#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration"
depends on INET && IPV6 && NETFILTER

config NF_DEFRAG_IPV6
tristate
default n

config NF_CONNTRACK_IPV6
tristate "IPv6 connection tracking support"
depends on INET && IPV6 && NF_CONNTRACK
default m if NETFILTER_ADVANCED=n
select NF_DEFRAG_IPV6
---help---
Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
into connections.

This is IPv6 support on Layer 3 independent connection tracking.
Layer 3 independent connection tracking is an experimental scheme
which generalizes ip_conntrack to support other layer 3 protocols.

To compile it as a module, choose M here. If unsure, say N.
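
As an added example (not from the kernel tree) of what this option provides: a stateful IPv6 host policy in nft syntax. The `ct state` matches need NF_CONNTRACK_IPV6 (and the NF_DEFRAG_IPV6 it selects), the `reject` statements need NF_REJECT_IPV6 and `log` needs NF_LOG_IPV6. The interface name, the management prefix 2001:db8:ad::/48 and the service ports are assumptions. The ICMPv6 rules are the part most often got wrong: neighbour discovery, router advertisements, MLD and path-MTU discovery all travel over ICMPv6, so a policy that treats ICMPv6 like any other unsolicited traffic breaks IPv6 connectivity while appearing to work for established flows.

```nft
# Added example: stateful IPv6 host firewall (nf_tables). Prefixes, ports
# and interface names below are assumptions, not kernel defaults.
table ip6 hostfw {
	chain input {
		type filter hook input priority 0; policy drop;

		# Tracked flows take the fast path. What conntrack cannot classify
		# (out-of-window segments, bogus flag combinations, replies without a
		# request) is dropped silently rather than rejected, so it cannot be
		# used to probe the state table.
		ct state established,related accept
		ct state invalid counter drop

		iif "lo" accept

		# ICMPv6 is not optional on IPv6: whitelist the types a host needs
		# instead of opening all of ICMPv6.
		icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-request } accept
		# Neighbour discovery must arrive with hop limit 255 (RFC 4861); a
		# lower value means it was forwarded, i.e. it is off-link and spoofed.
		ip6 hoplimit 255 icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } accept
		# MLD is only valid from link-local sources.
		ip6 saddr fe80::/10 icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction, mld2-listener-report } accept

		# DHCPv6 replies come from link-local servers.
		ip6 saddr fe80::/10 udp sport 547 udp dport 546 accept

		# Services: SSH only from the (assumed) management prefix,
		# HTTPS from anywhere.
		ip6 saddr 2001:db8:ad::/48 tcp dport 22 ct state new accept
		tcp dport 443 ct state new accept

		# Everything else: log (rate limited, so the log itself cannot be
		# flooded), then RST for TCP and an ICMPv6 error for the rest.
		limit rate 5/second burst 20 packets log prefix "ip6 input reject: "
		meta l4proto tcp reject with tcp reset
		reject with icmpv6 type port-unreachable
	}

	chain forward {
		# A host does not forward; make that explicit.
		type filter hook forward priority 0; policy drop;
	}
}
```

Load with `nft -f hostfw.nft` (delete the table first when reloading, so the rules are not appended a second time). When a flow that should work is being dropped, the counter on the `ct state invalid` rule is the first thing to check: it climbs with asymmetric routing, where conntrack sees only one direction of a connection.
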

if NF_TABLES

config NF_TABLES_IPV6
tristate "IPv6 nf_tables support"
help
This option enables the IPv6 support for nf_tables.


if NF_TABLES_IPV6

config NFT_CHAIN_ROUTE_IPV6
tristate "IPv6 nf_tables route chain support"
help
This option enables the "route" chain for IPv6 in nf_tables. This
chain type is used to force packet re-routing after mangling header
fields such as the source, destination, flowlabel, hop-limit and
the packet mark.
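
The difference between a route chain and a filter chain, as an added example that is not part of the kernel tree: the output chain below marks locally generated HTTPS from one user and rewrites the hop limit, and because the chain is `type route` the kernel performs a second routing lookup after it, so a `fwmark` rule in policy routing can send those packets out a different path. The uid, the mark value and the routing table number are assumptions, and the `ip -6 rule`/`ip -6 route` lines in the comment are the assumed policy-routing setup, not something nft does by itself.

```nft
# Added example: nft "route" chain for IPv6 (NFT_CHAIN_ROUTE_IPV6).
# Assumed policy-routing setup outside nft (illustrative values):
#   ip -6 rule add fwmark 0x64 lookup 100
#   ip -6 route add default via 2001:db8:2::1 dev eth1 table 100
table ip6 policyroute {
	chain output {
		# "type route" re-runs the routing decision after this chain whenever
		# the mark, the source or destination address, the flow label or the
		# hop limit changed. With "type filter" the mark would be set, but the
		# packet would keep the route chosen before the mark existed.
		type route hook output priority -150; policy accept;

		# Locally generated HTTPS from uid 1001 (assumed: a scanner account)
		# is steered through table 100, i.e. the second uplink.
		meta skuid 1001 tcp dport 443 meta mark set 0x64 counter

		# Normalise the outbound hop limit so the default cannot be used to
		# fingerprint the OS; a changed hop limit also triggers the re-route.
		ip6 hoplimit set 64
	}
}
```

`nft list chain ip6 policyroute output` shows the counter on the marking rule; `ip -6 route get <dst> mark 0x64` shows the route the marked packets take after the second lookup.
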

config NFT_REJECT_IPV6
select NF_REJECT_IPV6
default NFT_REJECT
tristate

config NFT_DUP_IPV6
tristate "IPv6 nf_tables packet duplication support"
select NF_DUP_IPV6
help
This module enables IPv6 packet duplication support for nf_tables.

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_DUP_IPV6
tristate "Netfilter IPv6 packet duplication to alternate destination"
depends on !NF_CONNTRACK || NF_CONNTRACK
help
This option enables the nf_dup_ipv6 core, which duplicates an IPv6
packet to be rerouted to another destination.
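
The typical security use of this core (and of the NFT_DUP_IPV6 expression on top of it) is traffic mirroring to a passive sensor. The ruleset below is an added example, not part of the kernel tree; the server prefix, the sensor address and the interface names are assumptions.

```nft
# Added example: mirror traffic to and from an assumed server prefix to an
# IDS sensor (NF_DUP_IPV6 / NFT_DUP_IPV6). Addresses and interfaces are
# assumptions.
table ip6 mirror {
	chain prerouting {
		# Inbound copy. The original packet continues through the remaining
		# hooks untouched; the copy is flagged by nf_dup_ipv6 so that it is
		# not duplicated again when it traverses the hooks itself.
		type filter hook prerouting priority -150; policy accept;
		iifname "eth0" ip6 daddr 2001:db8:1::/64 counter dup to 2001:db8:ff::2 device "eth2"
	}

	chain postrouting {
		# Outbound copy, so the sensor sees both directions of each flow.
		type filter hook postrouting priority -150; policy accept;
		oifname "eth0" ip6 saddr 2001:db8:1::/64 counter dup to 2001:db8:ff::2 device "eth2"
	}
}
```

The `to` address is used as the next hop for the copy, while the packet's own destination address is left unchanged. The sensor therefore receives frames addressed to it at the link layer but not at the IP layer, and must capture promiscuously rather than expect delivery to a socket. Keep the sensor on a dedicated interface, as here, so that mirrored traffic cannot be reflected back into the production segment.
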

config NF_REJECT_IPV6
tristate "IPv6 packet rejection"
default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV6
tristate "IPv6 packet logging"
default m if NETFILTER_ADVANCED=n
select NF_LOG_COMMON

config NF_NAT_IPV6
tristate "IPv6 NAT"
depends on NF_CONNTRACK_IPV6
depends on NETFILTER_ADVANCED
select NF_NAT
help
The IPv6 NAT option allows masquerading, port forwarding and other
forms of full Network Address Port Translation. This can be
controlled by iptables or nft.

if NF_NAT_IPV6

config NFT_CHAIN_NAT_IPV6
depends on NF_TABLES_IPV6
tristate "IPv6 nf_tables nat chain support"
help
This option enables the "nat" chain for IPv6 in nf_tables. This
chain type is used to perform Network Address Translation (NAT)
packet transformations such as the source, destination address and
source and destination ports.

config NF_NAT_MASQUERADE_IPV6
tristate "IPv6 masquerade support"
help
This is the kernel functionality to provide NAT in the masquerade
flavour (automatic source address selection) for IPv6.

config NFT_MASQ_IPV6
tristate "IPv6 masquerade support for nf_tables"
depends on NF_TABLES_IPV6
depends on NFT_MASQ
select NF_NAT_MASQUERADE_IPV6
help
This is the expression that provides IPv6 masquerading support for
nf_tables.

config NFT_REDIR_IPV6
tristate "IPv6 redirect support for nf_tables"
depends on NF_TABLES_IPV6
depends on NFT_REDIR
select NF_NAT_REDIRECT
help
This is the expression that provides IPv6 redirect support for
nf_tables.
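
How the nat chain type, masquerade and redirect fit together, as an added example that is not part of the kernel tree. It exercises NF_NAT_IPV6 with NFT_CHAIN_NAT_IPV6, NFT_MASQ_IPV6 and NFT_REDIR_IPV6; the interface names, the ULA prefix, the backend address and the proxy port are assumptions, and it assumes forwarding is enabled and that a separate filter chain in the forward hook permits these flows (NAT chains only translate, they do not authorise).

```nft
# Added example: IPv6 NAT chains for nf_tables. Interface names, prefixes,
# the backend address and ports are assumptions. Assumed outside nft:
#   net.ipv6.conf.all.forwarding = 1
table ip6 nat {
	chain prerouting {
		# nat chains see only the first packet of a flow; conntrack applies
		# the resulting mapping to every later packet, in both directions.
		type nat hook prerouting priority -100; policy accept;

		# Port forward: public 443 on the gateway to a backend on the ULA
		# (the "port forwarding" of NF_NAT_IPV6).
		iifname "wan0" tcp dport 443 dnat to [fd00:1::10]:8443

		# Transparent proxy: LAN web traffic is redirected to a proxy on this
		# host listening on 3128 (NFT_REDIR_IPV6).
		iifname "lan0" tcp dport { 80, 443 } redirect to :3128
	}

	chain postrouting {
		type nat hook postrouting priority 100; policy accept;

		# Masquerade: rewrite ULA sources to whatever address wan0 currently
		# has (NFT_MASQ_IPV6). Only ULA needs this; globally routed prefixes
		# should be routed, not translated.
		oifname "wan0" ip6 saddr fd00::/8 masquerade
	}
}
```

`nft list table ip6 nat` shows the chains; `conntrack -L -f ipv6` shows the mappings conntrack created from them, which is where to look when a forwarded port answers from the wrong address.
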

endif # NF_NAT_IPV6

config IP6_NF_IPTABLES
tristate "IP6 tables support (required for filtering)"
depends on INET && IPV6
select NETFILTER_XTABLES
default m if NETFILTER_ADVANCED=n
help
ip6tables is a general, extensible packet identification framework.
The IPv6 packet filtering, mangling, raw, security and NAT tables
configured below all use it. Say 'Y' or 'M' here if you want to use
any of them.

To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
tristate '"ah" match support'
depends on NETFILTER_ADVANCED
help
This module allows one to match AH (IPsec Authentication Header)
packets.

To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
tristate '"eui64" address check'
depends on NETFILTER_ADVANCED
help
This module checks the IPv6 source address: it compares the last
64 bits with the EUI-64 interface identifier derived from the
sender's MAC address.

To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
tristate '"frag" Fragmentation header match support'
depends on NETFILTER_ADVANCED
help
frag matching allows you to match packets based on the fragmentation
header of the packet.

To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
tristate '"hbh" hop-by-hop and "dst" opts header match support'
depends on NETFILTER_ADVANCED
help
This allows one to match packets based on the hop-by-hop
and destination options headers of a packet.

To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
tristate '"hl" hoplimit match support'
depends on NETFILTER_ADVANCED
select NETFILTER_XT_MATCH_HL
---help---
This is a backwards-compat option for the user's convenience
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
tristate '"ipv6header" IPv6 Extension Headers Match'
default m if NETFILTER_ADVANCED=n
help
This module allows one to match packets based upon
the ipv6 extension headers.

To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
tristate '"mh" match support'
depends on NETFILTER_ADVANCED
help
This module allows one to match MH (Mobile IPv6 Mobility Header)
packets.

To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_RPFILTER
tristate '"rpfilter" reverse path filter match support'
depends on NETFILTER_ADVANCED
depends on IP6_NF_MANGLE || IP6_NF_RAW
---help---
This option allows you to match packets whose replies would
go out via the interface the packet came in.

To compile it as a module, choose M here. If unsure, say N.
The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
tristate '"rt" Routing header match support'
depends on NETFILTER_ADVANCED
help
rt matching allows you to match packets based on the routing
header of the packet.

To compile it as a module, choose M here. If unsure, say N.
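
What the extension-header matches above (frag, hbh/dst opts, ipv6header, rt) are used for in practice, as an added example that is not from the kernel tree, written in nft syntax where the same checks are the `exthdr` and `rt` expressions. It assumes the host is neither a Mobile IPv6 node nor a segment-routing endpoint. One caveat on fragments: with NF_CONNTRACK_IPV6 in use, NF_DEFRAG_IPV6 reassembles fragments before any filter chain runs, so fragment rules in a filter chain only ever see whole packets; the policy below therefore concentrates on the routing, mobility and hop-by-hop headers.

```nft
# Added example: extension-header policy for a host. Assumes no Mobile IPv6
# and no segment routing terminated on this host.
table ip6 exthdr_policy {
	chain input {
		# Runs just before a conventional filter chain at priority 0.
		type filter hook input priority -10; policy accept;

		# RFC 5095: the type 0 routing header is deprecated because one packet
		# can be bounced between two addresses for traffic amplification.
		rt type 0 counter drop

		# Any other routing header (RPL, SRv6) and the Mobility header are
		# not expected on this host either.
		exthdr rt exists counter drop
		exthdr mh exists counter drop

		# Hop-by-hop options are needed for MLD (router alert option) and
		# rarely for anything else a host receives: let MLD through, drop
		# the rest. Dropping hbh unconditionally silently breaks multicast.
		exthdr hbh exists icmpv6 type { mld-listener-query, mld-listener-report, mld-listener-reduction, mld2-listener-report } accept
		exthdr hbh exists counter drop
	}
}
```

The counters are deliberate: on most networks every one of the drop rules should stay at zero, so a non-zero value is itself a signal worth alerting on.
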

# The targets
config IP6_NF_TARGET_HL
tristate '"HL" hoplimit target support'
depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
select NETFILTER_XT_TARGET_HL
---help---
This is a backwards-compatible option for the user's convenience
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_TARGET_HL.

config IP6_NF_FILTER
tristate "Packet filtering"
default m if NETFILTER_ADVANCED=n
help
Packet filtering defines a table `filter', which has a series of
rules for simple packet filtering at local input, forwarding and
local output. See the man page for ip6tables(8).

To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_REJECT
tristate "REJECT target support"
depends on IP6_NF_FILTER
select NF_REJECT_IPV6
default m if NETFILTER_ADVANCED=n
help
The REJECT target allows a filtering rule to specify that an ICMPv6
error should be issued in response to an incoming packet, rather
than silently being dropped.

To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_SYNPROXY
tristate "SYNPROXY target support"
depends on NF_CONNTRACK && NETFILTER_ADVANCED
select NETFILTER_SYNPROXY
select SYN_COOKIES
help
The SYNPROXY target allows you to intercept TCP connections and
establish them using syncookies before they are passed on to the
server. This avoids spending conntrack and server resources on
half-open connections during SYN-flood attacks.

To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
tristate "Packet mangling"
default m if NETFILTER_ADVANCED=n
help
This option adds a `mangle' table to ip6tables: see the man page for
ip6tables(8). This table is used for various packet alterations
which can affect how the packet is routed.

To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_RAW
tristate 'raw table support (required for TRACE)'
help
This option adds a `raw' table to ip6tables. This table is the very
first in the netfilter framework and hooks in at the PREROUTING
and OUTPUT chains.

If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
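
An added example, not from the kernel tree, that combines three of the options above in nft syntax: the reverse-path check of IP6_NF_MATCH_RPFILTER (the `fib` expression), the pre-conntrack position of the raw table (a chain at priority -300, where `notrack` is the counterpart of `-j CT --notrack`) and the SYN-flood protection of IP6_NF_TARGET_SYNPROXY (nft's `synproxy` statement, built on the same NETFILTER_SYNPROXY core). The interface name and the proxied port are assumptions, and the sysctl in the comment is required: without it conntrack picks up the client's final ACK as a new connection and synproxy never sees it.

```nft
# Added example: ingress hardening on a forwarding host. "wan0" and port 443
# are assumptions. Required sysctl (otherwise mid-stream ACKs are accepted as
# "new" and bypass synproxy):
#   net.netfilter.nf_conntrack_tcp_loose = 0
table ip6 ingress {
	chain pre_raw {
		# Priority -300 runs before conntrack (-200): the position of the
		# raw table described by IP6_NF_RAW. Only decisions that need no
		# connection state belong here.
		type filter hook prerouting priority -300; policy accept;

		# Reverse-path filter (the nft form of IP6_NF_MATCH_RPFILTER): drop
		# when the FIB has no route back to the source through the ingress
		# interface. Link-local sources are exempt: ND and RA never pass it.
		ip6 saddr != fe80::/10 fib saddr . iif oif missing counter drop

		# Bare SYNs to the proxied service get no conntrack entry; synproxy
		# answers them from SYN cookies without allocating any state.
		iifname "wan0" tcp dport 443 tcp flags & (fin|syn|rst|ack) == syn notrack
	}

	chain forward {
		type filter hook forward priority 0; policy drop;

		# Once synproxy has completed the handshake towards the server, the
		# flow is an ordinary tracked connection.
		ct state established,related accept

		# Untracked SYNs and the client's final ACK (invalid: no entry exists
		# for it yet) are handed to synproxy, which opens a connection to the
		# server only when the cookie in the ACK validates.
		iifname "wan0" tcp dport 443 ct state invalid,untracked synproxy mss 1460 wscale 7 timestamp sack-perm

		ct state invalid counter drop
	}
}
```

Under a flood, `nft list chain ip6 ingress forward` shows the `ct state invalid` counter rising while `conntrack -C` stays flat, which is the behaviour the option promises: no conntrack or server state is spent until a client proves it can complete the handshake.
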

# security table for MAC policy
config IP6_NF_SECURITY
tristate "Security table"
depends on SECURITY
depends on NETFILTER_ADVANCED
help
This option adds a `security' table to ip6tables, for use
with Mandatory Access Control (MAC) policy.

If unsure, say N.

config IP6_NF_NAT
tristate "ip6tables NAT support"
depends on NF_CONNTRACK_IPV6
depends on NETFILTER_ADVANCED
select NF_NAT
select NF_NAT_IPV6
select NETFILTER_XT_NAT
help
This enables the `nat' table in ip6tables. This allows masquerading,
port forwarding and other forms of full Network Address Port
Translation.

To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_NAT

config IP6_NF_TARGET_MASQUERADE
tristate "MASQUERADE target support"
select NF_NAT_MASQUERADE_IPV6
help
Masquerading is a special case of NAT: all outgoing connections are
changed to seem to come from a particular interface's address, and
if the interface goes down, those connections are lost. This is
only useful for uplinks with a dynamic address (e.g. dialup accounts,
where your IP address will be different on the next dialup).

To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_NPT
tristate "NPT (Network Prefix translation) target support"
help
This option adds the `SNPT' and `DNPT' targets, which perform
stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES

endmenu