2005-04-16 22:20:36 +00:00
#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration (EXPERIMENTAL)"
	depends on INET && IPV6 && NETFILTER && EXPERIMENTAL

2005-11-14 23:26:58 +00:00
config NF_CONNTRACK_IPV6
	tristate "IPv6 support for new connection tracking (EXPERIMENTAL)"
	depends on EXPERIMENTAL && NF_CONNTRACK
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is an experimental scheme
	  which generalizes ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose M here. If unsure, say N.

2005-04-16 22:20:36 +00:00
config IP6_NF_QUEUE
2005-08-10 02:44:15 +00:00
	tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
2005-04-16 22:20:36 +00:00
	---help---

	  This option adds a queue handler to the kernel for IPv6
2005-08-10 02:44:15 +00:00
	  packets which enables users to receive the filtered packets
	  with QUEUE target using libipq.

	  This option enables the old IPv6-only "ip6_queue" implementation
	  which has been obsoleted by the new "nfnetlink_queue" code (see
	  CONFIG_NETFILTER_NETLINK_QUEUE).
2005-04-16 22:20:36 +00:00

	  (C) Fernando Anton 2001
	  IPv64 Project - Work based in IPv64 draft by Arturo Azcorra.
	  Universidad Carlos III de Madrid
	  Universidad Politecnica de Alcala de Henares
	  email: <fanton@it.uc3m.es>.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering/masq/NAT)"
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables

This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.

o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
  wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
  are now implemented as xt_FOOBAR.c files and provide module aliases
  to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
  include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
  around the xt_FOOBAR.h headers

Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 21:30:04 +00:00
	depends on NETFILTER_XTABLES
2005-04-16 22:20:36 +00:00
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

# The simple matches.
config IP6_NF_MATCH_RT
	tristate "Routing header match support"
	depends on IP6_NF_IPTABLES
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate "Hop-by-hop and Dst opts header match support"
	depends on IP6_NF_IPTABLES
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate "Fragmentation header match support"
	depends on IP6_NF_IPTABLES
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_HL
	tristate "HL match support"
	depends on IP6_NF_IPTABLES
	help
	  HL matching allows you to match packets based on the hop
	  limit of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MULTIPORT
	tristate "Multiple port match support"
	depends on IP6_NF_IPTABLES
	help
	  Multiport matching allows you to match TCP or UDP packets based on
	  a series of source or destination ports: normally a rule can only
	  match a single range of ports.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OWNER
	tristate "Owner match support"
	depends on IP6_NF_IPTABLES
	help
	  Packet owner matching allows you to match locally-generated packets
	  based on who created them: the user, group, process or session.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_IPV6HEADER
	tristate "IPv6 Extension Headers Match"
	depends on IP6_NF_IPTABLES
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_AHESP
	tristate "AH/ESP match support"
	depends on IP6_NF_IPTABLES
	help
	  This module allows one to match AH and ESP packets.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_EUI64
	tristate "EUI64 address check"
	depends on IP6_NF_IPTABLES
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here. If unsure, say N.

2006-01-07 07:06:48 +00:00
config IP6_NF_MATCH_POLICY
	tristate "IPsec policy match support"
	depends on IP6_NF_IPTABLES && XFRM
	help
	  Policy matching allows you to match packets based on the
	  IPsec policy that was used during decapsulation/will
	  be used during encapsulation.

	  To compile it as a module, choose M here. If unsure, say N.

2005-04-16 22:20:36 +00:00
# The targets
config IP6_NF_FILTER
	tristate "Packet filtering"
	depends on IP6_NF_IPTABLES
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_TARGET_LOG
	tristate "LOG target support"
	depends on IP6_NF_FILTER
	help
	  This option adds a `LOG' target, which allows you to create rules in
	  any iptables table which records the packet header to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

2005-08-22 06:31:06 +00:00
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

2005-04-16 22:20:36 +00:00
config IP6_NF_MANGLE
	tristate "Packet mangling"
	depends on IP6_NF_IPTABLES
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

2005-08-28 05:37:30 +00:00
config IP6_NF_TARGET_HL
	tristate 'HL (hoplimit) target support'
	depends on IP6_NF_MANGLE
	help
	  This option adds a `HL' target, which enables the user to decrement
	  the hoplimit value of the IPv6 header or set it to a given (lower)
	  value.

	  While it is safe to decrement the hoplimit value, this option also
	  enables functionality to increment and set the hoplimit value of the
	  IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since
	  you can easily create immortal packets that loop forever on the
	  network.

	  To compile it as a module, choose M here. If unsure, say N.

2005-04-16 22:20:36 +00:00
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	depends on IP6_NF_IPTABLES
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/modules.txt>. If unsure, say `N'.

endmenu
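
The IP6_NF_MATCH_EUI64 help text describes comparing the last 64 bits of the IPv6 source address with the EUI64 built from the MAC address. The block below is an added user-space illustration of that comparison, not the kernel module's code; it assumes the modified EUI-64 construction of RFC 4291 (Appendix A), and the helper name `check_source` and the sample addresses are constructed for this example.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the kernel's code. Build the modified EUI-64
 * interface identifier (RFC 4291, Appendix A) from a 48-bit MAC. */
static void mac_to_eui64(const uint8_t mac[6], uint8_t eui64[8])
{
	memcpy(eui64, mac, 3);          /* OUI */
	eui64[3] = 0xff;                /* fixed filler bytes */
	eui64[4] = 0xfe;
	memcpy(eui64 + 5, mac + 3, 3);  /* NIC-specific part */
	eui64[0] ^= 0x02;               /* invert the universal/local bit */
}

/* Hypothetical helper: 1 if the low 64 bits of the IPv6 source address
 * equal the EUI-64 derived from the MAC, 0 if not, -1 on parse error. */
static int check_source(const char *saddr_text, const char *mac_text)
{
	struct in6_addr saddr;
	unsigned int b[6];
	uint8_t mac[6], eui64[8];
	int i;

	if (inet_pton(AF_INET6, saddr_text, &saddr) != 1)
		return -1;
	if (sscanf(mac_text, "%2x:%2x:%2x:%2x:%2x:%2x",
		   &b[0], &b[1], &b[2], &b[3], &b[4], &b[5]) != 6)
		return -1;
	for (i = 0; i < 6; i++)
		mac[i] = (uint8_t)b[i];

	mac_to_eui64(mac, eui64);
	return memcmp(saddr.s6_addr + 8, eui64, 8) == 0;
}

int main(void)
{
	/* Constructed sample frames: source MAC and claimed IPv6 source. */
	const char *mac = "00:11:22:33:44:55";
	printf("%d\n", check_source("2001:db8::211:22ff:fe33:4455", mac));
	printf("%d\n", check_source("2001:db8::1c3f:9a02:77e1:5b40", mac));
	return 0;
}
```

The second sample address carries an interface identifier that is not derived from the MAC, as temporary addresses (RFC 4941) do, so a filter built on this comparison treats such hosts as non-matching.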