# SPDX-License-Identifier: GPL-2.0-only
|
#
|
# IP netfilter configuration
|
#
|
|
menu "IPv6: Netfilter Configuration"
|
depends on INET && IPV6 && NETFILTER
|
|
config NF_SOCKET_IPV6
|
tristate "IPv6 socket lookup support"
|
help
|
This option enables the IPv6 socket lookup infrastructure. This
|
is used by the {ip6,nf}tables socket match.
|
|
config NF_TPROXY_IPV6
|
tristate "IPv6 tproxy support"
|
|
if NF_TABLES
|
|
config NF_TABLES_IPV6
|
bool "IPv6 nf_tables support"
|
help
|
This option enables the IPv6 support for nf_tables.
|
|
if NF_TABLES_IPV6
|
|
config NFT_REJECT_IPV6
|
select NF_REJECT_IPV6
|
default NFT_REJECT
|
tristate
|
|
config NFT_DUP_IPV6
|
tristate "IPv6 nf_tables packet duplication support"
|
depends on !NF_CONNTRACK || NF_CONNTRACK
|
select NF_DUP_IPV6
|
help
|
This module enables IPv6 packet duplication support for nf_tables.
|
|
config NFT_FIB_IPV6
|
tristate "nf_tables fib / ipv6 route lookup support"
|
select NFT_FIB
|
help
|
This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
|
It also allows query of the FIB for the route type, e.g. local, unicast,
|
multicast or blackhole.
|
|
endif # NF_TABLES_IPV6
|
endif # NF_TABLES
|
|
config NF_FLOW_TABLE_IPV6
|
tristate "Netfilter flow table IPv6 module"
|
depends on NF_FLOW_TABLE
|
help
|
This option adds the flow table IPv6 support.
|
|
To compile it as a module, choose M here.
|
|
config NF_DUP_IPV6
|
tristate "Netfilter IPv6 packet duplication to alternate destination"
|
depends on !NF_CONNTRACK || NF_CONNTRACK
|
help
|
This option enables the nf_dup_ipv6 core, which duplicates an IPv6
|
packet to be rerouted to another destination.
|
|
config NF_REJECT_IPV6
|
tristate "IPv6 packet rejection"
|
default m if NETFILTER_ADVANCED=n
|
|
config NF_LOG_IPV6
|
tristate "IPv6 packet logging"
|
default m if NETFILTER_ADVANCED=n
|
select NF_LOG_COMMON
|
|
config IP6_NF_IPTABLES
|
tristate "IP6 tables support (required for filtering)"
|
depends on INET && IPV6
|
select NETFILTER_XTABLES
|
default m if NETFILTER_ADVANCED=n
|
help
|
ip6tables is a general, extensible packet identification framework.
|
Currently only the packet filtering and packet mangling subsystem
|
for IPv6 use this, but connection tracking is going to follow.
|
Say 'Y' or 'M' here if you want to use either of those.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
if IP6_NF_IPTABLES
|
|
# The simple matches.
|
config IP6_NF_MATCH_AH
|
tristate '"ah" match support'
|
depends on NETFILTER_ADVANCED
|
help
|
This module allows one to match AH packets.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config IP6_NF_MATCH_EUI64
|
tristate '"eui64" address check'
|
depends on NETFILTER_ADVANCED
|
help
|
This module performs checking on the IPv6 source address
|
Compares the last 64 bits with the EUI64 (delivered
|
from the MAC address) address
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config IP6_NF_MATCH_FRAG
|
tristate '"frag" Fragmentation header match support'
|
depends on NETFILTER_ADVANCED
|
help
|
frag matching allows you to match packets based on the fragmentation
|
header of the packet.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config IP6_NF_MATCH_OPTS
|
tristate '"hbh" hop-by-hop and "dst" opts header match support'
|
depends on NETFILTER_ADVANCED
|
help
|
This allows one to match packets based on the hop-by-hop
|
and destination options headers of a packet.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config IP6_NF_MATCH_HL
|
tristate '"hl" hoplimit match support'
|
depends on NETFILTER_ADVANCED
|
select NETFILTER_XT_MATCH_HL
|
help
|
This is a backwards-compat option for the user's convenience
|
(e.g. when running oldconfig). It selects
|
CONFIG_NETFILTER_XT_MATCH_HL.
|
|
config IP6_NF_MATCH_IPV6HEADER
|
tristate '"ipv6header" IPv6 Extension Headers Match'
|
default m if NETFILTER_ADVANCED=n
|
help
|
This module allows one to match packets based upon
|
the ipv6 extension headers.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config IP6_NF_MATCH_MH
|
tristate '"mh" match support'
|
depends on NETFILTER_ADVANCED
|
help
|
This module allows one to match MH packets.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config IP6_NF_MATCH_RPFILTER
|
tristate '"rpfilter" reverse path filter match support'
|
depends on NETFILTER_ADVANCED
|
depends on IP6_NF_MANGLE || IP6_NF_RAW
|
help
|
This option allows you to match packets whose replies would
|
go out via the interface the packet came in.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
The module will be called ip6t_rpfilter.
|
|
config IP6_NF_MATCH_RT
|
tristate '"rt" Routing header match support'
|
depends on NETFILTER_ADVANCED
|
help
|
rt matching allows you to match packets based on the routing
|
header of the packet.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config IP6_NF_MATCH_SRH
|
tristate '"srh" Segment Routing header match support'
|
depends on NETFILTER_ADVANCED
|
help
|
srh matching allows you to match packets based on the segment
|
routing header of the packet.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
# The targets
|
config IP6_NF_TARGET_HL
|
tristate '"HL" hoplimit target support'
|
depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
|
select NETFILTER_XT_TARGET_HL
|
help
|
This is a backwards-compatible option for the user's convenience
|
(e.g. when running oldconfig). It selects
|
CONFIG_NETFILTER_XT_TARGET_HL.
|
|
config IP6_NF_FILTER
|
tristate "Packet filtering"
|
default m if NETFILTER_ADVANCED=n
|
help
|
Packet filtering defines a table `filter', which has a series of
|
rules for simple packet filtering at local input, forwarding and
|
local output. See the man page for iptables(8).
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config IP6_NF_TARGET_REJECT
|
tristate "REJECT target support"
|
depends on IP6_NF_FILTER
|
select NF_REJECT_IPV6
|
default m if NETFILTER_ADVANCED=n
|
help
|
The REJECT target allows a filtering rule to specify that an ICMPv6
|
error should be issued in response to an incoming packet, rather
|
than silently being dropped.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config IP6_NF_TARGET_SYNPROXY
|
tristate "SYNPROXY target support"
|
depends on NF_CONNTRACK && NETFILTER_ADVANCED
|
select NETFILTER_SYNPROXY
|
select SYN_COOKIES
|
help
|
The SYNPROXY target allows you to intercept TCP connections and
|
establish them using syncookies before they are passed on to the
|
server. This allows to avoid conntrack and server resource usage
|
during SYN-flood attacks.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config IP6_NF_MANGLE
|
tristate "Packet mangling"
|
default m if NETFILTER_ADVANCED=n
|
help
|
This option adds a `mangle' table to iptables: see the man page for
|
iptables(8). This table is used for various packet alterations
|
which can effect how the packet is routed.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config IP6_NF_RAW
|
tristate 'raw table support (required for TRACE)'
|
help
|
This option adds a `raw' table to ip6tables. This table is the very
|
first in the netfilter framework and hooks in at the PREROUTING
|
and OUTPUT chains.
|
|
If you want to compile it as a module, say M here and read
|
<file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
|
|
# security table for MAC policy
|
config IP6_NF_SECURITY
|
tristate "Security table"
|
depends on SECURITY
|
depends on NETFILTER_ADVANCED
|
help
|
This option adds a `security' table to iptables, for use
|
with Mandatory Access Control (MAC) policy.
|
|
If unsure, say N.
|
|
config IP6_NF_NAT
|
tristate "ip6tables NAT support"
|
depends on NF_CONNTRACK
|
depends on NETFILTER_ADVANCED
|
select NF_NAT
|
select NETFILTER_XT_NAT
|
help
|
This enables the `nat' table in ip6tables. This allows masquerading,
|
port forwarding and other forms of full Network Address Port
|
Translation.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
if IP6_NF_NAT
|
|
config IP6_NF_TARGET_MASQUERADE
|
tristate "MASQUERADE target support"
|
select NETFILTER_XT_TARGET_MASQUERADE
|
help
|
This is a backwards-compat option for the user's convenience
|
(e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.
|
|
config IP6_NF_TARGET_NPT
|
tristate "NPT (Network Prefix translation) target support"
|
help
|
This option adds the `SNPT' and `DNPT' target, which perform
|
stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
endif # IP6_NF_NAT
|
|
endif # IP6_NF_IPTABLES
|
endmenu
|
|
config NF_DEFRAG_IPV6
|
tristate
|
