diff options
| author | Patrick McHardy <kaber@trash.net> | 2007-12-18 01:47:05 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:59:12 -0500 |
| commit | 33b8e776056202aceaf4c90f465d0f4ee53432ac (patch) | |
| tree | 24f6bc7b89a81d95b1b9c0f16254ad8423aed9cb /net/ipv4 | |
| parent | 34498825cb9062192b77fa02dae672a4fe6eec70 (diff) | |
[NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option
The NETFILTER_ADVANCED option hides lots of the rather obscure netfilter
options when disabled and provides defaults (M) that should allow to
run a distribution firewall without further thinking.
Defaults to 'y' to avoid breaking current configurations.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/Kconfig | 26 |
1 files changed, 25 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index ad26f66b53e9..cface714edf3 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig | |||
| @@ -8,6 +8,7 @@ menu "IP: Netfilter Configuration" | |||
| 8 | config NF_CONNTRACK_IPV4 | 8 | config NF_CONNTRACK_IPV4 |
| 9 | tristate "IPv4 connection tracking support (required for NAT)" | 9 | tristate "IPv4 connection tracking support (required for NAT)" |
| 10 | depends on NF_CONNTRACK | 10 | depends on NF_CONNTRACK |
| 11 | default m if NETFILTER_ADVANCED=n | ||
| 11 | ---help--- | 12 | ---help--- |
| 12 | Connection tracking keeps a record of what packets have passed | 13 | Connection tracking keeps a record of what packets have passed |
| 13 | through your machine, in order to figure out how they are related | 14 | through your machine, in order to figure out how they are related |
| @@ -32,6 +33,7 @@ config NF_CONNTRACK_PROC_COMPAT | |||
| 32 | 33 | ||
| 33 | config IP_NF_QUEUE | 34 | config IP_NF_QUEUE |
| 34 | tristate "IP Userspace queueing via NETLINK (OBSOLETE)" | 35 | tristate "IP Userspace queueing via NETLINK (OBSOLETE)" |
| 36 | depends on NETFILTER_ADVANCED | ||
| 35 | help | 37 | help |
| 36 | Netfilter has the ability to queue packets to user space: the | 38 | Netfilter has the ability to queue packets to user space: the |
| 37 | netlink device can be used to access them using this driver. | 39 | netlink device can be used to access them using this driver. |
| @@ -44,6 +46,7 @@ config IP_NF_QUEUE | |||
| 44 | 46 | ||
| 45 | config IP_NF_IPTABLES | 47 | config IP_NF_IPTABLES |
| 46 | tristate "IP tables support (required for filtering/masq/NAT)" | 48 | tristate "IP tables support (required for filtering/masq/NAT)" |
| 49 | default m if NETFILTER_ADVANCED=n | ||
| 47 | select NETFILTER_XTABLES | 50 | select NETFILTER_XTABLES |
| 48 | help | 51 | help |
| 49 | iptables is a general, extensible packet identification framework. | 52 | iptables is a general, extensible packet identification framework. |
| @@ -57,6 +60,7 @@ config IP_NF_IPTABLES | |||
| 57 | config IP_NF_MATCH_IPRANGE | 60 | config IP_NF_MATCH_IPRANGE |
| 58 | tristate '"iprange" match support' | 61 | tristate '"iprange" match support' |
| 59 | depends on IP_NF_IPTABLES | 62 | depends on IP_NF_IPTABLES |
| 63 | depends on NETFILTER_ADVANCED | ||
| 60 | help | 64 | help |
| 61 | This option makes possible to match IP addresses against IP address | 65 | This option makes possible to match IP addresses against IP address |
| 62 | ranges. | 66 | ranges. |
| @@ -66,6 +70,7 @@ config IP_NF_MATCH_IPRANGE | |||
| 66 | config IP_NF_MATCH_RECENT | 70 | config IP_NF_MATCH_RECENT |
| 67 | tristate '"recent" match support' | 71 | tristate '"recent" match support' |
| 68 | depends on IP_NF_IPTABLES | 72 | depends on IP_NF_IPTABLES |
| 73 | depends on NETFILTER_ADVANCED | ||
| 69 | help | 74 | help |
| 70 | This match is used for creating one or many lists of recently | 75 | This match is used for creating one or many lists of recently |
| 71 | used addresses and then matching against that/those list(s). | 76 | used addresses and then matching against that/those list(s). |
| @@ -78,6 +83,7 @@ config IP_NF_MATCH_RECENT | |||
| 78 | config IP_NF_MATCH_ECN | 83 | config IP_NF_MATCH_ECN |
| 79 | tristate '"ecn" match support' | 84 | tristate '"ecn" match support' |
| 80 | depends on IP_NF_IPTABLES | 85 | depends on IP_NF_IPTABLES |
| 86 | depends on NETFILTER_ADVANCED | ||
| 81 | help | 87 | help |
| 82 | This option adds a `ECN' match, which allows you to match against | 88 | This option adds a `ECN' match, which allows you to match against |
| 83 | the IPv4 and TCP header ECN fields. | 89 | the IPv4 and TCP header ECN fields. |
| @@ -87,6 +93,7 @@ config IP_NF_MATCH_ECN | |||
| 87 | config IP_NF_MATCH_AH | 93 | config IP_NF_MATCH_AH |
| 88 | tristate '"ah" match support' | 94 | tristate '"ah" match support' |
| 89 | depends on IP_NF_IPTABLES | 95 | depends on IP_NF_IPTABLES |
| 96 | depends on NETFILTER_ADVANCED | ||
| 90 | help | 97 | help |
| 91 | This match extension allows you to match a range of SPIs | 98 | This match extension allows you to match a range of SPIs |
| 92 | inside AH header of IPSec packets. | 99 | inside AH header of IPSec packets. |
| @@ -96,6 +103,7 @@ config IP_NF_MATCH_AH | |||
| 96 | config IP_NF_MATCH_TTL | 103 | config IP_NF_MATCH_TTL |
| 97 | tristate '"ttl" match support' | 104 | tristate '"ttl" match support' |
| 98 | depends on IP_NF_IPTABLES | 105 | depends on IP_NF_IPTABLES |
| 106 | depends on NETFILTER_ADVANCED | ||
| 99 | help | 107 | help |
| 100 | This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user | 108 | This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user |
| 101 | to match packets by their TTL value. | 109 | to match packets by their TTL value. |
| @@ -105,10 +113,11 @@ config IP_NF_MATCH_TTL | |||
| 105 | config IP_NF_MATCH_ADDRTYPE | 113 | config IP_NF_MATCH_ADDRTYPE |
| 106 | tristate '"addrtype" address type match support' | 114 | tristate '"addrtype" address type match support' |
| 107 | depends on IP_NF_IPTABLES | 115 | depends on IP_NF_IPTABLES |
| 116 | depends on NETFILTER_ADVANCED | ||
| 108 | help | 117 | help |
| 109 | This option allows you to match what routing thinks of an address, | 118 | This option allows you to match what routing thinks of an address, |
| 110 | eg. UNICAST, LOCAL, BROADCAST, ... | 119 | eg. UNICAST, LOCAL, BROADCAST, ... |
| 111 | 120 | ||
| 112 | If you want to compile it as a module, say M here and read | 121 | If you want to compile it as a module, say M here and read |
| 113 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. | 122 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
| 114 | 123 | ||
| @@ -116,6 +125,7 @@ config IP_NF_MATCH_ADDRTYPE | |||
| 116 | config IP_NF_FILTER | 125 | config IP_NF_FILTER |
| 117 | tristate "Packet filtering" | 126 | tristate "Packet filtering" |
| 118 | depends on IP_NF_IPTABLES | 127 | depends on IP_NF_IPTABLES |
| 128 | default m if NETFILTER_ADVANCED=n | ||
| 119 | help | 129 | help |
| 120 | Packet filtering defines a table `filter', which has a series of | 130 | Packet filtering defines a table `filter', which has a series of |
| 121 | rules for simple packet filtering at local input, forwarding and | 131 | rules for simple packet filtering at local input, forwarding and |
| @@ -126,6 +136,7 @@ config IP_NF_FILTER | |||
| 126 | config IP_NF_TARGET_REJECT | 136 | config IP_NF_TARGET_REJECT |
| 127 | tristate "REJECT target support" | 137 | tristate "REJECT target support" |
| 128 | depends on IP_NF_FILTER | 138 | depends on IP_NF_FILTER |
| 139 | default m if NETFILTER_ADVANCED=n | ||
| 129 | help | 140 | help |
| 130 | The REJECT target allows a filtering rule to specify that an ICMP | 141 | The REJECT target allows a filtering rule to specify that an ICMP |
| 131 | error should be issued in response to an incoming packet, rather | 142 | error should be issued in response to an incoming packet, rather |
| @@ -136,6 +147,7 @@ config IP_NF_TARGET_REJECT | |||
| 136 | config IP_NF_TARGET_LOG | 147 | config IP_NF_TARGET_LOG |
| 137 | tristate "LOG target support" | 148 | tristate "LOG target support" |
| 138 | depends on IP_NF_IPTABLES | 149 | depends on IP_NF_IPTABLES |
| 150 | default m if NETFILTER_ADVANCED=n | ||
| 139 | help | 151 | help |
| 140 | This option adds a `LOG' target, which allows you to create rules in | 152 | This option adds a `LOG' target, which allows you to create rules in |
| 141 | any iptables table which records the packet header to the syslog. | 153 | any iptables table which records the packet header to the syslog. |
| @@ -145,6 +157,7 @@ config IP_NF_TARGET_LOG | |||
| 145 | config IP_NF_TARGET_ULOG | 157 | config IP_NF_TARGET_ULOG |
| 146 | tristate "ULOG target support" | 158 | tristate "ULOG target support" |
| 147 | depends on IP_NF_IPTABLES | 159 | depends on IP_NF_IPTABLES |
| 160 | default m if NETFILTER_ADVANCED=n | ||
| 148 | ---help--- | 161 | ---help--- |
| 149 | 162 | ||
| 150 | This option enables the old IPv4-only "ipt_ULOG" implementation | 163 | This option enables the old IPv4-only "ipt_ULOG" implementation |
| @@ -165,6 +178,7 @@ config IP_NF_TARGET_ULOG | |||
| 165 | config NF_NAT | 178 | config NF_NAT |
| 166 | tristate "Full NAT" | 179 | tristate "Full NAT" |
| 167 | depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4 | 180 | depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4 |
| 181 | default m if NETFILTER_ADVANCED=n | ||
| 168 | help | 182 | help |
| 169 | The Full NAT option allows masquerading, port forwarding and other | 183 | The Full NAT option allows masquerading, port forwarding and other |
| 170 | forms of full Network Address Port Translation. It is controlled by | 184 | forms of full Network Address Port Translation. It is controlled by |
| @@ -180,6 +194,7 @@ config NF_NAT_NEEDED | |||
| 180 | config IP_NF_TARGET_MASQUERADE | 194 | config IP_NF_TARGET_MASQUERADE |
| 181 | tristate "MASQUERADE target support" | 195 | tristate "MASQUERADE target support" |
| 182 | depends on NF_NAT | 196 | depends on NF_NAT |
| 197 | default m if NETFILTER_ADVANCED=n | ||
| 183 | help | 198 | help |
| 184 | Masquerading is a special case of NAT: all outgoing connections are | 199 | Masquerading is a special case of NAT: all outgoing connections are |
| 185 | changed to seem to come from a particular interface's address, and | 200 | changed to seem to come from a particular interface's address, and |
| @@ -192,6 +207,7 @@ config IP_NF_TARGET_MASQUERADE | |||
| 192 | config IP_NF_TARGET_REDIRECT | 207 | config IP_NF_TARGET_REDIRECT |
| 193 | tristate "REDIRECT target support" | 208 | tristate "REDIRECT target support" |
| 194 | depends on NF_NAT | 209 | depends on NF_NAT |
| 210 | depends on NETFILTER_ADVANCED | ||
| 195 | help | 211 | help |
| 196 | REDIRECT is a special case of NAT: all incoming connections are | 212 | REDIRECT is a special case of NAT: all incoming connections are |
| 197 | mapped onto the incoming interface's address, causing the packets to | 213 | mapped onto the incoming interface's address, causing the packets to |
| @@ -203,6 +219,7 @@ config IP_NF_TARGET_REDIRECT | |||
| 203 | config IP_NF_TARGET_NETMAP | 219 | config IP_NF_TARGET_NETMAP |
| 204 | tristate "NETMAP target support" | 220 | tristate "NETMAP target support" |
| 205 | depends on NF_NAT | 221 | depends on NF_NAT |
| 222 | depends on NETFILTER_ADVANCED | ||
| 206 | help | 223 | help |
| 207 | NETMAP is an implementation of static 1:1 NAT mapping of network | 224 | NETMAP is an implementation of static 1:1 NAT mapping of network |
| 208 | addresses. It maps the network address part, while keeping the host | 225 | addresses. It maps the network address part, while keeping the host |
| @@ -214,6 +231,7 @@ config IP_NF_TARGET_NETMAP | |||
| 214 | config NF_NAT_SNMP_BASIC | 231 | config NF_NAT_SNMP_BASIC |
| 215 | tristate "Basic SNMP-ALG support (EXPERIMENTAL)" | 232 | tristate "Basic SNMP-ALG support (EXPERIMENTAL)" |
| 216 | depends on EXPERIMENTAL && NF_NAT | 233 | depends on EXPERIMENTAL && NF_NAT |
| 234 | depends on NETFILTER_ADVANCED | ||
| 217 | ---help--- | 235 | ---help--- |
| 218 | 236 | ||
| 219 | This module implements an Application Layer Gateway (ALG) for | 237 | This module implements an Application Layer Gateway (ALG) for |
| @@ -277,6 +295,7 @@ config NF_NAT_SIP | |||
| 277 | config IP_NF_MANGLE | 295 | config IP_NF_MANGLE |
| 278 | tristate "Packet mangling" | 296 | tristate "Packet mangling" |
| 279 | depends on IP_NF_IPTABLES | 297 | depends on IP_NF_IPTABLES |
| 298 | default m if NETFILTER_ADVANCED=n | ||
| 280 | help | 299 | help |
| 281 | This option adds a `mangle' table to iptables: see the man page for | 300 | This option adds a `mangle' table to iptables: see the man page for |
| 282 | iptables(8). This table is used for various packet alterations | 301 | iptables(8). This table is used for various packet alterations |
| @@ -287,6 +306,7 @@ config IP_NF_MANGLE | |||
| 287 | config IP_NF_TARGET_ECN | 306 | config IP_NF_TARGET_ECN |
| 288 | tristate "ECN target support" | 307 | tristate "ECN target support" |
| 289 | depends on IP_NF_MANGLE | 308 | depends on IP_NF_MANGLE |
| 309 | depends on NETFILTER_ADVANCED | ||
| 290 | ---help--- | 310 | ---help--- |
| 291 | This option adds a `ECN' target, which can be used in the iptables mangle | 311 | This option adds a `ECN' target, which can be used in the iptables mangle |
| 292 | table. | 312 | table. |
| @@ -301,6 +321,7 @@ config IP_NF_TARGET_ECN | |||
| 301 | config IP_NF_TARGET_TTL | 321 | config IP_NF_TARGET_TTL |
| 302 | tristate 'TTL target support' | 322 | tristate 'TTL target support' |
| 303 | depends on IP_NF_MANGLE | 323 | depends on IP_NF_MANGLE |
| 324 | depends on NETFILTER_ADVANCED | ||
| 304 | help | 325 | help |
| 305 | This option adds a `TTL' target, which enables the user to modify | 326 | This option adds a `TTL' target, which enables the user to modify |
| 306 | the TTL value of the IP header. | 327 | the TTL value of the IP header. |
| @@ -316,6 +337,7 @@ config IP_NF_TARGET_CLUSTERIP | |||
| 316 | tristate "CLUSTERIP target support (EXPERIMENTAL)" | 337 | tristate "CLUSTERIP target support (EXPERIMENTAL)" |
| 317 | depends on IP_NF_MANGLE && EXPERIMENTAL | 338 | depends on IP_NF_MANGLE && EXPERIMENTAL |
| 318 | depends on NF_CONNTRACK_IPV4 | 339 | depends on NF_CONNTRACK_IPV4 |
| 340 | depends on NETFILTER_ADVANCED | ||
| 319 | select NF_CONNTRACK_MARK | 341 | select NF_CONNTRACK_MARK |
| 320 | help | 342 | help |
| 321 | The CLUSTERIP target allows you to build load-balancing clusters of | 343 | The CLUSTERIP target allows you to build load-balancing clusters of |
| @@ -328,6 +350,7 @@ config IP_NF_TARGET_CLUSTERIP | |||
| 328 | config IP_NF_RAW | 350 | config IP_NF_RAW |
| 329 | tristate 'raw table support (required for NOTRACK/TRACE)' | 351 | tristate 'raw table support (required for NOTRACK/TRACE)' |
| 330 | depends on IP_NF_IPTABLES | 352 | depends on IP_NF_IPTABLES |
| 353 | depends on NETFILTER_ADVANCED | ||
| 331 | help | 354 | help |
| 332 | This option adds a `raw' table to iptables. This table is the very | 355 | This option adds a `raw' table to iptables. This table is the very |
| 333 | first in the netfilter framework and hooks in at the PREROUTING | 356 | first in the netfilter framework and hooks in at the PREROUTING |
| @@ -340,6 +363,7 @@ config IP_NF_RAW | |||
| 340 | config IP_NF_ARPTABLES | 363 | config IP_NF_ARPTABLES |
| 341 | tristate "ARP tables support" | 364 | tristate "ARP tables support" |
| 342 | select NETFILTER_XTABLES | 365 | select NETFILTER_XTABLES |
| 366 | depends on NETFILTER_ADVANCED | ||
| 343 | help | 367 | help |
| 344 | arptables is a general, extensible packet identification framework. | 368 | arptables is a general, extensible packet identification framework. |
| 345 | The ARP packet filtering and mangling (manipulation)subsystems | 369 | The ARP packet filtering and mangling (manipulation)subsystems |