# SPDX-License-Identifier: GPL-2.0-only
#
# IPv6 netfilter configuration
#
5 
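menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# Reading notes for this menu:
#  - "default m if NETFILTER_ADVANCED=n" gives the option the default value m
#    whenever NETFILTER_ADVANCED is disabled.
#  - "depends on !NF_CONNTRACK || NF_CONNTRACK" is the Kconfig optional-
#    dependency idiom: it imposes nothing when NF_CONNTRACK=n, but when
#    NF_CONNTRACK=m the option is limited to m as well.
#  - Several entries are backwards-compat shims (NF_LOG_IPV6, IP6_NF_MATCH_HL,
#    IP6_NF_TARGET_HL, IP6_NF_TARGET_MASQUERADE): they only select another
#    symbol so that old .config files keep working.

# Old sockopt interface and eval loop.
# No prompt: within this file the symbol is only turned on through "select" by
# the table options below (filter, mangle, raw, security, nat). A configuration
# that leaves all of those off, for example one that uses nf_tables only, does
# not pull in the legacy interface through this menu, which keeps that
# userspace-facing rule-parsing code out of the kernel's attack surface.
config IP6_NF_IPTABLES_LEGACY
	tristate

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the {ip6,nf}tables socket match.

# No help text is provided for this option.
# NOTE(review): by its name this is the IPv6 part of transparent-proxy
# (TPROXY) support; confirm against the code that uses it.
config NF_TPROXY_IPV6
	tristate "IPv6 tproxy support"

if NF_TABLES

config NF_TABLES_IPV6
	bool "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

# Promptless: follows the value of NFT_REJECT and pulls in the shared IPv6
# reject code (NF_REJECT_IPV6).
config NFT_REJECT_IPV6
	tristate
	select NF_REJECT_IPV6
	default NFT_REJECT

config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

# FIB lookups are the nf_tables way to do reverse path filtering, i.e. to drop
# packets whose source address is not reachable through the receiving
# interface. Asymmetric routing can make such a check drop legitimate traffic.
config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

# No help text is provided for this option. It is selected by NFT_REJECT_IPV6
# and IP6_NF_TARGET_REJECT in this file.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_SYSLOG
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.

# NOTE(review): the help text still says that connection tracking "is going to
# follow", yet entries further down (SYNPROXY, NAT) already depend on
# NF_CONNTRACK; the sentence looks outdated.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

# A source MAC address can itself be forged, so this match is a consistency
# check between layer 2 and layer 3 addresses, not a form of authentication.
# It only applies to hosts whose interface identifier is built from the MAC.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

# Reverse path filtering is a source-address validation (anti-spoofing) check.
# The second "depends on" requires the mangle table, the raw table or
# NFT_COMPAT, so the match is only offered where it can be used.
# Asymmetric routing can make this check drop legitimate traffic.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW || NFT_COMPAT
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_SRH
	tristate '"srh" Segment Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  srh matching allows you to match packets based on the segment
	  routing header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# Selecting this table also selects the legacy interface
# (IP6_NF_IPTABLES_LEGACY).
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	select IP6_NF_IPTABLES_LEGACY
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER || NFT_COMPAT
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

# SYN-flood mitigation: enabling this forces SYN_COOKIES and
# NETFILTER_SYNPROXY on through "select", and it needs connection tracking.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	select IP6_NF_IPTABLES_LEGACY
	help
	  This option adds a `mangle' table to ip6tables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	select IP6_NF_IPTABLES_LEGACY
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

# Security table for MAC policy.
# Only offered when an LSM framework is built (depends on SECURITY).
# NOTE(review): presumably the table where packet security labels for the MAC
# policy are assigned; confirm against the LSM documentation.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	select IP6_NF_IPTABLES_LEGACY
	help
	  This option adds a `security' table to ip6tables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select IP6_NF_IPTABLES_LEGACY
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NETFILTER_XT_TARGET_MASQUERADE
	depends on IP6_NF_NAT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	depends on IP6_NF_NAT || NFT_COMPAT
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # IP6_NF_IPTABLES
endmenu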
294 
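# Promptless symbol: it cannot be chosen in menuconfig and nothing in this file
# selects it, so it is enabled only through "select" from other Kconfig files.
# NOTE(review): by its name this is the IPv6 fragment-reassembly helper for
# netfilter; confirm which options select it. Rules that match on upper-layer
# headers generally rely on fragments being reassembled first.
config NF_DEFRAG_IPV6
	tristate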
297