2005-04-16 22:20:36 +00:00
|
|
|
#
|
|
|
|
# IP netfilter configuration
|
|
|
|
#
|
|
|
|
|
|
|
|
menu "IPv6: Netfilter Configuration (EXPERIMENTAL)"
|
|
|
|
depends on INET && IPV6 && NETFILTER && EXPERIMENTAL
|
|
|
|
|
2005-11-14 23:26:58 +00:00
|
|
|
config NF_CONNTRACK_IPV6
|
|
|
|
tristate "IPv6 support for new connection tracking (EXPERIMENTAL)"
|
|
|
|
depends on EXPERIMENTAL && NF_CONNTRACK
|
|
|
|
---help---
|
|
|
|
Connection tracking keeps a record of what packets have passed
|
|
|
|
through your machine, in order to figure out how they are related
|
|
|
|
into connections.
|
|
|
|
|
|
|
|
This is IPv6 support on Layer 3 independent connection tracking.
|
|
|
|
Layer 3 independent connection tracking is experimental scheme
|
|
|
|
which generalize ip_conntrack to support other layer 3 protocols.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
config IP6_NF_QUEUE
|
2005-08-10 02:44:15 +00:00
|
|
|
tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
|
2005-04-16 22:20:36 +00:00
|
|
|
---help---
|
|
|
|
|
|
|
|
This option adds a queue handler to the kernel for IPv6
|
2005-08-10 02:44:15 +00:00
|
|
|
packets which enables users to receive the filtered packets
|
|
|
|
with QUEUE target using libipq.
|
|
|
|
|
|
|
|
THis option enables the old IPv6-only "ip6_queue" implementation
|
|
|
|
which has been obsoleted by the new "nfnetlink_queue" code (see
|
|
|
|
CONFIG_NETFILTER_NETLINK_QUEUE).
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
(C) Fernando Anton 2001
|
|
|
|
IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
|
|
|
|
Universidad Carlos III de Madrid
|
|
|
|
Universidad Politecnica de Alcala de Henares
|
|
|
|
email: <fanton@it.uc3m.es>.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_IPTABLES
|
|
|
|
tristate "IP6 tables support (required for filtering/masq/NAT)"
|
|
|
|
help
|
|
|
|
ip6tables is a general, extensible packet identification framework.
|
|
|
|
Currently only the packet filtering and packet mangling subsystem
|
|
|
|
for IPv6 use this, but connection tracking is going to follow.
|
|
|
|
Say 'Y' or 'M' here if you want to use either of those.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
# The simple matches.
|
|
|
|
config IP6_NF_MATCH_LIMIT
|
|
|
|
tristate "limit match support"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
limit matching allows you to control the rate at which a rule can be
|
|
|
|
matched: mainly useful in combination with the LOG target ("LOG
|
|
|
|
target support", below) and to avoid some Denial of Service attacks.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_MAC
|
|
|
|
tristate "MAC address match support"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
mac matching allows you to match packets based on the source
|
|
|
|
Ethernet address of the packet.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_RT
|
|
|
|
tristate "Routing header match support"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
rt matching allows you to match packets based on the routing
|
|
|
|
header of the packet.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_OPTS
|
|
|
|
tristate "Hop-by-hop and Dst opts header match support"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
This allows one to match packets based on the hop-by-hop
|
|
|
|
and destination options headers of a packet.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_FRAG
|
|
|
|
tristate "Fragmentation header match support"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
frag matching allows you to match packets based on the fragmentation
|
|
|
|
header of the packet.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_HL
|
|
|
|
tristate "HL match support"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
HL matching allows you to match packets based on the hop
|
|
|
|
limit of the packet.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_MULTIPORT
|
|
|
|
tristate "Multiple port match support"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
Multiport matching allows you to match TCP or UDP packets based on
|
|
|
|
a series of source or destination ports: normally a rule can only
|
|
|
|
match a single range of ports.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_OWNER
|
|
|
|
tristate "Owner match support"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
Packet owner matching allows you to match locally-generated packets
|
|
|
|
based on who created them: the user, group, process or session.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_MARK
|
|
|
|
tristate "netfilter MARK match support"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
Netfilter mark matching allows you to match packets based on the
|
|
|
|
`nfmark' value in the packet. This can be set by the MARK target
|
|
|
|
(see below).
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_IPV6HEADER
|
|
|
|
tristate "IPv6 Extension Headers Match"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
This module allows one to match packets based upon
|
|
|
|
the ipv6 extension headers.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_AHESP
|
|
|
|
tristate "AH/ESP match support"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
This module allows one to match AH and ESP packets.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_LENGTH
|
|
|
|
tristate "Packet Length match support"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
This option allows you to match the length of a packet against a
|
|
|
|
specific value or range of values.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_EUI64
|
|
|
|
tristate "EUI64 address check"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
This module performs checking on the IPv6 source address
|
|
|
|
Compares the last 64 bits with the EUI64 (delivered
|
|
|
|
from the MAC address) address
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_MATCH_PHYSDEV
|
|
|
|
tristate "Physdev match support"
|
|
|
|
depends on IP6_NF_IPTABLES && BRIDGE_NETFILTER
|
|
|
|
help
|
|
|
|
Physdev packet matching matches against the physical bridge ports
|
|
|
|
the IP packet arrived on or will leave by.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2006-01-07 07:06:48 +00:00
|
|
|
config IP6_NF_MATCH_POLICY
|
|
|
|
tristate "IPsec policy match support"
|
|
|
|
depends on IP6_NF_IPTABLES && XFRM
|
|
|
|
help
|
|
|
|
Policy matching allows you to match packets based on the
|
|
|
|
IPsec policy that was used during decapsulation/will
|
|
|
|
be used during encapsulation.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
# The targets
|
|
|
|
config IP6_NF_FILTER
|
|
|
|
tristate "Packet filtering"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
Packet filtering defines a table `filter', which has a series of
|
|
|
|
rules for simple packet filtering at local input, forwarding and
|
|
|
|
local output. See the man page for iptables(8).
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_TARGET_LOG
|
|
|
|
tristate "LOG target support"
|
|
|
|
depends on IP6_NF_FILTER
|
|
|
|
help
|
|
|
|
This option adds a `LOG' target, which allows you to create rules in
|
|
|
|
any iptables table which records the packet header to the syslog.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-08-22 06:31:06 +00:00
|
|
|
config IP6_NF_TARGET_REJECT
|
|
|
|
tristate "REJECT target support"
|
|
|
|
depends on IP6_NF_FILTER
|
|
|
|
help
|
|
|
|
The REJECT target allows a filtering rule to specify that an ICMPv6
|
|
|
|
error should be issued in response to an incoming packet, rather
|
|
|
|
than silently being dropped.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-09-24 23:52:03 +00:00
|
|
|
config IP6_NF_TARGET_NFQUEUE
|
|
|
|
tristate "NFQUEUE Target Support"
|
2005-12-19 21:53:26 +00:00
|
|
|
depends on IP6_NF_IPTABLES
|
2005-09-24 23:52:03 +00:00
|
|
|
help
|
|
|
|
This Target replaced the old obsolete QUEUE target.
|
|
|
|
|
|
|
|
As opposed to QUEUE, it supports 65535 different queues,
|
|
|
|
not just one.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
config IP6_NF_MANGLE
|
|
|
|
tristate "Packet mangling"
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
This option adds a `mangle' table to iptables: see the man page for
|
|
|
|
iptables(8). This table is used for various packet alterations
|
|
|
|
which can effect how the packet is routed.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
config IP6_NF_TARGET_MARK
|
|
|
|
tristate "MARK target support"
|
|
|
|
depends on IP6_NF_MANGLE
|
|
|
|
help
|
|
|
|
This option adds a `MARK' target, which allows you to create rules
|
|
|
|
in the `mangle' table which alter the netfilter mark (nfmark) field
|
|
|
|
associated with the packet packet prior to routing. This can change
|
|
|
|
the routing method (see `Use netfilter MARK value as routing
|
|
|
|
key') and can also be used by other subsystems to change their
|
|
|
|
behavior.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-08-28 05:37:30 +00:00
|
|
|
config IP6_NF_TARGET_HL
|
|
|
|
tristate 'HL (hoplimit) target support'
|
|
|
|
depends on IP6_NF_MANGLE
|
|
|
|
help
|
|
|
|
This option adds a `HL' target, which enables the user to decrement
|
|
|
|
the hoplimit value of the IPv6 header or set it to a given (lower)
|
|
|
|
value.
|
|
|
|
|
|
|
|
While it is safe to decrement the hoplimit value, this option also
|
|
|
|
enables functionality to increment and set the hoplimit value of the
|
|
|
|
IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since
|
|
|
|
you can easily create immortal packets that loop forever on the
|
|
|
|
network.
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
2005-04-16 22:20:36 +00:00
|
|
|
config IP6_NF_RAW
|
|
|
|
tristate 'raw table support (required for TRACE)'
|
|
|
|
depends on IP6_NF_IPTABLES
|
|
|
|
help
|
|
|
|
This option adds a `raw' table to ip6tables. This table is the very
|
|
|
|
first in the netfilter framework and hooks in at the PREROUTING
|
|
|
|
and OUTPUT chains.
|
|
|
|
|
|
|
|
If you want to compile it as a module, say M here and read
|
|
|
|
<file:Documentation/modules.txt>. If unsure, say `N'.
|
|
|
|
|
|
|
|
endmenu
|
|
|
|
|