* CONFIG_NETFILTER_ADVANCED @ 2007-11-16 0:01 David Miller 2007-11-16 0:06 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 0 siblings, 1 reply; 24+ messages in thread From: David Miller @ 2007-11-16 0:01 UTC (permalink / raw) To: kaber; +Cc: netfilter-devel Patrick I would like to propose that we do something similar to how we handle all the non-trivial routing and TCP congestion control settings. And that is to have an "ADVANCED" guard that simply doesn't present the myriad of netfilter modules and options we have. Basically, if the user doesn't set CONFIG_NETFILTER_ADVANCED he gets basic NAT and connection tracking support, that's it. Or at least something along those lines. Let me know what you think about this. Linus has asked me for something like this several times :) ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 0:01 CONFIG_NETFILTER_ADVANCED David Miller @ 2007-11-16 0:06 ` Patrick McHardy 2007-11-16 0:41 ` CONFIG_NETFILTER_ADVANCED Jan Engelhardt 0 siblings, 1 reply; 24+ messages in thread From: Patrick McHardy @ 2007-11-16 0:06 UTC (permalink / raw) To: David Miller; +Cc: netfilter-devel David Miller wrote: > Patrick I would like to propose that we do something similar to how we > handle all the non-trivial routing and TCP congestion control > settings. > > And that is to have an "ADVANCED" guard that simply doesn't present > the myriad of netfilter modules and options we have. > > Basically, if the user doesn't set CONFIG_NETFILTER_ADVANCED he gets > basic NAT and connection tracking support, that's it. > > Or at least something along those lines. > > Let me know what you think about this. Linus has asked me for > something like this several times :) That sounds good, I believe we already talked at the workshop about this. Additionally I'd like something that selects all modules at once if it doesn't get too ugly since its a PITA to go through all the options, and I usually do enable them :). I'll look into these two things tommorrow. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 0:06 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy @ 2007-11-16 0:41 ` Jan Engelhardt 2007-11-16 10:10 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 0 siblings, 1 reply; 24+ messages in thread From: Jan Engelhardt @ 2007-11-16 0:41 UTC (permalink / raw) To: Patrick McHardy; +Cc: David Miller, netfilter-devel On Nov 16 2007 01:06, Patrick McHardy wrote: > David Miller wrote: >> Patrick I would like to propose that we do something similar to how we >> handle all the non-trivial routing and TCP congestion control >> settings. >> >> And that is to have an "ADVANCED" guard that simply doesn't present >> the myriad of netfilter modules and options we have. >> >> Basically, if the user doesn't set CONFIG_NETFILTER_ADVANCED he gets >> basic NAT and connection tracking support, that's it. >> >> Or at least something along those lines. > That sounds good, I believe we already talked at the workshop about > this. Additionally I'd like something that selects all modules at > once if it doesn't get too ugly since its a PITA to go through all > the options, and I usually do enable them :). I'll look into these > two things tommorrow. Yeah, I'd agree that on CONFIG_NETFILTER_ADVANCED=no, all the fluffy modules should be selected. It is largely an allmodconfig inside the nf menuconfig tree. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 0:41 ` CONFIG_NETFILTER_ADVANCED Jan Engelhardt @ 2007-11-16 10:10 ` Patrick McHardy 2007-11-16 10:12 ` CONFIG_NETFILTER_ADVANCED David Miller 0 siblings, 1 reply; 24+ messages in thread From: Patrick McHardy @ 2007-11-16 10:10 UTC (permalink / raw) To: Jan Engelhardt; +Cc: David Miller, netfilter-devel Jan Engelhardt wrote: > On Nov 16 2007 01:06, Patrick McHardy wrote: >> David Miller wrote: >>> Patrick I would like to propose that we do something similar to how we >>> handle all the non-trivial routing and TCP congestion control >>> settings. >>> >>> And that is to have an "ADVANCED" guard that simply doesn't present >>> the myriad of netfilter modules and options we have. >>> >>> Basically, if the user doesn't set CONFIG_NETFILTER_ADVANCED he gets >>> basic NAT and connection tracking support, that's it. >>> >>> Or at least something along those lines. > >> That sounds good, I believe we already talked at the workshop about >> this. Additionally I'd like something that selects all modules at >> once if it doesn't get too ugly since its a PITA to go through all >> the options, and I usually do enable them :). I'll look into these >> two things tommorrow. > > Yeah, I'd agree that on CONFIG_NETFILTER_ADVANCED=no, all the fluffy > modules should be selected. It is largely an allmodconfig inside > the nf menuconfig tree. Mhh I'm not sure if that should really select all modules, I was more thinking of NETFILTER_ADVANCED=n should select the basic modules that are needed to run let say a normal distribution firewall script, and CONFIG_NETFILTER_ADVANCED=y would give you more choice over the modules. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 10:10 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy @ 2007-11-16 10:12 ` David Miller 2007-11-16 12:19 ` CONFIG_NETFILTER_ADVANCED Jan Engelhardt 0 siblings, 1 reply; 24+ messages in thread From: David Miller @ 2007-11-16 10:12 UTC (permalink / raw) To: kaber; +Cc: jengelh, netfilter-devel From: Patrick McHardy <kaber@trash.net> Date: Fri, 16 Nov 2007 11:10:33 +0100 > Jan Engelhardt wrote: > > Yeah, I'd agree that on CONFIG_NETFILTER_ADVANCED=no, all the fluffy > > modules should be selected. It is largely an allmodconfig inside > > the nf menuconfig tree. > > Mhh I'm not sure if that should really select all modules, I was more > thinking of NETFILTER_ADVANCED=n should select the basic modules that > are needed to run let say a normal distribution firewall script, and > CONFIG_NETFILTER_ADVANCED=y would give you more choice over the modules. I think this is what Jan meant to say, he just forgot a "not" somewhere :-) ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 10:12 ` CONFIG_NETFILTER_ADVANCED David Miller @ 2007-11-16 12:19 ` Jan Engelhardt 2007-11-16 12:44 ` CONFIG_NETFILTER_ADVANCED David Miller 0 siblings, 1 reply; 24+ messages in thread From: Jan Engelhardt @ 2007-11-16 12:19 UTC (permalink / raw) To: David Miller; +Cc: kaber, netfilter-devel On Nov 16 2007 02:12, David Miller wrote: >> Jan Engelhardt wrote: >> > Yeah, I'd agree that on CONFIG_NETFILTER_ADVANCED=no, all the fluffy >> > modules should be selected. It is largely an allmodconfig inside >> > the nf menuconfig tree. >> >> Mhh I'm not sure if that should really select all modules, I was more >> thinking of NETFILTER_ADVANCED=n should select the basic modules that >> are needed to run let say a normal distribution firewall script, and >> CONFIG_NETFILTER_ADVANCED=y would give you more choice over the modules. > >I think this is what Jan meant to say, he just forgot a "not" >somewhere :-) > Actually I meant what I said. Providing a user with all the matches and targets allows him to use tutorials like lartc.org without having to think about whether a module is already in his kernel. Well, anyway, what modules did you have in mind NETFILTER_ADVANCED=n would turn on? ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 12:19 ` CONFIG_NETFILTER_ADVANCED Jan Engelhardt @ 2007-11-16 12:44 ` David Miller 2007-11-16 12:49 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 0 siblings, 1 reply; 24+ messages in thread From: David Miller @ 2007-11-16 12:44 UTC (permalink / raw) To: jengelh; +Cc: kaber, netfilter-devel From: Jan Engelhardt <jengelh@computergmbh.de> Date: Fri, 16 Nov 2007 13:19:43 +0100 (CET) > Well, anyway, what modules did you have in mind NETFILTER_ADVANCED=n would turn > on? Basic NAT and connection tracking, nothing else. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 12:44 ` CONFIG_NETFILTER_ADVANCED David Miller @ 2007-11-16 12:49 ` Patrick McHardy 2007-11-16 15:35 ` CONFIG_NETFILTER_ADVANCED Phil Oester 0 siblings, 1 reply; 24+ messages in thread From: Patrick McHardy @ 2007-11-16 12:49 UTC (permalink / raw) To: David Miller; +Cc: jengelh, netfilter-devel David Miller wrote: > From: Jan Engelhardt <jengelh@computergmbh.de> > Date: Fri, 16 Nov 2007 13:19:43 +0100 (CET) > >> Well, anyway, what modules did you have in mind NETFILTER_ADVANCED=n would turn >> on? > > Basic NAT and connection tracking, nothing else. Thats not very useful without iptables and a couple of matches and targets to make use of it :) What I have in mind is roughly: IPv4/IPv6 conntrack NAT ip_tables/ip6_tables tables: filter, nat matches: tcpudp, state, limit, hashlimit, policy targets: LOG, NFLOG, TCPMSS, REJECT, MASQUERADE That should be enough for a simple firewall script. I'm not sure whether we should also select helpers though. Maybe the common ones, like ftp, irc and sip? ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 12:49 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy @ 2007-11-16 15:35 ` Phil Oester 2007-11-16 15:47 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 2007-11-17 0:19 ` CONFIG_NETFILTER_ADVANCED David Miller 0 siblings, 2 replies; 24+ messages in thread From: Phil Oester @ 2007-11-16 15:35 UTC (permalink / raw) To: Patrick McHardy; +Cc: David Miller, jengelh, netfilter-devel On Fri, Nov 16, 2007 at 01:49:45PM +0100, Patrick McHardy wrote: > What I have in mind is roughly: > > IPv4/IPv6 conntrack > NAT > ip_tables/ip6_tables > tables: filter, nat > matches: tcpudp, state, limit, hashlimit, policy > targets: LOG, NFLOG, TCPMSS, REJECT, MASQUERADE > > That should be enough for a simple firewall script. I'm not sure > whether we should also select helpers though. Maybe the common > ones, like ftp, irc and sip? I'd vote for at least FTP here...most users will use it at some point (or if they don't, wonder why FTP is broken). Phil ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 15:35 ` CONFIG_NETFILTER_ADVANCED Phil Oester @ 2007-11-16 15:47 ` Patrick McHardy 2007-11-16 23:29 ` CONFIG_NETFILTER_ADVANCED Amos Jeffries 2007-11-17 0:19 ` CONFIG_NETFILTER_ADVANCED David Miller 1 sibling, 1 reply; 24+ messages in thread From: Patrick McHardy @ 2007-11-16 15:47 UTC (permalink / raw) To: Phil Oester; +Cc: David Miller, jengelh, netfilter-devel Phil Oester wrote: > On Fri, Nov 16, 2007 at 01:49:45PM +0100, Patrick McHardy wrote: >> What I have in mind is roughly: >> >> IPv4/IPv6 conntrack >> NAT >> ip_tables/ip6_tables >> tables: filter, nat >> matches: tcpudp, state, limit, hashlimit, policy >> targets: LOG, NFLOG, TCPMSS, REJECT, MASQUERADE >> >> That should be enough for a simple firewall script. I'm not sure >> whether we should also select helpers though. Maybe the common >> ones, like ftp, irc and sip? > > I'd vote for at least FTP here...most users will use it at > some point (or if they don't, wonder why FTP is broken). I agree. It would be useful if some users of a distribution that includes a firewall script could check which modules it requires. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 15:47 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy @ 2007-11-16 23:29 ` Amos Jeffries 2007-11-17 0:13 ` CONFIG_NETFILTER_ADVANCED Tom Eastep 2007-11-17 16:08 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 0 siblings, 2 replies; 24+ messages in thread From: Amos Jeffries @ 2007-11-16 23:29 UTC (permalink / raw) To: Patrick McHardy; +Cc: Phil Oester, David Miller, jengelh, netfilter-devel Patrick McHardy wrote: > Phil Oester wrote: >> On Fri, Nov 16, 2007 at 01:49:45PM +0100, Patrick McHardy wrote: >>> What I have in mind is roughly: >>> >>> IPv4/IPv6 conntrack >>> NAT >>> ip_tables/ip6_tables >>> tables: filter, nat >>> matches: tcpudp, state, limit, hashlimit, policy >>> targets: LOG, NFLOG, TCPMSS, REJECT, MASQUERADE >>> >>> That should be enough for a simple firewall script. I'm not sure >>> whether we should also select helpers though. Maybe the common >>> ones, like ftp, irc and sip? >> >> I'd vote for at least FTP here...most users will use it at >> some point (or if they don't, wonder why FTP is broken). > > > I agree. It would be useful if some users of a distribution that > includes a firewall script could check which modules it requires. > All right. Here is the fairly common shorewall 3.4's default dependencies as taken from /usr/share/shorewall/modules . These are not likely to change per-system without a clueful administrator. # # Essential Modules # loadmodule nfnetlink loadmodule x_tables loadmodule ip_tables loadmodule iptable_filter loadmodule iptable_mangle loadmodule ip_conntrack loadmodule nf_conntrack loadmodule nf_conntrack_ipv4 loadmodule iptable_nat loadmodule xt_state loadmodule xt_tcpudp # # Other xtables modules # loadmodule xt_CLASSIFY loadmodule xt_connmark loadmodule xt_CONNMARK loadmodule xt_conntrack loadmodule xt_dccp loadmodule xt_hashlimit loadmodule xt_helper loadmodule xt_length loadmodule xt_limit loadmodule xt_mac loadmodule xt_mark loadmodule xt_MARK loadmodule xt_NFLOG loadmodule xt_NFQUEUE loadmodule xt_physdev loadmodule xt_pkttype loadmodule xt_tcpmss # # Helpers # loadmodule ip_conntrack_amanda loadmodule ip_conntrack_ftp loadmodule ip_conntrack_h323 loadmodule ip_conntrack_irc loadmodule ip_conntrack_netbios_ns loadmodule ip_conntrack_pptp # loadmodule ip_conntrack_sip loadmodule ip_conntrack_tftp loadmodule ip_nat_amanda loadmodule ip_nat_ftp loadmodule ip_nat_h323 loadmodule ip_nat_irc loadmodule ip_nat_pptp # loadmodule ip_nat_sip loadmodule ip_nat_snmp_basic loadmodule ip_nat_tftp loadmodule ip_set loadmodule ip_set_iphash loadmodule ip_set_ipmap loadmodule ip_set_macipmap loadmodule ip_set_portmap # # 2.6.20+ helpers # loadmodule nf_conntrack_ftp loadmodule nf_conntrack_h323 loadmodule nf_conntrack_irc loadmodule nf_conntrack_netbios_ns loadmodule nf_conntrack_netlink loadmodule nf_conntrack_pptp loadmodule nf_conntrack_proto_gre loadmodule nf_conntrack_proto_sctp loadmodule nf_conntrack_sip loadmodule nf_conntrack_tftp loadmodule nf_nat_amanda loadmodule nf_nat_ftp loadmodule nf_nat_h323 loadmodule nf_nat_irc loadmodule nf_nat loadmodule nf_nat_pptp loadmodule nf_nat_proto_gre loadmodule nf_nat_sip loadmodule nf_nat_snmp_basic loadmodule nf_nat_tftp # # Traffic Shaping # loadmodule sch_sfq loadmodule sch_ingress loadmodule sch_htb loadmodule cls_u32 # # Extensions # loadmodule ipt_addrtype loadmodule ipt_ah loadmodule ipt_CLASSIFY loadmodule ipt_CLUSTERIP loadmodule ipt_comment loadmodule ipt_connmark loadmodule ipt_CONNMARK loadmodule ipt_conntrack loadmodule ipt_dscp loadmodule ipt_DSCP loadmodule ipt_ecn loadmodule ipt_ECN loadmodule ipt_esp loadmodule ipt_hashlimit loadmodule ipt_helper loadmodule ipt_ipp2p loadmodule ipt_iprange loadmodule ipt_length loadmodule ipt_limit loadmodule ipt_LOG loadmodule ipt_mac loadmodule ipt_mark loadmodule ipt_MARK loadmodule ipt_MASQUERADE loadmodule ipt_multiport loadmodule ipt_NETMAP loadmodule ipt_NOTRACK loadmodule ipt_owner loadmodule ipt_physdev loadmodule ipt_pkttype loadmodule ipt_policy loadmodule ipt_realm loadmodule ipt_recent loadmodule ipt_REDIRECT loadmodule ipt_REJECT loadmodule ipt_SAME loadmodule ipt_sctp loadmodule ipt_set loadmodule ipt_state loadmodule ipt_tcpmss loadmodule ipt_TCPMSS loadmodule ipt_tos loadmodule ipt_TOS loadmodule ipt_ttl loadmodule ipt_TTL loadmodule ipt_ULOG AYJ ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 23:29 ` CONFIG_NETFILTER_ADVANCED Amos Jeffries @ 2007-11-17 0:13 ` Tom Eastep 2007-11-17 16:08 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 1 sibling, 0 replies; 24+ messages in thread From: Tom Eastep @ 2007-11-17 0:13 UTC (permalink / raw) To: Amos Jeffries Cc: Patrick McHardy, Phil Oester, David Miller, jengelh, netfilter-devel [-- Attachment #1: Type: text/plain, Size: 4651 bytes --] Amos Jeffries wrote: > > All right. > Here is the fairly common shorewall 3.4's default dependencies as taken > from /usr/share/shorewall/modules . > These are not likely to change per-system without a clueful administrator. A couple of things should be noted about this list. a) It it includes modules that no longer exist in current kernels since Shorewall is often run on older kernels. b) It includes modules that currently aren't used by Shorewall. I've flagged those below with <================= c) The list includes traffic shaping modules which don't apply to the current discussion. As others have written, I think it is important to include the common helpers since their absence usually messes people up. > > # > # Essential Modules > # > loadmodule nfnetlink > loadmodule x_tables > loadmodule ip_tables > loadmodule iptable_filter > loadmodule iptable_mangle > loadmodule ip_conntrack > loadmodule nf_conntrack > loadmodule nf_conntrack_ipv4 > loadmodule iptable_nat > loadmodule xt_state > loadmodule xt_tcpudp > # > # Other xtables modules > # > loadmodule xt_CLASSIFY > loadmodule xt_connmark > loadmodule xt_CONNMARK > loadmodule xt_conntrack > loadmodule xt_dccp <================== > loadmodule xt_hashlimit <================== > loadmodule xt_helper <================== > loadmodule xt_length <================== > loadmodule xt_limit > loadmodule xt_mac > loadmodule xt_mark > loadmodule xt_MARK > loadmodule xt_NFLOG > loadmodule xt_NFQUEUE > loadmodule xt_physdev > loadmodule xt_pkttype > loadmodule xt_tcpmss > # > # Helpers > # > loadmodule ip_conntrack_amanda > loadmodule ip_conntrack_ftp > loadmodule ip_conntrack_h323 > loadmodule ip_conntrack_irc > loadmodule ip_conntrack_netbios_ns > loadmodule ip_conntrack_pptp > # loadmodule ip_conntrack_sip > loadmodule ip_conntrack_tftp > loadmodule ip_nat_amanda > loadmodule ip_nat_ftp > loadmodule ip_nat_h323 > loadmodule ip_nat_irc > loadmodule ip_nat_pptp > # loadmodule ip_nat_sip > loadmodule ip_nat_snmp_basic > loadmodule ip_nat_tftp > loadmodule ip_set > loadmodule ip_set_iphash > loadmodule ip_set_ipmap > loadmodule ip_set_macipmap > loadmodule ip_set_portmap > # > # 2.6.20+ helpers > # > loadmodule nf_conntrack_ftp > loadmodule nf_conntrack_h323 > loadmodule nf_conntrack_irc > loadmodule nf_conntrack_netbios_ns > loadmodule nf_conntrack_netlink > loadmodule nf_conntrack_pptp > loadmodule nf_conntrack_proto_gre > loadmodule nf_conntrack_proto_sctp > loadmodule nf_conntrack_sip > loadmodule nf_conntrack_tftp > loadmodule nf_nat_amanda > loadmodule nf_nat_ftp > loadmodule nf_nat_h323 > loadmodule nf_nat_irc > loadmodule nf_nat > loadmodule nf_nat_pptp > loadmodule nf_nat_proto_gre > loadmodule nf_nat_sip > loadmodule nf_nat_snmp_basic > loadmodule nf_nat_tftp > # > # Traffic Shaping > # > loadmodule sch_sfq > loadmodule sch_ingress > loadmodule sch_htb > loadmodule cls_u32 > # > # Extensions > # > loadmodule ipt_addrtype > loadmodule ipt_ah <================= > loadmodule ipt_CLASSIFY > loadmodule ipt_CLUSTERIP <================= > loadmodule ipt_comment > loadmodule ipt_connmark > loadmodule ipt_CONNMARK > loadmodule ipt_conntrack > loadmodule ipt_dscp <================= > loadmodule ipt_DSCP <================= > loadmodule ipt_ecn > loadmodule ipt_ECN > loadmodule ipt_esp <================= > loadmodule ipt_hashlimit > loadmodule ipt_helper > loadmodule ipt_ipp2p > loadmodule ipt_iprange > loadmodule ipt_length <================== > loadmodule ipt_limit > loadmodule ipt_LOG > loadmodule ipt_mac > loadmodule ipt_mark > loadmodule ipt_MARK > loadmodule ipt_MASQUERADE > loadmodule ipt_multiport > loadmodule ipt_NETMAP > loadmodule ipt_NOTRACK <=================== > loadmodule ipt_owner > loadmodule ipt_physdev > loadmodule ipt_pkttype > loadmodule ipt_policy > loadmodule ipt_realm > loadmodule ipt_recent > loadmodule ipt_REDIRECT > loadmodule ipt_REJECT > loadmodule ipt_SAME > loadmodule ipt_sctp <==================== > loadmodule ipt_set > loadmodule ipt_state > loadmodule ipt_tcpmss > loadmodule ipt_TCPMSS > loadmodule ipt_tos > loadmodule ipt_TOS > loadmodule ipt_ttl <===================== > loadmodule ipt_TTL <===================== > loadmodule ipt_ULOG > -Tom -- Tom Eastep \ Nothing is foolproof to a sufficiently talented fool Shoreline, \ http://shorewall.net Washington USA \ teastep@shorewall.net PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key [-- Attachment #2: OpenPGP digital signature --] [-- Type: application/pgp-signature, Size: 252 bytes --] ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 23:29 ` CONFIG_NETFILTER_ADVANCED Amos Jeffries 2007-11-17 0:13 ` CONFIG_NETFILTER_ADVANCED Tom Eastep @ 2007-11-17 16:08 ` Patrick McHardy 2007-11-17 21:19 ` CONFIG_NETFILTER_ADVANCED Jan Engelhardt 1 sibling, 1 reply; 24+ messages in thread From: Patrick McHardy @ 2007-11-17 16:08 UTC (permalink / raw) To: Amos Jeffries; +Cc: Phil Oester, David Miller, jengelh, netfilter-devel Amos Jeffries wrote: > Patrick McHardy wrote: >> >> >> I agree. It would be useful if some users of a distribution that >> includes a firewall script could check which modules it requires. >> > > All right. > Here is the fairly common shorewall 3.4's default dependencies as > taken from /usr/share/shorewall/modules . > These are not likely to change per-system without a clueful > administrator. This looks like basically everything. What I'm looking for is a list of modules required for the firewall scripts included in SuSE, RH, ... ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-17 16:08 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy @ 2007-11-17 21:19 ` Jan Engelhardt 2007-11-18 2:19 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 0 siblings, 1 reply; 24+ messages in thread From: Jan Engelhardt @ 2007-11-17 21:19 UTC (permalink / raw) To: Patrick McHardy; +Cc: Amos Jeffries, Phil Oester, David Miller, netfilter-devel On Nov 17 2007 17:08, Patrick McHardy wrote: > Amos Jeffries wrote: >> Patrick McHardy wrote: >> > >> > >> > I agree. It would be useful if some users of a distribution that >> > includes a firewall script could check which modules it requires. >> > >> >> All right. >> Here is the fairly common shorewall 3.4's default dependencies as taken from >> /usr/share/shorewall/modules . >> These are not likely to change per-system without a clueful administrator. > > This looks like basically everything. What I'm looking for is a list of The problem is: you never know when they gonna change it! > modules required for the firewall scripts included in SuSE, RH, ... SUSE: DNAT LOG MARK MASQUERADE REDIRECT REJECT TCPMSS esp icmp icmpv6 limit pkttype policy state tcp udp But - surprise, surprise - it allows to load a file of custom rules, so that basically means {ipt,ip6t,xt}_*, aka allmodconfig, like I said! :) ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-17 21:19 ` CONFIG_NETFILTER_ADVANCED Jan Engelhardt @ 2007-11-18 2:19 ` Patrick McHardy 2007-11-18 9:35 ` CONFIG_NETFILTER_ADVANCED Jan Engelhardt 2007-11-18 13:21 ` CONFIG_NETFILTER_ADVANCED Jozsef Kadlecsik 0 siblings, 2 replies; 24+ messages in thread From: Patrick McHardy @ 2007-11-18 2:19 UTC (permalink / raw) To: Jan Engelhardt; +Cc: Amos Jeffries, Phil Oester, David Miller, netfilter-devel Jan Engelhardt wrote: > On Nov 17 2007 17:08, Patrick McHardy wrote: >> Amos Jeffries wrote: >>> Patrick McHardy wrote: >>>> >>>> I agree. It would be useful if some users of a distribution that >>>> includes a firewall script could check which modules it requires. >>>> >>> All right. >>> Here is the fairly common shorewall 3.4's default dependencies as taken from >>> /usr/share/shorewall/modules . >>> These are not likely to change per-system without a clueful administrator. >> This looks like basically everything. What I'm looking for is a list of > > The problem is: you never know when they gonna change it! > > >> modules required for the firewall scripts included in SuSE, RH, ... > > SUSE: > > DNAT LOG MARK MASQUERADE REDIRECT REJECT TCPMSS esp > icmp icmpv6 limit pkttype policy > state tcp udp Thanks. Any RH/Fedora users? > But - surprise, surprise - it allows to load a file of custom rules, > so that basically means {ipt,ip6t,xt}_*, aka allmodconfig, like I said! > :) Well, the point of the avanced option is to handle *advanced* cases, so we don't need to cover manual adjustments (including things like shorewall which are usually installed manually). The default cases for people not having touched their *firewall* configuration is enough. I wasn't able to find the SuSE-script, but from a screenshot I could see that they do optionally handle IPsec. So what I'm saying is that we should include f.i. the policy match, and all other modules needed without manually attending to the firewall, but nothing more. IOW, its for people like Linus, presumably not touching their default configuration, but unwilling to go through the 50+ options to decide themselves. For people who want to compile-test them all (like me), we still can have a CONFIG_NETFILTER_ALL option hidden under CONFIG_NETFILTER_ADVANCED for simplicity, but that is a different topic. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-18 2:19 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy @ 2007-11-18 9:35 ` Jan Engelhardt 2007-11-18 13:21 ` CONFIG_NETFILTER_ADVANCED Jozsef Kadlecsik 1 sibling, 0 replies; 24+ messages in thread From: Jan Engelhardt @ 2007-11-18 9:35 UTC (permalink / raw) To: Patrick McHardy; +Cc: Amos Jeffries, Phil Oester, David Miller, netfilter-devel On Nov 18 2007 03:19, Patrick McHardy wrote: >> >> SUSE: >> >> DNAT LOG MARK MASQUERADE REDIRECT REJECT TCPMSS esp >> icmp icmpv6 limit pkttype policy >> state tcp udp > > Thanks. Any RH/Fedora users? > >> But - surprise, surprise - it allows to load a file of custom rules, >> so that basically means {ipt,ip6t,xt}_*, aka allmodconfig, like I said! >> :) > > Well, the point of the avanced option is to handle *advanced* > cases, so we don't need to cover manual adjustments (including > things like shorewall which are usually installed manually). Well even in "manual installations", I prefer to compile one kernel for all hosts of the same arch I am ever going to work with, because it takes its time, and time is precious when the number of hosts grows towards +Infinity. > The > default cases for people not having touched their *firewall* > configuration is enough. I wasn't able to find the SuSE-script, Unpack http://download.opensuse.org/distribution/SL-OSS-factory/inst-source/suse/src/SuSEfirewall2-3.6_SVNr183-15.src.rpm look into sbin/SuSEfirewall2. > but from a screenshot I could see that they do optionally handle > IPsec. So what I'm saying is that we should include f.i. the policy > match, ...which I listed above... > and all other modules needed without manually attending > to the firewall, but nothing more. > > IOW, its for people like Linus, presumably not touching their > default configuration, but unwilling to go through the 50+ > options to decide themselves. > > For people who want to compile-test them all (like me), we > still can have a CONFIG_NETFILTER_ALL option hidden under > CONFIG_NETFILTER_ADVANCED for simplicity, but that is a > different topic. > For compile-testing, allmodconfig is sufficient IMO. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-18 2:19 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 2007-11-18 9:35 ` CONFIG_NETFILTER_ADVANCED Jan Engelhardt @ 2007-11-18 13:21 ` Jozsef Kadlecsik 2007-11-18 21:40 ` CONFIG_NETFILTER_ADVANCED David Miller 1 sibling, 1 reply; 24+ messages in thread From: Jozsef Kadlecsik @ 2007-11-18 13:21 UTC (permalink / raw) To: Patrick McHardy; +Cc: netfilter-devel Hi Patrick, On Sun, 18 Nov 2007, Patrick McHardy wrote: > For people who want to compile-test them all (like me), we > still can have a CONFIG_NETFILTER_ALL option hidden under > CONFIG_NETFILTER_ADVANCED for simplicity, but that is a > different topic. I think the other way around would be better: CONFIG_NETFILTER enable everyting CONFIG_NETFILTER_WITHOUT_NAT everything except NAT CONFIG_NETFILTER_ADVANCED select modules manually This is more or less the most usual cases: typically almost everyone wants NAT and the wide range of matches and targets. Some places don't use NAT. And if someone wants to exclude modules or disable settings like conntrack flow accounting, in advanced mode it'd be possible to do so. Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : KFKI Research Institute for Particle and Nuclear Physics H-1525 Budapest 114, POB. 49, Hungary ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-18 13:21 ` CONFIG_NETFILTER_ADVANCED Jozsef Kadlecsik @ 2007-11-18 21:40 ` David Miller 2007-11-27 16:34 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 0 siblings, 1 reply; 24+ messages in thread From: David Miller @ 2007-11-18 21:40 UTC (permalink / raw) To: kadlec; +Cc: kaber, netfilter-devel From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Date: Sun, 18 Nov 2007 14:21:20 +0100 (CET) > I think the other way around would be better: > > CONFIG_NETFILTER enable everyting > CONFIG_NETFILTER_WITHOUT_NAT everything except NAT > CONFIG_NETFILTER_ADVANCED select modules manually > > This is more or less the most usual cases: typically almost everyone wants > NAT and the wide range of matches and targets. Some places don't use NAT. > And if someone wants to exclude modules or disable settings like > conntrack flow accounting, in advanced mode it'd be possible to do so. This leaves no choice for the original purpose my proposal was meant to address. People like Linus who want one config option to choose which gives them the basics but not "all the other random crap" that he'll never use. ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-18 21:40 ` CONFIG_NETFILTER_ADVANCED David Miller @ 2007-11-27 16:34 ` Patrick McHardy 0 siblings, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-11-27 16:34 UTC (permalink / raw) To: David Miller; +Cc: kadlec, netfilter-devel [-- Attachment #1: Type: text/plain, Size: 2379 bytes --] David Miller wrote: > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> > Date: Sun, 18 Nov 2007 14:21:20 +0100 (CET) > >> I think the other way around would be better: >> >> CONFIG_NETFILTER enable everyting >> CONFIG_NETFILTER_WITHOUT_NAT everything except NAT >> CONFIG_NETFILTER_ADVANCED select modules manually >> >> This is more or less the most usual cases: typically almost everyone wants >> NAT and the wide range of matches and targets. Some places don't use NAT. >> And if someone wants to exclude modules or disable settings like >> conntrack flow accounting, in advanced mode it'd be possible to do so. > > This leaves no choice for the original purpose my > proposal was meant to address. > > People like Linus who want one config option to choose > which gives them the basics but not "all the other random > crap" that he'll never use. Just one option gets really ugly because select stupidly selects, not caring about dependencies. So we'd have to duplicate all the dependencies to decide when to select. My current attempt makes lots of symbols depend on NETFILTER_ADVANCED, hiding them, and uses default m if NETFILTER_ADVANCED=n for the remaining ones, so you can simply hit enter until you're through the netfilter stuff. The modules currently defaulting to m are: CONFIG_NETFILTER_NETLINK=m CONFIG_NETFILTER_NETLINK_LOG=m CONFIG_NF_CONNTRACK=m CONFIG_NF_CONNTRACK_FTP=m CONFIG_NF_CONNTRACK_IRC=m CONFIG_NF_CONNTRACK_SIP=m CONFIG_NF_CT_NETLINK=m CONFIG_NETFILTER_XTABLES=m CONFIG_NETFILTER_XT_TARGET_MARK=m CONFIG_NETFILTER_XT_TARGET_NFLOG=m CONFIG_NETFILTER_XT_TARGET_TCPMSS=m CONFIG_NETFILTER_XT_MATCH_CONNTRACK=m CONFIG_NETFILTER_XT_MATCH_MARK=m CONFIG_NETFILTER_XT_MATCH_POLICY=m CONFIG_NETFILTER_XT_MATCH_STATE=m CONFIG_NF_CONNTRACK_IPV4=m CONFIG_NF_CONNTRACK_PROC_COMPAT=y CONFIG_IP_NF_IPTABLES=m CONFIG_IP_NF_FILTER=m CONFIG_IP_NF_TARGET_REJECT=m CONFIG_IP_NF_TARGET_LOG=m CONFIG_IP_NF_TARGET_ULOG=m CONFIG_NF_NAT=m CONFIG_NF_NAT_NEEDED=y CONFIG_IP_NF_TARGET_MASQUERADE=m CONFIG_NF_NAT_FTP=m CONFIG_NF_NAT_IRC=m CONFIG_NF_NAT_SIP=m CONFIG_IP_NF_MANGLE=m CONFIG_NF_CONNTRACK_IPV6=m CONFIG_IP6_NF_IPTABLES=m CONFIG_IP6_NF_FILTER=m CONFIG_IP6_NF_TARGET_LOG=m CONFIG_IP6_NF_TARGET_REJECT=m CONFIG_IP6_NF_MANGLE=m Of course without IPv6 the last 6 ones are missing. This brings us down from 114 options to 36. Any suggestions for improvement? [-- Attachment #2: x --] [-- Type: text/plain, Size: 34958 bytes --] commit dec598b808b8233d5809a8164d87320d2e8d2e1b Author: Patrick McHardy <kaber@trash.net> Date: Tue Nov 27 17:30:03 2007 +0100 [NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option diff --git a/net/Kconfig b/net/Kconfig index 58ed2f4..b6a5d45 100644 --- a/net/Kconfig +++ b/net/Kconfig @@ -144,9 +144,21 @@ config NETFILTER_DEBUG You can say Y here if you want to get additional messages useful in debugging the netfilter code. +config NETFILTER_ADVANCED + bool "Advanced netfilter configuration" + depends on NETFILTER + default y + help + If you say Y here you can select between all the netfilter modules. + If you say N the more ununsual ones will not be shown and the + basic ones needed by most people will default to 'M'. + + If unsure, say Y. + config BRIDGE_NETFILTER bool "Bridged IP/ARP packets filtering" depends on BRIDGE && NETFILTER && INET + depends on NETFILTER_ADVANCED default y ---help--- Enabling this option will let arptables resp. iptables see bridged diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig index b84fc60..4a3e2bf 100644 --- a/net/bridge/netfilter/Kconfig +++ b/net/bridge/netfilter/Kconfig @@ -3,7 +3,7 @@ # menu "Bridge: Netfilter Configuration" - depends on BRIDGE && NETFILTER + depends on BRIDGE && BRIDGE_NETFILTER config BRIDGE_NF_EBTABLES tristate "Ethernet Bridge tables (ebtables) support" diff --git a/net/decnet/netfilter/Kconfig b/net/decnet/netfilter/Kconfig index ecdb3f9..2f81de5 100644 --- a/net/decnet/netfilter/Kconfig +++ b/net/decnet/netfilter/Kconfig @@ -4,6 +4,7 @@ menu "DECnet: Netfilter Configuration" depends on DECNET && NETFILTER && EXPERIMENTAL + depends on NETFILTER_ADVANCED config DECNET_NF_GRABULATOR tristate "Routing message grabulator (for userland routing daemon)" diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index ad26f66..cface71 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig @@ -8,6 +8,7 @@ menu "IP: Netfilter Configuration" config NF_CONNTRACK_IPV4 tristate "IPv4 connection tracking support (required for NAT)" depends on NF_CONNTRACK + default m if NETFILTER_ADVANCED=n ---help--- Connection tracking keeps a record of what packets have passed through your machine, in order to figure out how they are related @@ -32,6 +33,7 @@ config NF_CONNTRACK_PROC_COMPAT config IP_NF_QUEUE tristate "IP Userspace queueing via NETLINK (OBSOLETE)" + depends on NETFILTER_ADVANCED help Netfilter has the ability to queue packets to user space: the netlink device can be used to access them using this driver. @@ -44,6 +46,7 @@ config IP_NF_QUEUE config IP_NF_IPTABLES tristate "IP tables support (required for filtering/masq/NAT)" + default m if NETFILTER_ADVANCED=n select NETFILTER_XTABLES help iptables is a general, extensible packet identification framework. @@ -57,6 +60,7 @@ config IP_NF_IPTABLES config IP_NF_MATCH_IPRANGE tristate '"iprange" match support' depends on IP_NF_IPTABLES + depends on NETFILTER_ADVANCED help This option makes possible to match IP addresses against IP address ranges. @@ -66,6 +70,7 @@ config IP_NF_MATCH_IPRANGE config IP_NF_MATCH_RECENT tristate '"recent" match support' depends on IP_NF_IPTABLES + depends on NETFILTER_ADVANCED help This match is used for creating one or many lists of recently used addresses and then matching against that/those list(s). @@ -78,6 +83,7 @@ config IP_NF_MATCH_RECENT config IP_NF_MATCH_ECN tristate '"ecn" match support' depends on IP_NF_IPTABLES + depends on NETFILTER_ADVANCED help This option adds a `ECN' match, which allows you to match against the IPv4 and TCP header ECN fields. @@ -87,6 +93,7 @@ config IP_NF_MATCH_ECN config IP_NF_MATCH_AH tristate '"ah" match support' depends on IP_NF_IPTABLES + depends on NETFILTER_ADVANCED help This match extension allows you to match a range of SPIs inside AH header of IPSec packets. @@ -96,6 +103,7 @@ config IP_NF_MATCH_AH config IP_NF_MATCH_TTL tristate '"ttl" match support' depends on IP_NF_IPTABLES + depends on NETFILTER_ADVANCED help This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user to match packets by their TTL value. @@ -105,10 +113,11 @@ config IP_NF_MATCH_TTL config IP_NF_MATCH_ADDRTYPE tristate '"addrtype" address type match support' depends on IP_NF_IPTABLES + depends on NETFILTER_ADVANCED help This option allows you to match what routing thinks of an address, eg. UNICAST, LOCAL, BROADCAST, ... - + If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. @@ -116,6 +125,7 @@ config IP_NF_MATCH_ADDRTYPE config IP_NF_FILTER tristate "Packet filtering" depends on IP_NF_IPTABLES + default m if NETFILTER_ADVANCED=n help Packet filtering defines a table `filter', which has a series of rules for simple packet filtering at local input, forwarding and @@ -126,6 +136,7 @@ config IP_NF_FILTER config IP_NF_TARGET_REJECT tristate "REJECT target support" depends on IP_NF_FILTER + default m if NETFILTER_ADVANCED=n help The REJECT target allows a filtering rule to specify that an ICMP error should be issued in response to an incoming packet, rather @@ -136,6 +147,7 @@ config IP_NF_TARGET_REJECT config IP_NF_TARGET_LOG tristate "LOG target support" depends on IP_NF_IPTABLES + default m if NETFILTER_ADVANCED=n help This option adds a `LOG' target, which allows you to create rules in any iptables table which records the packet header to the syslog. @@ -145,6 +157,7 @@ config IP_NF_TARGET_LOG config IP_NF_TARGET_ULOG tristate "ULOG target support" depends on IP_NF_IPTABLES + default m if NETFILTER_ADVANCED=n ---help--- This option enables the old IPv4-only "ipt_ULOG" implementation @@ -165,6 +178,7 @@ config IP_NF_TARGET_ULOG config NF_NAT tristate "Full NAT" depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4 + default m if NETFILTER_ADVANCED=n help The Full NAT option allows masquerading, port forwarding and other forms of full Network Address Port Translation. It is controlled by @@ -180,6 +194,7 @@ config NF_NAT_NEEDED config IP_NF_TARGET_MASQUERADE tristate "MASQUERADE target support" depends on NF_NAT + default m if NETFILTER_ADVANCED=n help Masquerading is a special case of NAT: all outgoing connections are changed to seem to come from a particular interface's address, and @@ -192,6 +207,7 @@ config IP_NF_TARGET_MASQUERADE config IP_NF_TARGET_REDIRECT tristate "REDIRECT target support" depends on NF_NAT + depends on NETFILTER_ADVANCED help REDIRECT is a special case of NAT: all incoming connections are mapped onto the incoming interface's address, causing the packets to @@ -203,6 +219,7 @@ config IP_NF_TARGET_REDIRECT config IP_NF_TARGET_NETMAP tristate "NETMAP target support" depends on NF_NAT + depends on NETFILTER_ADVANCED help NETMAP is an implementation of static 1:1 NAT mapping of network addresses. It maps the network address part, while keeping the host @@ -214,6 +231,7 @@ config IP_NF_TARGET_NETMAP config NF_NAT_SNMP_BASIC tristate "Basic SNMP-ALG support (EXPERIMENTAL)" depends on EXPERIMENTAL && NF_NAT + depends on NETFILTER_ADVANCED ---help--- This module implements an Application Layer Gateway (ALG) for @@ -277,6 +295,7 @@ config NF_NAT_SIP config IP_NF_MANGLE tristate "Packet mangling" depends on IP_NF_IPTABLES + default m if NETFILTER_ADVANCED=n help This option adds a `mangle' table to iptables: see the man page for iptables(8). This table is used for various packet alterations @@ -287,6 +306,7 @@ config IP_NF_MANGLE config IP_NF_TARGET_ECN tristate "ECN target support" depends on IP_NF_MANGLE + depends on NETFILTER_ADVANCED ---help--- This option adds a `ECN' target, which can be used in the iptables mangle table. @@ -301,6 +321,7 @@ config IP_NF_TARGET_ECN config IP_NF_TARGET_TTL tristate 'TTL target support' depends on IP_NF_MANGLE + depends on NETFILTER_ADVANCED help This option adds a `TTL' target, which enables the user to modify the TTL value of the IP header. @@ -316,6 +337,7 @@ config IP_NF_TARGET_CLUSTERIP tristate "CLUSTERIP target support (EXPERIMENTAL)" depends on IP_NF_MANGLE && EXPERIMENTAL depends on NF_CONNTRACK_IPV4 + depends on NETFILTER_ADVANCED select NF_CONNTRACK_MARK help The CLUSTERIP target allows you to build load-balancing clusters of @@ -328,6 +350,7 @@ config IP_NF_TARGET_CLUSTERIP config IP_NF_RAW tristate 'raw table support (required for NOTRACK/TRACE)' depends on IP_NF_IPTABLES + depends on NETFILTER_ADVANCED help This option adds a `raw' table to iptables. This table is the very first in the netfilter framework and hooks in at the PREROUTING @@ -340,6 +363,7 @@ config IP_NF_RAW config IP_NF_ARPTABLES tristate "ARP tables support" select NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help arptables is a general, extensible packet identification framework. The ARP packet filtering and mangling (manipulation)subsystems diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig index 5374c66..a6b4a9a 100644 --- a/net/ipv6/netfilter/Kconfig +++ b/net/ipv6/netfilter/Kconfig @@ -8,6 +8,7 @@ menu "IPv6: Netfilter Configuration (EXPERIMENTAL)" config NF_CONNTRACK_IPV6 tristate "IPv6 connection tracking support (EXPERIMENTAL)" depends on INET && IPV6 && EXPERIMENTAL && NF_CONNTRACK + default m if NETFILTER_ADVANCED=n ---help--- Connection tracking keeps a record of what packets have passed through your machine, in order to figure out how they are related @@ -22,6 +23,7 @@ config NF_CONNTRACK_IPV6 config IP6_NF_QUEUE tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)" depends on INET && IPV6 && NETFILTER && EXPERIMENTAL + depends on NETFILTER_ADVANCED ---help--- This option adds a queue handler to the kernel for IPv6 @@ -44,6 +46,7 @@ config IP6_NF_IPTABLES tristate "IP6 tables support (required for filtering)" depends on INET && IPV6 && EXPERIMENTAL select NETFILTER_XTABLES + default m if NETFILTER_ADVANCED=n help ip6tables is a general, extensible packet identification framework. Currently only the packet filtering and packet mangling subsystem @@ -56,6 +59,7 @@ config IP6_NF_IPTABLES config IP6_NF_MATCH_RT tristate '"rt" Routing header match support' depends on IP6_NF_IPTABLES + depends on NETFILTER_ADVANCED help rt matching allows you to match packets based on the routing header of the packet. @@ -65,6 +69,7 @@ config IP6_NF_MATCH_RT config IP6_NF_MATCH_OPTS tristate '"hopbyhop" and "dst" opts header match support' depends on IP6_NF_IPTABLES + depends on NETFILTER_ADVANCED help This allows one to match packets based on the hop-by-hop and destination options headers of a packet. @@ -74,6 +79,7 @@ config IP6_NF_MATCH_OPTS config IP6_NF_MATCH_FRAG tristate '"frag" Fragmentation header match support' depends on IP6_NF_IPTABLES + depends on NETFILTER_ADVANCED help frag matching allows you to match packets based on the fragmentation header of the packet. @@ -83,6 +89,7 @@ config IP6_NF_MATCH_FRAG config IP6_NF_MATCH_HL tristate '"hl" match support' depends on IP6_NF_IPTABLES + depends on NETFILTER_ADVANCED help HL matching allows you to match packets based on the hop limit of the packet. @@ -92,6 +99,7 @@ config IP6_NF_MATCH_HL config IP6_NF_MATCH_IPV6HEADER tristate '"ipv6header" IPv6 Extension Headers Match' depends on IP6_NF_IPTABLES + depends on NETFILTER_ADVANCED help This module allows one to match packets based upon the ipv6 extension headers. @@ -101,6 +109,7 @@ config IP6_NF_MATCH_IPV6HEADER config IP6_NF_MATCH_AH tristate '"ah" match support' depends on IP6_NF_IPTABLES + depends on NETFILTER_ADVANCED help This module allows one to match AH packets. @@ -109,6 +118,7 @@ config IP6_NF_MATCH_AH config IP6_NF_MATCH_MH tristate '"mh" match support' depends on IP6_NF_IPTABLES + depends on NETFILTER_ADVANCED help This module allows one to match MH packets. @@ -117,6 +127,7 @@ config IP6_NF_MATCH_MH config IP6_NF_MATCH_EUI64 tristate '"eui64" address check' depends on IP6_NF_IPTABLES + depends on NETFILTER_ADVANCED help This module performs checking on the IPv6 source address Compares the last 64 bits with the EUI64 (delivered @@ -128,6 +139,7 @@ config IP6_NF_MATCH_EUI64 config IP6_NF_FILTER tristate "Packet filtering" depends on IP6_NF_IPTABLES + default m if NETFILTER_ADVANCED=n help Packet filtering defines a table `filter', which has a series of rules for simple packet filtering at local input, forwarding and @@ -138,6 +150,7 @@ config IP6_NF_FILTER config IP6_NF_TARGET_LOG tristate "LOG target support" depends on IP6_NF_FILTER + default m if NETFILTER_ADVANCED=n help This option adds a `LOG' target, which allows you to create rules in any iptables table which records the packet header to the syslog. @@ -147,6 +160,7 @@ config IP6_NF_TARGET_LOG config IP6_NF_TARGET_REJECT tristate "REJECT target support" depends on IP6_NF_FILTER + default m if NETFILTER_ADVANCED=n help The REJECT target allows a filtering rule to specify that an ICMPv6 error should be issued in response to an incoming packet, rather @@ -157,6 +171,7 @@ config IP6_NF_TARGET_REJECT config IP6_NF_MANGLE tristate "Packet mangling" depends on IP6_NF_IPTABLES + default m if NETFILTER_ADVANCED=n help This option adds a `mangle' table to iptables: see the man page for iptables(8). This table is used for various packet alterations @@ -167,27 +182,29 @@ config IP6_NF_MANGLE config IP6_NF_TARGET_HL tristate 'HL (hoplimit) target support' depends on IP6_NF_MANGLE + depends on NETFILTER_ADVANCED help This option adds a `HL' target, which enables the user to decrement the hoplimit value of the IPv6 header or set it to a given (lower) value. - + While it is safe to decrement the hoplimit value, this option also enables functionality to increment and set the hoplimit value of the IPv6 header to arbitrary values. This is EXTREMELY DANGEROUS since you can easily create immortal packets that loop forever on the - network. + network. To compile it as a module, choose M here. If unsure, say N. config IP6_NF_RAW tristate 'raw table support (required for TRACE)' depends on IP6_NF_IPTABLES + depends on NETFILTER_ADVANCED help This option adds a `raw' table to ip6tables. This table is the very first in the netfilter framework and hooks in at the PREROUTING and OUTPUT chains. - + If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 5a353d1..d34008a 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -6,6 +6,7 @@ config NETFILTER_NETLINK config NETFILTER_NETLINK_QUEUE tristate "Netfilter NFQUEUE over NFNETLINK interface" + depends on NETFILTER_ADVANCED select NETFILTER_NETLINK help If this option is enabled, the kernel will include support @@ -13,6 +14,7 @@ config NETFILTER_NETLINK_QUEUE config NETFILTER_NETLINK_LOG tristate "Netfilter LOG over NFNETLINK interface" + default m if NETFILTER_ADVANCED=n select NETFILTER_NETLINK help If this option is enabled, the kernel will include support @@ -24,6 +26,7 @@ config NETFILTER_NETLINK_LOG config NF_CONNTRACK tristate "Netfilter connection tracking support" + default m if NETFILTER_ADVANCED=n help Connection tracking keeps a record of what packets have passed through your machine, in order to figure out how they are related @@ -38,6 +41,7 @@ config NF_CONNTRACK config NF_CT_ACCT bool "Connection tracking flow accounting" + depends on NETFILTER_ADVANCED depends on NF_CONNTRACK help If this option is enabled, the connection tracking code will @@ -50,6 +54,7 @@ config NF_CT_ACCT config NF_CONNTRACK_MARK bool 'Connection mark tracking support' + depends on NETFILTER_ADVANCED depends on NF_CONNTRACK help This option enables support for connection marks, used by the @@ -60,6 +65,7 @@ config NF_CONNTRACK_MARK config NF_CONNTRACK_SECMARK bool 'Connection tracking security mark support' depends on NF_CONNTRACK && NETWORK_SECMARK + default m if NETFILTER_ADVANCED=n help This option enables security markings to be applied to connections. Typically they are copied to connections from @@ -72,6 +78,7 @@ config NF_CONNTRACK_SECMARK config NF_CONNTRACK_EVENTS bool "Connection tracking events (EXPERIMENTAL)" depends on EXPERIMENTAL && NF_CONNTRACK + depends on NETFILTER_ADVANCED help If this option is enabled, the connection tracking code will provide a notifier chain that can be used by other kernel code @@ -86,7 +93,7 @@ config NF_CT_PROTO_GRE config NF_CT_PROTO_SCTP tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)' depends on EXPERIMENTAL && NF_CONNTRACK - default n + depends on NETFILTER_ADVANCED help With this option enabled, the layer 3 independent connection tracking code will be able to do state tracking on SCTP connections. @@ -97,6 +104,7 @@ config NF_CT_PROTO_SCTP config NF_CT_PROTO_UDPLITE tristate 'UDP-Lite protocol connection tracking support (EXPERIMENTAL)' depends on EXPERIMENTAL && NF_CONNTRACK + depends on NETFILTER_ADVANCED help With this option enabled, the layer 3 independent connection tracking code will be able to do state tracking on UDP-Lite @@ -107,6 +115,7 @@ config NF_CT_PROTO_UDPLITE config NF_CONNTRACK_AMANDA tristate "Amanda backup protocol support" depends on NF_CONNTRACK + depends on NETFILTER_ADVANCED select TEXTSEARCH select TEXTSEARCH_KMP help @@ -122,6 +131,7 @@ config NF_CONNTRACK_AMANDA config NF_CONNTRACK_FTP tristate "FTP protocol support" depends on NF_CONNTRACK + default m if NETFILTER_ADVANCED=n help Tracking FTP connections is problematic: special helpers are required for tracking them, and doing masquerading and other forms @@ -136,6 +146,7 @@ config NF_CONNTRACK_FTP config NF_CONNTRACK_H323 tristate "H.323 protocol support (EXPERIMENTAL)" depends on EXPERIMENTAL && NF_CONNTRACK && (IPV6 || IPV6=n) + depends on NETFILTER_ADVANCED help H.323 is a VoIP signalling protocol from ITU-T. As one of the most important VoIP protocols, it is widely used by voice hardware and @@ -155,6 +166,7 @@ config NF_CONNTRACK_H323 config NF_CONNTRACK_IRC tristate "IRC protocol support" depends on NF_CONNTRACK + default m if NETFILTER_ADVANCED=n help There is a commonly-used extension to IRC called Direct Client-to-Client Protocol (DCC). This enables users to send @@ -170,6 +182,7 @@ config NF_CONNTRACK_IRC config NF_CONNTRACK_NETBIOS_NS tristate "NetBIOS name service protocol support (EXPERIMENTAL)" depends on EXPERIMENTAL && NF_CONNTRACK + depends on NETFILTER_ADVANCED help NetBIOS name service requests are sent as broadcast messages from an unprivileged port and responded to with unicast messages to the @@ -189,6 +202,7 @@ config NF_CONNTRACK_NETBIOS_NS config NF_CONNTRACK_PPTP tristate "PPtP protocol support" depends on NF_CONNTRACK + depends on NETFILTER_ADVANCED select NF_CT_PROTO_GRE help This module adds support for PPTP (Point to Point Tunnelling @@ -208,6 +222,7 @@ config NF_CONNTRACK_PPTP config NF_CONNTRACK_SANE tristate "SANE protocol support (EXPERIMENTAL)" depends on EXPERIMENTAL && NF_CONNTRACK + depends on NETFILTER_ADVANCED help SANE is a protocol for remote access to scanners as implemented by the 'saned' daemon. Like FTP, it uses separate control and @@ -221,6 +236,7 @@ config NF_CONNTRACK_SANE config NF_CONNTRACK_SIP tristate "SIP protocol support (EXPERIMENTAL)" depends on EXPERIMENTAL && NF_CONNTRACK + default m if NETFILTER_ADVANCED=n help SIP is an application-layer control protocol that can establish, modify, and terminate multimedia sessions (conferences) such as @@ -233,6 +249,7 @@ config NF_CONNTRACK_SIP config NF_CONNTRACK_TFTP tristate "TFTP protocol support" depends on NF_CONNTRACK + depends on NETFILTER_ADVANCED help TFTP connection tracking helper, this is required depending on how restrictive your ruleset is. @@ -246,11 +263,13 @@ config NF_CT_NETLINK depends on EXPERIMENTAL && NF_CONNTRACK select NETFILTER_NETLINK depends on NF_NAT=n || NF_NAT + default m if NETFILTER_ADVANCED=n help This option enables support for a netlink-based userspace interface config NETFILTER_XTABLES tristate "Netfilter Xtables support (required for ip_tables)" + default m if NETFILTER_ADVANCED=n help This is required if you intend to use any of ip_tables, ip6_tables or arp_tables. @@ -260,6 +279,7 @@ config NETFILTER_XTABLES config NETFILTER_XT_TARGET_CLASSIFY tristate '"CLASSIFY" target support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help This option adds a `CLASSIFY' target, which enables the user to set the priority of a packet. Some qdiscs can use this value for @@ -274,12 +294,13 @@ config NETFILTER_XT_TARGET_CONNMARK depends on NETFILTER_XTABLES depends on IP_NF_MANGLE || IP6_NF_MANGLE depends on NF_CONNTRACK + depends on NETFILTER_ADVANCED select NF_CONNTRACK_MARK help This option adds a `CONNMARK' target, which allows one to manipulate the connection mark value. Similar to the MARK target, but affects the connection mark value rather than the packet mark value. - + If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. The module will be called ipt_CONNMARK.ko. If unsure, say `N'. @@ -288,6 +309,7 @@ config NETFILTER_XT_TARGET_DSCP tristate '"DSCP" and "TOS" target support' depends on NETFILTER_XTABLES depends on IP_NF_MANGLE || IP6_NF_MANGLE + depends on NETFILTER_ADVANCED help This option adds a `DSCP' target, which allows you to manipulate the IPv4/IPv6 header DSCP field (differentiated services codepoint). @@ -303,6 +325,7 @@ config NETFILTER_XT_TARGET_DSCP config NETFILTER_XT_TARGET_MARK tristate '"MARK" target support' depends on NETFILTER_XTABLES + default m if NETFILTER_ADVANCED=n help This option adds a `MARK' target, which allows you to create rules in the `mangle' table which alter the netfilter mark (nfmark) field @@ -316,6 +339,7 @@ config NETFILTER_XT_TARGET_MARK config NETFILTER_XT_TARGET_NFQUEUE tristate '"NFQUEUE" target Support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help This target replaced the old obsolete QUEUE target. @@ -327,6 +351,7 @@ config NETFILTER_XT_TARGET_NFQUEUE config NETFILTER_XT_TARGET_NFLOG tristate '"NFLOG" target support' depends on NETFILTER_XTABLES + default m if NETFILTER_ADVANCED=n help This option enables the NFLOG target, which allows to LOG messages through the netfilter logging API, which can use @@ -340,12 +365,13 @@ config NETFILTER_XT_TARGET_NOTRACK depends on NETFILTER_XTABLES depends on IP_NF_RAW || IP6_NF_RAW depends on NF_CONNTRACK + depends on NETFILTER_ADVANCED help The NOTRACK target allows a select rule to specify which packets *not* to enter the conntrack/NAT subsystem with all the consequences (no ICMP error tracking, no protocol helpers for the selected packets). - + If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. @@ -353,6 +379,7 @@ config NETFILTER_XT_TARGET_TRACE tristate '"TRACE" target support' depends on NETFILTER_XTABLES depends on IP_NF_RAW || IP6_NF_RAW + depends on NETFILTER_ADVANCED help The TRACE target allows you to mark packets so that the kernel will log every rule which match the packets as those traverse @@ -364,6 +391,7 @@ config NETFILTER_XT_TARGET_TRACE config NETFILTER_XT_TARGET_SECMARK tristate '"SECMARK" target support' depends on NETFILTER_XTABLES && NETWORK_SECMARK + default m if NETFILTER_ADVANCED=n help The SECMARK target allows security marking of network packets, for use with security subsystems. @@ -373,6 +401,7 @@ config NETFILTER_XT_TARGET_SECMARK config NETFILTER_XT_TARGET_CONNSECMARK tristate '"CONNSECMARK" target support' depends on NETFILTER_XTABLES && NF_CONNTRACK && NF_CONNTRACK_SECMARK + default m if NETFILTER_ADVANCED=n help The CONNSECMARK target copies security markings from packets to connections, and restores security markings from connections @@ -384,6 +413,7 @@ config NETFILTER_XT_TARGET_CONNSECMARK config NETFILTER_XT_TARGET_TCPMSS tristate '"TCPMSS" target support' depends on NETFILTER_XTABLES && (IPV6 || IPV6=n) + default m if NETFILTER_ADVANCED=n ---help--- This option adds a `TCPMSS' target, which allows you to alter the MSS value of TCP SYN packets, to control the maximum size for that @@ -411,6 +441,7 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP tristate '"TCPOPTSTRIP" target support (EXPERIMENTAL)' depends on EXPERIMENTAL && NETFILTER_XTABLES depends on IP_NF_MANGLE || IP6_NF_MANGLE + depends on NETFILTER_ADVANCED help This option adds a "TCPOPTSTRIP" target, which allows you to strip TCP options from TCP packets. @@ -418,6 +449,7 @@ config NETFILTER_XT_TARGET_TCPOPTSTRIP config NETFILTER_XT_MATCH_COMMENT tristate '"comment" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help This option adds a `comment' dummy-match, which allows you to put comments in your iptables ruleset. @@ -429,6 +461,7 @@ config NETFILTER_XT_MATCH_CONNBYTES tristate '"connbytes" per-connection counter match support' depends on NETFILTER_XTABLES depends on NF_CONNTRACK + depends on NETFILTER_ADVANCED select NF_CT_ACCT help This option adds a `connbytes' match, which allows you to match the @@ -441,6 +474,7 @@ config NETFILTER_XT_MATCH_CONNLIMIT tristate '"connlimit" match support"' depends on NETFILTER_XTABLES depends on NF_CONNTRACK + depends on NETFILTER_ADVANCED ---help--- This match allows you to match against the number of parallel connections to a server per client IP address (or address block). @@ -449,11 +483,12 @@ config NETFILTER_XT_MATCH_CONNMARK tristate '"connmark" connection mark match support' depends on NETFILTER_XTABLES depends on NF_CONNTRACK + depends on NETFILTER_ADVANCED select NF_CONNTRACK_MARK help This option adds a `connmark' match, which allows you to match the connection mark value previously set for the session by `CONNMARK'. - + If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. The module will be called ipt_connmark.ko. If unsure, say `N'. @@ -462,6 +497,7 @@ config NETFILTER_XT_MATCH_CONNTRACK tristate '"conntrack" connection tracking match support' depends on NETFILTER_XTABLES depends on NF_CONNTRACK + default m if NETFILTER_ADVANCED=n help This is a general conntrack match module, a superset of the state match. @@ -474,6 +510,7 @@ config NETFILTER_XT_MATCH_CONNTRACK config NETFILTER_XT_MATCH_DCCP tristate '"dccp" protocol match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help With this option enabled, you will be able to use the iptables `dccp' match in order to match on DCCP source/destination ports @@ -485,6 +522,7 @@ config NETFILTER_XT_MATCH_DCCP config NETFILTER_XT_MATCH_DSCP tristate '"dscp" and "tos" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help This option adds a `DSCP' match, which allows you to match against the IPv4/IPv6 header DSCP field (differentiated services codepoint). @@ -500,6 +538,7 @@ config NETFILTER_XT_MATCH_DSCP config NETFILTER_XT_MATCH_ESP tristate '"esp" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help This match extension allows you to match a range of SPIs inside ESP header of IPSec packets. @@ -510,6 +549,7 @@ config NETFILTER_XT_MATCH_HELPER tristate '"helper" match support' depends on NETFILTER_XTABLES depends on NF_CONNTRACK + depends on NETFILTER_ADVANCED help Helper matching allows you to match packets in dynamic connections tracked by a conntrack-helper, ie. ip_conntrack_ftp @@ -519,6 +559,7 @@ config NETFILTER_XT_MATCH_HELPER config NETFILTER_XT_MATCH_LENGTH tristate '"length" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help This option allows you to match the length of a packet against a specific value or range of values. @@ -528,6 +569,7 @@ config NETFILTER_XT_MATCH_LENGTH config NETFILTER_XT_MATCH_LIMIT tristate '"limit" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help limit matching allows you to control the rate at which a rule can be matched: mainly useful in combination with the LOG target ("LOG @@ -538,6 +580,7 @@ config NETFILTER_XT_MATCH_LIMIT config NETFILTER_XT_MATCH_MAC tristate '"mac" address match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help MAC matching allows you to match packets based on the source Ethernet address of the packet. @@ -547,6 +590,7 @@ config NETFILTER_XT_MATCH_MAC config NETFILTER_XT_MATCH_MARK tristate '"mark" match support' depends on NETFILTER_XTABLES + default m if NETFILTER_ADVANCED=n help Netfilter mark matching allows you to match packets based on the `nfmark' value in the packet. This can be set by the MARK target @@ -557,6 +601,7 @@ config NETFILTER_XT_MATCH_MARK config NETFILTER_XT_MATCH_OWNER tristate '"owner" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED ---help--- Socket owner matching allows you to match locally-generated packets based on who created the socket: the user or group. It is also @@ -565,6 +610,7 @@ config NETFILTER_XT_MATCH_OWNER config NETFILTER_XT_MATCH_POLICY tristate 'IPsec "policy" match support' depends on NETFILTER_XTABLES && XFRM + default m if NETFILTER_ADVANCED=n help Policy matching allows you to match packets based on the IPsec policy that was used during decapsulation/will @@ -575,6 +621,7 @@ config NETFILTER_XT_MATCH_POLICY config NETFILTER_XT_MATCH_MULTIPORT tristate '"multiport" Multiple port match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help Multiport matching allows you to match TCP or UDP packets based on a series of source or destination ports: normally a rule can only @@ -585,6 +632,7 @@ config NETFILTER_XT_MATCH_MULTIPORT config NETFILTER_XT_MATCH_PHYSDEV tristate '"physdev" match support' depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER + depends on NETFILTER_ADVANCED help Physdev packet matching matches against the physical bridge ports the IP packet arrived on or will leave by. @@ -594,6 +642,7 @@ config NETFILTER_XT_MATCH_PHYSDEV config NETFILTER_XT_MATCH_PKTTYPE tristate '"pkttype" packet type match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help Packet type matching allows you to match a packet by its "class", eg. BROADCAST, MULTICAST, ... @@ -606,6 +655,7 @@ config NETFILTER_XT_MATCH_PKTTYPE config NETFILTER_XT_MATCH_QUOTA tristate '"quota" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help This option adds a `quota' match, which allows to match on a byte counter. @@ -616,20 +666,22 @@ config NETFILTER_XT_MATCH_QUOTA config NETFILTER_XT_MATCH_REALM tristate '"realm" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED select NET_CLS_ROUTE help This option adds a `realm' match, which allows you to use the realm key from the routing subsystem inside iptables. - + This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option in tc world. - + If you want to compile it as a module, say M here and read <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. config NETFILTER_XT_MATCH_SCTP tristate '"sctp" protocol match support (EXPERIMENTAL)' depends on NETFILTER_XTABLES && EXPERIMENTAL + depends on NETFILTER_ADVANCED help With this option enabled, you will be able to use the `sctp' match in order to match on SCTP source/destination ports @@ -642,6 +694,7 @@ config NETFILTER_XT_MATCH_STATE tristate '"state" match support' depends on NETFILTER_XTABLES depends on NF_CONNTRACK + default m if NETFILTER_ADVANCED=n help Connection state matching allows you to match packets based on their relationship to a tracked connection (ie. previous packets). This @@ -652,6 +705,7 @@ config NETFILTER_XT_MATCH_STATE config NETFILTER_XT_MATCH_STATISTIC tristate '"statistic" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help This option adds a `statistic' match, which allows you to match on packets periodically or randomly with a given percentage. @@ -661,6 +715,7 @@ config NETFILTER_XT_MATCH_STATISTIC config NETFILTER_XT_MATCH_STRING tristate '"string" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED select TEXTSEARCH select TEXTSEARCH_KMP select TEXTSEARCH_BM @@ -674,6 +729,7 @@ config NETFILTER_XT_MATCH_STRING config NETFILTER_XT_MATCH_TCPMSS tristate '"tcpmss" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED help This option adds a `tcpmss' match, which allows you to examine the MSS value of TCP SYN packets, which control the maximum packet size @@ -684,6 +740,7 @@ config NETFILTER_XT_MATCH_TCPMSS config NETFILTER_XT_MATCH_TIME tristate '"time" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED ---help--- This option adds a "time" match, which allows you to match based on the packet arrival time (at the machine which netfilter is running) @@ -698,6 +755,7 @@ config NETFILTER_XT_MATCH_TIME config NETFILTER_XT_MATCH_U32 tristate '"u32" match support' depends on NETFILTER_XTABLES + depends on NETFILTER_ADVANCED ---help--- u32 allows you to extract quantities of up to 4 bytes from a packet, AND them with specified masks, shift them by specified amounts and @@ -711,6 +769,7 @@ config NETFILTER_XT_MATCH_U32 config NETFILTER_XT_MATCH_HASHLIMIT tristate '"hashlimit" match support' depends on NETFILTER_XTABLES && (IP6_NF_IPTABLES || IP6_NF_IPTABLES=n) + depends on NETFILTER_ADVANCED help This option adds a `hashlimit' match. ^ permalink raw reply related [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-16 15:35 ` CONFIG_NETFILTER_ADVANCED Phil Oester 2007-11-16 15:47 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy @ 2007-11-17 0:19 ` David Miller 2007-11-17 8:48 ` CONFIG_NETFILTER_ADVANCED Benny Amorsen 2007-11-17 16:14 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 1 sibling, 2 replies; 24+ messages in thread From: David Miller @ 2007-11-17 0:19 UTC (permalink / raw) To: kernel; +Cc: kaber, jengelh, netfilter-devel From: Phil Oester <kernel@linuxace.com> Date: Fri, 16 Nov 2007 07:35:41 -0800 > I'd vote for at least FTP here...most users will use it at > some point (or if they don't, wonder why FTP is broken). I disagree, passive ftp is extremely pervasive, there is no reason to use traditional ftp these days. I don't use it on my NAT box here at home and learned instintively to type 'pftp' from the command line over time :-) ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-17 0:19 ` CONFIG_NETFILTER_ADVANCED David Miller @ 2007-11-17 8:48 ` Benny Amorsen 2007-11-17 15:29 ` CONFIG_NETFILTER_ADVANCED Pascal Hambourg 2007-11-17 16:14 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 1 sibling, 1 reply; 24+ messages in thread From: Benny Amorsen @ 2007-11-17 8:48 UTC (permalink / raw) To: netfilter-devel >>>>> "DM" == David Miller <davem@davemloft.net> writes: DM> I disagree, passive ftp is extremely pervasive, there is no reason DM> to use traditional ftp these days. Active FTP needs helpers on the client side, passive FTP needs helpers on the server side. /Benny ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-17 8:48 ` CONFIG_NETFILTER_ADVANCED Benny Amorsen @ 2007-11-17 15:29 ` Pascal Hambourg 0 siblings, 0 replies; 24+ messages in thread From: Pascal Hambourg @ 2007-11-17 15:29 UTC (permalink / raw) To: netfilter-devel Hello, Benny Amorsen a écrit : > > DM> I disagree, passive ftp is extremely pervasive, there is no reason > DM> to use traditional ftp these days. So what ? The FTP helper is useful in both active and passive modes. > Active FTP needs helpers on the client side, passive FTP needs helpers > on the server side. If you want to restrict outgoing connections you also need the FTP conntrack helper regardless of whether you're on the server or client side. - To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED 2007-11-17 0:19 ` CONFIG_NETFILTER_ADVANCED David Miller 2007-11-17 8:48 ` CONFIG_NETFILTER_ADVANCED Benny Amorsen @ 2007-11-17 16:14 ` Patrick McHardy 1 sibling, 0 replies; 24+ messages in thread From: Patrick McHardy @ 2007-11-17 16:14 UTC (permalink / raw) To: David Miller; +Cc: kernel, jengelh, netfilter-devel David Miller wrote: > From: Phil Oester <kernel@linuxace.com> > Date: Fri, 16 Nov 2007 07:35:41 -0800 > > >> I'd vote for at least FTP here...most users will use it at >> some point (or if they don't, wonder why FTP is broken). >> > > I disagree, passive ftp is extremely pervasive, there is no reason to > use traditional ftp these days. I'd expect that many distribution scripts load it anyway, and IMO the point of this config option is to support basic distribution scripts without going through all the options manually. There must be someone on this list not running Debian or Ubuntu :) Could some RH/Fedora/Suse user please post the output of lsmod on his system? ^ permalink raw reply [flat|nested] 24+ messages in thread
* Re: CONFIG_NETFILTER_ADVANCED
@ 2007-11-18 6:05 Al Boldi
0 siblings, 0 replies; 24+ messages in thread
From: Al Boldi @ 2007-11-18 6:05 UTC (permalink / raw)
To: netfilter-devel
Patrick McHardy wrote:
> Well, the point of the avanced option is to handle *advanced*
> cases, so we don't need to cover manual adjustments (including
> things like shorewall which are usually installed manually). The
> default cases for people not having touched their *firewall*
> configuration is enough. I wasn't able to find the SuSE-script,
> but from a screenshot I could see that they do optionally handle
> IPsec. So what I'm saying is that we should include f.i. the policy
> match, and all other modules needed without manually attending
> to the firewall, but nothing more.
>
> IOW, its for people like Linus, presumably not touching their
> default configuration, but unwilling to go through the 50+
> options to decide themselves.
>
> For people who want to compile-test them all (like me), we
> still can have a CONFIG_NETFILTER_ALL option hidden under
> CONFIG_NETFILTER_ADVANCED for simplicity, but that is a
> different topic.
CONFIG_NETFILTER_ALL sounds great. So why not have CONFIG_NETFILTER_MIN for
a minimal setup, which would only select:
targets: NOTRACK, MASQ, REJECT, LOG
matches: state, mport
Then let the user select any additional modules, like IPsec/policy or
FTP/helpers.
Thanks!
--
Al
^ permalink raw reply [flat|nested] 24+ messages in threadend of thread, other threads:[~2007-11-27 16:34 UTC | newest] Thread overview: 24+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2007-11-16 0:01 CONFIG_NETFILTER_ADVANCED David Miller 2007-11-16 0:06 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 2007-11-16 0:41 ` CONFIG_NETFILTER_ADVANCED Jan Engelhardt 2007-11-16 10:10 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 2007-11-16 10:12 ` CONFIG_NETFILTER_ADVANCED David Miller 2007-11-16 12:19 ` CONFIG_NETFILTER_ADVANCED Jan Engelhardt 2007-11-16 12:44 ` CONFIG_NETFILTER_ADVANCED David Miller 2007-11-16 12:49 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 2007-11-16 15:35 ` CONFIG_NETFILTER_ADVANCED Phil Oester 2007-11-16 15:47 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 2007-11-16 23:29 ` CONFIG_NETFILTER_ADVANCED Amos Jeffries 2007-11-17 0:13 ` CONFIG_NETFILTER_ADVANCED Tom Eastep 2007-11-17 16:08 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 2007-11-17 21:19 ` CONFIG_NETFILTER_ADVANCED Jan Engelhardt 2007-11-18 2:19 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 2007-11-18 9:35 ` CONFIG_NETFILTER_ADVANCED Jan Engelhardt 2007-11-18 13:21 ` CONFIG_NETFILTER_ADVANCED Jozsef Kadlecsik 2007-11-18 21:40 ` CONFIG_NETFILTER_ADVANCED David Miller 2007-11-27 16:34 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy 2007-11-17 0:19 ` CONFIG_NETFILTER_ADVANCED David Miller 2007-11-17 8:48 ` CONFIG_NETFILTER_ADVANCED Benny Amorsen 2007-11-17 15:29 ` CONFIG_NETFILTER_ADVANCED Pascal Hambourg 2007-11-17 16:14 ` CONFIG_NETFILTER_ADVANCED Patrick McHardy -- strict thread matches above, loose matches on Subject: below -- 2007-11-18 6:05 CONFIG_NETFILTER_ADVANCED Al Boldi
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for NNTP newsgroup(s).