xref: /linux/net/ipv6/netfilter/Kconfig (revision 307797159ac25fe5a2048bf5c6a5718298edca57)
1#
2# IP netfilter configuration
3#
4
5menu "IPv6: Netfilter Configuration"
6	depends on INET && IPV6 && NETFILTER
7
8config NF_SOCKET_IPV6
9	tristate "IPv6 socket lookup support"
10	help
11	  This option enables the IPv6 socket lookup infrastructure. This
12	  is used by the {ip6,nf}tables socket match.
13
14config NF_TPROXY_IPV6
15	tristate "IPv6 tproxy support"
16
17if NF_TABLES
18
19config NF_TABLES_IPV6
20	bool "IPv6 nf_tables support"
21	help
22	  This option enables the IPv6 support for nf_tables.
23
24if NF_TABLES_IPV6
25
26config NFT_CHAIN_ROUTE_IPV6
27	tristate "IPv6 nf_tables route chain support"
28	help
29	  This option enables the "route" chain for IPv6 in nf_tables. This
30	  chain type is used to force packet re-routing after mangling header
31	  fields such as the source, destination, flowlabel, hop-limit and
32	  the packet mark.
33
34if NF_NAT_IPV6
35
36config NFT_CHAIN_NAT_IPV6
37	tristate "IPv6 nf_tables nat chain support"
38	help
39	  This option enables the "nat" chain for IPv6 in nf_tables. This
40	  chain type is used to perform Network Address Translation (NAT)
41	  packet transformations such as the source, destination address and
42	  source and destination ports.
43
44config NFT_MASQ_IPV6
45	tristate "IPv6 masquerade support for nf_tables"
46	depends on NFT_MASQ
47	select NF_NAT_MASQUERADE_IPV6
48	help
49	  This is the expression that provides IPv6 masquerading support for
50	  nf_tables.
51
52config NFT_REDIR_IPV6
53	tristate "IPv6 redirect support for nf_tables"
54	depends on NFT_REDIR
55	select NF_NAT_REDIRECT
56	help
57	  This is the expression that provides IPv6 redirect support for
58	  nf_tables.
59
60endif # NF_NAT_IPV6
61
62config NFT_REJECT_IPV6
63	select NF_REJECT_IPV6
64	default NFT_REJECT
65	tristate
66
67config NFT_DUP_IPV6
68	tristate "IPv6 nf_tables packet duplication support"
69	depends on !NF_CONNTRACK || NF_CONNTRACK
70	select NF_DUP_IPV6
71	help
72	  This module enables IPv6 packet duplication support for nf_tables.
73
74config NFT_FIB_IPV6
75	tristate "nf_tables fib / ipv6 route lookup support"
76	select NFT_FIB
77	help
78	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
79	  It also allows query of the FIB for the route type, e.g. local, unicast,
80	  multicast or blackhole.
81
82endif # NF_TABLES_IPV6
83endif # NF_TABLES
84
85config NF_FLOW_TABLE_IPV6
86	tristate "Netfilter flow table IPv6 module"
87	depends on NF_FLOW_TABLE
88	help
89	  This option adds the flow table IPv6 support.
90
91	  To compile it as a module, choose M here.
92
93config NF_DUP_IPV6
94	tristate "Netfilter IPv6 packet duplication to alternate destination"
95	depends on !NF_CONNTRACK || NF_CONNTRACK
96	help
97	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
98	  packet to be rerouted to another destination.
99
100config NF_REJECT_IPV6
101	tristate "IPv6 packet rejection"
102	default m if NETFILTER_ADVANCED=n
103
104config NF_LOG_IPV6
105	tristate "IPv6 packet logging"
106	default m if NETFILTER_ADVANCED=n
107	select NF_LOG_COMMON
108
109config NF_NAT_IPV6
110	tristate "IPv6 NAT"
111	depends on NF_CONNTRACK
112	depends on NETFILTER_ADVANCED
113	select NF_NAT
114	help
115	  The IPv6 NAT option allows masquerading, port forwarding and other
116	  forms of full Network Address Port Translation. This can be
117	  controlled by iptables or nft.
118
119if NF_NAT_IPV6
120
121config NF_NAT_MASQUERADE_IPV6
122	bool
123
124endif # NF_NAT_IPV6
125
126config IP6_NF_IPTABLES
127	tristate "IP6 tables support (required for filtering)"
128	depends on INET && IPV6
129	select NETFILTER_XTABLES
130	default m if NETFILTER_ADVANCED=n
131	help
132	  ip6tables is a general, extensible packet identification framework.
133	  Currently only the packet filtering and packet mangling subsystems
134	  for IPv6 use this, but connection tracking is going to follow.
135	  Say 'Y' or 'M' here if you want to use either of those.
136
137	  To compile it as a module, choose M here.  If unsure, say N.
138
139if IP6_NF_IPTABLES
140
141# The simple matches.
142config IP6_NF_MATCH_AH
143	tristate '"ah" match support'
144	depends on NETFILTER_ADVANCED
145	help
146	  This module allows one to match AH packets.
147
148	  To compile it as a module, choose M here.  If unsure, say N.
149
150config IP6_NF_MATCH_EUI64
151	tristate '"eui64" address check'
152	depends on NETFILTER_ADVANCED
153	help
154	  This module performs checking on the IPv6 source address.
155	  It compares the last 64 bits with the EUI64 address (derived
156	  from the MAC address).
157
158	  To compile it as a module, choose M here.  If unsure, say N.
159
160config IP6_NF_MATCH_FRAG
161	tristate '"frag" Fragmentation header match support'
162	depends on NETFILTER_ADVANCED
163	help
164	  frag matching allows you to match packets based on the fragmentation
165	  header of the packet.
166
167	  To compile it as a module, choose M here.  If unsure, say N.
168
169config IP6_NF_MATCH_OPTS
170	tristate '"hbh" hop-by-hop and "dst" opts header match support'
171	depends on NETFILTER_ADVANCED
172	help
173	  This allows one to match packets based on the hop-by-hop
174	  and destination options headers of a packet.
175
176	  To compile it as a module, choose M here.  If unsure, say N.
177
178config IP6_NF_MATCH_HL
179	tristate '"hl" hoplimit match support'
180	depends on NETFILTER_ADVANCED
181	select NETFILTER_XT_MATCH_HL
182	---help---
183	This is a backwards-compat option for the user's convenience
184	(e.g. when running oldconfig). It selects
185	CONFIG_NETFILTER_XT_MATCH_HL.
186
187config IP6_NF_MATCH_IPV6HEADER
188	tristate '"ipv6header" IPv6 Extension Headers Match'
189	default m if NETFILTER_ADVANCED=n
190	help
191	  This module allows one to match packets based upon
192	  the ipv6 extension headers.
193
194	  To compile it as a module, choose M here.  If unsure, say N.
195
196config IP6_NF_MATCH_MH
197	tristate '"mh" match support'
198	depends on NETFILTER_ADVANCED
199	help
200	  This module allows one to match MH packets.
201
202	  To compile it as a module, choose M here.  If unsure, say N.
203
204config IP6_NF_MATCH_RPFILTER
205	tristate '"rpfilter" reverse path filter match support'
206	depends on NETFILTER_ADVANCED
207	depends on IP6_NF_MANGLE || IP6_NF_RAW
208	---help---
209	  This option allows you to match packets whose replies would
210	  go out via the interface the packet came in.
211
212	  To compile it as a module, choose M here.  If unsure, say N.
213	  The module will be called ip6t_rpfilter.
214
215config IP6_NF_MATCH_RT
216	tristate '"rt" Routing header match support'
217	depends on NETFILTER_ADVANCED
218	help
219	  rt matching allows you to match packets based on the routing
220	  header of the packet.
221
222	  To compile it as a module, choose M here.  If unsure, say N.
223
224config IP6_NF_MATCH_SRH
225        tristate '"srh" Segment Routing header match support'
226        depends on NETFILTER_ADVANCED
227        help
228          srh matching allows you to match packets based on the segment
229	  routing header of the packet.
230
231          To compile it as a module, choose M here.  If unsure, say N.
232
233# The targets
234config IP6_NF_TARGET_HL
235	tristate '"HL" hoplimit target support'
236	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
237	select NETFILTER_XT_TARGET_HL
238	---help---
239	This is a backwards-compatible option for the user's convenience
240	(e.g. when running oldconfig). It selects
241	CONFIG_NETFILTER_XT_TARGET_HL.
242
243config IP6_NF_FILTER
244	tristate "Packet filtering"
245	default m if NETFILTER_ADVANCED=n
246	help
247	  Packet filtering defines a table `filter', which has a series of
248	  rules for simple packet filtering at local input, forwarding and
249	  local output.  See the man page for iptables(8).
250
251	  To compile it as a module, choose M here.  If unsure, say N.
252
253config IP6_NF_TARGET_REJECT
254	tristate "REJECT target support"
255	depends on IP6_NF_FILTER
256	select NF_REJECT_IPV6
257	default m if NETFILTER_ADVANCED=n
258	help
259	  The REJECT target allows a filtering rule to specify that an ICMPv6
260	  error should be issued in response to an incoming packet, rather
261	  than silently being dropped.
262
263	  To compile it as a module, choose M here.  If unsure, say N.
264
265config IP6_NF_TARGET_SYNPROXY
266	tristate "SYNPROXY target support"
267	depends on NF_CONNTRACK && NETFILTER_ADVANCED
268	select NETFILTER_SYNPROXY
269	select SYN_COOKIES
270	help
271	  The SYNPROXY target allows you to intercept TCP connections and
272	  establish them using syncookies before they are passed on to the
273	  server. This makes it possible to avoid conntrack and server
274	  resource usage during SYN-flood attacks.
275
276	  To compile it as a module, choose M here. If unsure, say N.
277
278config IP6_NF_MANGLE
279	tristate "Packet mangling"
280	default m if NETFILTER_ADVANCED=n
281	help
282	  This option adds a `mangle' table to iptables: see the man page for
283	  iptables(8).  This table is used for various packet alterations
284	  which can affect how the packet is routed.
285
286	  To compile it as a module, choose M here.  If unsure, say N.
287
288config IP6_NF_RAW
289	tristate  'raw table support (required for TRACE)'
290	help
291	  This option adds a `raw' table to ip6tables. This table is the very
292	  first in the netfilter framework and hooks in at the PREROUTING
293	  and OUTPUT chains.
294
295	  If you want to compile it as a module, say M here and read
296	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
297
298# security table for MAC policy
299config IP6_NF_SECURITY
300       tristate "Security table"
301       depends on SECURITY
302       depends on NETFILTER_ADVANCED
303       help
304         This option adds a `security' table to iptables, for use
305         with Mandatory Access Control (MAC) policy.
306
307         If unsure, say N.
308
309config IP6_NF_NAT
310	tristate "ip6tables NAT support"
311	depends on NF_CONNTRACK
312	depends on NETFILTER_ADVANCED
313	select NF_NAT
314	select NF_NAT_IPV6
315	select NETFILTER_XT_NAT
316	help
317	  This enables the `nat' table in ip6tables. This allows masquerading,
318	  port forwarding and other forms of full Network Address Port
319	  Translation.
320
321	  To compile it as a module, choose M here.  If unsure, say N.
322
323if IP6_NF_NAT
324
325config IP6_NF_TARGET_MASQUERADE
326	tristate "MASQUERADE target support"
327	select NF_NAT_MASQUERADE_IPV6
328	help
329	  Masquerading is a special case of NAT: all outgoing connections are
330	  changed to seem to come from a particular interface's address, and
331	  if the interface goes down, those connections are lost.  This is
332	  only useful for dialup accounts with dynamic IP address (i.e. your IP
333	  address will be different on next dialup).
334
335	  To compile it as a module, choose M here.  If unsure, say N.
336
337config IP6_NF_TARGET_NPT
338	tristate "NPT (Network Prefix translation) target support"
339	help
340	  This option adds the `SNPT' and `DNPT' target, which perform
341	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
342
343	  To compile it as a module, choose M here.  If unsure, say N.
344
345endif # IP6_NF_NAT
346
347endif # IP6_NF_IPTABLES
348endmenu
349
350config NF_DEFRAG_IPV6
351	tristate
352