# SPDX-License-Identifier: GPL-2.0-only
#
# IPv6 netfilter configuration
#

# Every entry between "menu" and "endmenu" inherits the dependency on
# INET, IPV6 and NETFILTER declared here.
menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# old sockopt interface and eval loop
# The legacy filter, mangle, raw, security and nat tables defined later in
# this file all depend on this symbol, so leaving it off removes them from
# the build. The help text points at iptables-nft as the replacement.
config IP6_NF_IPTABLES_LEGACY
	tristate "Legacy IP6 tables support"
	depends on INET && IPV6 && NETFILTER_XTABLES_LEGACY
	default m if NETFILTER_XTABLES_LEGACY
	help
	  ip6tables is a legacy packet classifier.
	  This is not needed if you are using iptables over nftables
	  (iptables-nft).

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the {ip6,nf}tables socket match.

# NOTE(review): this symbol has a prompt but no help text; presumably it
# builds the IPv6 transparent-proxy helpers -- confirm against the sources.
config NF_TPROXY_IPV6
	tristate "IPv6 tproxy support"

# The nf_tables IPv6 symbols are only offered when NF_TABLES is enabled.
if NF_TABLES

# bool, not tristate: IPv6 nf_tables support is either built in or absent.
config NF_TABLES_IPV6
	bool "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

# Hidden symbol (no prompt): its value follows NFT_REJECT, and it pulls in
# the shared IPv6 reject core through the select.
config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	# Kconfig idiom: the expression is y when NF_CONNTRACK is off or built
	# in and m when NF_CONNTRACK is a module, so this symbol cannot be
	# built in while conntrack is modular.
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

# The help text names reverse path filtering as a use case; that check
# rejects packets whose source address would not be routed back out of the
# arrival interface, a common anti-spoofing measure.
config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

# Duplication core that NFT_DUP_IPV6 selects; it can also be enabled
# directly because it carries its own prompt.
config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	# Same idiom as NFT_DUP_IPV6: limits this symbol to m while
	# NF_CONNTRACK is modular.
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.
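
# Reject core shared by the nf_tables and ip6tables REJECT users, which both
# select it. Defaults to m when NETFILTER_ADVANCED is off.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

# Compatibility symbol: its only effect is to select NF_LOG_SYSLOG.
config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_SYSLOG
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.

# Gate for every ip6tables match and target in the "if IP6_NF_IPTABLES"
# block that follows.
# NOTE(review): the help text predates the raw, security and nat tables that
# this file defines further down; it only mentions filtering and mangling.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
# AH is the IPsec Authentication Header extension header.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): a host that does not form its interface identifier from its
# MAC address (for example one using temporary or otherwise randomised
# addresses) will not satisfy this check, so treat it as a consistency
# check rather than as proof of the sender's identity.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here. If unsure, say N.

# Lets a rule set handle fragmented traffic explicitly instead of only
# through the upper-layer matches.
config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.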

# One symbol covers both the "hbh" and the "dst" matches.
config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility symbol: its only effect is to select the protocol-independent
# NETFILTER_XT_MATCH_HL.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# Unlike the neighbouring matches this one does not depend on
# NETFILTER_ADVANCED; it defaults to m when that option is off.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): the help text does not expand "MH"; presumably the Mobile
# IPv6 Mobility Header -- confirm against the match source.
config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Reverse path filtering as an ip6tables match: a packet matches when the
# reply to it would leave through the interface it arrived on, which is the
# usual basis for dropping spoofed source addresses.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	# The two "depends on" lines are ANDed. Presumably the match is only
	# usable from the mangle and raw tables (or through the nft
	# compatibility layer) -- confirm against the match source.
	depends on IP6_NF_MANGLE || IP6_NF_RAW || NFT_COMPAT
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

# NOTE(review): type 0 routing headers were deprecated by RFC 5095; this
# match is one way for a rule set to identify routing-header traffic so it
# can be filtered.
config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.
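
config IP6_NF_MATCH_SRH
	tristate '"srh" Segment Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  srh matching allows you to match packets based on the segment
	  routing header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# The targets
# Compatibility symbol: its only effect is to select the protocol-independent
# NETFILTER_XT_TARGET_HL. It is only offered together with the mangle table.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# Legacy `filter' table. The symbol's type is declared once, together with
# its prompt, matching the layout of IP6_NF_MANGLE; the original entry
# repeated a bare "tristate" after the dependency.
config IP6_NF_FILTER
	tristate "Packet filtering"
	# Defaults to m when NETFILTER_ADVANCED is off or whenever the legacy
	# ip6tables dependency below is enabled.
	default m if NETFILTER_ADVANCED=n || IP6_NF_IPTABLES_LEGACY
	depends on IP6_NF_IPTABLES_LEGACY
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# REJECT answers the sender with an ICMPv6 error, whereas a plain drop stays
# silent; which is appropriate is a policy decision for the rule set.
# Available with the legacy filter table or through the nft compatibility
# layer, and it selects the shared reject core.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER || NFT_COMPAT
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

# SYN-flood mitigation: requires connection tracking and forces SYN_COOKIES
# and the shared NETFILTER_SYNPROXY core on through select.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This makes it possible to avoid conntrack and server
	  resource usage during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.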
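
# Legacy `mangle' table.
config IP6_NF_MANGLE
	tristate "Packet mangling"
	# Defaults to m when NETFILTER_ADVANCED is off or whenever the legacy
	# ip6tables dependency below is enabled.
	default m if NETFILTER_ADVANCED=n || IP6_NF_IPTABLES_LEGACY
	depends on IP6_NF_IPTABLES_LEGACY
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# Legacy `raw' table. No default is given, so it stays off unless chosen;
# the prompt notes that TRACE needs it.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	depends on IP6_NF_IPTABLES_LEGACY
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

# security table for MAC policy
# The three "depends on" lines are ANDed: the table is only offered when
# SECURITY, NETFILTER_ADVANCED and the legacy ip6tables support are all on.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_IPTABLES_LEGACY
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# Legacy `nat' table. Needs connection tracking and selects the NAT core
# and the xtables NAT targets.
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_IPTABLES_LEGACY
	select NF_NAT
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility symbol: its only effect is to select
# NETFILTER_XT_TARGET_MASQUERADE.
config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NETFILTER_XT_TARGET_MASQUERADE
	depends on IP6_NF_NAT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.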

# NOTE(review): the help text describes the translation as stateless, so it
# does not by itself restrict which inbound packets are accepted; filtering
# still has to come from the rule set.
# Available with the legacy nat table or through the nft compatibility layer.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	depends on IP6_NF_NAT || NFT_COMPAT
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_IPTABLES
endmenu

# Hidden symbol (no prompt) declared outside the menu, so it does not inherit
# the menu's dependencies. Nothing in this file selects it; presumably other
# Kconfig files do -- confirm with a tree-wide search.
config NF_DEFRAG_IPV6
	tristate