diff options
| author | Patrick McHardy <kaber@trash.net> | 2007-12-18 01:47:05 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-01-28 17:59:12 -0500 |
| commit | 33b8e776056202aceaf4c90f465d0f4ee53432ac (patch) | |
| tree | 24f6bc7b89a81d95b1b9c0f16254ad8423aed9cb /net/ipv6 | |
| parent | 34498825cb9062192b77fa02dae672a4fe6eec70 (diff) | |
[NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option
The NETFILTER_ADVANCED option hides lots of the rather obscure netfilter
options when disabled and provides defaults (M) that should allow to
run a distribution firewall without further thinking.
Defaults to 'y' to avoid breaking current configurations.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/Kconfig | 23 |
1 files changed, 20 insertions, 3 deletions
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index 5374c665f8d8..a6b4a9a10532 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig | |||
| @@ -8,6 +8,7 @@ menu "IPv6: Netfilter Configuration (EXPERIMENTAL)" | |||
| 8 | config NF_CONNTRACK_IPV6 | 8 | config NF_CONNTRACK_IPV6 |
| 9 | tristate "IPv6 connection tracking support (EXPERIMENTAL)" | 9 | tristate "IPv6 connection tracking support (EXPERIMENTAL)" |
| 10 | depends on INET && IPV6 && EXPERIMENTAL && NF_CONNTRACK | 10 | depends on INET && IPV6 && EXPERIMENTAL && NF_CONNTRACK |
| 11 | default m if NETFILTER_ADVANCED=n | ||
| 11 | ---help--- | 12 | ---help--- |
| 12 | Connection tracking keeps a record of what packets have passed | 13 | Connection tracking keeps a record of what packets have passed |
| 13 | through your machine, in order to figure out how they are related | 14 | through your machine, in order to figure out how they are related |
| @@ -22,6 +23,7 @@ config NF_CONNTRACK_IPV6 | |||
| 22 | config IP6_NF_QUEUE | 23 | config IP6_NF_QUEUE |
| 23 | tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)" | 24 | tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)" |
| 24 | depends on INET && IPV6 && NETFILTER && EXPERIMENTAL | 25 | depends on INET && IPV6 && NETFILTER && EXPERIMENTAL |
| 26 | depends on NETFILTER_ADVANCED | ||
| 25 | ---help--- | 27 | ---help--- |
| 26 | 28 | ||
| 27 | This option adds a queue handler to the kernel for IPv6 | 29 | This option adds a queue handler to the kernel for IPv6 |
| @@ -44,6 +46,7 @@ config IP6_NF_IPTABLES | |||
| 44 | tristate "IP6 tables support (required for filtering)" | 46 | tristate "IP6 tables support (required for filtering)" |
| 45 | depends on INET && IPV6 && EXPERIMENTAL | 47 | depends on INET && IPV6 && EXPERIMENTAL |
| 46 | select NETFILTER_XTABLES | 48 | select NETFILTER_XTABLES |
| 49 | default m if NETFILTER_ADVANCED=n | ||
| 47 | help | 50 | help |
| 48 | ip6tables is a general, extensible packet identification framework. | 51 | ip6tables is a general, extensible packet identification framework. |
| 49 | Currently only the packet filtering and packet mangling subsystem | 52 | Currently only the packet filtering and packet mangling subsystem |
| @@ -56,6 +59,7 @@ config IP6_NF_IPTABLES | |||
| 56 | config IP6_NF_MATCH_RT | 59 | config IP6_NF_MATCH_RT |
| 57 | tristate '"rt" Routing header match support' | 60 | tristate '"rt" Routing header match support' |
| 58 | depends on IP6_NF_IPTABLES | 61 | depends on IP6_NF_IPTABLES |
| 62 | depends on NETFILTER_ADVANCED | ||
| 59 | help | 63 | help |
| 60 | rt matching allows you to match packets based on the routing | 64 | rt matching allows you to match packets based on the routing |
| 61 | header of the packet. | 65 | header of the packet. |
| @@ -65,6 +69,7 @@ config IP6_NF_MATCH_RT | |||
| 65 | config IP6_NF_MATCH_OPTS | 69 | config IP6_NF_MATCH_OPTS |
| 66 | tristate '"hopbyhop" and "dst" opts header match support' | 70 | tristate '"hopbyhop" and "dst" opts header match support' |
| 67 | depends on IP6_NF_IPTABLES | 71 | depends on IP6_NF_IPTABLES |
| 72 | depends on NETFILTER_ADVANCED | ||
| 68 | help | 73 | help |
| 69 | This allows one to match packets based on the hop-by-hop | 74 | This allows one to match packets based on the hop-by-hop |
| 70 | and destination options headers of a packet. | 75 | and destination options headers of a packet. |
| @@ -74,6 +79,7 @@ config IP6_NF_MATCH_OPTS | |||
| 74 | config IP6_NF_MATCH_FRAG | 79 | config IP6_NF_MATCH_FRAG |
| 75 | tristate '"frag" Fragmentation header match support' | 80 | tristate '"frag" Fragmentation header match support' |
| 76 | depends on IP6_NF_IPTABLES | 81 | depends on IP6_NF_IPTABLES |
| 82 | depends on NETFILTER_ADVANCED | ||
| 77 | help | 83 | help |
| 78 | frag matching allows you to match packets based on the fragmentation | 84 | frag matching allows you to match packets based on the fragmentation |
| 79 | header of the packet. | 85 | header of the packet. |
| @@ -83,6 +89,7 @@ config IP6_NF_MATCH_FRAG | |||
| 83 | config IP6_NF_MATCH_HL | 89 | config IP6_NF_MATCH_HL |
| 84 | tristate '"hl" match support' | 90 | tristate '"hl" match support' |
| 85 | depends on IP6_NF_IPTABLES | 91 | depends on IP6_NF_IPTABLES |
| 92 | depends on NETFILTER_ADVANCED | ||
| 86 | help | 93 | help |
| 87 | HL matching allows you to match packets based on the hop | 94 | HL matching allows you to match packets based on the hop |
| 88 | limit of the packet. | 95 | limit of the packet. |
| @@ -92,6 +99,7 @@ config IP6_NF_MATCH_HL | |||
| 92 | config IP6_NF_MATCH_IPV6HEADER | 99 | config IP6_NF_MATCH_IPV6HEADER |
| 93 | tristate '"ipv6header" IPv6 Extension Headers Match' | 100 | tristate '"ipv6header" IPv6 Extension Headers Match' |
| 94 | depends on IP6_NF_IPTABLES | 101 | depends on IP6_NF_IPTABLES |
| 102 | depends on NETFILTER_ADVANCED | ||
| 95 | help | 103 | help |
| 96 | This module allows one to match packets based upon | 104 | This module allows one to match packets based upon |
| 97 | the ipv6 extension headers. | 105 | the ipv6 extension headers. |
| @@ -101,6 +109,7 @@ config IP6_NF_MATCH_IPV6HEADER | |||
| 101 | config IP6_NF_MATCH_AH | 109 | config IP6_NF_MATCH_AH |
| 102 | tristate '"ah" match support' | 110 | tristate '"ah" match support' |
| 103 | depends on IP6_NF_IPTABLES | 111 | depends on IP6_NF_IPTABLES |
| 112 | depends on NETFILTER_ADVANCED | ||
| 104 | help | 113 | help |
| 105 | This module allows one to match AH packets. | 114 | This module allows one to match AH packets. |
| 106 | 115 | ||
| @@ -109,6 +118,7 @@ config IP6_NF_MATCH_AH | |||
| 109 | config IP6_NF_MATCH_MH | 118 | config IP6_NF_MATCH_MH |
| 110 | tristate '"mh" match support' | 119 | tristate '"mh" match support' |
| 111 | depends on IP6_NF_IPTABLES | 120 | depends on IP6_NF_IPTABLES |
| 121 | depends on NETFILTER_ADVANCED | ||
| 112 | help | 122 | help |
| 113 | This module allows one to match MH packets. | 123 | This module allows one to match MH packets. |
| 114 | 124 | ||
| @@ -117,6 +127,7 @@ config IP6_NF_MATCH_MH | |||
| 117 | config IP6_NF_MATCH_EUI64 | 127 | config IP6_NF_MATCH_EUI64 |
| 118 | tristate '"eui64" address check' | 128 | tristate '"eui64" address check' |
| 119 | depends on IP6_NF_IPTABLES | 129 | depends on IP6_NF_IPTABLES |
| 130 | depends on NETFILTER_ADVANCED | ||
| 120 | help | 131 | help |
| 121 | This module performs checking on the IPv6 source address | 132 | This module performs checking on the IPv6 source address |
| 122 | Compares the last 64 bits with the EUI64 (delivered | 133 | Compares the last 64 bits with the EUI64 (delivered |
| @@ -128,6 +139,7 @@ config IP6_NF_MATCH_EUI64 | |||
| 128 | config IP6_NF_FILTER | 139 | config IP6_NF_FILTER |
| 129 | tristate "Packet filtering" | 140 | tristate "Packet filtering" |
| 130 | depends on IP6_NF_IPTABLES | 141 | depends on IP6_NF_IPTABLES |
| 142 | default m if NETFILTER_ADVANCED=n | ||
| 131 | help | 143 | help |
| 132 | Packet filtering defines a table `filter', which has a series of | 144 | Packet filtering defines a table `filter', which has a series of |
| 133 | rules for simple packet filtering at local input, forwarding and | 145 | rules for simple packet filtering at local input, forwarding and |
| @@ -138,6 +150,7 @@ config IP6_NF_FILTER | |||
| 138 | config IP6_NF_TARGET_LOG | 150 | config IP6_NF_TARGET_LOG |
| 139 | tristate "LOG target support" | 151 | tristate "LOG target support" |
| 140 | depends on IP6_NF_FILTER | 152 | depends on IP6_NF_FILTER |
| 153 | default m if NETFILTER_ADVANCED=n | ||
| 141 | help | 154 | help |
| 142 | This option adds a `LOG' target, which allows you to create rules in | 155 | This option adds a `LOG' target, which allows you to create rules in |
| 143 | any iptables table which records the packet header to the syslog. | 156 | any iptables table which records the packet header to the syslog. |
| @@ -147,6 +160,7 @@ config IP6_NF_TARGET_LOG | |||
| 147 | config IP6_NF_TARGET_REJECT | 160 | config IP6_NF_TARGET_REJECT |
| 148 | tristate "REJECT target support" | 161 | tristate "REJECT target support" |
| 149 | depends on IP6_NF_FILTER | 162 | depends on IP6_NF_FILTER |
| 163 | default m if NETFILTER_ADVANCED=n | ||
| 150 | help | 164 | help |
| 151 | The REJECT target allows a filtering rule to specify that an ICMPv6 | 165 | The REJECT target allows a filtering rule to specify that an ICMPv6 |
| 152 | error should be issued in response to an incoming packet, rather | 166 | error should be issued in response to an incoming packet, rather |
| @@ -157,6 +171,7 @@ config IP6_NF_TARGET_REJECT | |||
| 157 | config IP6_NF_MANGLE | 171 | config IP6_NF_MANGLE |
| 158 | tristate "Packet mangling" | 172 | tristate "Packet mangling" |
| 159 | depends on IP6_NF_IPTABLES | 173 | depends on IP6_NF_IPTABLES |
| 174 | default m if NETFILTER_ADVANCED=n | ||
| 160 | help | 175 | help |
| 161 | This option adds a `mangle' table to iptables: see the man page for | 176 | This option adds a `mangle' table to iptables: see the man page for |
| 162 | iptables(8). This table is used for various packet alterations | 177 | iptables(8). This table is used for various packet alterations |
| @@ -167,27 +182,29 @@ config IP6_NF_MANGLE | |||
| 167 | config IP6_NF_TARGET_HL | 182 | config IP6_NF_TARGET_HL |
| 168 | tristate 'HL (hoplimit) target support' | 183 | tristate 'HL (hoplimit) target support' |
| 169 | depends on IP6_NF_MANGLE | 184 | depends on IP6_NF_MANGLE |
| 185 | depends on NETFILTER_ADVANCED | ||
| 170 | help | 186 | help |
| 171 | This option adds a `HL' target, which enables the user to decrement | 187 | This option adds a `HL' target, which enables the user to decrement |
| 172 | the hoplimit value of the IPv6 header or set it to a given (lower) | 188 | the hoplimit value of the IPv6 header or set it to a given (lower) |
| 173 | value. | 189 | value. |
| 174 | 190 | ||
| 175 | While it is safe to decrement the hoplimit value, this option also | 191 | While it is safe to decrement the hoplimit value, this option also |
| 176 | enables functionality to increment and set the hoplimit value of the | 192 | enables functionality to increment and set the hoplimit value of the |
| 177 | IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since | 193 | IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since |
| 178 | you can easily create immortal packets that loop forever on the | 194 | you can easily create immortal packets that loop forever on the |
| 179 | network. | 195 | network. |
| 180 | 196 | ||
| 181 | To compile it as a module, choose M here. If unsure, say N. | 197 | To compile it as a module, choose M here. If unsure, say N. |
| 182 | 198 | ||
| 183 | config IP6_NF_RAW | 199 | config IP6_NF_RAW |
| 184 | tristate 'raw table support (required for TRACE)' | 200 | tristate 'raw table support (required for TRACE)' |
| 185 | depends on IP6_NF_IPTABLES | 201 | depends on IP6_NF_IPTABLES |
| 202 | depends on NETFILTER_ADVANCED | ||
| 186 | help | 203 | help |
| 187 | This option adds a `raw' table to ip6tables. This table is the very | 204 | This option adds a `raw' table to ip6tables. This table is the very |
| 188 | first in the netfilter framework and hooks in at the PREROUTING | 205 | first in the netfilter framework and hooks in at the PREROUTING |
| 189 | and OUTPUT chains. | 206 | and OUTPUT chains. |
| 190 | 207 | ||
| 191 | If you want to compile it as a module, say M here and read | 208 | If you want to compile it as a module, say M here and read |
| 192 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. | 209 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
| 193 | 210 | ||