# SPDX-License-Identifier: GPL-2.0-only
#
# IPv6 netfilter configuration
#
# Kconfig entries for the "IPv6: Netfilter Configuration" menu: the IPv6
# socket/tproxy helpers, the IPv6 pieces of nf_tables, and the ip6tables
# tables, matches and targets.
#
# Reading guide for the recurring patterns below:
#   - `default m if NETFILTER_ADVANCED=n` builds the option as a module by
#     default when NETFILTER_ADVANCED is disabled.
#   - `depends on NETFILTER_ADVANCED` means the option is only offered once
#     NETFILTER_ADVANCED is enabled.
#   - A `tristate`/`bool` line without a prompt string declares a symbol the
#     user cannot set directly; its value comes from a `default` or from a
#     `select` on another symbol.
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the {ip6,nf}tables socket match.

# NOTE(review): this symbol has a prompt but no help text, so anyone
# auditing a configuration gets no description of what enabling it adds.
config NF_TPROXY_IPV6
	tristate "IPv6 tproxy support"

if NF_TABLES

config NF_TABLES_IPV6
	bool "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

# Promptless: the value follows NFT_REJECT, and enabling it pulls in
# NF_REJECT_IPV6 through `select`.
config NFT_REJECT_IPV6
	select NF_REJECT_IPV6
	default NFT_REJECT
	tristate

# `depends on !NF_CONNTRACK || NF_CONNTRACK` is the Kconfig idiom for an
# optional tristate dependency: it evaluates to y when NF_CONNTRACK is n or
# y, and to m when NF_CONNTRACK is m, so this symbol cannot be built in
# while conntrack is a module.
config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

# The help text names reverse path filtering as a use; see also
# IP6_NF_MATCH_RPFILTER below for the ip6tables counterpart.
config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

config NF_FLOW_TABLE_IPV6
	tristate "Netfilter flow table IPv6 module"
	depends on NF_FLOW_TABLE
	help
	  This option adds the flow table IPv6 support.

	  To compile it as a module, choose M here.

# Same optional-dependency idiom as NFT_DUP_IPV6: the option is capped at m
# when NF_CONNTRACK is built as a module.
# NOTE(review): duplication sends a copy of traffic to a second destination,
# so a reviewer of a hardened configuration will likely want to confirm this
# is actually needed before enabling it.
config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

# Selected by NFT_REJECT_IPV6 and IP6_NF_TARGET_REJECT in this file.
# NOTE(review): no help text is provided for this symbol.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

# Compatibility shim: its only effect visible here is selecting
# NF_LOG_SYSLOG.
config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_SYSLOG
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.

# The `depends on INET && IPV6` line repeats part of the enclosing menu's
# dependency (INET && IPV6 && NETFILTER).
# NOTE(review): the help sentence "connection tracking is going to follow"
# looks dated, since IP6_NF_TARGET_SYNPROXY and IP6_NF_NAT further down
# already depend on NF_CONNTRACK.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

# NOTE(review): "delivered from the MAC address" in the help text presumably
# means "derived from the MAC address".
# NOTE(review): both values being compared come from the packet itself, so
# this reads as a consistency check rather than proof of sender identity;
# the help text would benefit from saying so.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address
	  Compares the last 64 bits with the EUI64 (delivered
	  from the MAC address) address

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# Compatibility shim: its only effect visible here is selecting
# NETFILTER_XT_MATCH_HL.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# Unlike the other matches in this group, this one does not depend on
# NETFILTER_ADVANCED and defaults to m when NETFILTER_ADVANCED is off.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here.  If unsure, say N.

# Requires at least one of the mangle or raw tables
# (IP6_NF_MANGLE || IP6_NF_RAW), in addition to NETFILTER_ADVANCED.
# NOTE(review): the help describes the match condition only; rules built on
# it are typically used as a source-address sanity (anti-spoofing) check,
# which is worth a sentence in the help text.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP6_NF_MATCH_SRH
	tristate '"srh" Segment Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  srh matching allows you to match packets based on the segment
	  routing header of the packet.

	  To compile it as a module, choose M here.  If unsure, say N.

# The targets
# Compatibility shim: its only effect visible here is selecting
# NETFILTER_XT_TARGET_HL. Offered only when IP6_NF_MANGLE is enabled.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# The `filter' table; IP6_NF_TARGET_REJECT below depends on it.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

# Enabling this pulls in NF_REJECT_IPV6 through `select`.
# Per the help text, REJECT answers the sender with an ICMPv6 error where a
# drop stays silent, so it produces reply traffic that a drop would not;
# which behaviour is appropriate is a rule-set policy decision.
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here.  If unsure, say N.

# Needs NF_CONNTRACK and NETFILTER_ADVANCED. Enabling it forces both
# NETFILTER_SYNPROXY and SYN_COOKIES on through `select`, so SYN cookie
# support ends up in the build even if it was not chosen separately.
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here.  If unsure, say N.

# NOTE(review): "effect" in the help text presumably should read "affect".
config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose M here.  If unsure, say N.

# This entry has neither a NETFILTER_ADVANCED dependency nor a default, so
# nothing in this file turns it on automatically. The prompt notes that the
# raw table is required for TRACE.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

# security table for MAC policy
# Only offered when both SECURITY and NETFILTER_ADVANCED are enabled.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# Needs NF_CONNTRACK and NETFILTER_ADVANCED; enabling it pulls in NF_NAT and
# NETFILTER_XT_NAT through `select`.
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here.  If unsure, say N.

if IP6_NF_NAT

# Compatibility shim: its only effect visible here is selecting
# NETFILTER_XT_TARGET_MASQUERADE.
config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NETFILTER_XT_TARGET_MASQUERADE
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.

# Nested under `if IP6_NF_NAT`, so it is only offered when IP6_NF_NAT (and
# therefore NF_CONNTRACK) is enabled, even though the help text describes
# the translation itself as stateless.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # IP6_NF_NAT

endif # IP6_NF_IPTABLES
endmenu

# Promptless and declared outside the menu: it cannot be set by the user and
# nothing in this file selects it, so it is presumably enabled via `select`
# from a Kconfig file elsewhere -- verify against the callers.
config NF_DEFRAG_IPV6
	tristate