netfilter: add IPv6 SYNPROXY target

Add an IPv6 version of the SYNPROXY target. The main differences to the IPv4 version is routing and IP header construction. Signed-off-by: Patrick McHardy <kaber@trash.net> Tested-by: Martin Topholm <mph@one.com> Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Patrick McHardy <kaber@trash.net> 2013-08-27 08:50:16 +0200
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-08-28 00:28:13 +0200
commit: 4ad362282cb45bbc831a182e45637da8c5bd7aa1 (patch)
tree: 66d91d0ac5947985d41ff8c12cbed39fa2548e9d /net/ipv6/netfilter/Kconfig
parent: 81eb6a1487718a89621a0e0be7fafd0cd7c429a4 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 4433ab40e7de..a7f842b29b67 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -153,6 +153,19 @@ config IP6_NF_TARGET_REJECT
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+config IP6_NF_TARGET_SYNPROXY
+	tristate "SYNPROXY target support"
+	depends on NF_CONNTRACK && NETFILTER_ADVANCED
+	select NETFILTER_SYNPROXY
+	select SYN_COOKIES
+	help
+	  The SYNPROXY target allows you to intercept TCP connections and
+	  establish them using syncookies before they are passed on to the
+	  server. This allows to avoid conntrack and server resource usage
+	  during SYN-flood attacks.
+
+	  To compile it as a module, choose M here. If unsure, say N.
+
 config IP6_NF_MANGLE
 	tristate "Packet mangling"
 	default m if NETFILTER_ADVANCED=n
author	Patrick McHardy <kaber@trash.net>	2013-08-27 08:50:16 +0200
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2013-08-28 00:28:13 +0200
commit	4ad362282cb45bbc831a182e45637da8c5bd7aa1 (patch)
tree	66d91d0ac5947985d41ff8c12cbed39fa2548e9d /net/ipv6/netfilter/Kconfig
parent	81eb6a1487718a89621a0e0be7fafd0cd7c429a4 (diff)