CONFIG_NETFILTER_ADVANCED

CONFIG_NETFILTER_ADVANCED

[David Miller]

Patrick I would like to propose that we do something similar to how we
handle all the non-trivial routing and TCP congestion control
settings.

And that is to have an "ADVANCED" guard that simply doesn't present
the myriad of netfilter modules and options we have.

Basically, if the user doesn't set CONFIG_NETFILTER_ADVANCED he gets
basic NAT and connection tracking support, that's it.

Or at least something along those lines.

Let me know what you think about this.  Linus has asked me for
something like this several times :)

Re: CONFIG_NETFILTER_ADVANCED

[Patrick McHardy]

David Miller wrote:
> Patrick I would like to propose that we do something similar to how we
> handle all the non-trivial routing and TCP congestion control
> settings.
>
> And that is to have an "ADVANCED" guard that simply doesn't present
> the myriad of netfilter modules and options we have.
>
> Basically, if the user doesn't set CONFIG_NETFILTER_ADVANCED he gets
> basic NAT and connection tracking support, that's it.
>
> Or at least something along those lines.
>
> Let me know what you think about this.  Linus has asked me for
> something like this several times :)

That sounds good, I believe we already talked at the workshop about
this. Additionally I'd like something that selects all modules at
once if it doesn't get too ugly since its a PITA to go through all
the options, and I usually do enable them :). I'll look into these
two things tommorrow.

Re: CONFIG_NETFILTER_ADVANCED

[Jan Engelhardt]

On Nov 16 2007 01:06, Patrick McHardy wrote:
> David Miller wrote:
>> Patrick I would like to propose that we do something similar to how we
>> handle all the non-trivial routing and TCP congestion control
>> settings.
>>
>> And that is to have an "ADVANCED" guard that simply doesn't present
>> the myriad of netfilter modules and options we have.
>>
>> Basically, if the user doesn't set CONFIG_NETFILTER_ADVANCED he gets
>> basic NAT and connection tracking support, that's it.
>>
>> Or at least something along those lines.

> That sounds good, I believe we already talked at the workshop about
> this. Additionally I'd like something that selects all modules at
> once if it doesn't get too ugly since its a PITA to go through all
> the options, and I usually do enable them :). I'll look into these
> two things tommorrow.

Yeah, I'd agree that on CONFIG_NETFILTER_ADVANCED=no, all the fluffy
modules should be selected. It is largely an allmodconfig inside
the nf menuconfig tree.

Re: CONFIG_NETFILTER_ADVANCED

[Patrick McHardy]

Jan Engelhardt wrote:
> On Nov 16 2007 01:06, Patrick McHardy wrote:
>> David Miller wrote:
>>> Patrick I would like to propose that we do something similar to how we
>>> handle all the non-trivial routing and TCP congestion control
>>> settings.
>>>
>>> And that is to have an "ADVANCED" guard that simply doesn't present
>>> the myriad of netfilter modules and options we have.
>>>
>>> Basically, if the user doesn't set CONFIG_NETFILTER_ADVANCED he gets
>>> basic NAT and connection tracking support, that's it.
>>>
>>> Or at least something along those lines.
> 
>> That sounds good, I believe we already talked at the workshop about
>> this. Additionally I'd like something that selects all modules at
>> once if it doesn't get too ugly since its a PITA to go through all
>> the options, and I usually do enable them :). I'll look into these
>> two things tommorrow.
> 
> Yeah, I'd agree that on CONFIG_NETFILTER_ADVANCED=no, all the fluffy
> modules should be selected. It is largely an allmodconfig inside
> the nf menuconfig tree.


Mhh I'm not sure if that should really select all modules, I was more
thinking of NETFILTER_ADVANCED=n should select the basic modules that
are needed to run let say a normal distribution firewall script, and
CONFIG_NETFILTER_ADVANCED=y would give you more choice over the modules.

Re: CONFIG_NETFILTER_ADVANCED

[David Miller]

From: Patrick McHardy <kaber@trash.net>
Date: Fri, 16 Nov 2007 11:10:33 +0100

> Jan Engelhardt wrote:
> > Yeah, I'd agree that on CONFIG_NETFILTER_ADVANCED=no, all the fluffy
> > modules should be selected. It is largely an allmodconfig inside
> > the nf menuconfig tree.
> 
> Mhh I'm not sure if that should really select all modules, I was more
> thinking of NETFILTER_ADVANCED=n should select the basic modules that
> are needed to run let say a normal distribution firewall script, and
> CONFIG_NETFILTER_ADVANCED=y would give you more choice over the modules.

I think this is what Jan meant to say, he just forgot a "not"
somewhere :-)

Re: CONFIG_NETFILTER_ADVANCED

[Jan Engelhardt]

On Nov 16 2007 02:12, David Miller wrote:
>> Jan Engelhardt wrote:
>> > Yeah, I'd agree that on CONFIG_NETFILTER_ADVANCED=no, all the fluffy
>> > modules should be selected. It is largely an allmodconfig inside
>> > the nf menuconfig tree.
>> 
>> Mhh I'm not sure if that should really select all modules, I was more
>> thinking of NETFILTER_ADVANCED=n should select the basic modules that
>> are needed to run let say a normal distribution firewall script, and
>> CONFIG_NETFILTER_ADVANCED=y would give you more choice over the modules.
>
>I think this is what Jan meant to say, he just forgot a "not"
>somewhere :-)
>
Actually I meant what I said. Providing a user with all the matches
and targets allows him to use tutorials like lartc.org without
having to think about whether a module is already in his kernel.

Well, anyway, what modules did you have in mind NETFILTER_ADVANCED=n would turn
on?

Re: CONFIG_NETFILTER_ADVANCED

[David Miller]

From: Jan Engelhardt <jengelh@computergmbh.de>
Date: Fri, 16 Nov 2007 13:19:43 +0100 (CET)

> Well, anyway, what modules did you have in mind NETFILTER_ADVANCED=n would turn
> on?

Basic NAT and connection tracking, nothing else.

Re: CONFIG_NETFILTER_ADVANCED

[Patrick McHardy]

David Miller wrote:
> From: Jan Engelhardt <jengelh@computergmbh.de>
> Date: Fri, 16 Nov 2007 13:19:43 +0100 (CET)
> 
>> Well, anyway, what modules did you have in mind NETFILTER_ADVANCED=n would turn
>> on?
> 
> Basic NAT and connection tracking, nothing else.


Thats not very useful without iptables and a couple of matches and
targets to make use of it :)

What I have in mind is roughly:

IPv4/IPv6 conntrack
NAT
ip_tables/ip6_tables
tables: filter, nat
matches: tcpudp, state, limit, hashlimit, policy
targets: LOG, NFLOG, TCPMSS, REJECT, MASQUERADE

That should be enough for a simple firewall script. I'm not sure
whether we should also select helpers though. Maybe the common
ones, like ftp, irc and sip?

Re: CONFIG_NETFILTER_ADVANCED

[Phil Oester]

On Fri, Nov 16, 2007 at 01:49:45PM +0100, Patrick McHardy wrote:
> What I have in mind is roughly:
> 
> IPv4/IPv6 conntrack
> NAT
> ip_tables/ip6_tables
> tables: filter, nat
> matches: tcpudp, state, limit, hashlimit, policy
> targets: LOG, NFLOG, TCPMSS, REJECT, MASQUERADE
> 
> That should be enough for a simple firewall script. I'm not sure
> whether we should also select helpers though. Maybe the common
> ones, like ftp, irc and sip?

I'd vote for at least FTP here...most users will use it at
some point (or if they don't, wonder why FTP is broken).

Phil

Re: CONFIG_NETFILTER_ADVANCED

[Patrick McHardy]

Phil Oester wrote:
> On Fri, Nov 16, 2007 at 01:49:45PM +0100, Patrick McHardy wrote:
>> What I have in mind is roughly:
>>
>> IPv4/IPv6 conntrack
>> NAT
>> ip_tables/ip6_tables
>> tables: filter, nat
>> matches: tcpudp, state, limit, hashlimit, policy
>> targets: LOG, NFLOG, TCPMSS, REJECT, MASQUERADE
>>
>> That should be enough for a simple firewall script. I'm not sure
>> whether we should also select helpers though. Maybe the common
>> ones, like ftp, irc and sip?
> 
> I'd vote for at least FTP here...most users will use it at
> some point (or if they don't, wonder why FTP is broken).


I agree. It would be useful if some users of a distribution that
includes a firewall script could check which modules it requires.

Re: CONFIG_NETFILTER_ADVANCED

[Amos Jeffries]

Patrick McHardy wrote:
> Phil Oester wrote:
>> On Fri, Nov 16, 2007 at 01:49:45PM +0100, Patrick McHardy wrote:
>>> What I have in mind is roughly:
>>>
>>> IPv4/IPv6 conntrack
>>> NAT
>>> ip_tables/ip6_tables
>>> tables: filter, nat
>>> matches: tcpudp, state, limit, hashlimit, policy
>>> targets: LOG, NFLOG, TCPMSS, REJECT, MASQUERADE
>>>
>>> That should be enough for a simple firewall script. I'm not sure
>>> whether we should also select helpers though. Maybe the common
>>> ones, like ftp, irc and sip?
>>
>> I'd vote for at least FTP here...most users will use it at
>> some point (or if they don't, wonder why FTP is broken).
> 
> 
> I agree. It would be useful if some users of a distribution that
> includes a firewall script could check which modules it requires.
> 

All right.
Here is the fairly common shorewall 3.4's default dependencies as taken 
from /usr/share/shorewall/modules .
These are not likely to change per-system without a clueful administrator.

#
# Essential Modules
#
loadmodule nfnetlink
loadmodule x_tables
loadmodule ip_tables
loadmodule iptable_filter
loadmodule iptable_mangle
loadmodule ip_conntrack
loadmodule nf_conntrack
loadmodule nf_conntrack_ipv4
loadmodule iptable_nat
loadmodule xt_state
loadmodule xt_tcpudp
#
# Other xtables modules
#
loadmodule xt_CLASSIFY
loadmodule xt_connmark
loadmodule xt_CONNMARK
loadmodule xt_conntrack
loadmodule xt_dccp
loadmodule xt_hashlimit
loadmodule xt_helper
loadmodule xt_length
loadmodule xt_limit
loadmodule xt_mac
loadmodule xt_mark
loadmodule xt_MARK
loadmodule xt_NFLOG
loadmodule xt_NFQUEUE
loadmodule xt_physdev
loadmodule xt_pkttype
loadmodule xt_tcpmss
#
# Helpers
#
loadmodule ip_conntrack_amanda
loadmodule ip_conntrack_ftp
loadmodule ip_conntrack_h323
loadmodule ip_conntrack_irc
loadmodule ip_conntrack_netbios_ns
loadmodule ip_conntrack_pptp
# loadmodule ip_conntrack_sip
loadmodule ip_conntrack_tftp
loadmodule ip_nat_amanda
loadmodule ip_nat_ftp
loadmodule ip_nat_h323
loadmodule ip_nat_irc
loadmodule ip_nat_pptp
# loadmodule ip_nat_sip
loadmodule ip_nat_snmp_basic
loadmodule ip_nat_tftp
loadmodule ip_set
loadmodule ip_set_iphash
loadmodule ip_set_ipmap
loadmodule ip_set_macipmap
loadmodule ip_set_portmap
#
# 2.6.20+ helpers
#
loadmodule nf_conntrack_ftp
loadmodule nf_conntrack_h323
loadmodule nf_conntrack_irc
loadmodule nf_conntrack_netbios_ns
loadmodule nf_conntrack_netlink
loadmodule nf_conntrack_pptp
loadmodule nf_conntrack_proto_gre
loadmodule nf_conntrack_proto_sctp
loadmodule nf_conntrack_sip
loadmodule nf_conntrack_tftp
loadmodule nf_nat_amanda
loadmodule nf_nat_ftp
loadmodule nf_nat_h323
loadmodule nf_nat_irc
loadmodule nf_nat
loadmodule nf_nat_pptp
loadmodule nf_nat_proto_gre
loadmodule nf_nat_sip
loadmodule nf_nat_snmp_basic
loadmodule nf_nat_tftp
#
# Traffic Shaping
#
loadmodule sch_sfq
loadmodule sch_ingress
loadmodule sch_htb
loadmodule cls_u32
#
# Extensions
#
loadmodule ipt_addrtype
loadmodule ipt_ah
loadmodule ipt_CLASSIFY
loadmodule ipt_CLUSTERIP
loadmodule ipt_comment
loadmodule ipt_connmark
loadmodule ipt_CONNMARK
loadmodule ipt_conntrack
loadmodule ipt_dscp
loadmodule ipt_DSCP
loadmodule ipt_ecn
loadmodule ipt_ECN
loadmodule ipt_esp
loadmodule ipt_hashlimit
loadmodule ipt_helper
loadmodule ipt_ipp2p
loadmodule ipt_iprange
loadmodule ipt_length
loadmodule ipt_limit
loadmodule ipt_LOG
loadmodule ipt_mac
loadmodule ipt_mark
loadmodule ipt_MARK
loadmodule ipt_MASQUERADE
loadmodule ipt_multiport
loadmodule ipt_NETMAP
loadmodule ipt_NOTRACK
loadmodule ipt_owner
loadmodule ipt_physdev
loadmodule ipt_pkttype
loadmodule ipt_policy
loadmodule ipt_realm
loadmodule ipt_recent
loadmodule ipt_REDIRECT
loadmodule ipt_REJECT
loadmodule ipt_SAME
loadmodule ipt_sctp
loadmodule ipt_set
loadmodule ipt_state
loadmodule ipt_tcpmss
loadmodule ipt_TCPMSS
loadmodule ipt_tos
loadmodule ipt_TOS
loadmodule ipt_ttl
loadmodule ipt_TTL
loadmodule ipt_ULOG



AYJ

Re: CONFIG_NETFILTER_ADVANCED

[Tom Eastep]

[-- Attachment #1: Type: text/plain, Size: 4651 bytes --]

Amos Jeffries wrote:

> 
> All right.
> Here is the fairly common shorewall 3.4's default dependencies as taken
> from /usr/share/shorewall/modules .
> These are not likely to change per-system without a clueful administrator.

A couple of things should be noted about this list.

a) It it includes modules that no longer exist in current kernels since
Shorewall is often run on older kernels.

b) It includes modules that currently aren't used by Shorewall. I've flagged
those below with <=================

c) The list includes traffic shaping modules which don't apply to the
current discussion.

As others have written, I think it is important to include the common
helpers since their absence usually messes people up.

> 
> #
> # Essential Modules
> #
> loadmodule nfnetlink
> loadmodule x_tables
> loadmodule ip_tables
> loadmodule iptable_filter
> loadmodule iptable_mangle
> loadmodule ip_conntrack
> loadmodule nf_conntrack
> loadmodule nf_conntrack_ipv4
> loadmodule iptable_nat
> loadmodule xt_state
> loadmodule xt_tcpudp
> #
> # Other xtables modules
> #
> loadmodule xt_CLASSIFY
> loadmodule xt_connmark
> loadmodule xt_CONNMARK
> loadmodule xt_conntrack
> loadmodule xt_dccp      <==================
> loadmodule xt_hashlimit <==================
> loadmodule xt_helper    <==================
> loadmodule xt_length    <==================
> loadmodule xt_limit
> loadmodule xt_mac
> loadmodule xt_mark
> loadmodule xt_MARK
> loadmodule xt_NFLOG
> loadmodule xt_NFQUEUE
> loadmodule xt_physdev
> loadmodule xt_pkttype
> loadmodule xt_tcpmss
> #
> # Helpers
> #
> loadmodule ip_conntrack_amanda 
> loadmodule ip_conntrack_ftp
> loadmodule ip_conntrack_h323
> loadmodule ip_conntrack_irc
> loadmodule ip_conntrack_netbios_ns
> loadmodule ip_conntrack_pptp
> # loadmodule ip_conntrack_sip
> loadmodule ip_conntrack_tftp
> loadmodule ip_nat_amanda
> loadmodule ip_nat_ftp
> loadmodule ip_nat_h323
> loadmodule ip_nat_irc
> loadmodule ip_nat_pptp
> # loadmodule ip_nat_sip
> loadmodule ip_nat_snmp_basic
> loadmodule ip_nat_tftp
> loadmodule ip_set
> loadmodule ip_set_iphash
> loadmodule ip_set_ipmap
> loadmodule ip_set_macipmap
> loadmodule ip_set_portmap
> #
> # 2.6.20+ helpers
> #
> loadmodule nf_conntrack_ftp
> loadmodule nf_conntrack_h323
> loadmodule nf_conntrack_irc
> loadmodule nf_conntrack_netbios_ns
> loadmodule nf_conntrack_netlink
> loadmodule nf_conntrack_pptp
> loadmodule nf_conntrack_proto_gre
> loadmodule nf_conntrack_proto_sctp
> loadmodule nf_conntrack_sip
> loadmodule nf_conntrack_tftp
> loadmodule nf_nat_amanda
> loadmodule nf_nat_ftp
> loadmodule nf_nat_h323
> loadmodule nf_nat_irc
> loadmodule nf_nat
> loadmodule nf_nat_pptp
> loadmodule nf_nat_proto_gre
> loadmodule nf_nat_sip
> loadmodule nf_nat_snmp_basic
> loadmodule nf_nat_tftp
> #
> # Traffic Shaping
> #
> loadmodule sch_sfq
> loadmodule sch_ingress
> loadmodule sch_htb
> loadmodule cls_u32
> #
> # Extensions
> #
> loadmodule ipt_addrtype
> loadmodule ipt_ah         <=================
> loadmodule ipt_CLASSIFY
> loadmodule ipt_CLUSTERIP  <=================
> loadmodule ipt_comment
> loadmodule ipt_connmark
> loadmodule ipt_CONNMARK
> loadmodule ipt_conntrack
> loadmodule ipt_dscp       <=================
> loadmodule ipt_DSCP       <=================
> loadmodule ipt_ecn
> loadmodule ipt_ECN
> loadmodule ipt_esp        <=================
> loadmodule ipt_hashlimit
> loadmodule ipt_helper
> loadmodule ipt_ipp2p
> loadmodule ipt_iprange
> loadmodule ipt_length     <==================
> loadmodule ipt_limit
> loadmodule ipt_LOG
> loadmodule ipt_mac
> loadmodule ipt_mark
> loadmodule ipt_MARK
> loadmodule ipt_MASQUERADE
> loadmodule ipt_multiport
> loadmodule ipt_NETMAP
> loadmodule ipt_NOTRACK    <===================
> loadmodule ipt_owner
> loadmodule ipt_physdev
> loadmodule ipt_pkttype
> loadmodule ipt_policy
> loadmodule ipt_realm
> loadmodule ipt_recent
> loadmodule ipt_REDIRECT
> loadmodule ipt_REJECT
> loadmodule ipt_SAME
> loadmodule ipt_sctp       <====================
> loadmodule ipt_set
> loadmodule ipt_state
> loadmodule ipt_tcpmss
> loadmodule ipt_TCPMSS
> loadmodule ipt_tos
> loadmodule ipt_TOS
> loadmodule ipt_ttl        <=====================
> loadmodule ipt_TTL        <=====================
> loadmodule ipt_ULOG
> 

-Tom
-- 
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 252 bytes --]

Re: CONFIG_NETFILTER_ADVANCED

[David Miller]

From: Phil Oester <kernel@linuxace.com>
Date: Fri, 16 Nov 2007 07:35:41 -0800

> I'd vote for at least FTP here...most users will use it at
> some point (or if they don't, wonder why FTP is broken).

I disagree, passive ftp is extremely pervasive, there is no reason to
use traditional ftp these days.

I don't use it on my NAT box here at home and learned instintively
to type 'pftp' from the command line over time :-)

Re: CONFIG_NETFILTER_ADVANCED

[Benny Amorsen]

>>>>> "DM" == David Miller <davem@davemloft.net> writes:

DM> I disagree, passive ftp is extremely pervasive, there is no reason
DM> to use traditional ftp these days.

Active FTP needs helpers on the client side, passive FTP needs helpers
on the server side.


/Benny

Re: CONFIG_NETFILTER_ADVANCED

[Pascal Hambourg]

Hello,

Benny Amorsen a écrit :
> 
> DM> I disagree, passive ftp is extremely pervasive, there is no reason
> DM> to use traditional ftp these days.

So what ? The FTP helper is useful in both active and passive modes.

> Active FTP needs helpers on the client side, passive FTP needs helpers
> on the server side.

If you want to restrict outgoing connections you also need the FTP 
conntrack helper regardless of whether you're on the server or client side.
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: CONFIG_NETFILTER_ADVANCED

[Patrick McHardy]

Amos Jeffries wrote:
> Patrick McHardy wrote:
>>
>>
>> I agree. It would be useful if some users of a distribution that
>> includes a firewall script could check which modules it requires.
>>
>
> All right.
> Here is the fairly common shorewall 3.4's default dependencies as 
> taken from /usr/share/shorewall/modules .
> These are not likely to change per-system without a clueful 
> administrator.

This looks like basically everything. What I'm looking for is a list of
modules required for the firewall scripts included in SuSE, RH, ...

Re: CONFIG_NETFILTER_ADVANCED

[Patrick McHardy]

David Miller wrote:
> From: Phil Oester <kernel@linuxace.com>
> Date: Fri, 16 Nov 2007 07:35:41 -0800
>
>   
>> I'd vote for at least FTP here...most users will use it at
>> some point (or if they don't, wonder why FTP is broken).
>>     
>
> I disagree, passive ftp is extremely pervasive, there is no reason to
> use traditional ftp these days.

I'd expect that many distribution scripts load it anyway, and IMO the
point of this config option is to support basic distribution scripts
without going through all the options manually.

There must be someone on this list not running Debian or Ubuntu :) Could
some RH/Fedora/Suse user please post the output of lsmod on his system?

Re: CONFIG_NETFILTER_ADVANCED

[Jan Engelhardt]

On Nov 17 2007 17:08, Patrick McHardy wrote:
> Amos Jeffries wrote:
>> Patrick McHardy wrote:
>> >
>> >
>> > I agree. It would be useful if some users of a distribution that
>> > includes a firewall script could check which modules it requires.
>> >
>>
>> All right.
>> Here is the fairly common shorewall 3.4's default dependencies as taken from
>> /usr/share/shorewall/modules .
>> These are not likely to change per-system without a clueful administrator.
>
> This looks like basically everything. What I'm looking for is a list of

The problem is: you never know when they gonna change it!


> modules required for the firewall scripts included in SuSE, RH, ...

SUSE:

DNAT LOG MARK MASQUERADE REDIRECT REJECT TCPMSS esp
icmp icmpv6 limit pkttype policy
state tcp udp

But - surprise, surprise - it allows to load a file of custom rules,
so that basically means {ipt,ip6t,xt}_*, aka allmodconfig, like I said!
:)

Re: CONFIG_NETFILTER_ADVANCED

[Patrick McHardy]

Jan Engelhardt wrote:
> On Nov 17 2007 17:08, Patrick McHardy wrote:
>> Amos Jeffries wrote:
>>> Patrick McHardy wrote:
>>>>
>>>> I agree. It would be useful if some users of a distribution that
>>>> includes a firewall script could check which modules it requires.
>>>>
>>> All right.
>>> Here is the fairly common shorewall 3.4's default dependencies as taken from
>>> /usr/share/shorewall/modules .
>>> These are not likely to change per-system without a clueful administrator.
>> This looks like basically everything. What I'm looking for is a list of
> 
> The problem is: you never know when they gonna change it!
> 
> 
>> modules required for the firewall scripts included in SuSE, RH, ...
> 
> SUSE:
> 
> DNAT LOG MARK MASQUERADE REDIRECT REJECT TCPMSS esp
> icmp icmpv6 limit pkttype policy
> state tcp udp

Thanks. Any RH/Fedora users?

> But - surprise, surprise - it allows to load a file of custom rules,
> so that basically means {ipt,ip6t,xt}_*, aka allmodconfig, like I said!
> :)

Well, the point of the avanced option is to handle *advanced*
cases, so we don't need to cover manual adjustments (including
things like shorewall which are usually installed manually). The
default cases for people not having touched their *firewall*
configuration is enough. I wasn't able to find the SuSE-script,
but from a screenshot I could see that they do optionally handle
IPsec. So what I'm saying is that we should include f.i. the policy
match, and all other modules needed without manually attending
to the firewall, but nothing more.

IOW, its for people like Linus, presumably not touching their
default configuration, but unwilling to go through the 50+
options to decide themselves.

For people who want to compile-test them all (like me), we
still can have a CONFIG_NETFILTER_ALL option hidden under
CONFIG_NETFILTER_ADVANCED for simplicity, but that is a
different topic.

Re: CONFIG_NETFILTER_ADVANCED

[Al Boldi]

Patrick McHardy wrote:
> Well, the point of the avanced option is to handle *advanced*
> cases, so we don't need to cover manual adjustments (including
> things like shorewall which are usually installed manually). The
> default cases for people not having touched their *firewall*
> configuration is enough. I wasn't able to find the SuSE-script,
> but from a screenshot I could see that they do optionally handle
> IPsec. So what I'm saying is that we should include f.i. the policy
> match, and all other modules needed without manually attending
> to the firewall, but nothing more.
>
> IOW, its for people like Linus, presumably not touching their
> default configuration, but unwilling to go through the 50+
> options to decide themselves.
>
> For people who want to compile-test them all (like me), we
> still can have a CONFIG_NETFILTER_ALL option hidden under
> CONFIG_NETFILTER_ADVANCED for simplicity, but that is a
> different topic.

CONFIG_NETFILTER_ALL sounds great.  So why not have CONFIG_NETFILTER_MIN for 
a minimal setup, which would only select:

  targets: NOTRACK, MASQ, REJECT, LOG
  matches: state, mport

Then let the user select any additional modules, like IPsec/policy or 
FTP/helpers.


Thanks!

--
Al

Re: CONFIG_NETFILTER_ADVANCED

[Jan Engelhardt]

On Nov 18 2007 03:19, Patrick McHardy wrote:
>> 
>> SUSE:
>> 
>> DNAT LOG MARK MASQUERADE REDIRECT REJECT TCPMSS esp
>> icmp icmpv6 limit pkttype policy
>> state tcp udp
>
> Thanks. Any RH/Fedora users?
>
>> But - surprise, surprise - it allows to load a file of custom rules,
>> so that basically means {ipt,ip6t,xt}_*, aka allmodconfig, like I said!
>> :)
>
> Well, the point of the avanced option is to handle *advanced*
> cases, so we don't need to cover manual adjustments (including
> things like shorewall which are usually installed manually).

Well even in "manual installations", I prefer to compile one kernel for all
hosts of the same arch I am ever going to work with, because it takes its time,
and time is precious when the number of hosts grows towards +Infinity.

> The
> default cases for people not having touched their *firewall*
> configuration is enough. I wasn't able to find the SuSE-script,

Unpack
http://download.opensuse.org/distribution/SL-OSS-factory/inst-source/suse/src/SuSEfirewall2-3.6_SVNr183-15.src.rpm
look into sbin/SuSEfirewall2.

> but from a screenshot I could see that they do optionally handle
> IPsec. So what I'm saying is that we should include f.i. the policy
> match,

...which I listed above...

> and all other modules needed without manually attending
> to the firewall, but nothing more.
>
> IOW, its for people like Linus, presumably not touching their
> default configuration, but unwilling to go through the 50+
> options to decide themselves.
>
> For people who want to compile-test them all (like me), we
> still can have a CONFIG_NETFILTER_ALL option hidden under
> CONFIG_NETFILTER_ADVANCED for simplicity, but that is a
> different topic.
>
For compile-testing, allmodconfig is sufficient IMO.

Re: CONFIG_NETFILTER_ADVANCED

[Jozsef Kadlecsik]

Hi Patrick,

On Sun, 18 Nov 2007, Patrick McHardy wrote:

> For people who want to compile-test them all (like me), we
> still can have a CONFIG_NETFILTER_ALL option hidden under
> CONFIG_NETFILTER_ADVANCED for simplicity, but that is a
> different topic.

I think the other way around would be better:

CONFIG_NETFILTER		enable everyting
CONFIG_NETFILTER_WITHOUT_NAT	everything except NAT
CONFIG_NETFILTER_ADVANCED	select modules manually

This is more or less the most usual cases: typically almost everyone wants 
NAT and the wide range of matches and targets. Some places don't use NAT. 
And if someone wants to exclude modules or disable settings like 
conntrack flow accounting, in advanced mode it'd be possible to do so.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: CONFIG_NETFILTER_ADVANCED

[David Miller]

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date: Sun, 18 Nov 2007 14:21:20 +0100 (CET)

> I think the other way around would be better:
> 
> CONFIG_NETFILTER		enable everyting
> CONFIG_NETFILTER_WITHOUT_NAT	everything except NAT
> CONFIG_NETFILTER_ADVANCED	select modules manually
> 
> This is more or less the most usual cases: typically almost everyone wants 
> NAT and the wide range of matches and targets. Some places don't use NAT. 
> And if someone wants to exclude modules or disable settings like 
> conntrack flow accounting, in advanced mode it'd be possible to do so.

This leaves no choice for the original purpose my
proposal was meant to address.

People like Linus who want one config option to choose
which gives them the basics but not "all the other random
crap" that he'll never use.

Re: CONFIG_NETFILTER_ADVANCED

[Patrick McHardy]

[-- Attachment #1: Type: text/plain, Size: 2379 bytes --]

David Miller wrote:
> From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> Date: Sun, 18 Nov 2007 14:21:20 +0100 (CET)
> 
>> I think the other way around would be better:
>>
>> CONFIG_NETFILTER		enable everyting
>> CONFIG_NETFILTER_WITHOUT_NAT	everything except NAT
>> CONFIG_NETFILTER_ADVANCED	select modules manually
>>
>> This is more or less the most usual cases: typically almost everyone wants 
>> NAT and the wide range of matches and targets. Some places don't use NAT. 
>> And if someone wants to exclude modules or disable settings like 
>> conntrack flow accounting, in advanced mode it'd be possible to do so.
> 
> This leaves no choice for the original purpose my
> proposal was meant to address.
> 
> People like Linus who want one config option to choose
> which gives them the basics but not "all the other random
> crap" that he'll never use.


Just one option gets really ugly because select stupidly selects,
not caring about dependencies. So we'd have to duplicate all the
dependencies to decide when to select. My current attempt makes
lots of symbols depend on NETFILTER_ADVANCED, hiding them, and
uses default m if NETFILTER_ADVANCED=n for the remaining ones,
so you can simply hit enter until you're through the netfilter
stuff.

The modules currently defaulting to m are:

CONFIG_NETFILTER_NETLINK=m
CONFIG_NETFILTER_NETLINK_LOG=m
CONFIG_NF_CONNTRACK=m
CONFIG_NF_CONNTRACK_FTP=m
CONFIG_NF_CONNTRACK_IRC=m
CONFIG_NF_CONNTRACK_SIP=m
CONFIG_NF_CT_NETLINK=m
CONFIG_NETFILTER_XTABLES=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_NFLOG=m
CONFIG_NETFILTER_XT_TARGET_TCPMSS=m
CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NETFILTER_XT_MATCH_POLICY=m
CONFIG_NETFILTER_XT_MATCH_STATE=m
CONFIG_NF_CONNTRACK_IPV4=m
CONFIG_NF_CONNTRACK_PROC_COMPAT=y
CONFIG_IP_NF_IPTABLES=m
CONFIG_IP_NF_FILTER=m
CONFIG_IP_NF_TARGET_REJECT=m
CONFIG_IP_NF_TARGET_LOG=m
CONFIG_IP_NF_TARGET_ULOG=m
CONFIG_NF_NAT=m
CONFIG_NF_NAT_NEEDED=y
CONFIG_IP_NF_TARGET_MASQUERADE=m
CONFIG_NF_NAT_FTP=m
CONFIG_NF_NAT_IRC=m
CONFIG_NF_NAT_SIP=m
CONFIG_IP_NF_MANGLE=m
CONFIG_NF_CONNTRACK_IPV6=m
CONFIG_IP6_NF_IPTABLES=m
CONFIG_IP6_NF_FILTER=m
CONFIG_IP6_NF_TARGET_LOG=m
CONFIG_IP6_NF_TARGET_REJECT=m
CONFIG_IP6_NF_MANGLE=m

Of course without IPv6 the last 6 ones are missing. This brings us down
from 114 options to 36.

Any suggestions for improvement?

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 34958 bytes --]

commit dec598b808b8233d5809a8164d87320d2e8d2e1b
Author: Patrick McHardy <kaber@trash.net>
Date:   Tue Nov 27 17:30:03 2007 +0100

    [NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option

diff --git a/net/Kconfig b/net/Kconfig
index 58ed2f4..b6a5d45 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -144,9 +144,21 @@ config NETFILTER_DEBUG
 	  You can say Y here if you want to get additional messages useful in
 	  debugging the netfilter code.
 
+config NETFILTER_ADVANCED
+	bool "Advanced netfilter configuration"
+	depends on NETFILTER
+	default y
+	help
+	  If you say Y here you can select between all the netfilter modules.
+	  If you say N the more ununsual ones will not be shown and the
+	  basic ones needed by most people will default to 'M'.
+
+	  If unsure, say Y.
+
 config BRIDGE_NETFILTER
 	bool "Bridged IP/ARP packets filtering"
 	depends on BRIDGE && NETFILTER && INET
+	depends on NETFILTER_ADVANCED
 	default y
 	---help---
 	  Enabling this option will let arptables resp. iptables see bridged
diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
index b84fc60..4a3e2bf 100644
--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -3,7 +3,7 @@
 #
 
 menu "Bridge: Netfilter Configuration"
-	depends on BRIDGE && NETFILTER
+	depends on BRIDGE && BRIDGE_NETFILTER
 
 config BRIDGE_NF_EBTABLES
 	tristate "Ethernet Bridge tables (ebtables) support"
diff --git a/net/decnet/netfilter/Kconfig b/net/decnet/netfilter/Kconfig
index ecdb3f9..2f81de5 100644
--- a/net/decnet/netfilter/Kconfig
+++ b/net/decnet/netfilter/Kconfig
@@ -4,6 +4,7 @@
 
 menu "DECnet: Netfilter Configuration"
 	depends on DECNET && NETFILTER && EXPERIMENTAL
+	depends on NETFILTER_ADVANCED
 
 config DECNET_NF_GRABULATOR
 	tristate "Routing message grabulator (for userland routing daemon)"
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index ad26f66..cface71 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -8,6 +8,7 @@ menu "IP: Netfilter Configuration"
 config NF_CONNTRACK_IPV4
 	tristate "IPv4 connection tracking support (required for NAT)"
 	depends on NF_CONNTRACK
+	default m if NETFILTER_ADVANCED=n
 	---help---
 	  Connection tracking keeps a record of what packets have passed
 	  through your machine, in order to figure out how they are related
@@ -32,6 +33,7 @@ config NF_CONNTRACK_PROC_COMPAT
 
 config IP_NF_QUEUE
 	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
+	depends on NETFILTER_ADVANCED
 	help
 	  Netfilter has the ability to queue packets to user space: the
 	  netlink device can be used to access them using this driver.
@@ -44,6 +46,7 @@ config IP_NF_QUEUE
 
 config IP_NF_IPTABLES
 	tristate "IP tables support (required for filtering/masq/NAT)"
+	default m if NETFILTER_ADVANCED=n
 	select NETFILTER_XTABLES
 	help
 	  iptables is a general, extensible packet identification framework.
@@ -57,6 +60,7 @@ config IP_NF_IPTABLES
 config IP_NF_MATCH_IPRANGE
 	tristate '"iprange" match support'
 	depends on IP_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This option makes possible to match IP addresses against IP address
 	  ranges.
@@ -66,6 +70,7 @@ config IP_NF_MATCH_IPRANGE
 config IP_NF_MATCH_RECENT
 	tristate '"recent" match support'
 	depends on IP_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This match is used for creating one or many lists of recently
 	  used addresses and then matching against that/those list(s).
@@ -78,6 +83,7 @@ config IP_NF_MATCH_RECENT
 config IP_NF_MATCH_ECN
 	tristate '"ecn" match support'
 	depends on IP_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `ECN' match, which allows you to match against
 	  the IPv4 and TCP header ECN fields.
@@ -87,6 +93,7 @@ config IP_NF_MATCH_ECN
 config IP_NF_MATCH_AH
 	tristate '"ah" match support'
 	depends on IP_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This match extension allows you to match a range of SPIs
 	  inside AH header of IPSec packets.
@@ -96,6 +103,7 @@ config IP_NF_MATCH_AH
 config IP_NF_MATCH_TTL
 	tristate '"ttl" match support'
 	depends on IP_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
 	  to match packets by their TTL value.
@@ -105,10 +113,11 @@ config IP_NF_MATCH_TTL
 config IP_NF_MATCH_ADDRTYPE
 	tristate '"addrtype" address type match support'
 	depends on IP_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This option allows you to match what routing thinks of an address,
 	  eg. UNICAST, LOCAL, BROADCAST, ...
-	
+
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 
@@ -116,6 +125,7 @@ config IP_NF_MATCH_ADDRTYPE
 config IP_NF_FILTER
 	tristate "Packet filtering"
 	depends on IP_NF_IPTABLES
+	default m if NETFILTER_ADVANCED=n
 	help
 	  Packet filtering defines a table `filter', which has a series of
 	  rules for simple packet filtering at local input, forwarding and
@@ -126,6 +136,7 @@ config IP_NF_FILTER
 config IP_NF_TARGET_REJECT
 	tristate "REJECT target support"
 	depends on IP_NF_FILTER
+	default m if NETFILTER_ADVANCED=n
 	help
 	  The REJECT target allows a filtering rule to specify that an ICMP
 	  error should be issued in response to an incoming packet, rather
@@ -136,6 +147,7 @@ config IP_NF_TARGET_REJECT
 config IP_NF_TARGET_LOG
 	tristate "LOG target support"
 	depends on IP_NF_IPTABLES
+	default m if NETFILTER_ADVANCED=n
 	help
 	  This option adds a `LOG' target, which allows you to create rules in
 	  any iptables table which records the packet header to the syslog.
@@ -145,6 +157,7 @@ config IP_NF_TARGET_LOG
 config IP_NF_TARGET_ULOG
 	tristate "ULOG target support"
 	depends on IP_NF_IPTABLES
+	default m if NETFILTER_ADVANCED=n
 	---help---
 
 	  This option enables the old IPv4-only "ipt_ULOG" implementation
@@ -165,6 +178,7 @@ config IP_NF_TARGET_ULOG
 config NF_NAT
 	tristate "Full NAT"
 	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4
+	default m if NETFILTER_ADVANCED=n
 	help
 	  The Full NAT option allows masquerading, port forwarding and other
 	  forms of full Network Address Port Translation.  It is controlled by
@@ -180,6 +194,7 @@ config NF_NAT_NEEDED
 config IP_NF_TARGET_MASQUERADE
 	tristate "MASQUERADE target support"
 	depends on NF_NAT
+	default m if NETFILTER_ADVANCED=n
 	help
 	  Masquerading is a special case of NAT: all outgoing connections are
 	  changed to seem to come from a particular interface's address, and
@@ -192,6 +207,7 @@ config IP_NF_TARGET_MASQUERADE
 config IP_NF_TARGET_REDIRECT
 	tristate "REDIRECT target support"
 	depends on NF_NAT
+	depends on NETFILTER_ADVANCED
 	help
 	  REDIRECT is a special case of NAT: all incoming connections are
 	  mapped onto the incoming interface's address, causing the packets to
@@ -203,6 +219,7 @@ config IP_NF_TARGET_REDIRECT
 config IP_NF_TARGET_NETMAP
 	tristate "NETMAP target support"
 	depends on NF_NAT
+	depends on NETFILTER_ADVANCED
 	help
 	  NETMAP is an implementation of static 1:1 NAT mapping of network
 	  addresses. It maps the network address part, while keeping the host
@@ -214,6 +231,7 @@ config IP_NF_TARGET_NETMAP
 config NF_NAT_SNMP_BASIC
 	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"
 	depends on EXPERIMENTAL && NF_NAT
+	depends on NETFILTER_ADVANCED
 	---help---
 
 	  This module implements an Application Layer Gateway (ALG) for
@@ -277,6 +295,7 @@ config NF_NAT_SIP
 config IP_NF_MANGLE
 	tristate "Packet mangling"
 	depends on IP_NF_IPTABLES
+	default m if NETFILTER_ADVANCED=n
 	help
 	  This option adds a `mangle' table to iptables: see the man page for
 	  iptables(8).  This table is used for various packet alterations
@@ -287,6 +306,7 @@ config IP_NF_MANGLE
 config IP_NF_TARGET_ECN
 	tristate "ECN target support"
 	depends on IP_NF_MANGLE
+	depends on NETFILTER_ADVANCED
 	---help---
 	  This option adds a `ECN' target, which can be used in the iptables mangle
 	  table.  
@@ -301,6 +321,7 @@ config IP_NF_TARGET_ECN
 config IP_NF_TARGET_TTL
 	tristate  'TTL target support'
 	depends on IP_NF_MANGLE
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `TTL' target, which enables the user to modify
 	  the TTL value of the IP header.
@@ -316,6 +337,7 @@ config IP_NF_TARGET_CLUSTERIP
 	tristate "CLUSTERIP target support (EXPERIMENTAL)"
 	depends on IP_NF_MANGLE && EXPERIMENTAL
 	depends on NF_CONNTRACK_IPV4
+	depends on NETFILTER_ADVANCED
 	select NF_CONNTRACK_MARK
 	help
 	  The CLUSTERIP target allows you to build load-balancing clusters of
@@ -328,6 +350,7 @@ config IP_NF_TARGET_CLUSTERIP
 config IP_NF_RAW
 	tristate  'raw table support (required for NOTRACK/TRACE)'
 	depends on IP_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `raw' table to iptables. This table is the very
 	  first in the netfilter framework and hooks in at the PREROUTING
@@ -340,6 +363,7 @@ config IP_NF_RAW
 config IP_NF_ARPTABLES
 	tristate "ARP tables support"
 	select NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  arptables is a general, extensible packet identification framework.
 	  The ARP packet filtering and mangling (manipulation)subsystems
diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index 5374c66..a6b4a9a 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -8,6 +8,7 @@ menu "IPv6: Netfilter Configuration (EXPERIMENTAL)"
 config NF_CONNTRACK_IPV6
 	tristate "IPv6 connection tracking support (EXPERIMENTAL)"
 	depends on INET && IPV6 && EXPERIMENTAL && NF_CONNTRACK
+	default m if NETFILTER_ADVANCED=n
 	---help---
 	  Connection tracking keeps a record of what packets have passed
 	  through your machine, in order to figure out how they are related
@@ -22,6 +23,7 @@ config NF_CONNTRACK_IPV6
 config IP6_NF_QUEUE
 	tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"
 	depends on INET && IPV6 && NETFILTER && EXPERIMENTAL
+	depends on NETFILTER_ADVANCED
 	---help---
 
 	  This option adds a queue handler to the kernel for IPv6
@@ -44,6 +46,7 @@ config IP6_NF_IPTABLES
 	tristate "IP6 tables support (required for filtering)"
 	depends on INET && IPV6 && EXPERIMENTAL
 	select NETFILTER_XTABLES
+	default m if NETFILTER_ADVANCED=n
 	help
 	  ip6tables is a general, extensible packet identification framework.
 	  Currently only the packet filtering and packet mangling subsystem
@@ -56,6 +59,7 @@ config IP6_NF_IPTABLES
 config IP6_NF_MATCH_RT
 	tristate '"rt" Routing header match support'
 	depends on IP6_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  rt matching allows you to match packets based on the routing
 	  header of the packet.
@@ -65,6 +69,7 @@ config IP6_NF_MATCH_RT
 config IP6_NF_MATCH_OPTS
 	tristate '"hopbyhop" and "dst" opts header match support'
 	depends on IP6_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This allows one to match packets based on the hop-by-hop
 	  and destination options headers of a packet.
@@ -74,6 +79,7 @@ config IP6_NF_MATCH_OPTS
 config IP6_NF_MATCH_FRAG
 	tristate '"frag" Fragmentation header match support'
 	depends on IP6_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  frag matching allows you to match packets based on the fragmentation
 	  header of the packet.
@@ -83,6 +89,7 @@ config IP6_NF_MATCH_FRAG
 config IP6_NF_MATCH_HL
 	tristate '"hl" match support'
 	depends on IP6_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  HL matching allows you to match packets based on the hop
 	  limit of the packet.
@@ -92,6 +99,7 @@ config IP6_NF_MATCH_HL
 config IP6_NF_MATCH_IPV6HEADER
 	tristate '"ipv6header" IPv6 Extension Headers Match'
 	depends on IP6_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This module allows one to match packets based upon
 	  the ipv6 extension headers.
@@ -101,6 +109,7 @@ config IP6_NF_MATCH_IPV6HEADER
 config IP6_NF_MATCH_AH
 	tristate '"ah" match support'
 	depends on IP6_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This module allows one to match AH packets.
 
@@ -109,6 +118,7 @@ config IP6_NF_MATCH_AH
 config IP6_NF_MATCH_MH
 	tristate '"mh" match support'
 	depends on IP6_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This module allows one to match MH packets.
 
@@ -117,6 +127,7 @@ config IP6_NF_MATCH_MH
 config IP6_NF_MATCH_EUI64
 	tristate '"eui64" address check'
 	depends on IP6_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This module performs checking on the IPv6 source address
 	  Compares the last 64 bits with the EUI64 (delivered
@@ -128,6 +139,7 @@ config IP6_NF_MATCH_EUI64
 config IP6_NF_FILTER
 	tristate "Packet filtering"
 	depends on IP6_NF_IPTABLES
+	default m if NETFILTER_ADVANCED=n
 	help
 	  Packet filtering defines a table `filter', which has a series of
 	  rules for simple packet filtering at local input, forwarding and
@@ -138,6 +150,7 @@ config IP6_NF_FILTER
 config IP6_NF_TARGET_LOG
 	tristate "LOG target support"
 	depends on IP6_NF_FILTER
+	default m if NETFILTER_ADVANCED=n
 	help
 	  This option adds a `LOG' target, which allows you to create rules in
 	  any iptables table which records the packet header to the syslog.
@@ -147,6 +160,7 @@ config IP6_NF_TARGET_LOG
 config IP6_NF_TARGET_REJECT
 	tristate "REJECT target support"
 	depends on IP6_NF_FILTER
+	default m if NETFILTER_ADVANCED=n
 	help
 	  The REJECT target allows a filtering rule to specify that an ICMPv6
 	  error should be issued in response to an incoming packet, rather
@@ -157,6 +171,7 @@ config IP6_NF_TARGET_REJECT
 config IP6_NF_MANGLE
 	tristate "Packet mangling"
 	depends on IP6_NF_IPTABLES
+	default m if NETFILTER_ADVANCED=n
 	help
 	  This option adds a `mangle' table to iptables: see the man page for
 	  iptables(8).  This table is used for various packet alterations
@@ -167,27 +182,29 @@ config IP6_NF_MANGLE
 config IP6_NF_TARGET_HL
 	tristate  'HL (hoplimit) target support'
 	depends on IP6_NF_MANGLE
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `HL' target, which enables the user to decrement
 	  the hoplimit value of the IPv6 header or set it to a given (lower)
 	  value.
-	
+
 	  While it is safe to decrement the hoplimit value, this option also
 	  enables functionality to increment and set the hoplimit value of the
 	  IPv6 header to arbitrary values.  This is EXTREMELY DANGEROUS since
 	  you can easily create immortal packets that loop forever on the
-	  network.  
+	  network.
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
 config IP6_NF_RAW
 	tristate  'raw table support (required for TRACE)'
 	depends on IP6_NF_IPTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `raw' table to ip6tables. This table is the very
 	  first in the netfilter framework and hooks in at the PREROUTING
 	  and OUTPUT chains.
-	
+
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 5a353d1..d34008a 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -6,6 +6,7 @@ config NETFILTER_NETLINK
 
 config NETFILTER_NETLINK_QUEUE
 	tristate "Netfilter NFQUEUE over NFNETLINK interface"
+	depends on NETFILTER_ADVANCED
 	select NETFILTER_NETLINK
 	help
 	  If this option is enabled, the kernel will include support
@@ -13,6 +14,7 @@ config NETFILTER_NETLINK_QUEUE
 	  
 config NETFILTER_NETLINK_LOG
 	tristate "Netfilter LOG over NFNETLINK interface"
+	default m if NETFILTER_ADVANCED=n
 	select NETFILTER_NETLINK
 	help
 	  If this option is enabled, the kernel will include support
@@ -24,6 +26,7 @@ config NETFILTER_NETLINK_LOG
 
 config NF_CONNTRACK
 	tristate "Netfilter connection tracking support"
+	default m if NETFILTER_ADVANCED=n
 	help
 	  Connection tracking keeps a record of what packets have passed
 	  through your machine, in order to figure out how they are related
@@ -38,6 +41,7 @@ config NF_CONNTRACK
 
 config NF_CT_ACCT
 	bool "Connection tracking flow accounting"
+	depends on NETFILTER_ADVANCED
 	depends on NF_CONNTRACK
 	help
 	  If this option is enabled, the connection tracking code will
@@ -50,6 +54,7 @@ config NF_CT_ACCT
 
 config NF_CONNTRACK_MARK
 	bool  'Connection mark tracking support'
+	depends on NETFILTER_ADVANCED
 	depends on NF_CONNTRACK
 	help
 	  This option enables support for connection marks, used by the
@@ -60,6 +65,7 @@ config NF_CONNTRACK_MARK
 config NF_CONNTRACK_SECMARK
 	bool  'Connection tracking security mark support'
 	depends on NF_CONNTRACK && NETWORK_SECMARK
+	default m if NETFILTER_ADVANCED=n
 	help
 	  This option enables security markings to be applied to
 	  connections.  Typically they are copied to connections from
@@ -72,6 +78,7 @@ config NF_CONNTRACK_SECMARK
 config NF_CONNTRACK_EVENTS
 	bool "Connection tracking events (EXPERIMENTAL)"
 	depends on EXPERIMENTAL && NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	help
 	  If this option is enabled, the connection tracking code will
 	  provide a notifier chain that can be used by other kernel code
@@ -86,7 +93,7 @@ config NF_CT_PROTO_GRE
 config NF_CT_PROTO_SCTP
 	tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
 	depends on EXPERIMENTAL && NF_CONNTRACK
-	default n
+	depends on NETFILTER_ADVANCED
 	help
 	  With this option enabled, the layer 3 independent connection
 	  tracking code will be able to do state tracking on SCTP connections.
@@ -97,6 +104,7 @@ config NF_CT_PROTO_SCTP
 config NF_CT_PROTO_UDPLITE
 	tristate 'UDP-Lite protocol connection tracking support (EXPERIMENTAL)'
 	depends on EXPERIMENTAL && NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	help
 	  With this option enabled, the layer 3 independent connection
 	  tracking code will be able to do state tracking on UDP-Lite
@@ -107,6 +115,7 @@ config NF_CT_PROTO_UDPLITE
 config NF_CONNTRACK_AMANDA
 	tristate "Amanda backup protocol support"
 	depends on NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	select TEXTSEARCH
 	select TEXTSEARCH_KMP
 	help
@@ -122,6 +131,7 @@ config NF_CONNTRACK_AMANDA
 config NF_CONNTRACK_FTP
 	tristate "FTP protocol support"
 	depends on NF_CONNTRACK
+	default m if NETFILTER_ADVANCED=n
 	help
 	  Tracking FTP connections is problematic: special helpers are
 	  required for tracking them, and doing masquerading and other forms
@@ -136,6 +146,7 @@ config NF_CONNTRACK_FTP
 config NF_CONNTRACK_H323
 	tristate "H.323 protocol support (EXPERIMENTAL)"
 	depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n)
+	depends on NETFILTER_ADVANCED
 	help
 	  H.323 is a VoIP signalling protocol from ITU-T. As one of the most
 	  important VoIP protocols, it is widely used by voice hardware and
@@ -155,6 +166,7 @@ config NF_CONNTRACK_H323
 config NF_CONNTRACK_IRC
 	tristate "IRC protocol support"
 	depends on NF_CONNTRACK
+	default m if NETFILTER_ADVANCED=n
 	help
 	  There is a commonly-used extension to IRC called
 	  Direct Client-to-Client Protocol (DCC).  This enables users to send
@@ -170,6 +182,7 @@ config NF_CONNTRACK_IRC
 config NF_CONNTRACK_NETBIOS_NS
 	tristate "NetBIOS name service protocol support (EXPERIMENTAL)"
 	depends on EXPERIMENTAL && NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	help
 	  NetBIOS name service requests are sent as broadcast messages from an
 	  unprivileged port and responded to with unicast messages to the
@@ -189,6 +202,7 @@ config NF_CONNTRACK_NETBIOS_NS
 config NF_CONNTRACK_PPTP
 	tristate "PPtP protocol support"
 	depends on NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	select NF_CT_PROTO_GRE
 	help
 	  This module adds support for PPTP (Point to Point Tunnelling
@@ -208,6 +222,7 @@ config NF_CONNTRACK_PPTP
 config NF_CONNTRACK_SANE
 	tristate "SANE protocol support (EXPERIMENTAL)"
 	depends on EXPERIMENTAL && NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	help
 	  SANE is a protocol for remote access to scanners as implemented
 	  by the 'saned' daemon. Like FTP, it uses separate control and
@@ -221,6 +236,7 @@ config NF_CONNTRACK_SANE
 config NF_CONNTRACK_SIP
 	tristate "SIP protocol support (EXPERIMENTAL)"
 	depends on EXPERIMENTAL && NF_CONNTRACK
+	default m if NETFILTER_ADVANCED=n
 	help
 	  SIP is an application-layer control protocol that can establish,
 	  modify, and terminate multimedia sessions (conferences) such as
@@ -233,6 +249,7 @@ config NF_CONNTRACK_SIP
 config NF_CONNTRACK_TFTP
 	tristate "TFTP protocol support"
 	depends on NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	help
 	  TFTP connection tracking helper, this is required depending
 	  on how restrictive your ruleset is.
@@ -246,11 +263,13 @@ config NF_CT_NETLINK
 	depends on EXPERIMENTAL && NF_CONNTRACK
 	select NETFILTER_NETLINK
 	depends on NF_NAT=n || NF_NAT
+	default m if NETFILTER_ADVANCED=n
 	help
 	  This option enables support for a netlink-based userspace interface
 
 config NETFILTER_XTABLES
 	tristate "Netfilter Xtables support (required for ip_tables)"
+	default m if NETFILTER_ADVANCED=n
 	help
 	  This is required if you intend to use any of ip_tables,
 	  ip6_tables or arp_tables.
@@ -260,6 +279,7 @@ config NETFILTER_XTABLES
 config NETFILTER_XT_TARGET_CLASSIFY
 	tristate '"CLASSIFY" target support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `CLASSIFY' target, which enables the user to set
 	  the priority of a packet. Some qdiscs can use this value for
@@ -274,12 +294,13 @@ config NETFILTER_XT_TARGET_CONNMARK
 	depends on NETFILTER_XTABLES
 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
 	depends on NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	select NF_CONNTRACK_MARK
 	help
 	  This option adds a `CONNMARK' target, which allows one to manipulate
 	  the connection mark value.  Similar to the MARK target, but
 	  affects the connection mark value rather than the packet mark value.
-	
+
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/kbuild/modules.txt>.  The module will be called
 	  ipt_CONNMARK.ko.  If unsure, say `N'.
@@ -288,6 +309,7 @@ config NETFILTER_XT_TARGET_DSCP
 	tristate '"DSCP" and "TOS" target support'
 	depends on NETFILTER_XTABLES
 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `DSCP' target, which allows you to manipulate
 	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
@@ -303,6 +325,7 @@ config NETFILTER_XT_TARGET_DSCP
 config NETFILTER_XT_TARGET_MARK
 	tristate '"MARK" target support'
 	depends on NETFILTER_XTABLES
+	default m if NETFILTER_ADVANCED=n
 	help
 	  This option adds a `MARK' target, which allows you to create rules
 	  in the `mangle' table which alter the netfilter mark (nfmark) field
@@ -316,6 +339,7 @@ config NETFILTER_XT_TARGET_MARK
 config NETFILTER_XT_TARGET_NFQUEUE
 	tristate '"NFQUEUE" target Support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This target replaced the old obsolete QUEUE target.
 
@@ -327,6 +351,7 @@ config NETFILTER_XT_TARGET_NFQUEUE
 config NETFILTER_XT_TARGET_NFLOG
 	tristate '"NFLOG" target support'
 	depends on NETFILTER_XTABLES
+	default m if NETFILTER_ADVANCED=n
 	help
 	  This option enables the NFLOG target, which allows to LOG
 	  messages through the netfilter logging API, which can use
@@ -340,12 +365,13 @@ config NETFILTER_XT_TARGET_NOTRACK
 	depends on NETFILTER_XTABLES
 	depends on IP_NF_RAW || IP6_NF_RAW
 	depends on NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	help
 	  The NOTRACK target allows a select rule to specify
 	  which packets *not* to enter the conntrack/NAT
 	  subsystem with all the consequences (no ICMP error tracking,
 	  no protocol helpers for the selected packets).
-	
+
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 
@@ -353,6 +379,7 @@ config NETFILTER_XT_TARGET_TRACE
 	tristate  '"TRACE" target support'
 	depends on NETFILTER_XTABLES
 	depends on IP_NF_RAW || IP6_NF_RAW
+	depends on NETFILTER_ADVANCED
 	help
 	  The TRACE target allows you to mark packets so that the kernel
 	  will log every rule which match the packets as those traverse
@@ -364,6 +391,7 @@ config NETFILTER_XT_TARGET_TRACE
 config NETFILTER_XT_TARGET_SECMARK
 	tristate '"SECMARK" target support'
 	depends on NETFILTER_XTABLES && NETWORK_SECMARK
+	default m if NETFILTER_ADVANCED=n
 	help
 	  The SECMARK target allows security marking of network
 	  packets, for use with security subsystems.
@@ -373,6 +401,7 @@ config NETFILTER_XT_TARGET_SECMARK
 config NETFILTER_XT_TARGET_CONNSECMARK
 	tristate '"CONNSECMARK" target support'
 	depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK
+	default m if NETFILTER_ADVANCED=n
 	help
 	  The CONNSECMARK target copies security markings from packets
 	  to connections, and restores security markings from connections
@@ -384,6 +413,7 @@ config NETFILTER_XT_TARGET_CONNSECMARK
 config NETFILTER_XT_TARGET_TCPMSS
 	tristate '"TCPMSS" target support'
 	depends on NETFILTER_XTABLES && (IPV6 || IPV6=n)
+	default m if NETFILTER_ADVANCED=n
 	---help---
 	  This option adds a `TCPMSS' target, which allows you to alter the
 	  MSS value of TCP SYN packets, to control the maximum size for that
@@ -411,6 +441,7 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
 	tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)'
 	depends on EXPERIMENTAL && NETFILTER_XTABLES
 	depends on IP_NF_MANGLE || IP6_NF_MANGLE
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a "TCPOPTSTRIP" target, which allows you to strip
 	  TCP options from TCP packets.
@@ -418,6 +449,7 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP
 config NETFILTER_XT_MATCH_COMMENT
 	tristate  '"comment" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `comment' dummy-match, which allows you to put
 	  comments in your iptables ruleset.
@@ -429,6 +461,7 @@ config NETFILTER_XT_MATCH_CONNBYTES
 	tristate  '"connbytes" per-connection counter match support'
 	depends on NETFILTER_XTABLES
 	depends on NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	select NF_CT_ACCT
 	help
 	  This option adds a `connbytes' match, which allows you to match the
@@ -441,6 +474,7 @@ config NETFILTER_XT_MATCH_CONNLIMIT
 	tristate '"connlimit" match support"'
 	depends on NETFILTER_XTABLES
 	depends on NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	---help---
 	  This match allows you to match against the number of parallel
 	  connections to a server per client IP address (or address block).
@@ -449,11 +483,12 @@ config NETFILTER_XT_MATCH_CONNMARK
 	tristate  '"connmark" connection mark match support'
 	depends on NETFILTER_XTABLES
 	depends on NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	select NF_CONNTRACK_MARK
 	help
 	  This option adds a `connmark' match, which allows you to match the
 	  connection mark value previously set for the session by `CONNMARK'. 
-	
+
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/kbuild/modules.txt>.  The module will be called
 	  ipt_connmark.ko.  If unsure, say `N'.
@@ -462,6 +497,7 @@ config NETFILTER_XT_MATCH_CONNTRACK
 	tristate '"conntrack" connection tracking match support'
 	depends on NETFILTER_XTABLES
 	depends on NF_CONNTRACK
+	default m if NETFILTER_ADVANCED=n
 	help
 	  This is a general conntrack match module, a superset of the state match.
 
@@ -474,6 +510,7 @@ config NETFILTER_XT_MATCH_CONNTRACK
 config NETFILTER_XT_MATCH_DCCP
 	tristate '"dccp" protocol match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  With this option enabled, you will be able to use the iptables
 	  `dccp' match in order to match on DCCP source/destination ports
@@ -485,6 +522,7 @@ config NETFILTER_XT_MATCH_DCCP
 config NETFILTER_XT_MATCH_DSCP
 	tristate '"dscp" and "tos" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `DSCP' match, which allows you to match against
 	  the IPv4/IPv6 header DSCP field (differentiated services codepoint).
@@ -500,6 +538,7 @@ config NETFILTER_XT_MATCH_DSCP
 config NETFILTER_XT_MATCH_ESP
 	tristate '"esp" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This match extension allows you to match a range of SPIs
 	  inside ESP header of IPSec packets.
@@ -510,6 +549,7 @@ config NETFILTER_XT_MATCH_HELPER
 	tristate '"helper" match support'
 	depends on NETFILTER_XTABLES
 	depends on NF_CONNTRACK
+	depends on NETFILTER_ADVANCED
 	help
 	  Helper matching allows you to match packets in dynamic connections
 	  tracked by a conntrack-helper, ie. ip_conntrack_ftp
@@ -519,6 +559,7 @@ config NETFILTER_XT_MATCH_HELPER
 config NETFILTER_XT_MATCH_LENGTH
 	tristate '"length" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This option allows you to match the length of a packet against a
 	  specific value or range of values.
@@ -528,6 +569,7 @@ config NETFILTER_XT_MATCH_LENGTH
 config NETFILTER_XT_MATCH_LIMIT
 	tristate '"limit" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  limit matching allows you to control the rate at which a rule can be
 	  matched: mainly useful in combination with the LOG target ("LOG
@@ -538,6 +580,7 @@ config NETFILTER_XT_MATCH_LIMIT
 config NETFILTER_XT_MATCH_MAC
 	tristate '"mac" address match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  MAC matching allows you to match packets based on the source
 	  Ethernet address of the packet.
@@ -547,6 +590,7 @@ config NETFILTER_XT_MATCH_MAC
 config NETFILTER_XT_MATCH_MARK
 	tristate '"mark" match support'
 	depends on NETFILTER_XTABLES
+	default m if NETFILTER_ADVANCED=n
 	help
 	  Netfilter mark matching allows you to match packets based on the
 	  `nfmark' value in the packet.  This can be set by the MARK target
@@ -557,6 +601,7 @@ config NETFILTER_XT_MATCH_MARK
 config NETFILTER_XT_MATCH_OWNER
 	tristate '"owner" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	---help---
 	Socket owner matching allows you to match locally-generated packets
 	based on who created the socket: the user or group. It is also
@@ -565,6 +610,7 @@ config NETFILTER_XT_MATCH_OWNER
 config NETFILTER_XT_MATCH_POLICY
 	tristate 'IPsec "policy" match support'
 	depends on NETFILTER_XTABLES && XFRM
+	default m if NETFILTER_ADVANCED=n
 	help
 	  Policy matching allows you to match packets based on the
 	  IPsec policy that was used during decapsulation/will
@@ -575,6 +621,7 @@ config NETFILTER_XT_MATCH_POLICY
 config NETFILTER_XT_MATCH_MULTIPORT
 	tristate '"multiport" Multiple port match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  Multiport matching allows you to match TCP or UDP packets based on
 	  a series of source or destination ports: normally a rule can only
@@ -585,6 +632,7 @@ config NETFILTER_XT_MATCH_MULTIPORT
 config NETFILTER_XT_MATCH_PHYSDEV
 	tristate '"physdev" match support'
 	depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER
+	depends on NETFILTER_ADVANCED
 	help
 	  Physdev packet matching matches against the physical bridge ports
 	  the IP packet arrived on or will leave by.
@@ -594,6 +642,7 @@ config NETFILTER_XT_MATCH_PHYSDEV
 config NETFILTER_XT_MATCH_PKTTYPE
 	tristate '"pkttype" packet type match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  Packet type matching allows you to match a packet by
 	  its "class", eg. BROADCAST, MULTICAST, ...
@@ -606,6 +655,7 @@ config NETFILTER_XT_MATCH_PKTTYPE
 config NETFILTER_XT_MATCH_QUOTA
 	tristate '"quota" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `quota' match, which allows to match on a
 	  byte counter.
@@ -616,20 +666,22 @@ config NETFILTER_XT_MATCH_QUOTA
 config NETFILTER_XT_MATCH_REALM
 	tristate  '"realm" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	select NET_CLS_ROUTE
 	help
 	  This option adds a `realm' match, which allows you to use the realm
 	  key from the routing subsystem inside iptables.
-	
+
 	  This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option 
 	  in tc world.
-	
+
 	  If you want to compile it as a module, say M here and read
 	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 
 config NETFILTER_XT_MATCH_SCTP
 	tristate  '"sctp" protocol match support (EXPERIMENTAL)'
 	depends on NETFILTER_XTABLES && EXPERIMENTAL
+	depends on NETFILTER_ADVANCED
 	help
 	  With this option enabled, you will be able to use the 
 	  `sctp' match in order to match on SCTP source/destination ports
@@ -642,6 +694,7 @@ config NETFILTER_XT_MATCH_STATE
 	tristate '"state" match support'
 	depends on NETFILTER_XTABLES
 	depends on NF_CONNTRACK
+	default m if NETFILTER_ADVANCED=n
 	help
 	  Connection state matching allows you to match packets based on their
 	  relationship to a tracked connection (ie. previous packets).  This
@@ -652,6 +705,7 @@ config NETFILTER_XT_MATCH_STATE
 config NETFILTER_XT_MATCH_STATISTIC
 	tristate '"statistic" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `statistic' match, which allows you to match
 	  on packets periodically or randomly with a given percentage.
@@ -661,6 +715,7 @@ config NETFILTER_XT_MATCH_STATISTIC
 config NETFILTER_XT_MATCH_STRING
 	tristate  '"string" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	select TEXTSEARCH
 	select TEXTSEARCH_KMP
 	select TEXTSEARCH_BM
@@ -674,6 +729,7 @@ config NETFILTER_XT_MATCH_STRING
 config NETFILTER_XT_MATCH_TCPMSS
 	tristate '"tcpmss" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `tcpmss' match, which allows you to examine the
 	  MSS value of TCP SYN packets, which control the maximum packet size
@@ -684,6 +740,7 @@ config NETFILTER_XT_MATCH_TCPMSS
 config NETFILTER_XT_MATCH_TIME
 	tristate '"time" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	---help---
 	  This option adds a "time" match, which allows you to match based on
 	  the packet arrival time (at the machine which netfilter is running)
@@ -698,6 +755,7 @@ config NETFILTER_XT_MATCH_TIME
 config NETFILTER_XT_MATCH_U32
 	tristate '"u32" match support'
 	depends on NETFILTER_XTABLES
+	depends on NETFILTER_ADVANCED
 	---help---
 	  u32 allows you to extract quantities of up to 4 bytes from a packet,
 	  AND them with specified masks, shift them by specified amounts and
@@ -711,6 +769,7 @@ config NETFILTER_XT_MATCH_U32
 config NETFILTER_XT_MATCH_HASHLIMIT
 	tristate '"hashlimit" match support'
 	depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n)
+	depends on NETFILTER_ADVANCED
 	help
 	  This option adds a `hashlimit' match.