From: Tomas Szepe <szepe@pinerecords.com>
To: davem@redhat.com, netfilter-devel@lists.netfilter.org
Cc: lkml <linux-kernel@vger.kernel.org>
Subject: [TRIVIAL] place IPv4 netfilter submenu where it belongs
Date: Sat, 26 Jul 2003 22:06:46 +0200
Message-ID: <20030726200646.GF16160@louise.pinerecords.com>
$subj
Patch against -bk3.
--
Tomas Szepe <szepe@pinerecords.com>
diff -urN a/net/Kconfig b/net/Kconfig
--- a/net/Kconfig 2003-05-27 08:06:58.000000000 +0200
+++ b/net/Kconfig 2003-07-26 21:45:02.000000000 +0200
@@ -58,66 +58,6 @@
the real netlink socket.
This is a backward compatibility option, choose Y for now.
-config NETFILTER
- bool "Network packet filtering (replaces ipchains)"
- ---help---
- Netfilter is a framework for filtering and mangling network packets
- that pass through your Linux box.
-
- The most common use of packet filtering is to run your Linux box as
- a firewall protecting a local network from the Internet. The type of
- firewall provided by this kernel support is called a "packet
- filter", which means that it can reject individual network packets
- based on type, source, destination etc. The other kind of firewall,
- a "proxy-based" one, is more secure but more intrusive and more
- bothersome to set up; it inspects the network traffic much more
- closely, modifies it and has knowledge about the higher level
- protocols, which a packet filter lacks. Moreover, proxy-based
- firewalls often require changes to the programs running on the local
- clients. Proxy-based firewalls don't need support by the kernel, but
- they are often combined with a packet filter, which only works if
- you say Y here.
-
- You should also say Y here if you intend to use your Linux box as
- the gateway to the Internet for a local network of machines without
- globally valid IP addresses. This is called "masquerading": if one
- of the computers on your local network wants to send something to
- the outside, your box can "masquerade" as that computer, i.e. it
- forwards the traffic to the intended outside destination, but
- modifies the packets to make it look like they came from the
- firewall box itself. It works both ways: if the outside host
- replies, the Linux box will silently forward the traffic to the
- correct local computer. This way, the computers on your local net
- are completely invisible to the outside world, even though they can
- reach the outside and can receive replies. It is even possible to
- run globally visible servers from within a masqueraded local network
- using a mechanism called portforwarding. Masquerading is also often
- called NAT (Network Address Translation).
-
- Another use of Netfilter is in transparent proxying: if a machine on
- the local network tries to connect to an outside host, your Linux
- box can transparently forward the traffic to a local server,
- typically a caching proxy server.
-
- Various modules exist for netfilter which replace the previous
- masquerading (ipmasqadm), packet filtering (ipchains), transparent
- proxying, and portforwarding mechanisms. Please see
- <file:Documentation/Changes> under "iptables" for the location of
- these packages.
-
- Make sure to say N to "Fast switching" below if you intend to say Y
- here, as Fast switching currently bypasses netfilter.
-
- Chances are that you should say Y here if you compile a kernel which
- will run as a router and N for regular hosts. If unsure, say N.
-
-config NETFILTER_DEBUG
- bool "Network packet filtering debugging"
- depends on NETFILTER
- help
- You can say Y here if you want to get additional messages useful in
- debugging the netfilter code.
-
config UNIX
tristate "Unix domain sockets"
---help---
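Review bot: removing `config NETFILTER` from net/Kconfig leaves the symbol defined only in an IPv4-specific file, although its own help text describes it as "a framework for filtering and mangling network packets" with no IPv4 restriction. If anything outside net/ipv4 depends on NETFILTER, it would now be selectable only with INET enabled. Consider keeping the symbol definition here and changing only where the submenu appears, or state in the changelog that there are no non-IPv4 users.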
diff -urN a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
--- a/net/ipv4/netfilter/Kconfig 2003-07-10 23:30:37.000000000 +0200
+++ b/net/ipv4/netfilter/Kconfig 2003-07-26 21:48:25.000000000 +0200
@@ -2,8 +2,69 @@
# IP netfilter configuration
#
+config NETFILTER
+ bool "Network packet filtering (replaces ipchains)"
+ depends on INET
+ ---help---
+ Netfilter is a framework for filtering and mangling network packets
+ that pass through your Linux box.
+
+ The most common use of packet filtering is to run your Linux box as
+ a firewall protecting a local network from the Internet. The type of
+ firewall provided by this kernel support is called a "packet
+ filter", which means that it can reject individual network packets
+ based on type, source, destination etc. The other kind of firewall,
+ a "proxy-based" one, is more secure but more intrusive and more
+ bothersome to set up; it inspects the network traffic much more
+ closely, modifies it and has knowledge about the higher level
+ protocols, which a packet filter lacks. Moreover, proxy-based
+ firewalls often require changes to the programs running on the local
+ clients. Proxy-based firewalls don't need support by the kernel, but
+ they are often combined with a packet filter, which only works if
+ you say Y here.
+
+ You should also say Y here if you intend to use your Linux box as
+ the gateway to the Internet for a local network of machines without
+ globally valid IP addresses. This is called "masquerading": if one
+ of the computers on your local network wants to send something to
+ the outside, your box can "masquerade" as that computer, i.e. it
+ forwards the traffic to the intended outside destination, but
+ modifies the packets to make it look like they came from the
+ firewall box itself. It works both ways: if the outside host
+ replies, the Linux box will silently forward the traffic to the
+ correct local computer. This way, the computers on your local net
+ are completely invisible to the outside world, even though they can
+ reach the outside and can receive replies. It is even possible to
+ run globally visible servers from within a masqueraded local network
+ using a mechanism called portforwarding. Masquerading is also often
+ called NAT (Network Address Translation).
+
+ Another use of Netfilter is in transparent proxying: if a machine on
+ the local network tries to connect to an outside host, your Linux
+ box can transparently forward the traffic to a local server,
+ typically a caching proxy server.
+
+ Various modules exist for netfilter which replace the previous
+ masquerading (ipmasqadm), packet filtering (ipchains), transparent
+ proxying, and portforwarding mechanisms. Please see
+ <file:Documentation/Changes> under "iptables" for the location of
+ these packages.
+
+ Make sure to say N to "Fast switching" below if you intend to say Y
+ here, as Fast switching currently bypasses netfilter.
+
+ Chances are that you should say Y here if you compile a kernel which
+ will run as a router and N for regular hosts. If unsure, say N.
+
menu "IP: Netfilter Configuration"
- depends on INET && NETFILTER
+ depends on NETFILTER
+
+config NETFILTER_DEBUG
+ bool "Network packet filtering debugging"
+ help
+ You can say Y here if you want to get additional messages useful in
+ debugging the netfilter code.
+
config IP_NF_CONNTRACK
tristate "Connection tracking (required for masq/NAT)"
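Review bot: `config NETFILTER_DEBUG` loses its explicit `depends on NETFILTER` in the new location and relies on the enclosing `menu "IP: Netfilter Configuration"` for that dependency. Keeping the explicit line would preserve the dependency if the entry is moved again, and an option described as debugging "the netfilter code" would then not need to sit inside the IP-specific menu. Also check the relocated help text: it still tells the user to say N to "Fast switching" below, which holds only if that option still follows this entry in the new menu order.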
@@ -588,4 +649,3 @@
<file:Documentation/modules.txt>. If unsure, say `N'.
endmenu
-
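Review bot: the only change at the end of the file is dropping the empty line after `endmenu`, a whitespace cleanup unrelated to relocating the menu. It is harmless, but either mention it in the changelog or leave it out so the patch does only what the subject says.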