows you to match packets whose replies would 153 go out via the interface the packet came in. 154 155 To compile it as a module, choose M here. If unsure, say N. 156 The module will be called ip6t_rpfilter. 157 158config IP6_NF_MATCH_RT 159 tristate '"rt" Routing header match support' 160 depends on NETFILTER_ADVANCED 161 help 162 rt matching allows you to match packets based on the routing 163 header of the packet. 164 165 To compile it as a module, choose M here. If unsure, say N. 166 167config IP6_NF_MATCH_SRH 168 tristate '"srh" Segment Routing header match support' 169 depends on NETFILTER_ADVANCED 170 help 171 srh matching allows you to match packets based on the segment 172 routing header of the packet. 173 174 To compile it as a module, choose M here. If unsure, say N. 175 176# The targets 177config IP6_NF_TARGET_HL 178 tristate '"HL" hoplimit target support' 179 depends on NETFILTER_ADVANCED && IP6_NF_MANGLE 180 select NETFILTER_XT_TARGET_HL 181 help 182 This is a backwards-compatible option for the user's convenience 183 (e.g. when running oldconfig). It selects 184 CONFIG_NETFILTER_XT_TARGET_HL. 185 186config IP6_NF_FILTER 187 tristate "Packet filtering" 188 default m if NETFILTER_ADVANCED=n 189 help 190 Packet filtering defines a table `filter', which has a series of 191 rules for simple packet filtering at local input, forwarding and 192 local output. See the man page for iptables(8). 193 194 To compile it as a module, choose M here. If unsure, say N. 195 196config IP6_NF_TARGET_REJECT 197 tristate "REJECT target support" 198 depends on IP6_NF_FILTER 199 select NF_REJECT_IPV6 200 default m if NETFILTER_ADVANCED=n 201 help 202 The REJECT target allows a filtering rule to specify that an ICMPv6 203 error should be issued in response to an incoming packet, rather 204 than silently being dropped. 205 206 To compile it as a module, choose M here. If unsure, say N. 207 208config IP6_NF_TARGET_SYNPROXY 209 tristate "SYNPROXY target support" 210 depends on NF_CONNTRACK && NETFILTER_ADVANCED 211 select NETFILTER_SYNPROXY 212 select SYN_COOKIES 213 help 214 The SYNPROXY target allows you to intercept TCP connections and 215 establish them using syncookies before they are passed on to the 216 server. This allows to avoid conntrack and server resource usage 217 during SYN-flood attacks. 218 219 To compile it as a module, choose M here. If unsure, say N. 220 221config IP6_NF_MANGLE 222 tristate "Packet mangling" 223 default m if NETFILTER_ADVANCED=n 224 help 225 This option adds a `mangle' table to iptables: see the man page for 226 iptables(8). This table is used for various packet alterations 227 which can effect how the packet is routed. 228 229 To compile it as a module, choose M here. If unsure, say N. 230 231config IP6_NF_RAW 232 tristate 'raw table support (required for TRACE)' 233 help 234 This option adds a `raw' table to ip6tables. This table is the very 235 first in the netfilter framework and hooks in at the PREROUTING 236 and OUTPUT chains. 237 238 If you want to compile it as a module, say M here and read 239 <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. 240 241# security table for MAC policy 242config IP6_NF_SECURITY 243 tristate "Security table" 244 depends on SECURITY 245 depends on NETFILTER_ADVANCED 246 help 247 This option adds a `security' table to iptables, for use 248 with Mandatory Access Control (MAC) policy. 249 250 If unsure, say N. 251 252config IP6_NF_NAT 253 tristate "ip6tables NAT support" 254 depends on NF_CONNTRACK 255 depends on NETFILTER_ADVANCED 256 select NF_NAT 257 select NETFILTER_XT_NAT 258 help 259 This enables the `nat' table in ip6tables. This allows masquerading, 260 port forwarding and other forms of full Network Address Port 261 Translation. 262 263 To compile it as a module, choose M here. If unsure, say N. 264 265if IP6_NF_NAT 266 267config IP6_NF_TARGET_MASQUERADE 268 tristate "MASQUERADE target support" 269 select NETFILTER_XT_TARGET_MASQUERADE 270 help 271 This is a backwards-compat option for the user's convenience 272 (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE. 273 274config IP6_NF_TARGET_NPT 275 tristate "NPT (Network Prefix translation) target support" 276 help 277 This option adds the `SNPT' and `DNPT' target, which perform 278 stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296. 279 280 To compile it as a module, choose M here. If unsure, say N. 281 282endif # IP6_NF_NAT 283 284endif # IP6_NF_IPTABLES 285endmenu 286 287config NF_DEFRAG_IPV6 288 tristate