# SPDX-License-Identifier: GPL-2.0-only
#
# IPv6 netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on INET && IPV6 && NETFILTER

# Legacy ip6tables backend: the old sockopt interface and rule evaluation
# loop. It is off by default, but the table options in this file that carry
# "select IP6_NF_IPTABLES_LEGACY" switch it on as soon as one of them is
# enabled, so check those when auditing a config that should not ship the
# legacy interface.
config IP6_NF_IPTABLES_LEGACY
	tristate "Legacy IP6 tables support"
	depends on INET && IPV6
	default n
	select NETFILTER_XTABLES
	help
	  ip6tables is a legacy packet classifier.
	  This is not needed if you are using iptables over nftables
	  (iptables-nft).

# Socket lookup helper shared by the ip6tables and nf_tables socket matches.
config NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the {ip6,nf}tables socket match.

# NOTE(review): no help text is provided for this symbol.
config NF_TPROXY_IPV6
	tristate "IPv6 tproxy support"

if NF_TABLES

config NF_TABLES_IPV6
	bool "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if NF_TABLES_IPV6

# No prompt: the value follows NFT_REJECT, and enabling it pulls in the
# IPv6 reject core (NF_REJECT_IPV6).
config NFT_REJECT_IPV6
	tristate
	default NFT_REJECT
	select NF_REJECT_IPV6

# "!NF_CONNTRACK || NF_CONNTRACK" is a tristate idiom, not a tautology: it
# evaluates to m when NF_CONNTRACK=m and to y otherwise, so this option
# cannot be built in (y) while conntrack is built as a module.
config NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	select NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

# FIB lookups from nf_tables rules; the help text names reverse path
# filtering as the typical use.
config NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # NF_TABLES_IPV6
endif # NF_TABLES

# Same tristate idiom as NFT_DUP_IPV6: limited to m when NF_CONNTRACK=m.
config NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !NF_CONNTRACK || NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.
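# IPv6 reject core; selected by NFT_REJECT_IPV6 and IP6_NF_TARGET_REJECT
# elsewhere in this file.
config NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if NETFILTER_ADVANCED=n

# Compatibility symbol only: its sole effect is to select NF_LOG_SYSLOG.
config NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if NETFILTER_ADVANCED=n
	select NF_LOG_SYSLOG
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects CONFIG_NF_LOG_SYSLOG.

# Gate for every ip6tables match and target inside the
# "if IP6_NF_IPTABLES" block that follows.
config IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on INET && IPV6
	select NETFILTER_XTABLES
	default m if NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'M' here if you want to use either of those.

	  To compile it as a module, choose M here. If unsure, say N.

if IP6_NF_IPTABLES

# The simple matches.
config IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): the source MAC and the IPv6 source address both come from
# the packet itself, so a match is a consistency check between the two,
# not proof of where the packet originated.
config IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address.
	  It compares the last 64 bits with the EUI64 (derived
	  from the MAC address) address.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.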
# Matches on the hop-by-hop and destination options extension headers.
config IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility symbol only: its sole effect is to select
# NETFILTER_XT_MATCH_HL.
config IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on NETFILTER_ADVANCED
	select NETFILTER_XT_MATCH_HL
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_MATCH_HL.

# Unlike the neighbouring matches this one has no dependency on
# NETFILTER_ADVANCED and defaults to m when that option is off.
config IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose M here. If unsure, say N.

config IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose M here. If unsure, say N.

# Reverse-path check, usable as an anti-spoofing filter. The second
# "depends on" requires a mangle or raw table, or the nft compat layer,
# to be configured before the match can be enabled.
config IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP6_NF_MANGLE || IP6_NF_RAW || NFT_COMPAT
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose M here. If unsure, say N.
	  The module will be called ip6t_rpfilter.

# Matches on the routing extension header.
config IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.
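# Matches on the segment routing extension header.
config IP6_NF_MATCH_SRH
	tristate '"srh" Segment Routing header match support'
	depends on NETFILTER_ADVANCED
	help
	  srh matching allows you to match packets based on the segment
	  routing header of the packet.

	  To compile it as a module, choose M here. If unsure, say N.

# The targets

# Compatibility symbol only: its sole effect is to select
# NETFILTER_XT_TARGET_HL.
config IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on NETFILTER_ADVANCED && IP6_NF_MANGLE
	select NETFILTER_XT_TARGET_HL
	help
	  This is a backwards-compatible option for the user's convenience
	  (e.g. when running oldconfig). It selects
	  CONFIG_NETFILTER_XT_TARGET_HL.

# The `filter' table. Enabling it selects IP6_NF_IPTABLES_LEGACY, i.e. the
# legacy ip6tables backend is built whenever this table is.
# The type is declared once, with the prompt; a second bare "tristate"
# line that repeated it has been dropped.
config IP6_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	select IP6_NF_IPTABLES_LEGACY
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output. See the man page for iptables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# Needs either the legacy filter table or the nft compat layer, and pulls
# in the IPv6 reject core (NF_REJECT_IPV6).
config IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP6_NF_FILTER || NFT_COMPAT
	select NF_REJECT_IPV6
	default m if NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose M here. If unsure, say N.

# SYN-flood mitigation: requires conntrack and force-enables SYN_COOKIES
# and NETFILTER_SYNPROXY through "select".
config IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on NF_CONNTRACK && NETFILTER_ADVANCED
	select NETFILTER_SYNPROXY
	select SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose M here. If unsure, say N.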
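# Every table option in this group selects IP6_NF_IPTABLES_LEGACY, so the
# legacy ip6tables backend is built whenever one of them is enabled.

# The `mangle' table.
config IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	select IP6_NF_IPTABLES_LEGACY
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8). This table is used for various packet alterations
	  which can affect how the packet is routed.

	  To compile it as a module, choose M here. If unsure, say N.

# The `raw' table; the prompt notes it is required for TRACE.
config IP6_NF_RAW
	tristate 'raw table support (required for TRACE)'
	select IP6_NF_IPTABLES_LEGACY
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

# security table for MAC policy
# Only offered when SECURITY is enabled.
config IP6_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	select IP6_NF_IPTABLES_LEGACY
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.

	  If unsure, say N.

# The `nat' table: requires conntrack and selects the NAT core (NF_NAT)
# together with NETFILTER_XT_NAT.
config IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on NF_CONNTRACK
	depends on NETFILTER_ADVANCED
	select NF_NAT
	select IP6_NF_IPTABLES_LEGACY
	select NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose M here. If unsure, say N.

# Compatibility symbol only: its sole effect is to select
# NETFILTER_XT_TARGET_MASQUERADE.
config IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select NETFILTER_XT_TARGET_MASQUERADE
	depends on IP6_NF_NAT
	help
	  This is a backwards-compat option for the user's convenience
	  (e.g. when running oldconfig). It selects NETFILTER_XT_TARGET_MASQUERADE.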
# Stateless prefix translation targets; available with the ip6tables nat
# table or through the nft compat layer.
config IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	depends on IP6_NF_NAT || NFT_COMPAT
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose M here. If unsure, say N.

endif # IP6_NF_IPTABLES
endmenu

# Declared outside the menu and without a prompt, so it is not offered in
# the configuration menus; presumably enabled through "select" from other
# Kconfig files (no selector is visible in this file).
config NF_DEFRAG_IPV6
	tristate