#
# IP netfilter configuration
#

menu "IPv6: Netfilter Configuration"
	depends on CONFIG_INET && CONFIG_IPV6 && CONFIG_NETFILTER

config CONFIG_NF_DEFRAG_IPV6
	tristate
	default n

config CONFIG_NF_CONNTRACK_IPV6
	tristate "IPv6 connection tracking support"
	depends on CONFIG_INET && CONFIG_IPV6 && CONFIG_NF_CONNTRACK
	default m if CONFIG_NETFILTER_ADVANCED=n
	select CONFIG_NF_DEFRAG_IPV6
	---help---
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections.

	  This is IPv6 support on Layer 3 independent connection tracking.
	  Layer 3 independent connection tracking is experimental scheme
	  which generalize ip_conntrack to support other layer 3 protocols.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

config CONFIG_NF_SOCKET_IPV6
	tristate "IPv6 socket lookup support"
	help
	  This option enables the IPv6 socket lookup infrastructure. This
	  is used by the ip6tables socket match.

if CONFIG_NF_TABLES

config CONFIG_NF_TABLES_IPV6
	tristate "IPv6 nf_tables support"
	help
	  This option enables the IPv6 support for nf_tables.

if CONFIG_NF_TABLES_IPV6

config CONFIG_NFT_CHAIN_ROUTE_IPV6
	tristate "IPv6 nf_tables route chain support"
	help
	  This option enables the "route" chain for IPv6 in nf_tables. This
	  chain type is used to force packet re-routing after mangling header
	  fields such as the source, destination, flowlabel, hop-limit and
	  the packet mark.

config CONFIG_NFT_REJECT_IPV6
	select CONFIG_NF_REJECT_IPV6
	default CONFIG_NFT_REJECT
	tristate

config CONFIG_NFT_DUP_IPV6
	tristate "IPv6 nf_tables packet duplication support"
	depends on !CONFIG_NF_CONNTRACK || CONFIG_NF_CONNTRACK
	select CONFIG_NF_DUP_IPV6
	help
	  This module enables IPv6 packet duplication support for nf_tables.

config CONFIG_NFT_FIB_IPV6
	tristate "nf_tables fib / ipv6 route lookup support"
	select CONFIG_NFT_FIB
	help
	  This module enables IPv6 FIB lookups, e.g. for reverse path filtering.
	  It also allows query of the FIB for the route type, e.g. local, unicast,
	  multicast or blackhole.

endif # CONFIG_NF_TABLES_IPV6
endif # CONFIG_NF_TABLES

config CONFIG_NF_DUP_IPV6
	tristate "Netfilter IPv6 packet duplication to alternate destination"
	depends on !CONFIG_NF_CONNTRACK || CONFIG_NF_CONNTRACK
	help
	  This option enables the nf_dup_ipv6 core, which duplicates an IPv6
	  packet to be rerouted to another destination.

config CONFIG_NF_REJECT_IPV6
	tristate "IPv6 packet rejection"
	default m if CONFIG_NETFILTER_ADVANCED=n

config CONFIG_NF_LOG_IPV6
	tristate "IPv6 packet logging"
	default m if CONFIG_NETFILTER_ADVANCED=n
	select CONFIG_NF_LOG_COMMON

config CONFIG_NF_NAT_IPV6
	tristate "IPv6 NAT"
	depends on CONFIG_NF_CONNTRACK_IPV6
	depends on CONFIG_NETFILTER_ADVANCED
	select CONFIG_NF_NAT
	help
	  The IPv6 NAT option allows masquerading, port forwarding and other
	  forms of full Network Address Port Translation. This can be
	  controlled by iptables or nft.

if CONFIG_NF_NAT_IPV6

config CONFIG_NFT_CHAIN_NAT_IPV6
	depends on CONFIG_NF_TABLES_IPV6
	tristate "IPv6 nf_tables nat chain support"
	help
	  This option enables the "nat" chain for IPv6 in nf_tables. This
	  chain type is used to perform Network Address Translation (NAT)
	  packet transformations such as the source, destination address and
	  source and destination ports.

config CONFIG_NF_NAT_MASQUERADE_IPV6
	tristate "IPv6 masquerade support"
	help
	  This is the kernel functionality to provide NAT in the masquerade
	  flavour (automatic source address selection) for IPv6.

config CONFIG_NFT_MASQ_IPV6
	tristate "IPv6 masquerade support for nf_tables"
	depends on CONFIG_NF_TABLES_IPV6
	depends on CONFIG_NFT_MASQ
	select CONFIG_NF_NAT_MASQUERADE_IPV6
	help
	  This is the expression that provides IPv4 masquerading support for
	  nf_tables.

config CONFIG_NFT_REDIR_IPV6
	tristate "IPv6 redirect support for nf_tables"
	depends on CONFIG_NF_TABLES_IPV6
	depends on CONFIG_NFT_REDIR
	select CONFIG_NF_NAT_REDIRECT
	help
	  This is the expression that provides IPv4 redirect support for
	  nf_tables.

endif # CONFIG_NF_NAT_IPV6

config CONFIG_IP6_NF_IPTABLES
	tristate "IP6 tables support (required for filtering)"
	depends on CONFIG_INET && CONFIG_IPV6
	select CONFIG_NETFILTER_XTABLES
	default m if CONFIG_NETFILTER_ADVANCED=n
	help
	  ip6tables is a general, extensible packet identification framework.
	  Currently only the packet filtering and packet mangling subsystem
	  for IPv6 use this, but connection tracking is going to follow.
	  Say 'Y' or 'CONFIG_M' here if you want to use either of those.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

if CONFIG_IP6_NF_IPTABLES

# The simple matches.
config CONFIG_IP6_NF_MATCH_AH
	tristate '"ah" match support'
	depends on CONFIG_NETFILTER_ADVANCED
	help
	  This module allows one to match AH packets.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

config CONFIG_IP6_NF_MATCH_EUI64
	tristate '"eui64" address check'
	depends on CONFIG_NETFILTER_ADVANCED
	help
	  This module performs checking on the IPv6 source address
	  Compares the last 64 bits with the EUI64 (delivered
	  from the CONFIG_MAC address) address

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

config CONFIG_IP6_NF_MATCH_FRAG
	tristate '"frag" Fragmentation header match support'
	depends on CONFIG_NETFILTER_ADVANCED
	help
	  frag matching allows you to match packets based on the fragmentation
	  header of the packet.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

config CONFIG_IP6_NF_MATCH_OPTS
	tristate '"hbh" hop-by-hop and "dst" opts header match support'
	depends on CONFIG_NETFILTER_ADVANCED
	help
	  This allows one to match packets based on the hop-by-hop
	  and destination options headers of a packet.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

config CONFIG_IP6_NF_MATCH_HL
	tristate '"hl" hoplimit match support'
	depends on CONFIG_NETFILTER_ADVANCED
	select CONFIG_NETFILTER_XT_MATCH_HL
	---help---
	This is a backwards-compat option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_MATCH_HL.

config CONFIG_IP6_NF_MATCH_IPV6HEADER
	tristate '"ipv6header" IPv6 Extension Headers Match'
	default m if CONFIG_NETFILTER_ADVANCED=n
	help
	  This module allows one to match packets based upon
	  the ipv6 extension headers.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

config CONFIG_IP6_NF_MATCH_MH
	tristate '"mh" match support'
	depends on CONFIG_NETFILTER_ADVANCED
	help
	  This module allows one to match MH packets.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

config CONFIG_IP6_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on CONFIG_NETFILTER_ADVANCED
	depends on CONFIG_IP6_NF_MANGLE || CONFIG_IP6_NF_RAW
	---help---
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.
	  The module will be called ip6t_rpfilter.

config CONFIG_IP6_NF_MATCH_RT
	tristate '"rt" Routing header match support'
	depends on CONFIG_NETFILTER_ADVANCED
	help
	  rt matching allows you to match packets based on the routing
	  header of the packet.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

# The targets
config CONFIG_IP6_NF_TARGET_HL
	tristate '"HL" hoplimit target support'
	depends on CONFIG_NETFILTER_ADVANCED && CONFIG_IP6_NF_MANGLE
	select CONFIG_NETFILTER_XT_TARGET_HL
	---help---
	This is a backwards-compatible option for the user's convenience
	(e.g. when running oldconfig). It selects
	CONFIG_NETFILTER_XT_TARGET_HL.

config CONFIG_IP6_NF_FILTER
	tristate "Packet filtering"
	default m if CONFIG_NETFILTER_ADVANCED=n
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
	  local output.  See the man page for iptables(8).

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

config CONFIG_IP6_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on CONFIG_IP6_NF_FILTER
	select CONFIG_NF_REJECT_IPV6
	default m if CONFIG_NETFILTER_ADVANCED=n
	help
	  The REJECT target allows a filtering rule to specify that an ICMPv6
	  error should be issued in response to an incoming packet, rather
	  than silently being dropped.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

config CONFIG_IP6_NF_TARGET_SYNPROXY
	tristate "SYNPROXY target support"
	depends on CONFIG_NF_CONNTRACK && CONFIG_NETFILTER_ADVANCED
	select CONFIG_NETFILTER_SYNPROXY
	select CONFIG_SYN_COOKIES
	help
	  The SYNPROXY target allows you to intercept TCP connections and
	  establish them using syncookies before they are passed on to the
	  server. This allows to avoid conntrack and server resource usage
	  during SYN-flood attacks.

	  To compile it as a module, choose CONFIG_M here. If unsure, say N.

config CONFIG_IP6_NF_MANGLE
	tristate "Packet mangling"
	default m if CONFIG_NETFILTER_ADVANCED=n
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
	  which can effect how the packet is routed.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

config CONFIG_IP6_NF_RAW
	tristate  'raw table support (required for TRACE)'
	help
	  This option adds a `raw' table to ip6tables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
	  and OUTPUT chains.

	  If you want to compile it as a module, say CONFIG_M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

# security table for CONFIG_MAC policy
config CONFIG_IP6_NF_SECURITY
       tristate "Security table"
       depends on CONFIG_SECURITY
       depends on CONFIG_NETFILTER_ADVANCED
       help
         This option adds a `security' table to iptables, for use
         with Mandatory Access Control (CONFIG_MAC) policy.

         If unsure, say N.

config CONFIG_IP6_NF_NAT
	tristate "ip6tables NAT support"
	depends on CONFIG_NF_CONNTRACK_IPV6
	depends on CONFIG_NETFILTER_ADVANCED
	select CONFIG_NF_NAT
	select CONFIG_NF_NAT_IPV6
	select CONFIG_NETFILTER_XT_NAT
	help
	  This enables the `nat' table in ip6tables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
	  Translation.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

if CONFIG_IP6_NF_NAT

config CONFIG_IP6_NF_TARGET_MASQUERADE
	tristate "MASQUERADE target support"
	select CONFIG_NF_NAT_MASQUERADE_IPV6
	help
	  Masquerading is a special case of NAT: all outgoing connections are
	  changed to seem to come from a particular interface's address, and
	  if the interface goes down, those connections are lost.  This is
	  only useful for dialup accounts with dynamic IP address (ie. your IP
	  address will be different on next dialup).

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

config CONFIG_IP6_NF_TARGET_NPT
	tristate "NPT (Network Prefix translation) target support"
	help
	  This option adds the `SNPT' and `DNPT' target, which perform
	  stateless IPv6-to-IPv6 Network Prefix Translation per RFC 6296.

	  To compile it as a module, choose CONFIG_M here.  If unsure, say N.

endif # CONFIG_IP6_NF_NAT

endif # CONFIG_IP6_NF_IPTABLES

endmenu