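# SPDX-License-Identifier: GPL-2.0-only
#
# IP netfilter configuration
#
# Layout restored to one Kconfig statement per line; the listing had been
# collapsed onto long lines with viewer line numbers fused into the text.

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the {ip6,nf}tables socket match.

# No help text is given for this symbol.
# NOTE(review): presumably the IPv6 lookup helpers behind transparent
# proxying (TPROXY) - confirm against the users of this symbol.
config NF_TPROXY_IPV6
	tristate "IPv6 tproxy support"

if NF_TABLES

config NF_TABLES_IPV6
	bool "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

# Promptless symbol: it cannot be chosen in the menu. It takes its value
# from NFT_REJECT and pulls in the NF_REJECT_IPV6 core via select.
config NFT_REJECT_IPV6
	tristate
	select NF_REJECT_IPV6
	default NFT_REJECT

# "depends on !NF_CONNTRACK || NF_CONNTRACK" is not a no-op for tristate
# symbols: when NF_CONNTRACK=m the expression evaluates to m, so this
# symbol is capped at m and cannot be built in against a modular conntrack.
config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

# Reverse path filtering (named in the help text) is the anti-spoofing
# check that compares a packet's source address with the routing table.
# Rulesets that rely on it for IPv6 need this symbol enabled.
config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

# Same conntrack module-matching constraint as NFT_DUP_IPV6 above.
config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

# Core selected by NFT_REJECT_IPV6 (above) and by IP6_NF_TARGET_REJECT.
# "default m if NETFILTER_ADVANCED=n": built as a module by default when
# the advanced netfilter options are not enabled.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_SYSLOG
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.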
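# ip6tables (xtables) core, followed by its IPv6-specific matches and targets.
# Layout restored to one Kconfig statement per line; viewer line numbers
# that were fused into the text are dropped.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystems
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Review note: per the help text this compares the IPv6 source address with
# an EUI64 derived from the MAC address. Both values are taken from the
# received frame, so the match checks that they are consistent with each
# other; it does not authenticate the sender. Hosts whose interface
# identifier is not EUI-64 based (e.g. temporary/privacy addresses) will
# not match.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 address (derived
	  from the MAC address).

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility symbol only: it selects the protocol-independent HL match.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# Unlike the other matches here, this one does not depend on
# NETFILTER_ADVANCED and defaults to m when the advanced options are off.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Reverse path filtering is an anti-spoofing check. The second depends line
# means the match is only offered when the mangle or the raw table is
# enabled, so a configuration that wants it must keep one of the two.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in on.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

# Lets a ruleset filter on the routing extension header; type 0 routing
# headers were deprecated by RFC 5095.
config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_SRH
	tristate '"srh" Segment Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  srh matching allows you to match packets based on the segment
	  routing header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# The targets
# Compatibility symbol only: it selects the protocol-independent HL target
# and additionally requires the mangle table.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.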
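# ip6tables tables (filter, mangle, raw, security, nat) and their targets.
# Layout restored to one Kconfig statement per line; viewer line numbers
# that were fused into the text are dropped.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# REJECT answers the sender with an ICMPv6 error instead of dropping
# silently. The reply confirms to the sender that a filter is present and is
# addressed to the packet's source address, which the sender chooses; weigh
# that against DROP when writing rules for untrusted networks.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

# SYN-flood mitigation. Needs connection tracking and force-selects
# SYN_COOKIES, so enabling it also enables syncookie support in the kernel.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This avoids conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.

# IP6_NF_MATCH_RPFILTER and IP6_NF_TARGET_HL depend on this table
# (rpfilter accepts the raw table as an alternative).
config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to ip6tables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# The prompt notes that TRACE requires this table, so rule tracing for
# debugging a ruleset is unavailable in ip6tables without it.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

# security table for MAC policy
# Only offered when SECURITY is enabled; typically holds the packet
# labelling rules of a MAC framework.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to ip6tables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# NAT is stateful here: it depends on connection tracking.
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_NAT

# Compatibility symbol only: it selects the protocol-independent target.
config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NETFILTER_XT_TARGET_MASQUERADE
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.

config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' targets, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES
endmenu

# Promptless symbol declared outside the menu: it has no prompt, default or
# dependency here, so it is only enabled when another symbol selects it.
config NF_DEFRAG_IPV6
	tristate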