| # |
| # IP netfilter configuration |
| # |
| |
| menu "IPv6: Netfilter Configuration (EXPERIMENTAL)" |
| depends on INET && IPV6 && NETFILTER && EXPERIMENTAL |
| |
| config NF_CONNTRACK_IPV6 |
| tristate "IPv6 support for new connection tracking (EXPERIMENTAL)" |
| depends on EXPERIMENTAL && NF_CONNTRACK |
| ---help--- |
| Connection tracking keeps a record of what packets have passed |
| through your machine, in order to figure out how they are related |
| into connections. |
| |
| This is IPv6 support on Layer 3 independent connection tracking. |
| Layer 3 independent connection tracking is experimental scheme |
| which generalize ip_conntrack to support other layer 3 protocols. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_QUEUE |
| tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)" |
| ---help--- |
| |
| This option adds a queue handler to the kernel for IPv6 |
| packets which enables users to receive the filtered packets |
| with QUEUE target using libipq. |
| |
| THis option enables the old IPv6-only "ip6_queue" implementation |
| which has been obsoleted by the new "nfnetlink_queue" code (see |
| CONFIG_NETFILTER_NETLINK_QUEUE). |
| |
| (C) Fernando Anton 2001 |
| IPv64 Project - Work based in IPv64 draft by Arturo Azcorra. |
| Universidad Carlos III de Madrid |
| Universidad Politecnica de Alcala de Henares |
| email: <fanton@it.uc3m.es>. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_IPTABLES |
| tristate "IP6 tables support (required for filtering/masq/NAT)" |
| depends on NETFILTER_XTABLES |
| help |
| ip6tables is a general, extensible packet identification framework. |
| Currently only the packet filtering and packet mangling subsystem |
| for IPv6 use this, but connection tracking is going to follow. |
| Say 'Y' or 'M' here if you want to use either of those. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| # The simple matches. |
| config IP6_NF_MATCH_RT |
| tristate "Routing header match support" |
| depends on IP6_NF_IPTABLES |
| help |
| rt matching allows you to match packets based on the routing |
| header of the packet. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_MATCH_OPTS |
| tristate "Hop-by-hop and Dst opts header match support" |
| depends on IP6_NF_IPTABLES |
| help |
| This allows one to match packets based on the hop-by-hop |
| and destination options headers of a packet. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_MATCH_FRAG |
| tristate "Fragmentation header match support" |
| depends on IP6_NF_IPTABLES |
| help |
| frag matching allows you to match packets based on the fragmentation |
| header of the packet. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_MATCH_HL |
| tristate "HL match support" |
| depends on IP6_NF_IPTABLES |
| help |
| HL matching allows you to match packets based on the hop |
| limit of the packet. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_MATCH_MULTIPORT |
| tristate "Multiple port match support" |
| depends on IP6_NF_IPTABLES |
| help |
| Multiport matching allows you to match TCP or UDP packets based on |
| a series of source or destination ports: normally a rule can only |
| match a single range of ports. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_MATCH_OWNER |
| tristate "Owner match support" |
| depends on IP6_NF_IPTABLES |
| help |
| Packet owner matching allows you to match locally-generated packets |
| based on who created them: the user, group, process or session. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_MATCH_IPV6HEADER |
| tristate "IPv6 Extension Headers Match" |
| depends on IP6_NF_IPTABLES |
| help |
| This module allows one to match packets based upon |
| the ipv6 extension headers. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_MATCH_AHESP |
| tristate "AH/ESP match support" |
| depends on IP6_NF_IPTABLES |
| help |
| This module allows one to match AH and ESP packets. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_MATCH_EUI64 |
| tristate "EUI64 address check" |
| depends on IP6_NF_IPTABLES |
| help |
| This module performs checking on the IPv6 source address |
| Compares the last 64 bits with the EUI64 (delivered |
| from the MAC address) address |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_MATCH_POLICY |
| tristate "IPsec policy match support" |
| depends on IP6_NF_IPTABLES && XFRM |
| help |
| Policy matching allows you to match packets based on the |
| IPsec policy that was used during decapsulation/will |
| be used during encapsulation. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| # The targets |
| config IP6_NF_FILTER |
| tristate "Packet filtering" |
| depends on IP6_NF_IPTABLES |
| help |
| Packet filtering defines a table `filter', which has a series of |
| rules for simple packet filtering at local input, forwarding and |
| local output. See the man page for iptables(8). |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_TARGET_LOG |
| tristate "LOG target support" |
| depends on IP6_NF_FILTER |
| help |
| This option adds a `LOG' target, which allows you to create rules in |
| any iptables table which records the packet header to the syslog. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_TARGET_REJECT |
| tristate "REJECT target support" |
| depends on IP6_NF_FILTER |
| help |
| The REJECT target allows a filtering rule to specify that an ICMPv6 |
| error should be issued in response to an incoming packet, rather |
| than silently being dropped. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_MANGLE |
| tristate "Packet mangling" |
| depends on IP6_NF_IPTABLES |
| help |
| This option adds a `mangle' table to iptables: see the man page for |
| iptables(8). This table is used for various packet alterations |
| which can effect how the packet is routed. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_TARGET_HL |
| tristate 'HL (hoplimit) target support' |
| depends on IP6_NF_MANGLE |
| help |
| This option adds a `HL' target, which enables the user to decrement |
| the hoplimit value of the IPv6 header or set it to a given (lower) |
| value. |
| |
| While it is safe to decrement the hoplimit value, this option also |
| enables functionality to increment and set the hoplimit value of the |
| IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since |
| you can easily create immortal packets that loop forever on the |
| network. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config IP6_NF_RAW |
| tristate 'raw table support (required for TRACE)' |
| depends on IP6_NF_IPTABLES |
| help |
| This option adds a `raw' table to ip6tables. This table is the very |
| first in the netfilter framework and hooks in at the PREROUTING |
| and OUTPUT chains. |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/modules.txt>. If unsure, say `N'. |
| |
| endmenu |
| |