d37d696804
rpfilter is only valid in raw/mangle PREROUTING, i.e. RPFILTER=y|m is useless without raw or mangle table support. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
226 lines
6.9 KiB
Plaintext
226 lines
6.9 KiB
Plaintext
#
|
|
# IP netfilter configuration
|
|
#
|
|
|
|
menu "IPv6: Netfilter Configuration"
|
|
depends on INET && IPV6 && NETFILTER
|
|
|
|
config NF_DEFRAG_IPV6
|
|
tristate
|
|
default n
|
|
|
|
config NF_CONNTRACK_IPV6
|
|
tristate "IPv6 connection tracking support"
|
|
depends on INET && IPV6 && NF_CONNTRACK
|
|
default m if NETFILTER_ADVANCED=n
|
|
select NF_DEFRAG_IPV6
|
|
---help---
|
|
Connection tracking keeps a record of what packets have passed
|
|
through your machine, in order to figure out how they are related
|
|
into connections.
|
|
|
|
This is IPv6 support on Layer 3 independent connection tracking.
|
|
Layer 3 independent connection tracking is experimental scheme
|
|
which generalize ip_conntrack to support other layer 3 protocols.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config IP6_NF_IPTABLES
|
|
tristate "IP6 tables support (required for filtering)"
|
|
depends on INET && IPV6
|
|
select NETFILTER_XTABLES
|
|
default m if NETFILTER_ADVANCED=n
|
|
help
|
|
ip6tables is a general, extensible packet identification framework.
|
|
Currently only the packet filtering and packet mangling subsystem
|
|
for IPv6 use this, but connection tracking is going to follow.
|
|
Say 'Y' or 'M' here if you want to use either of those.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
if IP6_NF_IPTABLES
|
|
|
|
# The simple matches.
|
|
config IP6_NF_MATCH_AH
|
|
tristate '"ah" match support'
|
|
depends on NETFILTER_ADVANCED
|
|
help
|
|
This module allows one to match AH packets.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config IP6_NF_MATCH_EUI64
|
|
tristate '"eui64" address check'
|
|
depends on NETFILTER_ADVANCED
|
|
help
|
|
This module performs checking on the IPv6 source address
|
|
Compares the last 64 bits with the EUI64 (delivered
|
|
from the MAC address) address
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config IP6_NF_MATCH_FRAG
|
|
tristate '"frag" Fragmentation header match support'
|
|
depends on NETFILTER_ADVANCED
|
|
help
|
|
frag matching allows you to match packets based on the fragmentation
|
|
header of the packet.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config IP6_NF_MATCH_OPTS
|
|
tristate '"hbh" hop-by-hop and "dst" opts header match support'
|
|
depends on NETFILTER_ADVANCED
|
|
help
|
|
This allows one to match packets based on the hop-by-hop
|
|
and destination options headers of a packet.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config IP6_NF_MATCH_HL
|
|
tristate '"hl" hoplimit match support'
|
|
depends on NETFILTER_ADVANCED
|
|
select NETFILTER_XT_MATCH_HL
|
|
---help---
|
|
This is a backwards-compat option for the user's convenience
|
|
(e.g. when running oldconfig). It selects
|
|
CONFIG_NETFILTER_XT_MATCH_HL.
|
|
|
|
config IP6_NF_MATCH_IPV6HEADER
|
|
tristate '"ipv6header" IPv6 Extension Headers Match'
|
|
default m if NETFILTER_ADVANCED=n
|
|
help
|
|
This module allows one to match packets based upon
|
|
the ipv6 extension headers.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config IP6_NF_MATCH_MH
|
|
tristate '"mh" match support'
|
|
depends on NETFILTER_ADVANCED
|
|
help
|
|
This module allows one to match MH packets.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config IP6_NF_MATCH_RPFILTER
|
|
tristate '"rpfilter" reverse path filter match support'
|
|
depends on NETFILTER_ADVANCED && (IP6_NF_MANGLE || IP6_NF_RAW)
|
|
---help---
|
|
This option allows you to match packets whose replies would
|
|
go out via the interface the packet came in.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
The module will be called ip6t_rpfilter.
|
|
|
|
config IP6_NF_MATCH_RT
|
|
tristate '"rt" Routing header match support'
|
|
depends on NETFILTER_ADVANCED
|
|
help
|
|
rt matching allows you to match packets based on the routing
|
|
header of the packet.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
# The targets
|
|
config IP6_NF_TARGET_HL
|
|
tristate '"HL" hoplimit target support'
|
|
depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
|
|
select NETFILTER_XT_TARGET_HL
|
|
---help---
|
|
This is a backwards-compatible option for the user's convenience
|
|
(e.g. when running oldconfig). It selects
|
|
CONFIG_NETFILTER_XT_TARGET_HL.
|
|
|
|
config IP6_NF_FILTER
|
|
tristate "Packet filtering"
|
|
default m if NETFILTER_ADVANCED=n
|
|
help
|
|
Packet filtering defines a table `filter', which has a series of
|
|
rules for simple packet filtering at local input, forwarding and
|
|
local output. See the man page for iptables(8).
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config IP6_NF_TARGET_REJECT
|
|
tristate "REJECT target support"
|
|
depends on IP6_NF_FILTER
|
|
default m if NETFILTER_ADVANCED=n
|
|
help
|
|
The REJECT target allows a filtering rule to specify that an ICMPv6
|
|
error should be issued in response to an incoming packet, rather
|
|
than silently being dropped.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config IP6_NF_MANGLE
|
|
tristate "Packet mangling"
|
|
default m if NETFILTER_ADVANCED=n
|
|
help
|
|
This option adds a `mangle' table to iptables: see the man page for
|
|
iptables(8). This table is used for various packet alterations
|
|
which can effect how the packet is routed.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config IP6_NF_RAW
|
|
tristate 'raw table support (required for TRACE)'
|
|
help
|
|
This option adds a `raw' table to ip6tables. This table is the very
|
|
first in the netfilter framework and hooks in at the PREROUTING
|
|
and OUTPUT chains.
|
|
|
|
If you want to compile it as a module, say M here and read
|
|
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
|
|
|
|
# security table for MAC policy
|
|
config IP6_NF_SECURITY
|
|
tristate "Security table"
|
|
depends on SECURITY
|
|
depends on NETFILTER_ADVANCED
|
|
help
|
|
This option adds a `security' table to iptables, for use
|
|
with Mandatory Access Control (MAC) policy.
|
|
|
|
If unsure, say N.
|
|
|
|
config NF_NAT_IPV6
|
|
tristate "IPv6 NAT"
|
|
depends on NF_CONNTRACK_IPV6
|
|
depends on NETFILTER_ADVANCED
|
|
select NF_NAT
|
|
help
|
|
The IPv6 NAT option allows masquerading, port forwarding and other
|
|
forms of full Network Address Port Translation. It is controlled by
|
|
the `nat' table in ip6tables, see the man page for ip6tables(8).
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
if NF_NAT_IPV6
|
|
|
|
config IP6_NF_TARGET_MASQUERADE
|
|
tristate "MASQUERADE target support"
|
|
help
|
|
Masquerading is a special case of NAT: all outgoing connections are
|
|
changed to seem to come from a particular interface's address, and
|
|
if the interface goes down, those connections are lost. This is
|
|
only useful for dialup accounts with dynamic IP address (ie. your IP
|
|
address will be different on next dialup).
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config IP6_NF_TARGET_NPT
|
|
tristate "NPT (Network Prefix translation) target support"
|
|
help
|
|
This option adds the `SNPT' and `DNPT' target, which perform
|
|
stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
endif # NF_NAT_IPV6
|
|
|
|
endif # IP6_NF_IPTABLES
|
|
|
|
endmenu
|
|
|