Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 33b8e776 authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller
Browse files

[NETFILTER]: Add CONFIG_NETFILTER_ADVANCED option 



The NETFILTER_ADVANCED option hides lots of the rather obscure netfilter
options when disabled and provides defaults (M) that should allow to
run a distribution firewall without further thinking.

Defaults to 'y' to avoid breaking current configurations.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 34498825

net/Kconfig

+12 −0
Original line number Original line Diff line number Diff line
@@ -144,9 +144,21 @@ config NETFILTER_DEBUG 
	  You can say Y here if you want to get additional messages useful in

	  You can say Y here if you want to get additional messages useful in

	  debugging the netfilter code.

	  debugging the netfilter code.





config NETFILTER_ADVANCED

	bool "Advanced netfilter configuration"

	depends on NETFILTER

	default y

	help

	  If you say Y here you can select between all the netfilter modules.

	  If you say N the more ununsual ones will not be shown and the

	  basic ones needed by most people will default to 'M'.



	  If unsure, say Y.



config BRIDGE_NETFILTER

config BRIDGE_NETFILTER

	bool "Bridged IP/ARP packets filtering"

	bool "Bridged IP/ARP packets filtering"

	depends on BRIDGE && NETFILTER && INET

	depends on BRIDGE && NETFILTER && INET

	depends on NETFILTER_ADVANCED

	default y

	default y

	---help---

	---help---

	  Enabling this option will let arptables resp. iptables see bridged

	  Enabling this option will let arptables resp. iptables see bridged

net/bridge/netfilter/Kconfig

+1 −1
Original line number Original line Diff line number Diff line
@@ -3,7 +3,7 @@ 
#

#





menu "Bridge: Netfilter Configuration"

menu "Bridge: Netfilter Configuration"

	depends on BRIDGE && NETFILTER

	depends on BRIDGE && BRIDGE_NETFILTER





config BRIDGE_NF_EBTABLES

config BRIDGE_NF_EBTABLES

	tristate "Ethernet Bridge tables (ebtables) support"

	tristate "Ethernet Bridge tables (ebtables) support"

net/decnet/netfilter/Kconfig

+1 −0
Original line number Original line Diff line number Diff line
@@ -4,6 +4,7 @@ 




menu "DECnet: Netfilter Configuration"

menu "DECnet: Netfilter Configuration"

	depends on DECNET && NETFILTER && EXPERIMENTAL

	depends on DECNET && NETFILTER && EXPERIMENTAL

	depends on NETFILTER_ADVANCED





config DECNET_NF_GRABULATOR

config DECNET_NF_GRABULATOR

	tristate "Routing message grabulator (for userland routing daemon)"

	tristate "Routing message grabulator (for userland routing daemon)"

net/ipv4/netfilter/Kconfig

+25 −1
Original line number Original line Diff line number Diff line
@@ -8,6 +8,7 @@ menu "IP: Netfilter Configuration" 
config NF_CONNTRACK_IPV4

config NF_CONNTRACK_IPV4

	tristate "IPv4 connection tracking support (required for NAT)"

	tristate "IPv4 connection tracking support (required for NAT)"

	depends on NF_CONNTRACK

	depends on NF_CONNTRACK

	default m if NETFILTER_ADVANCED=n

	---help---

	---help---

	  Connection tracking keeps a record of what packets have passed

	  Connection tracking keeps a record of what packets have passed

	  through your machine, in order to figure out how they are related

	  through your machine, in order to figure out how they are related
@@ -32,6 +33,7 @@ config NF_CONNTRACK_PROC_COMPAT 




config IP_NF_QUEUE

config IP_NF_QUEUE

	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"

	tristate "IP Userspace queueing via NETLINK (OBSOLETE)"

	depends on NETFILTER_ADVANCED

	help

	help

	  Netfilter has the ability to queue packets to user space: the

	  Netfilter has the ability to queue packets to user space: the

	  netlink device can be used to access them using this driver.

	  netlink device can be used to access them using this driver.
@@ -44,6 +46,7 @@ config IP_NF_QUEUE 




config IP_NF_IPTABLES

config IP_NF_IPTABLES

	tristate "IP tables support (required for filtering/masq/NAT)"

	tristate "IP tables support (required for filtering/masq/NAT)"

	default m if NETFILTER_ADVANCED=n

	select NETFILTER_XTABLES

	select NETFILTER_XTABLES

	help

	help

	  iptables is a general, extensible packet identification framework.

	  iptables is a general, extensible packet identification framework.
@@ -57,6 +60,7 @@ config IP_NF_IPTABLES 
config IP_NF_MATCH_IPRANGE

config IP_NF_MATCH_IPRANGE

	tristate '"iprange" match support'

	tristate '"iprange" match support'

	depends on IP_NF_IPTABLES

	depends on IP_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This option makes possible to match IP addresses against IP address

	  This option makes possible to match IP addresses against IP address

	  ranges.

	  ranges.
@@ -66,6 +70,7 @@ config IP_NF_MATCH_IPRANGE 
config IP_NF_MATCH_RECENT

config IP_NF_MATCH_RECENT

	tristate '"recent" match support'

	tristate '"recent" match support'

	depends on IP_NF_IPTABLES

	depends on IP_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This match is used for creating one or many lists of recently

	  This match is used for creating one or many lists of recently

	  used addresses and then matching against that/those list(s).

	  used addresses and then matching against that/those list(s).
@@ -78,6 +83,7 @@ config IP_NF_MATCH_RECENT 
config IP_NF_MATCH_ECN

config IP_NF_MATCH_ECN

	tristate '"ecn" match support'

	tristate '"ecn" match support'

	depends on IP_NF_IPTABLES

	depends on IP_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This option adds a `ECN' match, which allows you to match against

	  This option adds a `ECN' match, which allows you to match against

	  the IPv4 and TCP header ECN fields.

	  the IPv4 and TCP header ECN fields.
@@ -87,6 +93,7 @@ config IP_NF_MATCH_ECN 
config IP_NF_MATCH_AH

config IP_NF_MATCH_AH

	tristate '"ah" match support'

	tristate '"ah" match support'

	depends on IP_NF_IPTABLES

	depends on IP_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This match extension allows you to match a range of SPIs

	  This match extension allows you to match a range of SPIs

	  inside AH header of IPSec packets.

	  inside AH header of IPSec packets.
@@ -96,6 +103,7 @@ config IP_NF_MATCH_AH 
config IP_NF_MATCH_TTL

config IP_NF_MATCH_TTL

	tristate '"ttl" match support'

	tristate '"ttl" match support'

	depends on IP_NF_IPTABLES

	depends on IP_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user

	  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user

	  to match packets by their TTL value.

	  to match packets by their TTL value.
@@ -105,6 +113,7 @@ config IP_NF_MATCH_TTL 
config IP_NF_MATCH_ADDRTYPE

config IP_NF_MATCH_ADDRTYPE

	tristate '"addrtype" address type match support'

	tristate '"addrtype" address type match support'

	depends on IP_NF_IPTABLES

	depends on IP_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This option allows you to match what routing thinks of an address,

	  This option allows you to match what routing thinks of an address,

	  eg. UNICAST, LOCAL, BROADCAST, ...

	  eg. UNICAST, LOCAL, BROADCAST, ...
@@ -116,6 +125,7 @@ config IP_NF_MATCH_ADDRTYPE 
config IP_NF_FILTER

config IP_NF_FILTER

	tristate "Packet filtering"

	tristate "Packet filtering"

	depends on IP_NF_IPTABLES

	depends on IP_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	help

	help

	  Packet filtering defines a table `filter', which has a series of

	  Packet filtering defines a table `filter', which has a series of

	  rules for simple packet filtering at local input, forwarding and

	  rules for simple packet filtering at local input, forwarding and
@@ -126,6 +136,7 @@ config IP_NF_FILTER 
config IP_NF_TARGET_REJECT

config IP_NF_TARGET_REJECT

	tristate "REJECT target support"

	tristate "REJECT target support"

	depends on IP_NF_FILTER

	depends on IP_NF_FILTER

	default m if NETFILTER_ADVANCED=n

	help

	help

	  The REJECT target allows a filtering rule to specify that an ICMP

	  The REJECT target allows a filtering rule to specify that an ICMP

	  error should be issued in response to an incoming packet, rather

	  error should be issued in response to an incoming packet, rather
@@ -136,6 +147,7 @@ config IP_NF_TARGET_REJECT 
config IP_NF_TARGET_LOG

config IP_NF_TARGET_LOG

	tristate "LOG target support"

	tristate "LOG target support"

	depends on IP_NF_IPTABLES

	depends on IP_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	help

	help

	  This option adds a `LOG' target, which allows you to create rules in

	  This option adds a `LOG' target, which allows you to create rules in

	  any iptables table which records the packet header to the syslog.

	  any iptables table which records the packet header to the syslog.
@@ -145,6 +157,7 @@ config IP_NF_TARGET_LOG 
config IP_NF_TARGET_ULOG

config IP_NF_TARGET_ULOG

	tristate "ULOG target support"

	tristate "ULOG target support"

	depends on IP_NF_IPTABLES

	depends on IP_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	---help---

	---help---





	  This option enables the old IPv4-only "ipt_ULOG" implementation

	  This option enables the old IPv4-only "ipt_ULOG" implementation
@@ -165,6 +178,7 @@ config IP_NF_TARGET_ULOG 
config NF_NAT

config NF_NAT

	tristate "Full NAT"

	tristate "Full NAT"

	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4

	depends on IP_NF_IPTABLES && NF_CONNTRACK_IPV4

	default m if NETFILTER_ADVANCED=n

	help

	help

	  The Full NAT option allows masquerading, port forwarding and other

	  The Full NAT option allows masquerading, port forwarding and other

	  forms of full Network Address Port Translation.  It is controlled by

	  forms of full Network Address Port Translation.  It is controlled by
@@ -180,6 +194,7 @@ config NF_NAT_NEEDED 
config IP_NF_TARGET_MASQUERADE

config IP_NF_TARGET_MASQUERADE

	tristate "MASQUERADE target support"

	tristate "MASQUERADE target support"

	depends on NF_NAT

	depends on NF_NAT

	default m if NETFILTER_ADVANCED=n

	help

	help

	  Masquerading is a special case of NAT: all outgoing connections are

	  Masquerading is a special case of NAT: all outgoing connections are

	  changed to seem to come from a particular interface's address, and

	  changed to seem to come from a particular interface's address, and
@@ -192,6 +207,7 @@ config IP_NF_TARGET_MASQUERADE 
config IP_NF_TARGET_REDIRECT

config IP_NF_TARGET_REDIRECT

	tristate "REDIRECT target support"

	tristate "REDIRECT target support"

	depends on NF_NAT

	depends on NF_NAT

	depends on NETFILTER_ADVANCED

	help

	help

	  REDIRECT is a special case of NAT: all incoming connections are

	  REDIRECT is a special case of NAT: all incoming connections are

	  mapped onto the incoming interface's address, causing the packets to

	  mapped onto the incoming interface's address, causing the packets to
@@ -203,6 +219,7 @@ config IP_NF_TARGET_REDIRECT 
config IP_NF_TARGET_NETMAP

config IP_NF_TARGET_NETMAP

	tristate "NETMAP target support"

	tristate "NETMAP target support"

	depends on NF_NAT

	depends on NF_NAT

	depends on NETFILTER_ADVANCED

	help

	help

	  NETMAP is an implementation of static 1:1 NAT mapping of network

	  NETMAP is an implementation of static 1:1 NAT mapping of network

	  addresses. It maps the network address part, while keeping the host

	  addresses. It maps the network address part, while keeping the host
@@ -214,6 +231,7 @@ config IP_NF_TARGET_NETMAP 
config NF_NAT_SNMP_BASIC

config NF_NAT_SNMP_BASIC

	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"

	tristate "Basic SNMP-ALG support (EXPERIMENTAL)"

	depends on EXPERIMENTAL && NF_NAT

	depends on EXPERIMENTAL && NF_NAT

	depends on NETFILTER_ADVANCED

	---help---

	---help---





	  This module implements an Application Layer Gateway (ALG) for

	  This module implements an Application Layer Gateway (ALG) for
@@ -277,6 +295,7 @@ config NF_NAT_SIP 
config IP_NF_MANGLE

config IP_NF_MANGLE

	tristate "Packet mangling"

	tristate "Packet mangling"

	depends on IP_NF_IPTABLES

	depends on IP_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	help

	help

	  This option adds a `mangle' table to iptables: see the man page for

	  This option adds a `mangle' table to iptables: see the man page for

	  iptables(8).  This table is used for various packet alterations

	  iptables(8).  This table is used for various packet alterations
@@ -287,6 +306,7 @@ config IP_NF_MANGLE 
config IP_NF_TARGET_ECN

config IP_NF_TARGET_ECN

	tristate "ECN target support"

	tristate "ECN target support"

	depends on IP_NF_MANGLE

	depends on IP_NF_MANGLE

	depends on NETFILTER_ADVANCED

	---help---

	---help---

	  This option adds a `ECN' target, which can be used in the iptables mangle

	  This option adds a `ECN' target, which can be used in the iptables mangle

	  table.  

	  table.
@@ -301,6 +321,7 @@ config IP_NF_TARGET_ECN 
config IP_NF_TARGET_TTL

config IP_NF_TARGET_TTL

	tristate  'TTL target support'

	tristate  'TTL target support'

	depends on IP_NF_MANGLE

	depends on IP_NF_MANGLE

	depends on NETFILTER_ADVANCED

	help

	help

	  This option adds a `TTL' target, which enables the user to modify

	  This option adds a `TTL' target, which enables the user to modify

	  the TTL value of the IP header.

	  the TTL value of the IP header.
@@ -316,6 +337,7 @@ config IP_NF_TARGET_CLUSTERIP 
	tristate "CLUSTERIP target support (EXPERIMENTAL)"

	tristate "CLUSTERIP target support (EXPERIMENTAL)"

	depends on IP_NF_MANGLE && EXPERIMENTAL

	depends on IP_NF_MANGLE && EXPERIMENTAL

	depends on NF_CONNTRACK_IPV4

	depends on NF_CONNTRACK_IPV4

	depends on NETFILTER_ADVANCED

	select NF_CONNTRACK_MARK

	select NF_CONNTRACK_MARK

	help

	help

	  The CLUSTERIP target allows you to build load-balancing clusters of

	  The CLUSTERIP target allows you to build load-balancing clusters of
@@ -328,6 +350,7 @@ config IP_NF_TARGET_CLUSTERIP 
config IP_NF_RAW

config IP_NF_RAW

	tristate  'raw table support (required for NOTRACK/TRACE)'

	tristate  'raw table support (required for NOTRACK/TRACE)'

	depends on IP_NF_IPTABLES

	depends on IP_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This option adds a `raw' table to iptables. This table is the very

	  This option adds a `raw' table to iptables. This table is the very

	  first in the netfilter framework and hooks in at the PREROUTING

	  first in the netfilter framework and hooks in at the PREROUTING
@@ -340,6 +363,7 @@ config IP_NF_RAW 
config IP_NF_ARPTABLES

config IP_NF_ARPTABLES

	tristate "ARP tables support"

	tristate "ARP tables support"

	select NETFILTER_XTABLES

	select NETFILTER_XTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  arptables is a general, extensible packet identification framework.

	  arptables is a general, extensible packet identification framework.

	  The ARP packet filtering and mangling (manipulation)subsystems

	  The ARP packet filtering and mangling (manipulation)subsystems

net/ipv6/netfilter/Kconfig

+20 −3
Original line number Original line Diff line number Diff line
@@ -8,6 +8,7 @@ menu "IPv6: Netfilter Configuration (EXPERIMENTAL)" 
config NF_CONNTRACK_IPV6

config NF_CONNTRACK_IPV6

	tristate "IPv6 connection tracking support (EXPERIMENTAL)"

	tristate "IPv6 connection tracking support (EXPERIMENTAL)"

	depends on INET && IPV6 && EXPERIMENTAL && NF_CONNTRACK

	depends on INET && IPV6 && EXPERIMENTAL && NF_CONNTRACK

	default m if NETFILTER_ADVANCED=n

	---help---

	---help---

	  Connection tracking keeps a record of what packets have passed

	  Connection tracking keeps a record of what packets have passed

	  through your machine, in order to figure out how they are related

	  through your machine, in order to figure out how they are related
@@ -22,6 +23,7 @@ config NF_CONNTRACK_IPV6 
config IP6_NF_QUEUE

config IP6_NF_QUEUE

	tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"

	tristate "IP6 Userspace queueing via NETLINK (OBSOLETE)"

	depends on INET && IPV6 && NETFILTER && EXPERIMENTAL

	depends on INET && IPV6 && NETFILTER && EXPERIMENTAL

	depends on NETFILTER_ADVANCED

	---help---

	---help---





	  This option adds a queue handler to the kernel for IPv6

	  This option adds a queue handler to the kernel for IPv6
@@ -44,6 +46,7 @@ config IP6_NF_IPTABLES 
	tristate "IP6 tables support (required for filtering)"

	tristate "IP6 tables support (required for filtering)"

	depends on INET && IPV6 && EXPERIMENTAL

	depends on INET && IPV6 && EXPERIMENTAL

	select NETFILTER_XTABLES

	select NETFILTER_XTABLES

	default m if NETFILTER_ADVANCED=n

	help

	help

	  ip6tables is a general, extensible packet identification framework.

	  ip6tables is a general, extensible packet identification framework.

	  Currently only the packet filtering and packet mangling subsystem

	  Currently only the packet filtering and packet mangling subsystem
@@ -56,6 +59,7 @@ config IP6_NF_IPTABLES 
config IP6_NF_MATCH_RT

config IP6_NF_MATCH_RT

	tristate '"rt" Routing header match support'

	tristate '"rt" Routing header match support'

	depends on IP6_NF_IPTABLES

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  rt matching allows you to match packets based on the routing

	  rt matching allows you to match packets based on the routing

	  header of the packet.

	  header of the packet.
@@ -65,6 +69,7 @@ config IP6_NF_MATCH_RT 
config IP6_NF_MATCH_OPTS

config IP6_NF_MATCH_OPTS

	tristate '"hopbyhop" and "dst" opts header match support'

	tristate '"hopbyhop" and "dst" opts header match support'

	depends on IP6_NF_IPTABLES

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This allows one to match packets based on the hop-by-hop

	  This allows one to match packets based on the hop-by-hop

	  and destination options headers of a packet.

	  and destination options headers of a packet.
@@ -74,6 +79,7 @@ config IP6_NF_MATCH_OPTS 
config IP6_NF_MATCH_FRAG

config IP6_NF_MATCH_FRAG

	tristate '"frag" Fragmentation header match support'

	tristate '"frag" Fragmentation header match support'

	depends on IP6_NF_IPTABLES

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  frag matching allows you to match packets based on the fragmentation

	  frag matching allows you to match packets based on the fragmentation

	  header of the packet.

	  header of the packet.
@@ -83,6 +89,7 @@ config IP6_NF_MATCH_FRAG 
config IP6_NF_MATCH_HL

config IP6_NF_MATCH_HL

	tristate '"hl" match support'

	tristate '"hl" match support'

	depends on IP6_NF_IPTABLES

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  HL matching allows you to match packets based on the hop

	  HL matching allows you to match packets based on the hop

	  limit of the packet.

	  limit of the packet.
@@ -92,6 +99,7 @@ config IP6_NF_MATCH_HL 
config IP6_NF_MATCH_IPV6HEADER

config IP6_NF_MATCH_IPV6HEADER

	tristate '"ipv6header" IPv6 Extension Headers Match'

	tristate '"ipv6header" IPv6 Extension Headers Match'

	depends on IP6_NF_IPTABLES

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This module allows one to match packets based upon

	  This module allows one to match packets based upon

	  the ipv6 extension headers.

	  the ipv6 extension headers.
@@ -101,6 +109,7 @@ config IP6_NF_MATCH_IPV6HEADER 
config IP6_NF_MATCH_AH

config IP6_NF_MATCH_AH

	tristate '"ah" match support'

	tristate '"ah" match support'

	depends on IP6_NF_IPTABLES

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This module allows one to match AH packets.

	  This module allows one to match AH packets.
@@ -109,6 +118,7 @@ config IP6_NF_MATCH_AH 
config IP6_NF_MATCH_MH

config IP6_NF_MATCH_MH

	tristate '"mh" match support'

	tristate '"mh" match support'

	depends on IP6_NF_IPTABLES

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This module allows one to match MH packets.

	  This module allows one to match MH packets.
@@ -117,6 +127,7 @@ config IP6_NF_MATCH_MH 
config IP6_NF_MATCH_EUI64

config IP6_NF_MATCH_EUI64

	tristate '"eui64" address check'

	tristate '"eui64" address check'

	depends on IP6_NF_IPTABLES

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This module performs checking on the IPv6 source address

	  This module performs checking on the IPv6 source address

	  Compares the last 64 bits with the EUI64 (delivered

	  Compares the last 64 bits with the EUI64 (delivered
@@ -128,6 +139,7 @@ config IP6_NF_MATCH_EUI64 
config IP6_NF_FILTER

config IP6_NF_FILTER

	tristate "Packet filtering"

	tristate "Packet filtering"

	depends on IP6_NF_IPTABLES

	depends on IP6_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	help

	help

	  Packet filtering defines a table `filter', which has a series of

	  Packet filtering defines a table `filter', which has a series of

	  rules for simple packet filtering at local input, forwarding and

	  rules for simple packet filtering at local input, forwarding and
@@ -138,6 +150,7 @@ config IP6_NF_FILTER 
config IP6_NF_TARGET_LOG

config IP6_NF_TARGET_LOG

	tristate "LOG target support"

	tristate "LOG target support"

	depends on IP6_NF_FILTER

	depends on IP6_NF_FILTER

	default m if NETFILTER_ADVANCED=n

	help

	help

	  This option adds a `LOG' target, which allows you to create rules in

	  This option adds a `LOG' target, which allows you to create rules in

	  any iptables table which records the packet header to the syslog.

	  any iptables table which records the packet header to the syslog.
@@ -147,6 +160,7 @@ config IP6_NF_TARGET_LOG 
config IP6_NF_TARGET_REJECT

config IP6_NF_TARGET_REJECT

	tristate "REJECT target support"

	tristate "REJECT target support"

	depends on IP6_NF_FILTER

	depends on IP6_NF_FILTER

	default m if NETFILTER_ADVANCED=n

	help

	help

	  The REJECT target allows a filtering rule to specify that an ICMPv6

	  The REJECT target allows a filtering rule to specify that an ICMPv6

	  error should be issued in response to an incoming packet, rather

	  error should be issued in response to an incoming packet, rather
@@ -157,6 +171,7 @@ config IP6_NF_TARGET_REJECT 
config IP6_NF_MANGLE

config IP6_NF_MANGLE

	tristate "Packet mangling"

	tristate "Packet mangling"

	depends on IP6_NF_IPTABLES

	depends on IP6_NF_IPTABLES

	default m if NETFILTER_ADVANCED=n

	help

	help

	  This option adds a `mangle' table to iptables: see the man page for

	  This option adds a `mangle' table to iptables: see the man page for

	  iptables(8).  This table is used for various packet alterations

	  iptables(8).  This table is used for various packet alterations
@@ -167,6 +182,7 @@ config IP6_NF_MANGLE 
config IP6_NF_TARGET_HL

config IP6_NF_TARGET_HL

	tristate  'HL (hoplimit) target support'

	tristate  'HL (hoplimit) target support'

	depends on IP6_NF_MANGLE

	depends on IP6_NF_MANGLE

	depends on NETFILTER_ADVANCED

	help

	help

	  This option adds a `HL' target, which enables the user to decrement

	  This option adds a `HL' target, which enables the user to decrement

	  the hoplimit value of the IPv6 header or set it to a given (lower)

	  the hoplimit value of the IPv6 header or set it to a given (lower)
@@ -183,6 +199,7 @@ config IP6_NF_TARGET_HL 
config IP6_NF_RAW

config IP6_NF_RAW

	tristate  'raw table support (required for TRACE)'

	tristate  'raw table support (required for TRACE)'

	depends on IP6_NF_IPTABLES

	depends on IP6_NF_IPTABLES

	depends on NETFILTER_ADVANCED

	help

	help

	  This option adds a `raw' table to ip6tables. This table is the very

	  This option adds a `raw' table to ip6tables. This table is the very

	  first in the netfilter framework and hooks in at the PREROUTING

	  first in the netfilter framework and hooks in at the PREROUTING