2005-04-16 22:20:36 +00:00
|
|
|
#
|
|
|
|
# IP netfilter configuration
|
|
|
|
#
|
|
|
|
|
2008-01-15 07:31:36 +00:00
|
|
|
menu "IPv6: Netfilter Configuration"
|
|
|
|
depends on INET && IPV6 && NETFILTER
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2005-11-14 23:26:58 +00:00
|
|
|
config NF_CONNTRACK_IPV6
|
2008-01-15 07:31:36 +00:00
|
|
|
tristate "IPv6 connection tracking support"
|
|
|
|
depends on INET && IPV6 && NF_CONNTRACK
|
2007-12-18 06:47:05 +00:00
|
|
|
default m if NETFILTER_ADVANCED=n
|
2005-11-14 23:26:58 +00:00
|
|
|
---help---
|
|
|
|
Connection tracking keeps a record of what packets have passed
|
|
|
|
through your machine, in order to figure out how they are related
|
|
|
|
into connections.
|
|
|
|
|
|
|
|
This is IPv6 support on Layer 3 independent connection tracking.
|
|
|
|
Layer 3 independent connection tracking is an experimental scheme
|
|
|
|
which generalizes ip_conntrack to support other layer 3 protocols.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
config IP6_NF_QUEUE
|
2005-08-10 02:44:15 +00:00
|
|
|
tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
|
2008-01-15 07:31:36 +00:00
|
|
|
depends on INET && IPV6 && NETFILTER
|
2007-12-18 06:47:05 +00:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-04-16 22:20:36 +00:00
|
|
|
---help---
|
|
|
|
|
|
|
|
This option adds a queue handler to the kernel for IPv6
|
2005-08-10 02:44:15 +00:00
|
|
|
packets which enables users to receive the filtered packets
|
|
|
|
with the QUEUE target using libipq.
|
|
|
|
|
2007-05-09 05:12:20 +00:00
|
|
|
This option enables the old IPv6-only "ip6_queue" implementation
|
2005-08-10 02:44:15 +00:00
|
|
|
which has been obsoleted by the new "nfnetlink_queue" code (see
|
|
|
|
CONFIG_NETFILTER_NETLINK_QUEUE).
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
(C) Fernando Anton 2001
|
|
|
|
IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
|
|
|
|
Universidad Carlos III de Madrid
|
|
|
|
Universidad Politecnica de Alcala de Henares
|
|
|
|
email: <fanton@it.uc3m.es>.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_IPTABLES
|
2006-10-30 23:12:16 +00:00
|
|
|
tristate "IP6 tables support (required for filtering)"
|
2008-01-15 07:31:36 +00:00
|
|
|
depends on INET && IPV6
|
2007-02-12 19:15:02 +00:00
|
|
|
select NETFILTER_XTABLES
|
2007-12-18 06:47:05 +00:00
|
|
|
default m if NETFILTER_ADVANCED=n
|
2005-04-16 22:20:36 +00:00
|
|
|
help
|
|
|
|
ip6tables is a general, extensible packet identification framework.
|
|
|
|
Currently only the packet filtering and packet mangling subsystems
|
|
|
|
for IPv6 use this, but connection tracking is going to follow.
|
|
|
|
Say 'Y' or 'M' here if you want to use either of those.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
# The simple matches.
|
|
|
|
config IP6_NF_MATCH_RT
|
2007-12-05 07:31:59 +00:00
|
|
|
tristate '"rt" Routing header match support'
|
2005-04-16 22:20:36 +00:00
|
|
|
depends on IP6_NF_IPTABLES
|
2007-12-18 06:47:05 +00:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-04-16 22:20:36 +00:00
|
|
|
help
|
|
|
|
rt matching allows you to match packets based on the routing
|
|
|
|
header of the packet.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_OPTS
|
2007-12-05 07:31:59 +00:00
|
|
|
tristate '"hopbyhop" and "dst" opts header match support'
|
2005-04-16 22:20:36 +00:00
|
|
|
depends on IP6_NF_IPTABLES
|
2007-12-18 06:47:05 +00:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-04-16 22:20:36 +00:00
|
|
|
help
|
|
|
|
This allows one to match packets based on the hop-by-hop
|
|
|
|
and destination options headers of a packet.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_FRAG
|
2007-12-05 07:31:59 +00:00
|
|
|
tristate '"frag" Fragmentation header match support'
|
2005-04-16 22:20:36 +00:00
|
|
|
depends on IP6_NF_IPTABLES
|
2007-12-18 06:47:05 +00:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-04-16 22:20:36 +00:00
|
|
|
help
|
|
|
|
frag matching allows you to match packets based on the fragmentation
|
|
|
|
header of the packet.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_HL
|
2007-12-05 07:31:59 +00:00
|
|
|
tristate '"hl" match support'
|
2005-04-16 22:20:36 +00:00
|
|
|
depends on IP6_NF_IPTABLES
|
2007-12-18 06:47:05 +00:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-04-16 22:20:36 +00:00
|
|
|
help
|
|
|
|
HL matching allows you to match packets based on the hop
|
|
|
|
limit of the packet.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_IPV6HEADER
|
2007-12-05 07:31:59 +00:00
|
|
|
tristate '"ipv6header" IPv6 Extension Headers Match'
|
2005-04-16 22:20:36 +00:00
|
|
|
depends on IP6_NF_IPTABLES
|
2007-12-18 06:47:05 +00:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-04-16 22:20:36 +00:00
|
|
|
help
|
|
|
|
This module allows one to match packets based upon
|
|
|
|
the IPv6 extension headers.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2006-04-01 10:22:30 +00:00
|
|
|
config IP6_NF_MATCH_AH
|
2007-12-05 07:31:59 +00:00
|
|
|
tristate '"ah" match support'
|
2005-04-16 22:20:36 +00:00
|
|
|
depends on IP6_NF_IPTABLES
|
2007-12-18 06:47:05 +00:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-04-16 22:20:36 +00:00
|
|
|
help
|
2006-04-01 10:22:30 +00:00
|
|
|
This module allows one to match IPsec Authentication Header (AH) packets.
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2007-02-07 23:12:57 +00:00
|
|
|
config IP6_NF_MATCH_MH
|
2007-12-05 07:31:59 +00:00
|
|
|
tristate '"mh" match support'
|
2007-02-07 23:12:57 +00:00
|
|
|
depends on IP6_NF_IPTABLES
|
2007-12-18 06:47:05 +00:00
|
|
|
depends on NETFILTER_ADVANCED
|
2007-02-07 23:12:57 +00:00
|
|
|
help
|
|
|
|
This module allows one to match Mobility Header (MH) packets.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
config IP6_NF_MATCH_EUI64
|
2007-12-05 07:31:59 +00:00
|
|
|
tristate '"eui64" address check'
|
2005-04-16 22:20:36 +00:00
|
|
|
depends on IP6_NF_IPTABLES
|
2007-12-18 06:47:05 +00:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-04-16 22:20:36 +00:00
|
|
|
help
|
|
|
|
This module performs checking on the IPv6 source address.
|
|
|
|
It compares the last 64 bits with the EUI64 (derived
|
|
|
|
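from the MAC address) address. Both values are taken from the
received packet, so a match shows only that they agree with each other.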
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
# The targets
|
|
|
|
config IP6_NF_FILTER
|
|
|
|
tristate "Packet filtering"
|
|
|
|
depends on IP6_NF_IPTABLES
|
2007-12-18 06:47:05 +00:00
|
|
|
default m if NETFILTER_ADVANCED=n
|
2005-04-16 22:20:36 +00:00
|
|
|
help
|
|
|
|
Packet filtering defines a table `filter', which has a series of
|
|
|
|
rules for simple packet filtering at local input, forwarding and
|
|
|
|
local output. See the man page for iptables(8).
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_TARGET_LOG
|
|
|
|
tristate "LOG target support"
|
|
|
|
depends on IP6_NF_FILTER
|
2007-12-18 06:47:05 +00:00
|
|
|
default m if NETFILTER_ADVANCED=n
|
2005-04-16 22:20:36 +00:00
|
|
|
help
|
|
|
|
This option adds a `LOG' target, which allows you to create rules in
|
|
|
|
any iptables table which records the packet header to the syslog.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-08-22 06:31:06 +00:00
|
|
|
config IP6_NF_TARGET_REJECT
|
|
|
|
tristate "REJECT target support"
|
|
|
|
depends on IP6_NF_FILTER
|
2007-12-18 06:47:05 +00:00
|
|
|
default m if NETFILTER_ADVANCED=n
|
2005-08-22 06:31:06 +00:00
|
|
|
help
|
|
|
|
The REJECT target allows a filtering rule to specify that an ICMPv6
|
|
|
|
error should be issued in response to an incoming packet, rather
|
|
|
|
than the packet being silently dropped.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
config IP6_NF_MANGLE
|
|
|
|
tristate "Packet mangling"
|
|
|
|
depends on IP6_NF_IPTABLES
|
2007-12-18 06:47:05 +00:00
|
|
|
default m if NETFILTER_ADVANCED=n
|
2005-04-16 22:20:36 +00:00
|
|
|
help
|
|
|
|
This option adds a `mangle' table to iptables: see the man page for
|
|
|
|
iptables(8). This table is used for various packet alterations
|
|
|
|
which can affect how the packet is routed.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-08-28 05:37:30 +00:00
|
|
|
config IP6_NF_TARGET_HL
|
|
|
|
tristate 'HL (hoplimit) target support'
|
|
|
|
depends on IP6_NF_MANGLE
|
2007-12-18 06:47:05 +00:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-08-28 05:37:30 +00:00
|
|
|
help
|
|
|
|
This option adds a `HL' target, which enables the user to decrement
|
|
|
|
the hoplimit value of the IPv6 header or set it to a given (lower)
|
|
|
|
value.
|
2007-12-18 06:47:05 +00:00
|
|
|
|
2005-08-28 05:37:30 +00:00
|
|
|
While it is safe to decrement the hoplimit value, this option also
|
|
|
|
enables functionality to increment and set the hoplimit value of the
|
|
|
|
IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since
|
|
|
|
you can easily create immortal packets that loop forever on the
|
2007-12-18 06:47:05 +00:00
|
|
|
network.
|
2005-08-28 05:37:30 +00:00
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
config IP6_NF_RAW
|
|
|
|
tristate 'raw table support (required for TRACE)'
|
|
|
|
depends on IP6_NF_IPTABLES
|
2007-12-18 06:47:05 +00:00
|
|
|
depends on NETFILTER_ADVANCED
|
2005-04-16 22:20:36 +00:00
|
|
|
help
|
|
|
|
This option adds a `raw' table to ip6tables. This table is the very
|
|
|
|
first in the netfilter framework and hooks in at the PREROUTING
|
|
|
|
and OUTPUT chains.
|
2007-12-18 06:47:05 +00:00
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
If you want to compile it as a module, say M here and read
|
2007-03-16 13:28:43 +00:00
|
|
|
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
endmenu
|
|
|
|
|