aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2007-12-18 01:47:05 -0500
committerDavid S. Miller <davem@davemloft.net>2008-01-28 17:59:12 -0500
commit33b8e776056202aceaf4c90f465d0f4ee53432ac (patch)
tree24f6bc7b89a81d95b1b9c0f16254ad8423aed9cb
parent34498825cb9062192b77fa02dae672a4fe6eec70 (diff)
[NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option
The NETFILTER_ADVANCED option hides lots of the rather obscure netfilter options when disabled and provides defaults (M) that should allow to run a distribution firewall without further thinking. Defaults to 'y' to avoid breaking current configurations. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat
-rw-r--r--net/Kconfig12
-rw-r--r--net/bridge/netfilter/Kconfig2
-rw-r--r--net/decnet/netfilter/Kconfig1
-rw-r--r--net/ipv4/netfilter/Kconfig26
-rw-r--r--net/ipv6/netfilter/Kconfig23
-rw-r--r--net/netfilter/Kconfig71
6 files changed, 124 insertions, 11 deletions
diff --git a/net/Kconfig b/net/Kconfig
index 58ed2f4199d..b6a5d454f2f 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -144,9 +144,21 @@ config NETFILTER_DEBUG
144 You can say Y here if you want to get additional messages useful in 144 You can say Y here if you want to get additional messages useful in
145 debugging the netfilter code. 145 debugging the netfilter code.
146 146
147config NETFILTER_ADVANCED
148 bool "Advanced netfilter configuration"
149 depends on NETFILTER
150 default y
151 help
152 If you say Y here you can select between all the netfilter modules.
153 If you say N the more ununsual ones will not be shown and the
154 basic ones needed by most people will default to 'M'.
155
156 If unsure, say Y.
157
147config BRIDGE_NETFILTER 158config BRIDGE_NETFILTER
148 bool "Bridged IP/ARP packets filtering" 159 bool "Bridged IP/ARP packets filtering"
149 depends on BRIDGE && NETFILTER && INET 160 depends on BRIDGE && NETFILTER && INET
161 depends on NETFILTER_ADVANCED
150 default y 162 default y
151 ---help--- 163 ---help---
152 Enabling this option will let arptables resp. iptables see bridged 164 Enabling this option will let arptables resp. iptables see bridged
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index b84fc6075fe..4a3e2bf892c 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -3,7 +3,7 @@
3# 3#
4 4
5menu "Bridge: Netfilter Configuration" 5menu "Bridge: Netfilter Configuration"
6 depends on BRIDGE && NETFILTER 6 depends on BRIDGE && BRIDGE_NETFILTER
7 7
8config BRIDGE_NF_EBTABLES 8config BRIDGE_NF_EBTABLES
9 tristate "Ethernet Bridge tables (ebtables) support" 9 tristate "Ethernet Bridge tables (ebtables) support"
diff --git a/net/decnet/netfilter/Kconfig b/net/decnet/netfilter/Kconfig
index ecdb3f9f14c..2f81de5e752 100644
--- a/net/decnet/netfilter/Kconfig
+++ b/net/decnet/netfilter/Kconfig
@@ -4,6 +4,7 @@
4 4
5menu "DECnet: Netfilter Configuration" 5menu "DECnet: Netfilter Configuration"
6 depends on DECNET && NETFILTER && EXPERIMENTAL 6 depends on DECNET && NETFILTER && EXPERIMENTAL
7 depends on NETFILTER_ADVANCED
7 8
8config DECNET_NF_GRABULATOR 9config DECNET_NF_GRABULATOR
9 tristate "Routing message grabulator (for userland routing daemon)" 10 tristate "Routing message grabulator (for userland routing daemon)"
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index ad26f66b53e..cface714edf 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -8,6 +8,7 @@ menu "IP: Netfilter Configuration"
8config NF_CONNTRACK_IPV4 8config NF_CONNTRACK_IPV4
9 tristate "IPv4 connection tracking support (required for NAT)" 9 tristate "IPv4 connection tracking support (required for NAT)"
10 depends on NF_CONNTRACK 10 depends on NF_CONNTRACK
11 default m if NETFILTER_ADVANCED=n
11 ---help--- 12 ---help---
12 Connection tracking keeps a record of what packets have passed 13 Connection tracking keeps a record of what packets have passed
13 through your machine, in order to figure out how they are related 14 through your machine, in order to figure out how they are related
@@ -32,6 +33,7 @@ config NF_CONNTRACK_PROC_COMPAT
32 33
33config IP_NF_QUEUE 34config IP_NF_QUEUE
34 tristate "IP Userspace queueing via NETLINK (OBSOLETE)" 35 tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
36 depends on NETFILTER_ADVANCED
35 help 37 help
36 Netfilter has the ability to queue packets to user space: the 38 Netfilter has the ability to queue packets to user space: the
37 netlink device can be used to access them using this driver. 39 netlink device can be used to access them using this driver.
@@ -44,6 +46,7 @@ config IP_NF_QUEUE
44 46
45config IP_NF_IPTABLES 47config IP_NF_IPTABLES
46 tristate "IP tables support (required for filtering/masq/NAT)" 48 tristate "IP tables support (required for filtering/masq/NAT)"
49 default m if NETFILTER_ADVANCED=n
47 select NETFILTER_XTABLES 50 select NETFILTER_XTABLES
48 help 51 help
49 iptables is a general, extensible packet identification framework. 52 iptables is a general, extensible packet identification framework.
@@ -57,6 +60,7 @@ config IP_NF_IPTABLES
57config IP_NF_MATCH_IPRANGE 60config IP_NF_MATCH_IPRANGE
58 tristate '"iprange" match support' 61 tristate '"iprange" match support'
59 depends on IP_NF_IPTABLES 62 depends on IP_NF_IPTABLES
63 depends on NETFILTER_ADVANCED
60 help 64 help
61 This option makes possible to match IP addresses against IP address 65 This option makes possible to match IP addresses against IP address
62 ranges. 66 ranges.
@@ -66,6 +70,7 @@ config IP_NF_MATCH_IPRANGE
66config IP_NF_MATCH_RECENT 70config IP_NF_MATCH_RECENT
67 tristate '"recent" match support' 71 tristate '"recent" match support'
68 depends on IP_NF_IPTABLES 72 depends on IP_NF_IPTABLES
73 depends on NETFILTER_ADVANCED
69 help 74 help
70 This match is used for creating one or many lists of recently 75 This match is used for creating one or many lists of recently
71 used addresses and then matching against that/those list(s). 76 used addresses and then matching against that/those list(s).
@@ -78,6 +83,7 @@ config IP_NF_MATCH_RECENT
78config IP_NF_MATCH_ECN 83config IP_NF_MATCH_ECN
79 tristate '"ecn" match support' 84 tristate '"ecn" match support'
80 depends on IP_NF_IPTABLES 85 depends on IP_NF_IPTABLES
86 depends on NETFILTER_ADVANCED
81 help 87 help
82 This option adds a `ECN' match, which allows you to match against 88 This option adds a `ECN' match, which allows you to match against
83 the IPv4 and TCP header ECN fields. 89 the IPv4 and TCP header ECN fields.
@@ -87,6 +93,7 @@ config IP_NF_MATCH_ECN
87config IP_NF_MATCH_AH 93config IP_NF_MATCH_AH
88 tristate '"ah" match support' 94 tristate '"ah" match support'
89 depends on IP_NF_IPTABLES 95 depends on IP_NF_IPTABLES
96 depends on NETFILTER_ADVANCED
90 help 97 help
91 This match extension allows you to match a range of SPIs 98 This match extension allows you to match a range of SPIs
92 inside AH header of IPSec packets. 99 inside AH header of IPSec packets.
@@ -96,6 +103,7 @@ config IP_NF_MATCH_AH
96config IP_NF_MATCH_TTL 103config IP_NF_MATCH_TTL
97 tristate '"ttl" match support' 104 tristate '"ttl" match support'
98 depends on IP_NF_IPTABLES 105 depends on IP_NF_IPTABLES
106 depends on NETFILTER_ADVANCED
99 help 107 help
100 This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user 108 This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
101 to match packets by their TTL value. 109 to match packets by their TTL value.
@@ -105,10 +113,11 @@ config IP_NF_MATCH_TTL
105config IP_NF_MATCH_ADDRTYPE 113config IP_NF_MATCH_ADDRTYPE
106 tristate '"addrtype" address type match support' 114 tristate '"addrtype" address type match support'
107 depends on IP_NF_IPTABLES 115 depends on IP_NF_IPTABLES
116 depends on NETFILTER_ADVANCED
108 help 117 help
109 This option allows you to match what routing thinks of an address, 118 This option allows you to match what routing thinks of an address,
110 eg. UNICAST, LOCAL, BROADCAST, ... 119 eg. UNICAST, LOCAL, BROADCAST, ...
111 120
112 If you want to compile it as a module, say M here and read 121 If you want to compile it as a module, say M here and read
113 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 122 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
114 123
@@ -116,6 +125,7 @@ config IP_NF_MATCH_ADDRTYPE
116config IP_NF_FILTER 125config IP_NF_FILTER
117 tristate "Packet filtering" 126 tristate "Packet filtering"
118 depends on IP_NF_IPTABLES 127 depends on IP_NF_IPTABLES
128 default m if NETFILTER_ADVANCED=n
119 help 129 help
120 Packet filtering defines a table `filter', which has a series of 130 Packet filtering defines a table `filter', which has a series of
121 rules for simple packet filtering at local input, forwarding and 131 rules for simple packet filtering at local input, forwarding and
@@ -126,6 +136,7 @@ config IP_NF_FILTER
126config IP_NF_TARGET_REJECT 136config IP_NF_TARGET_REJECT
127 tristate "REJECT target support" 137 tristate "REJECT target support"
128 depends on IP_NF_FILTER 138 depends on IP_NF_FILTER
139 default m if NETFILTER_ADVANCED=n
129 help 140 help
130 The REJECT target allows a filtering rule to specify that an ICMP 141 The REJECT target allows a filtering rule to specify that an ICMP
131 error should be issued in response to an incoming packet, rather 142 error should be issued in response to an incoming packet, rather
@@ -136,6 +147,7 @@ config IP_NF_TARGET_REJECT
136config IP_NF_TARGET_LOG 147config IP_NF_TARGET_LOG
137 tristate "LOG target support" 148 tristate "LOG target support"
138 depends on IP_NF_IPTABLES 149 depends on IP_NF_IPTABLES
150 default m if NETFILTER_ADVANCED=n
139 help 151 help
140 This option adds a `LOG' target, which allows you to create rules in 152 This option adds a `LOG' target, which allows you to create rules in
141 any iptables table which records the packet header to the syslog. 153 any iptables table which records the packet header to the syslog.
@@ -145,6 +157,7 @@ config IP_NF_TARGET_LOG
145config IP_NF_TARGET_ULOG 157config IP_NF_TARGET_ULOG
146 tristate "ULOG target support" 158 tristate "ULOG target support"
147 depends on IP_NF_IPTABLES 159 depends on IP_NF_IPTABLES
160 default m if NETFILTER_ADVANCED=n
148 ---help--- 161 ---help---
149 162
150 This option enables the old IPv4-only "ipt_ULOG" implementation 163 This option enables the old IPv4-only "ipt_ULOG" implementation
@@ -165,6 +178,7 @@ config IP_NF_TARGET_ULOG
165config NF_NAT 178config NF_NAT
166 tristate "Full NAT" 179 tristate "Full NAT"
167 depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4 180 depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
181 default m if NETFILTER_ADVANCED=n
168 help 182 help
169 The Full NAT option allows masquerading, port forwarding and other 183 The Full NAT option allows masquerading, port forwarding and other
170 forms of full Network Address Port Translation. It is controlled by 184 forms of full Network Address Port Translation. It is controlled by
@@ -180,6 +194,7 @@ config NF_NAT_NEEDED
180config IP_NF_TARGET_MASQUERADE 194config IP_NF_TARGET_MASQUERADE
181 tristate "MASQUERADE target support" 195 tristate "MASQUERADE target support"
182 depends on NF_NAT 196 depends on NF_NAT
197 default m if NETFILTER_ADVANCED=n
183 help 198 help
184 Masquerading is a special case of NAT: all outgoing connections are 199 Masquerading is a special case of NAT: all outgoing connections are
185 changed to seem to come from a particular interface's address, and 200 changed to seem to come from a particular interface's address, and
@@ -192,6 +207,7 @@ config IP_NF_TARGET_MASQUERADE
192config IP_NF_TARGET_REDIRECT 207config IP_NF_TARGET_REDIRECT
193 tristate "REDIRECT target support" 208 tristate "REDIRECT target support"
194 depends on NF_NAT 209 depends on NF_NAT
210 depends on NETFILTER_ADVANCED
195 help 211 help
196 REDIRECT is a special case of NAT: all incoming connections are 212 REDIRECT is a special case of NAT: all incoming connections are
197 mapped onto the incoming interface's address, causing the packets to 213 mapped onto the incoming interface's address, causing the packets to
@@ -203,6 +219,7 @@ config IP_NF_TARGET_REDIRECT
203config IP_NF_TARGET_NETMAP 219config IP_NF_TARGET_NETMAP
204 tristate "NETMAP target support" 220 tristate "NETMAP target support"
205 depends on NF_NAT 221 depends on NF_NAT
222 depends on NETFILTER_ADVANCED
206 help 223 help
207 NETMAP is an implementation of static 1:1 NAT mapping of network 224 NETMAP is an implementation of static 1:1 NAT mapping of network
208 addresses. It maps the network address part, while keeping the host 225 addresses. It maps the network address part, while keeping the host
@@ -214,6 +231,7 @@ config IP_NF_TARGET_NETMAP
214config NF_NAT_SNMP_BASIC 231config NF_NAT_SNMP_BASIC
215 tristate "Basic SNMP-ALG support (EXPERIMENTAL)" 232 tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
216 depends on EXPERIMENTAL && NF_NAT 233 depends on EXPERIMENTAL && NF_NAT
234 depends on NETFILTER_ADVANCED
217 ---help--- 235 ---help---
218 236
219 This module implements an Application Layer Gateway (ALG) for 237 This module implements an Application Layer Gateway (ALG) for
@@ -277,6 +295,7 @@ config NF_NAT_SIP
277config IP_NF_MANGLE 295config IP_NF_MANGLE
278 tristate "Packet mangling" 296 tristate "Packet mangling"
279 depends on IP_NF_IPTABLES 297 depends on IP_NF_IPTABLES
298 default m if NETFILTER_ADVANCED=n
280 help 299 help
281 This option adds a `mangle' table to iptables: see the man page for 300 This option adds a `mangle' table to iptables: see the man page for
282 iptables(8). This table is used for various packet alterations 301 iptables(8). This table is used for various packet alterations
@@ -287,6 +306,7 @@ config IP_NF_MANGLE
287config IP_NF_TARGET_ECN 306config IP_NF_TARGET_ECN
288 tristate "ECN target support" 307 tristate "ECN target support"
289 depends on IP_NF_MANGLE 308 depends on IP_NF_MANGLE
309 depends on NETFILTER_ADVANCED
290 ---help--- 310 ---help---
291 This option adds a `ECN' target, which can be used in the iptables mangle 311 This option adds a `ECN' target, which can be used in the iptables mangle
292 table. 312 table.
@@ -301,6 +321,7 @@ config IP_NF_TARGET_ECN
301config IP_NF_TARGET_TTL 321config IP_NF_TARGET_TTL
302 tristate 'TTL target support' 322 tristate 'TTL target support'
303 depends on IP_NF_MANGLE 323 depends on IP_NF_MANGLE
324 depends on NETFILTER_ADVANCED
304 help 325 help
305 This option adds a `TTL' target, which enables the user to modify 326 This option adds a `TTL' target, which enables the user to modify
306 the TTL value of the IP header. 327 the TTL value of the IP header.
@@ -316,6 +337,7 @@ config IP_NF_TARGET_CLUSTERIP
316 tristate "CLUSTERIP target support (EXPERIMENTAL)" 337 tristate "CLUSTERIP target support (EXPERIMENTAL)"
317 depends on IP_NF_MANGLE && EXPERIMENTAL 338 depends on IP_NF_MANGLE && EXPERIMENTAL
318 depends on NF_CONNTRACK_IPV4 339 depends on NF_CONNTRACK_IPV4
340 depends on NETFILTER_ADVANCED
319 select NF_CONNTRACK_MARK 341 select NF_CONNTRACK_MARK
320 help 342 help
321 The CLUSTERIP target allows you to build load-balancing clusters of 343 The CLUSTERIP target allows you to build load-balancing clusters of
@@ -328,6 +350,7 @@ config IP_NF_TARGET_CLUSTERIP
328config IP_NF_RAW 350config IP_NF_RAW
329 tristate 'raw table support (required for NOTRACK/TRACE)' 351 tristate 'raw table support (required for NOTRACK/TRACE)'
330 depends on IP_NF_IPTABLES 352 depends on IP_NF_IPTABLES
353 depends on NETFILTER_ADVANCED
331 help 354 help
332 This option adds a `raw' table to iptables. This table is the very 355 This option adds a `raw' table to iptables. This table is the very
333 first in the netfilter framework and hooks in at the PREROUTING 356 first in the netfilter framework and hooks in at the PREROUTING
@@ -340,6 +363,7 @@ config IP_NF_RAW
340config IP_NF_ARPTABLES 363config IP_NF_ARPTABLES
341 tristate "ARP tables support" 364 tristate "ARP tables support"
342 select NETFILTER_XTABLES 365 select NETFILTER_XTABLES
366 depends on NETFILTER_ADVANCED
343 help 367 help
344 arptables is a general, extensible packet identification framework. 368 arptables is a general, extensible packet identification framework.
345 The ARP packet filtering and mangling (manipulation)subsystems 369 The ARP packet filtering and mangling (manipulation)subsystems
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 5374c665f8d..a6b4a9a1053 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -8,6 +8,7 @@ menu "IPv6: Netfilter Configuration (EXPERIMENTAL)"
8config NF_CONNTRACK_IPV6 8config NF_CONNTRACK_IPV6
9 tristate "IPv6 connection tracking support (EXPERIMENTAL)" 9 tristate "IPv6 connection tracking support (EXPERIMENTAL)"
10 depends on INET && IPV6 && EXPERIMENTAL && NF_CONNTRACK 10 depends on INET && IPV6 && EXPERIMENTAL && NF_CONNTRACK
11 default m if NETFILTER_ADVANCED=n
11 ---help--- 12 ---help---
12 Connection tracking keeps a record of what packets have passed 13 Connection tracking keeps a record of what packets have passed
13 through your machine, in order to figure out how they are related 14 through your machine, in order to figure out how they are related
@@ -22,6 +23,7 @@ config NF_CONNTRACK_IPV6
22config IP6_NF_QUEUE 23config IP6_NF_QUEUE
23 tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)" 24 tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
24 depends on INET && IPV6 && NETFILTER && EXPERIMENTAL 25 depends on INET && IPV6 && NETFILTER && EXPERIMENTAL
26 depends on NETFILTER_ADVANCED
25 ---help--- 27 ---help---
26 28
27 This option adds a queue handler to the kernel for IPv6 29 This option adds a queue handler to the kernel for IPv6
@@ -44,6 +46,7 @@ config IP6_NF_IPTABLES
44 tristate "IP6 tables support (required for filtering)" 46 tristate "IP6 tables support (required for filtering)"
45 depends on INET && IPV6 && EXPERIMENTAL 47 depends on INET && IPV6 && EXPERIMENTAL
46 select NETFILTER_XTABLES 48 select NETFILTER_XTABLES
49 default m if NETFILTER_ADVANCED=n
47 help 50 help
48 ip6tables is a general, extensible packet identification framework. 51 ip6tables is a general, extensible packet identification framework.
49 Currently only the packet filtering and packet mangling subsystem 52 Currently only the packet filtering and packet mangling subsystem
@@ -56,6 +59,7 @@ config IP6_NF_IPTABLES
56config IP6_NF_MATCH_RT 59config IP6_NF_MATCH_RT
57 tristate '"rt" Routing header match support' 60 tristate '"rt" Routing header match support'
58 depends on IP6_NF_IPTABLES 61 depends on IP6_NF_IPTABLES
62 depends on NETFILTER_ADVANCED
59 help 63 help
60 rt matching allows you to match packets based on the routing 64 rt matching allows you to match packets based on the routing
61 header of the packet. 65 header of the packet.
@@ -65,6 +69,7 @@ config IP6_NF_MATCH_RT
65config IP6_NF_MATCH_OPTS 69config IP6_NF_MATCH_OPTS
66 tristate '"hopbyhop" and "dst" opts header match support' 70 tristate '"hopbyhop" and "dst" opts header match support'
67 depends on IP6_NF_IPTABLES 71 depends on IP6_NF_IPTABLES
72 depends on NETFILTER_ADVANCED
68 help 73 help
69 This allows one to match packets based on the hop-by-hop 74 This allows one to match packets based on the hop-by-hop
70 and destination options headers of a packet. 75 and destination options headers of a packet.
@@ -74,6 +79,7 @@ config IP6_NF_MATCH_OPTS
74config IP6_NF_MATCH_FRAG 79config IP6_NF_MATCH_FRAG
75 tristate '"frag" Fragmentation header match support' 80 tristate '"frag" Fragmentation header match support'
76 depends on IP6_NF_IPTABLES 81 depends on IP6_NF_IPTABLES
82 depends on NETFILTER_ADVANCED
77 help 83 help
78 frag matching allows you to match packets based on the fragmentation 84 frag matching allows you to match packets based on the fragmentation
79 header of the packet. 85 header of the packet.
@@ -83,6 +89,7 @@ config IP6_NF_MATCH_FRAG
83config IP6_NF_MATCH_HL 89config IP6_NF_MATCH_HL
84 tristate '"hl" match support' 90 tristate '"hl" match support'
85 depends on IP6_NF_IPTABLES 91 depends on IP6_NF_IPTABLES
92 depends on NETFILTER_ADVANCED
86 help 93 help
87 HL matching allows you to match packets based on the hop 94 HL matching allows you to match packets based on the hop
88 limit of the packet. 95 limit of the packet.
@@ -92,6 +99,7 @@ config IP6_NF_MATCH_HL
92config IP6_NF_MATCH_IPV6HEADER 99config IP6_NF_MATCH_IPV6HEADER
93 tristate '"ipv6header" IPv6 Extension Headers Match' 100 tristate '"ipv6header" IPv6 Extension Headers Match'
94 depends on IP6_NF_IPTABLES 101 depends on IP6_NF_IPTABLES
102 depends on NETFILTER_ADVANCED
95 help 103 help
96 This module allows one to match packets based upon 104 This module allows one to match packets based upon
97 the ipv6 extension headers. 105 the ipv6 extension headers.
@@ -101,6 +109,7 @@ config IP6_NF_MATCH_IPV6HEADER
101config IP6_NF_MATCH_AH 109config IP6_NF_MATCH_AH
102 tristate '"ah" match support' 110 tristate '"ah" match support'
103 depends on IP6_NF_IPTABLES 111 depends on IP6_NF_IPTABLES
112 depends on NETFILTER_ADVANCED
104 help 113 help
105 This module allows one to match AH packets. 114 This module allows one to match AH packets.
106 115
@@ -109,6 +118,7 @@ config IP6_NF_MATCH_AH
109config IP6_NF_MATCH_MH 118config IP6_NF_MATCH_MH
110 tristate '"mh" match support' 119 tristate '"mh" match support'
111 depends on IP6_NF_IPTABLES 120 depends on IP6_NF_IPTABLES
121 depends on NETFILTER_ADVANCED
112 help 122 help
113 This module allows one to match MH packets. 123 This module allows one to match MH packets.
114 124
@@ -117,6 +127,7 @@ config IP6_NF_MATCH_MH
117config IP6_NF_MATCH_EUI64 127config IP6_NF_MATCH_EUI64
118 tristate '"eui64" address check' 128 tristate '"eui64" address check'
119 depends on IP6_NF_IPTABLES 129 depends on IP6_NF_IPTABLES
130 depends on NETFILTER_ADVANCED
120 help 131 help
121 This module performs checking on the IPv6 source address 132 This module performs checking on the IPv6 source address
122 Compares the last 64 bits with the EUI64 (delivered 133 Compares the last 64 bits with the EUI64 (delivered
@@ -128,6 +139,7 @@ config IP6_NF_MATCH_EUI64
128config IP6_NF_FILTER 139config IP6_NF_FILTER
129 tristate "Packet filtering" 140 tristate "Packet filtering"
130 depends on IP6_NF_IPTABLES 141 depends on IP6_NF_IPTABLES
142 default m if NETFILTER_ADVANCED=n
131 help 143 help
132 Packet filtering defines a table `filter', which has a series of 144 Packet filtering defines a table `filter', which has a series of
133 rules for simple packet filtering at local input, forwarding and 145 rules for simple packet filtering at local input, forwarding and
@@ -138,6 +150,7 @@ config IP6_NF_FILTER
138config IP6_NF_TARGET_LOG 150config IP6_NF_TARGET_LOG
139 tristate "LOG target support" 151 tristate "LOG target support"
140 depends on IP6_NF_FILTER 152 depends on IP6_NF_FILTER
153 default m if NETFILTER_ADVANCED=n
141 help 154 help
142 This option adds a `LOG' target, which allows you to create rules in 155 This option adds a `LOG' target, which allows you to create rules in
143 any iptables table which records the packet header to the syslog. 156 any iptables table which records the packet header to the syslog.
@@ -147,6 +160,7 @@ config IP6_NF_TARGET_LOG
147config IP6_NF_TARGET_REJECT 160config IP6_NF_TARGET_REJECT
148 tristate "REJECT target support" 161 tristate "REJECT target support"
149 depends on IP6_NF_FILTER 162 depends on IP6_NF_FILTER
163 default m if NETFILTER_ADVANCED=n
150 help 164 help
151 The REJECT target allows a filtering rule to specify that an ICMPv6 165 The REJECT target allows a filtering rule to specify that an ICMPv6
152 error should be issued in response to an incoming packet, rather 166 error should be issued in response to an incoming packet, rather
@@ -157,6 +171,7 @@ config IP6_NF_TARGET_REJECT
157config IP6_NF_MANGLE 171config IP6_NF_MANGLE
158 tristate "Packet mangling" 172 tristate "Packet mangling"
159 depends on IP6_NF_IPTABLES 173 depends on IP6_NF_IPTABLES
174 default m if NETFILTER_ADVANCED=n
160 help 175 help
161 This option adds a `mangle' table to iptables: see the man page for 176 This option adds a `mangle' table to iptables: see the man page for
162 iptables(8). This table is used for various packet alterations 177 iptables(8). This table is used for various packet alterations
@@ -167,27 +182,29 @@ config IP6_NF_MANGLE
167config IP6_NF_TARGET_HL 182config IP6_NF_TARGET_HL
168 tristate 'HL (hoplimit) target support' 183 tristate 'HL (hoplimit) target support'
169 depends on IP6_NF_MANGLE 184 depends on IP6_NF_MANGLE
185 depends on NETFILTER_ADVANCED
170 help 186 help
171 This option adds a `HL' target, which enables the user to decrement 187 This option adds a `HL' target, which enables the user to decrement
172 the hoplimit value of the IPv6 header or set it to a given (lower) 188 the hoplimit value of the IPv6 header or set it to a given (lower)
173 value. 189 value.
174 190
175 While it is safe to decrement the hoplimit value, this option also 191 While it is safe to decrement the hoplimit value, this option also
176 enables functionality to increment and set the hoplimit value of the 192 enables functionality to increment and set the hoplimit value of the
177 IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since 193 IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since
178 you can easily create immortal packets that loop forever on the 194 you can easily create immortal packets that loop forever on the
179 network. 195 network.
180 196
181 To compile it as a module, choose M here. If unsure, say N. 197 To compile it as a module, choose M here. If unsure, say N.
182 198
183config IP6_NF_RAW 199config IP6_NF_RAW
184 tristate 'raw table support (required for TRACE)' 200 tristate 'raw table support (required for TRACE)'
185 depends on IP6_NF_IPTABLES 201 depends on IP6_NF_IPTABLES
202 depends on NETFILTER_ADVANCED
186 help 203 help
187 This option adds a `raw' table to ip6tables. This table is the very 204 This option adds a `raw' table to ip6tables. This table is the very
188 first in the netfilter framework and hooks in at the PREROUTING 205 first in the netfilter framework and hooks in at the PREROUTING
189 and OUTPUT chains. 206 and OUTPUT chains.
190 207
191 If you want to compile it as a module, say M here and read 208 If you want to compile it as a module, say M here and read
192 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 209 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
193 210
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index bb61f83c7a7..96dbe9f56bc 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -6,6 +6,7 @@ config NETFILTER_NETLINK
6 6
7config NETFILTER_NETLINK_QUEUE 7config NETFILTER_NETLINK_QUEUE
8 tristate "Netfilter NFQUEUE over NFNETLINK interface" 8 tristate "Netfilter NFQUEUE over NFNETLINK interface"
9 depends on NETFILTER_ADVANCED
9 select NETFILTER_NETLINK 10 select NETFILTER_NETLINK
10 help 11 help
11 If this option is enabled, the kernel will include support 12 If this option is enabled, the kernel will include support
@@ -13,6 +14,7 @@ config NETFILTER_NETLINK_QUEUE
13 14
14config NETFILTER_NETLINK_LOG 15config NETFILTER_NETLINK_LOG
15 tristate "Netfilter LOG over NFNETLINK interface" 16 tristate "Netfilter LOG over NFNETLINK interface"
17 default m if NETFILTER_ADVANCED=n
16 select NETFILTER_NETLINK 18 select NETFILTER_NETLINK
17 help 19 help
18 If this option is enabled, the kernel will include support 20 If this option is enabled, the kernel will include support
@@ -24,6 +26,7 @@ config NETFILTER_NETLINK_LOG
24 26
25config NF_CONNTRACK 27config NF_CONNTRACK
26 tristate "Netfilter connection tracking support" 28 tristate "Netfilter connection tracking support"
29 default m if NETFILTER_ADVANCED=n
27 help 30 help
28 Connection tracking keeps a record of what packets have passed 31 Connection tracking keeps a record of what packets have passed
29 through your machine, in order to figure out how they are related 32 through your machine, in order to figure out how they are related
@@ -38,6 +41,7 @@ config NF_CONNTRACK
38 41
39config NF_CT_ACCT 42config NF_CT_ACCT
40 bool "Connection tracking flow accounting" 43 bool "Connection tracking flow accounting"
44 depends on NETFILTER_ADVANCED
41 depends on NF_CONNTRACK 45 depends on NF_CONNTRACK
42 help 46 help
43 If this option is enabled, the connection tracking code will 47 If this option is enabled, the connection tracking code will
@@ -50,6 +54,7 @@ config NF_CT_ACCT
50 54
51config NF_CONNTRACK_MARK 55config NF_CONNTRACK_MARK
52 bool 'Connection mark tracking support' 56 bool 'Connection mark tracking support'
57 depends on NETFILTER_ADVANCED
53 depends on NF_CONNTRACK 58 depends on NF_CONNTRACK
54 help 59 help
55 This option enables support for connection marks, used by the 60 This option enables support for connection marks, used by the
@@ -60,6 +65,7 @@ config NF_CONNTRACK_MARK
60config NF_CONNTRACK_SECMARK 65config NF_CONNTRACK_SECMARK
61 bool 'Connection tracking security mark support' 66 bool 'Connection tracking security mark support'
62 depends on NF_CONNTRACK && NETWORK_SECMARK 67 depends on NF_CONNTRACK && NETWORK_SECMARK
68 default m if NETFILTER_ADVANCED=n
63 help 69 help
64 This option enables security markings to be applied to 70 This option enables security markings to be applied to
65 connections. Typically they are copied to connections from 71 connections. Typically they are copied to connections from
@@ -72,6 +78,7 @@ config NF_CONNTRACK_SECMARK
72config NF_CONNTRACK_EVENTS 78config NF_CONNTRACK_EVENTS
73 bool "Connection tracking events (EXPERIMENTAL)" 79 bool "Connection tracking events (EXPERIMENTAL)"
74 depends on EXPERIMENTAL && NF_CONNTRACK 80 depends on EXPERIMENTAL && NF_CONNTRACK
81 depends on NETFILTER_ADVANCED
75 help 82 help
76 If this option is enabled, the connection tracking code will 83 If this option is enabled, the connection tracking code will
77 provide a notifier chain that can be used by other kernel code 84 provide a notifier chain that can be used by other kernel code
@@ -86,7 +93,7 @@ config NF_CT_PROTO_GRE
86config NF_CT_PROTO_SCTP 93config NF_CT_PROTO_SCTP
87 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)' 94 tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
88 depends on EXPERIMENTAL && NF_CONNTRACK 95 depends on EXPERIMENTAL && NF_CONNTRACK
89 default n 96 depends on NETFILTER_ADVANCED
90 help 97 help
91 With this option enabled, the layer 3 independent connection 98 With this option enabled, the layer 3 independent connection
92 tracking code will be able to do state tracking on SCTP connections. 99 tracking code will be able to do state tracking on SCTP connections.
@@ -97,6 +104,7 @@ config NF_CT_PROTO_SCTP
97config NF_CT_PROTO_UDPLITE 104config NF_CT_PROTO_UDPLITE
98 tristate 'UDP-Lite protocol connection tracking support (EXPERIMENTAL)' 105 tristate 'UDP-Lite protocol connection tracking support (EXPERIMENTAL)'
99 depends on EXPERIMENTAL && NF_CONNTRACK 106 depends on EXPERIMENTAL && NF_CONNTRACK
107 depends on NETFILTER_ADVANCED
100 help 108 help
101 With this option enabled, the layer 3 independent connection 109 With this option enabled, the layer 3 independent connection
102 tracking code will be able to do state tracking on UDP-Lite 110 tracking code will be able to do state tracking on UDP-Lite
@@ -107,6 +115,7 @@ config NF_CT_PROTO_UDPLITE
107config NF_CONNTRACK_AMANDA 115config NF_CONNTRACK_AMANDA
108 tristate "Amanda backup protocol support" 116 tristate "Amanda backup protocol support"
109 depends on NF_CONNTRACK 117 depends on NF_CONNTRACK
118 depends on NETFILTER_ADVANCED
110 select TEXTSEARCH 119 select TEXTSEARCH
111 select TEXTSEARCH_KMP 120 select TEXTSEARCH_KMP
112 help 121 help
@@ -122,6 +131,7 @@ config NF_CONNTRACK_AMANDA
122config NF_CONNTRACK_FTP 131config NF_CONNTRACK_FTP
123 tristate "FTP protocol support" 132 tristate "FTP protocol support"
124 depends on NF_CONNTRACK 133 depends on NF_CONNTRACK
134 default m if NETFILTER_ADVANCED=n
125 help 135 help
126 Tracking FTP connections is problematic: special helpers are 136 Tracking FTP connections is problematic: special helpers are
127 required for tracking them, and doing masquerading and other forms 137 required for tracking them, and doing masquerading and other forms
@@ -136,6 +146,7 @@ config NF_CONNTRACK_FTP
136config NF_CONNTRACK_H323 146config NF_CONNTRACK_H323
137 tristate "H.323 protocol support (EXPERIMENTAL)" 147 tristate "H.323 protocol support (EXPERIMENTAL)"
138 depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n) 148 depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n)
149 depends on NETFILTER_ADVANCED
139 help 150 help
140 H.323 is a VoIP signalling protocol from ITU-T. As one of the most 151 H.323 is a VoIP signalling protocol from ITU-T. As one of the most
141 important VoIP protocols, it is widely used by voice hardware and 152 important VoIP protocols, it is widely used by voice hardware and
@@ -155,6 +166,7 @@ config NF_CONNTRACK_H323
155config NF_CONNTRACK_IRC 166config NF_CONNTRACK_IRC
156 tristate "IRC protocol support" 167 tristate "IRC protocol support"
157 depends on NF_CONNTRACK 168 depends on NF_CONNTRACK
169 default m if NETFILTER_ADVANCED=n
158 help 170 help
159 There is a commonly-used extension to IRC called 171 There is a commonly-used extension to IRC called
160 Direct Client-to-Client Protocol (DCC). This enables users to send 172 Direct Client-to-Client Protocol (DCC). This enables users to send
@@ -170,6 +182,7 @@ config NF_CONNTRACK_IRC
170config NF_CONNTRACK_NETBIOS_NS 182config NF_CONNTRACK_NETBIOS_NS
171 tristate "NetBIOS name service protocol support (EXPERIMENTAL)" 183 tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
172 depends on EXPERIMENTAL && NF_CONNTRACK 184 depends on EXPERIMENTAL && NF_CONNTRACK
185 depends on NETFILTER_ADVANCED
173 help 186 help
174 NetBIOS name service requests are sent as broadcast messages from an 187 NetBIOS name service requests are sent as broadcast messages from an
175 unprivileged port and responded to with unicast messages to the 188 unprivileged port and responded to with unicast messages to the
@@ -189,6 +202,7 @@ config NF_CONNTRACK_NETBIOS_NS
189config NF_CONNTRACK_PPTP 202config NF_CONNTRACK_PPTP
190 tristate "PPtP protocol support" 203 tristate "PPtP protocol support"
191 depends on NF_CONNTRACK 204 depends on NF_CONNTRACK
205 depends on NETFILTER_ADVANCED
192 select NF_CT_PROTO_GRE 206 select NF_CT_PROTO_GRE
193 help 207 help
194 This module adds support for PPTP (Point to Point Tunnelling 208 This module adds support for PPTP (Point to Point Tunnelling
@@ -208,6 +222,7 @@ config NF_CONNTRACK_PPTP
208config NF_CONNTRACK_SANE 222config NF_CONNTRACK_SANE
209 tristate "SANE protocol support (EXPERIMENTAL)" 223 tristate "SANE protocol support (EXPERIMENTAL)"
210 depends on EXPERIMENTAL && NF_CONNTRACK 224 depends on EXPERIMENTAL && NF_CONNTRACK
225 depends on NETFILTER_ADVANCED
211 help 226 help
212 SANE is a protocol for remote access to scanners as implemented 227 SANE is a protocol for remote access to scanners as implemented
213 by the 'saned' daemon. Like FTP, it uses separate control and 228 by the 'saned' daemon. Like FTP, it uses separate control and
@@ -221,6 +236,7 @@ config NF_CONNTRACK_SANE
221config NF_CONNTRACK_SIP 236config NF_CONNTRACK_SIP
222 tristate "SIP protocol support (EXPERIMENTAL)" 237 tristate "SIP protocol support (EXPERIMENTAL)"
223 depends on EXPERIMENTAL && NF_CONNTRACK 238 depends on EXPERIMENTAL && NF_CONNTRACK
239 default m if NETFILTER_ADVANCED=n
224 help 240 help
225 SIP is an application-layer control protocol that can establish, 241 SIP is an application-layer control protocol that can establish,
226 modify, and terminate multimedia sessions (conferences) such as 242 modify, and terminate multimedia sessions (conferences) such as
@@ -233,6 +249,7 @@ config NF_CONNTRACK_SIP
233config NF_CONNTRACK_TFTP 249config NF_CONNTRACK_TFTP
234 tristate "TFTP protocol support" 250 tristate "TFTP protocol support"
235 depends on NF_CONNTRACK 251 depends on NF_CONNTRACK
252 depends on NETFILTER_ADVANCED
236 help 253 help
237 TFTP connection tracking helper, this is required depending 254 TFTP connection tracking helper, this is required depending
238 on how restrictive your ruleset is. 255 on how restrictive your ruleset is.
@@ -246,11 +263,13 @@ config NF_CT_NETLINK
246 depends on EXPERIMENTAL && NF_CONNTRACK 263 depends on EXPERIMENTAL && NF_CONNTRACK
247 select NETFILTER_NETLINK 264 select NETFILTER_NETLINK
248 depends on NF_NAT=n || NF_NAT 265 depends on NF_NAT=n || NF_NAT
266 default m if NETFILTER_ADVANCED=n
249 help 267 help
250 This option enables support for a netlink-based userspace interface 268 This option enables support for a netlink-based userspace interface
251 269
252config NETFILTER_XTABLES 270config NETFILTER_XTABLES
253 tristate "Netfilter Xtables support (required for ip_tables)" 271 tristate "Netfilter Xtables support (required for ip_tables)"
272 default m if NETFILTER_ADVANCED=n
254 help 273 help
255 This is required if you intend to use any of ip_tables, 274 This is required if you intend to use any of ip_tables,
256 ip6_tables or arp_tables. 275 ip6_tables or arp_tables.
@@ -260,6 +279,7 @@ config NETFILTER_XTABLES
260config NETFILTER_XT_TARGET_CLASSIFY 279config NETFILTER_XT_TARGET_CLASSIFY
261 tristate '"CLASSIFY" target support' 280 tristate '"CLASSIFY" target support'
262 depends on NETFILTER_XTABLES 281 depends on NETFILTER_XTABLES
282 depends on NETFILTER_ADVANCED
263 help 283 help
264 This option adds a `CLASSIFY' target, which enables the user to set 284 This option adds a `CLASSIFY' target, which enables the user to set
265 the priority of a packet. Some qdiscs can use this value for 285 the priority of a packet. Some qdiscs can use this value for
@@ -274,12 +294,13 @@ config NETFILTER_XT_TARGET_CONNMARK
274 depends on NETFILTER_XTABLES 294 depends on NETFILTER_XTABLES
275 depends on IP_NF_MANGLE || IP6_NF_MANGLE 295 depends on IP_NF_MANGLE || IP6_NF_MANGLE
276 depends on NF_CONNTRACK 296 depends on NF_CONNTRACK
297 depends on NETFILTER_ADVANCED
277 select NF_CONNTRACK_MARK 298 select NF_CONNTRACK_MARK
278 help 299 help
279 This option adds a `CONNMARK' target, which allows one to manipulate 300 This option adds a `CONNMARK' target, which allows one to manipulate
280 the connection mark value. Similar to the MARK target, but 301 the connection mark value. Similar to the MARK target, but
281 affects the connection mark value rather than the packet mark value. 302 affects the connection mark value rather than the packet mark value.
282 303
283 If you want to compile it as a module, say M here and read 304 If you want to compile it as a module, say M here and read
284 <file:Documentation/kbuild/modules.txt>. The module will be called 305 <file:Documentation/kbuild/modules.txt>. The module will be called
285 ipt_CONNMARK.ko. If unsure, say `N'. 306 ipt_CONNMARK.ko. If unsure, say `N'.
@@ -288,6 +309,7 @@ config NETFILTER_XT_TARGET_DSCP
288 tristate '"DSCP" and "TOS" target support' 309 tristate '"DSCP" and "TOS" target support'
289 depends on NETFILTER_XTABLES 310 depends on NETFILTER_XTABLES
290 depends on IP_NF_MANGLE || IP6_NF_MANGLE 311 depends on IP_NF_MANGLE || IP6_NF_MANGLE
312 depends on NETFILTER_ADVANCED
291 help 313 help
292 This option adds a `DSCP' target, which allows you to manipulate 314 This option adds a `DSCP' target, which allows you to manipulate
293 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 315 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
@@ -303,6 +325,7 @@ config NETFILTER_XT_TARGET_DSCP
303config NETFILTER_XT_TARGET_MARK 325config NETFILTER_XT_TARGET_MARK
304 tristate '"MARK" target support' 326 tristate '"MARK" target support'
305 depends on NETFILTER_XTABLES 327 depends on NETFILTER_XTABLES
328 default m if NETFILTER_ADVANCED=n
306 help 329 help
307 This option adds a `MARK' target, which allows you to create rules 330 This option adds a `MARK' target, which allows you to create rules
308 in the `mangle' table which alter the netfilter mark (nfmark) field 331 in the `mangle' table which alter the netfilter mark (nfmark) field
@@ -316,6 +339,7 @@ config NETFILTER_XT_TARGET_MARK
316config NETFILTER_XT_TARGET_NFQUEUE 339config NETFILTER_XT_TARGET_NFQUEUE
317 tristate '"NFQUEUE" target Support' 340 tristate '"NFQUEUE" target Support'
318 depends on NETFILTER_XTABLES 341 depends on NETFILTER_XTABLES
342 depends on NETFILTER_ADVANCED
319 help 343 help
320 This target replaced the old obsolete QUEUE target. 344 This target replaced the old obsolete QUEUE target.
321 345
@@ -327,6 +351,7 @@ config NETFILTER_XT_TARGET_NFQUEUE
327config NETFILTER_XT_TARGET_NFLOG 351config NETFILTER_XT_TARGET_NFLOG
328 tristate '"NFLOG" target support' 352 tristate '"NFLOG" target support'
329 depends on NETFILTER_XTABLES 353 depends on NETFILTER_XTABLES
354 default m if NETFILTER_ADVANCED=n
330 help 355 help
331 This option enables the NFLOG target, which allows to LOG 356 This option enables the NFLOG target, which allows to LOG
332 messages through the netfilter logging API, which can use 357 messages through the netfilter logging API, which can use
@@ -340,12 +365,13 @@ config NETFILTER_XT_TARGET_NOTRACK
340 depends on NETFILTER_XTABLES 365 depends on NETFILTER_XTABLES
341 depends on IP_NF_RAW || IP6_NF_RAW 366 depends on IP_NF_RAW || IP6_NF_RAW
342 depends on NF_CONNTRACK 367 depends on NF_CONNTRACK
368 depends on NETFILTER_ADVANCED
343 help 369 help
344 The NOTRACK target allows a select rule to specify 370 The NOTRACK target allows a select rule to specify
345 which packets *not* to enter the conntrack/NAT 371 which packets *not* to enter the conntrack/NAT
346 subsystem with all the consequences (no ICMP error tracking, 372 subsystem with all the consequences (no ICMP error tracking,
347 no protocol helpers for the selected packets). 373 no protocol helpers for the selected packets).
348 374
349 If you want to compile it as a module, say M here and read 375 If you want to compile it as a module, say M here and read
350 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 376 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
351 377
@@ -363,6 +389,7 @@ config NETFILTER_XT_TARGET_TRACE
363 tristate '"TRACE" target support' 389 tristate '"TRACE" target support'
364 depends on NETFILTER_XTABLES 390 depends on NETFILTER_XTABLES
365 depends on IP_NF_RAW || IP6_NF_RAW 391 depends on IP_NF_RAW || IP6_NF_RAW
392 depends on NETFILTER_ADVANCED
366 help 393 help
367 The TRACE target allows you to mark packets so that the kernel 394 The TRACE target allows you to mark packets so that the kernel
368 will log every rule which match the packets as those traverse 395 will log every rule which match the packets as those traverse
@@ -374,6 +401,7 @@ config NETFILTER_XT_TARGET_TRACE
374config NETFILTER_XT_TARGET_SECMARK 401config NETFILTER_XT_TARGET_SECMARK
375 tristate '"SECMARK" target support' 402 tristate '"SECMARK" target support'
376 depends on NETFILTER_XTABLES && NETWORK_SECMARK 403 depends on NETFILTER_XTABLES && NETWORK_SECMARK
404 default m if NETFILTER_ADVANCED=n
377 help 405 help
378 The SECMARK target allows security marking of network 406 The SECMARK target allows security marking of network
379 packets, for use with security subsystems. 407 packets, for use with security subsystems.
@@ -383,6 +411,7 @@ config NETFILTER_XT_TARGET_SECMARK
383config NETFILTER_XT_TARGET_CONNSECMARK 411config NETFILTER_XT_TARGET_CONNSECMARK
384 tristate '"CONNSECMARK" target support' 412 tristate '"CONNSECMARK" target support'
385 depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK 413 depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK
414 default m if NETFILTER_ADVANCED=n
386 help 415 help
387 The CONNSECMARK target copies security markings from packets 416 The CONNSECMARK target copies security markings from packets
388 to connections, and restores security markings from connections 417 to connections, and restores security markings from connections
@@ -394,6 +423,7 @@ config NETFILTER_XT_TARGET_CONNSECMARK
394config NETFILTER_XT_TARGET_TCPMSS 423config NETFILTER_XT_TARGET_TCPMSS
395 tristate '"TCPMSS" target support' 424 tristate '"TCPMSS" target support'
396 depends on NETFILTER_XTABLES && (IPV6 || IPV6=n) 425 depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
426 default m if NETFILTER_ADVANCED=n
397 ---help--- 427 ---help---
398 This option adds a `TCPMSS' target, which allows you to alter the 428 This option adds a `TCPMSS' target, which allows you to alter the
399 MSS value of TCP SYN packets, to control the maximum size for that 429 MSS value of TCP SYN packets, to control the maximum size for that
@@ -421,6 +451,7 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
421 tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)' 451 tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
422 depends on EXPERIMENTAL && NETFILTER_XTABLES 452 depends on EXPERIMENTAL && NETFILTER_XTABLES
423 depends on IP_NF_MANGLE || IP6_NF_MANGLE 453 depends on IP_NF_MANGLE || IP6_NF_MANGLE
454 depends on NETFILTER_ADVANCED
424 help 455 help
425 This option adds a "TCPOPTSTRIP" target, which allows you to strip 456 This option adds a "TCPOPTSTRIP" target, which allows you to strip
426 TCP options from TCP packets. 457 TCP options from TCP packets.
@@ -428,6 +459,7 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
428config NETFILTER_XT_MATCH_COMMENT 459config NETFILTER_XT_MATCH_COMMENT
429 tristate '"comment" match support' 460 tristate '"comment" match support'
430 depends on NETFILTER_XTABLES 461 depends on NETFILTER_XTABLES
462 depends on NETFILTER_ADVANCED
431 help 463 help
432 This option adds a `comment' dummy-match, which allows you to put 464 This option adds a `comment' dummy-match, which allows you to put
433 comments in your iptables ruleset. 465 comments in your iptables ruleset.
@@ -439,6 +471,7 @@ config NETFILTER_XT_MATCH_CONNBYTES
439 tristate '"connbytes" per-connection counter match support' 471 tristate '"connbytes" per-connection counter match support'
440 depends on NETFILTER_XTABLES 472 depends on NETFILTER_XTABLES
441 depends on NF_CONNTRACK 473 depends on NF_CONNTRACK
474 depends on NETFILTER_ADVANCED
442 select NF_CT_ACCT 475 select NF_CT_ACCT
443 help 476 help
444 This option adds a `connbytes' match, which allows you to match the 477 This option adds a `connbytes' match, which allows you to match the
@@ -451,6 +484,7 @@ config NETFILTER_XT_MATCH_CONNLIMIT
451 tristate '"connlimit" match support"' 484 tristate '"connlimit" match support"'
452 depends on NETFILTER_XTABLES 485 depends on NETFILTER_XTABLES
453 depends on NF_CONNTRACK 486 depends on NF_CONNTRACK
487 depends on NETFILTER_ADVANCED
454 ---help--- 488 ---help---
455 This match allows you to match against the number of parallel 489 This match allows you to match against the number of parallel
456 connections to a server per client IP address (or address block). 490 connections to a server per client IP address (or address block).
@@ -459,11 +493,12 @@ config NETFILTER_XT_MATCH_CONNMARK
459 tristate '"connmark" connection mark match support' 493 tristate '"connmark" connection mark match support'
460 depends on NETFILTER_XTABLES 494 depends on NETFILTER_XTABLES
461 depends on NF_CONNTRACK 495 depends on NF_CONNTRACK
496 depends on NETFILTER_ADVANCED
462 select NF_CONNTRACK_MARK 497 select NF_CONNTRACK_MARK
463 help 498 help
464 This option adds a `connmark' match, which allows you to match the 499 This option adds a `connmark' match, which allows you to match the
465 connection mark value previously set for the session by `CONNMARK'. 500 connection mark value previously set for the session by `CONNMARK'.
466 501
467 If you want to compile it as a module, say M here and read 502 If you want to compile it as a module, say M here and read
468 <file:Documentation/kbuild/modules.txt>. The module will be called 503 <file:Documentation/kbuild/modules.txt>. The module will be called
469 ipt_connmark.ko. If unsure, say `N'. 504 ipt_connmark.ko. If unsure, say `N'.
@@ -472,6 +507,7 @@ config NETFILTER_XT_MATCH_CONNTRACK
472 tristate '"conntrack" connection tracking match support' 507 tristate '"conntrack" connection tracking match support'
473 depends on NETFILTER_XTABLES 508 depends on NETFILTER_XTABLES
474 depends on NF_CONNTRACK 509 depends on NF_CONNTRACK
510 default m if NETFILTER_ADVANCED=n
475 help 511 help
476 This is a general conntrack match module, a superset of the state match. 512 This is a general conntrack match module, a superset of the state match.
477 513
@@ -484,6 +520,7 @@ config NETFILTER_XT_MATCH_CONNTRACK
484config NETFILTER_XT_MATCH_DCCP 520config NETFILTER_XT_MATCH_DCCP
485 tristate '"dccp" protocol match support' 521 tristate '"dccp" protocol match support'
486 depends on NETFILTER_XTABLES 522 depends on NETFILTER_XTABLES
523 depends on NETFILTER_ADVANCED
487 help 524 help
488 With this option enabled, you will be able to use the iptables 525 With this option enabled, you will be able to use the iptables
489 `dccp' match in order to match on DCCP source/destination ports 526 `dccp' match in order to match on DCCP source/destination ports
@@ -495,6 +532,7 @@ config NETFILTER_XT_MATCH_DCCP
495config NETFILTER_XT_MATCH_DSCP 532config NETFILTER_XT_MATCH_DSCP
496 tristate '"dscp" and "tos" match support' 533 tristate '"dscp" and "tos" match support'
497 depends on NETFILTER_XTABLES 534 depends on NETFILTER_XTABLES
535 depends on NETFILTER_ADVANCED
498 help 536 help
499 This option adds a `DSCP' match, which allows you to match against 537 This option adds a `DSCP' match, which allows you to match against
500 the IPv4/IPv6 header DSCP field (differentiated services codepoint). 538 the IPv4/IPv6 header DSCP field (differentiated services codepoint).
@@ -510,6 +548,7 @@ config NETFILTER_XT_MATCH_DSCP
510config NETFILTER_XT_MATCH_ESP 548config NETFILTER_XT_MATCH_ESP
511 tristate '"esp" match support' 549 tristate '"esp" match support'
512 depends on NETFILTER_XTABLES 550 depends on NETFILTER_XTABLES
551 depends on NETFILTER_ADVANCED
513 help 552 help
514 This match extension allows you to match a range of SPIs 553 This match extension allows you to match a range of SPIs
515 inside ESP header of IPSec packets. 554 inside ESP header of IPSec packets.
@@ -520,6 +559,7 @@ config NETFILTER_XT_MATCH_HELPER
520 tristate '"helper" match support' 559 tristate '"helper" match support'
521 depends on NETFILTER_XTABLES 560 depends on NETFILTER_XTABLES
522 depends on NF_CONNTRACK 561 depends on NF_CONNTRACK
562 depends on NETFILTER_ADVANCED
523 help 563 help
524 Helper matching allows you to match packets in dynamic connections 564 Helper matching allows you to match packets in dynamic connections
525 tracked by a conntrack-helper, ie. ip_conntrack_ftp 565 tracked by a conntrack-helper, ie. ip_conntrack_ftp
@@ -529,6 +569,7 @@ config NETFILTER_XT_MATCH_HELPER
529config NETFILTER_XT_MATCH_LENGTH 569config NETFILTER_XT_MATCH_LENGTH
530 tristate '"length" match support' 570 tristate '"length" match support'
531 depends on NETFILTER_XTABLES 571 depends on NETFILTER_XTABLES
572 depends on NETFILTER_ADVANCED
532 help 573 help
533 This option allows you to match the length of a packet against a 574 This option allows you to match the length of a packet against a
534 specific value or range of values. 575 specific value or range of values.
@@ -538,6 +579,7 @@ config NETFILTER_XT_MATCH_LENGTH
538config NETFILTER_XT_MATCH_LIMIT 579config NETFILTER_XT_MATCH_LIMIT
539 tristate '"limit" match support' 580 tristate '"limit" match support'
540 depends on NETFILTER_XTABLES 581 depends on NETFILTER_XTABLES
582 depends on NETFILTER_ADVANCED
541 help 583 help
542 limit matching allows you to control the rate at which a rule can be 584 limit matching allows you to control the rate at which a rule can be
543 matched: mainly useful in combination with the LOG target ("LOG 585 matched: mainly useful in combination with the LOG target ("LOG
@@ -548,6 +590,7 @@ config NETFILTER_XT_MATCH_LIMIT
548config NETFILTER_XT_MATCH_MAC 590config NETFILTER_XT_MATCH_MAC
549 tristate '"mac" address match support' 591 tristate '"mac" address match support'
550 depends on NETFILTER_XTABLES 592 depends on NETFILTER_XTABLES
593 depends on NETFILTER_ADVANCED
551 help 594 help
552 MAC matching allows you to match packets based on the source 595 MAC matching allows you to match packets based on the source
553 Ethernet address of the packet. 596 Ethernet address of the packet.
@@ -557,6 +600,7 @@ config NETFILTER_XT_MATCH_MAC
557config NETFILTER_XT_MATCH_MARK 600config NETFILTER_XT_MATCH_MARK
558 tristate '"mark" match support' 601 tristate '"mark" match support'
559 depends on NETFILTER_XTABLES 602 depends on NETFILTER_XTABLES
603 default m if NETFILTER_ADVANCED=n
560 help 604 help
561 Netfilter mark matching allows you to match packets based on the 605 Netfilter mark matching allows you to match packets based on the
562 `nfmark' value in the packet. This can be set by the MARK target 606 `nfmark' value in the packet. This can be set by the MARK target
@@ -567,6 +611,7 @@ config NETFILTER_XT_MATCH_MARK
567config NETFILTER_XT_MATCH_OWNER 611config NETFILTER_XT_MATCH_OWNER
568 tristate '"owner" match support' 612 tristate '"owner" match support'
569 depends on NETFILTER_XTABLES 613 depends on NETFILTER_XTABLES
614 depends on NETFILTER_ADVANCED
570 ---help--- 615 ---help---
571 Socket owner matching allows you to match locally-generated packets 616 Socket owner matching allows you to match locally-generated packets
572 based on who created the socket: the user or group. It is also 617 based on who created the socket: the user or group. It is also
@@ -575,6 +620,7 @@ config NETFILTER_XT_MATCH_OWNER
575config NETFILTER_XT_MATCH_POLICY 620config NETFILTER_XT_MATCH_POLICY
576 tristate 'IPsec "policy" match support' 621 tristate 'IPsec "policy" match support'
577 depends on NETFILTER_XTABLES && XFRM 622 depends on NETFILTER_XTABLES && XFRM
623 default m if NETFILTER_ADVANCED=n
578 help 624 help
579 Policy matching allows you to match packets based on the 625 Policy matching allows you to match packets based on the
580 IPsec policy that was used during decapsulation/will 626 IPsec policy that was used during decapsulation/will
@@ -585,6 +631,7 @@ config NETFILTER_XT_MATCH_POLICY
585config NETFILTER_XT_MATCH_MULTIPORT 631config NETFILTER_XT_MATCH_MULTIPORT
586 tristate '"multiport" Multiple port match support' 632 tristate '"multiport" Multiple port match support'
587 depends on NETFILTER_XTABLES 633 depends on NETFILTER_XTABLES
634 depends on NETFILTER_ADVANCED
588 help 635 help
589 Multiport matching allows you to match TCP or UDP packets based on 636 Multiport matching allows you to match TCP or UDP packets based on
590 a series of source or destination ports: normally a rule can only 637 a series of source or destination ports: normally a rule can only
@@ -595,6 +642,7 @@ config NETFILTER_XT_MATCH_MULTIPORT
595config NETFILTER_XT_MATCH_PHYSDEV 642config NETFILTER_XT_MATCH_PHYSDEV
596 tristate '"physdev" match support' 643 tristate '"physdev" match support'
597 depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER 644 depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
645 depends on NETFILTER_ADVANCED
598 help 646 help
599 Physdev packet matching matches against the physical bridge ports 647 Physdev packet matching matches against the physical bridge ports
600 the IP packet arrived on or will leave by. 648 the IP packet arrived on or will leave by.
@@ -604,6 +652,7 @@ config NETFILTER_XT_MATCH_PHYSDEV
604config NETFILTER_XT_MATCH_PKTTYPE 652config NETFILTER_XT_MATCH_PKTTYPE
605 tristate '"pkttype" packet type match support' 653 tristate '"pkttype" packet type match support'
606 depends on NETFILTER_XTABLES 654 depends on NETFILTER_XTABLES
655 depends on NETFILTER_ADVANCED
607 help 656 help
608 Packet type matching allows you to match a packet by 657 Packet type matching allows you to match a packet by
609 its "class", eg. BROADCAST, MULTICAST, ... 658 its "class", eg. BROADCAST, MULTICAST, ...
@@ -616,6 +665,7 @@ config NETFILTER_XT_MATCH_PKTTYPE
616config NETFILTER_XT_MATCH_QUOTA 665config NETFILTER_XT_MATCH_QUOTA
617 tristate '"quota" match support' 666 tristate '"quota" match support'
618 depends on NETFILTER_XTABLES 667 depends on NETFILTER_XTABLES
668 depends on NETFILTER_ADVANCED
619 help 669 help
620 This option adds a `quota' match, which allows to match on a 670 This option adds a `quota' match, which allows to match on a
621 byte counter. 671 byte counter.
@@ -636,20 +686,22 @@ config NETFILTER_XT_MATCH_RATEEST
636config NETFILTER_XT_MATCH_REALM 686config NETFILTER_XT_MATCH_REALM
637 tristate '"realm" match support' 687 tristate '"realm" match support'
638 depends on NETFILTER_XTABLES 688 depends on NETFILTER_XTABLES
689 depends on NETFILTER_ADVANCED
639 select NET_CLS_ROUTE 690 select NET_CLS_ROUTE
640 help 691 help
641 This option adds a `realm' match, which allows you to use the realm 692 This option adds a `realm' match, which allows you to use the realm
642 key from the routing subsystem inside iptables. 693 key from the routing subsystem inside iptables.
643 694
644 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 695 This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
645 in tc world. 696 in tc world.
646 697
647 If you want to compile it as a module, say M here and read 698 If you want to compile it as a module, say M here and read
648 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. 699 <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
649 700
650config NETFILTER_XT_MATCH_SCTP 701config NETFILTER_XT_MATCH_SCTP
651 tristate '"sctp" protocol match support (EXPERIMENTAL)' 702 tristate '"sctp" protocol match support (EXPERIMENTAL)'
652 depends on NETFILTER_XTABLES && EXPERIMENTAL 703 depends on NETFILTER_XTABLES && EXPERIMENTAL
704 depends on NETFILTER_ADVANCED
653 help 705 help
654 With this option enabled, you will be able to use the 706 With this option enabled, you will be able to use the
655 `sctp' match in order to match on SCTP source/destination ports 707 `sctp' match in order to match on SCTP source/destination ports
@@ -662,6 +714,7 @@ config NETFILTER_XT_MATCH_STATE
662 tristate '"state" match support' 714 tristate '"state" match support'
663 depends on NETFILTER_XTABLES 715 depends on NETFILTER_XTABLES
664 depends on NF_CONNTRACK 716 depends on NF_CONNTRACK
717 default m if NETFILTER_ADVANCED=n
665 help 718 help
666 Connection state matching allows you to match packets based on their 719 Connection state matching allows you to match packets based on their
667 relationship to a tracked connection (ie. previous packets). This 720 relationship to a tracked connection (ie. previous packets). This
@@ -672,6 +725,7 @@ config NETFILTER_XT_MATCH_STATE
672config NETFILTER_XT_MATCH_STATISTIC 725config NETFILTER_XT_MATCH_STATISTIC
673 tristate '"statistic" match support' 726 tristate '"statistic" match support'
674 depends on NETFILTER_XTABLES 727 depends on NETFILTER_XTABLES
728 depends on NETFILTER_ADVANCED
675 help 729 help
676 This option adds a `statistic' match, which allows you to match 730 This option adds a `statistic' match, which allows you to match
677 on packets periodically or randomly with a given percentage. 731 on packets periodically or randomly with a given percentage.
@@ -681,6 +735,7 @@ config NETFILTER_XT_MATCH_STATISTIC
681config NETFILTER_XT_MATCH_STRING 735config NETFILTER_XT_MATCH_STRING
682 tristate '"string" match support' 736 tristate '"string" match support'
683 depends on NETFILTER_XTABLES 737 depends on NETFILTER_XTABLES
738 depends on NETFILTER_ADVANCED
684 select TEXTSEARCH 739 select TEXTSEARCH
685 select TEXTSEARCH_KMP 740 select TEXTSEARCH_KMP
686 select TEXTSEARCH_BM 741 select TEXTSEARCH_BM
@@ -694,6 +749,7 @@ config NETFILTER_XT_MATCH_STRING
694config NETFILTER_XT_MATCH_TCPMSS 749config NETFILTER_XT_MATCH_TCPMSS
695 tristate '"tcpmss" match support' 750 tristate '"tcpmss" match support'
696 depends on NETFILTER_XTABLES 751 depends on NETFILTER_XTABLES
752 depends on NETFILTER_ADVANCED
697 help 753 help
698 This option adds a `tcpmss' match, which allows you to examine the 754 This option adds a `tcpmss' match, which allows you to examine the
699 MSS value of TCP SYN packets, which control the maximum packet size 755 MSS value of TCP SYN packets, which control the maximum packet size
@@ -704,6 +760,7 @@ config NETFILTER_XT_MATCH_TCPMSS
704config NETFILTER_XT_MATCH_TIME 760config NETFILTER_XT_MATCH_TIME
705 tristate '"time" match support' 761 tristate '"time" match support'
706 depends on NETFILTER_XTABLES 762 depends on NETFILTER_XTABLES
763 depends on NETFILTER_ADVANCED
707 ---help--- 764 ---help---
708 This option adds a "time" match, which allows you to match based on 765 This option adds a "time" match, which allows you to match based on
709 the packet arrival time (at the machine which netfilter is running) 766 the packet arrival time (at the machine which netfilter is running)
@@ -718,6 +775,7 @@ config NETFILTER_XT_MATCH_TIME
718config NETFILTER_XT_MATCH_U32 775config NETFILTER_XT_MATCH_U32
719 tristate '"u32" match support' 776 tristate '"u32" match support'
720 depends on NETFILTER_XTABLES 777 depends on NETFILTER_XTABLES
778 depends on NETFILTER_ADVANCED
721 ---help--- 779 ---help---
722 u32 allows you to extract quantities of up to 4 bytes from a packet, 780 u32 allows you to extract quantities of up to 4 bytes from a packet,
723 AND them with specified masks, shift them by specified amounts and 781 AND them with specified masks, shift them by specified amounts and
@@ -731,6 +789,7 @@ config NETFILTER_XT_MATCH_U32
731config NETFILTER_XT_MATCH_HASHLIMIT 789config NETFILTER_XT_MATCH_HASHLIMIT
732 tristate '"hashlimit" match support' 790 tristate '"hashlimit" match support'
733 depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) 791 depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
792 depends on NETFILTER_ADVANCED
734 help 793 help
735 This option adds a `hashlimit' match. 794 This option adds a `hashlimit' match.
736 795
generated by cgit v1.2.2 (git 2.25.0) at 2024-10-20 09:06:09 -0400