diff -Nur linux-3.7.3.orig/net/Kconfig linux-3.7.3/net/Kconfig
--- linux-3.7.3.orig/net/Kconfig 2013-01-17 17:47:40.000000000 +0100
+++ linux-3.7.3/net/Kconfig 2013-01-19 18:19:55.000000000 +0100
@@ -163,7 +163,7 @@
config NETFILTER_ADVANCED
bool "Advanced netfilter configuration"
depends on NETFILTER
- default y
+ default n
help
If you say Y here you can select between all the netfilter modules.
If you say N the more unusual ones will not be shown and the
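Review bot: the unchanged help text two lines below the `- default y` / `+ default n` pair still describes what saying N does ("If you say N the more unusual ones will not be shown and the ..."), but this same patch deletes every `default m if NETFILTER_ADVANCED=n` line in net/netfilter/Kconfig, so saying N no longer produces any default selection at all; the help text needs updating in the same change, and a description of the intent (a kernel with no netfilter functionality unless explicitly enabled) should accompany the patch, since none is visible here.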
@@ -175,7 +175,7 @@
bool "Bridged IP/ARP packets filtering"
depends on BRIDGE && NETFILTER && INET
depends on NETFILTER_ADVANCED
- default y
+ default n
---help---
Enabling this option will let arptables resp. iptables see bridged
ARP resp. IP traffic. If you want a bridging firewall, you probably
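Review bot: `+ default n` is redundant in Kconfig, where a symbol with no `default` line already evaluates to n; drop the line instead of replacing it, which also matches how the net/netfilter/Kconfig hunks in this patch handle their defaults. Note too that this option `depends on NETFILTER_ADVANCED`, which the previous hunk flips to n, so on a default kernel bridged IP/ARP traffic is no longer seen by iptables or arptables at all; the bridging-firewall case named in the help text now requires both symbols to be enabled explicitly, and the change description should say so.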
diff -Nur linux-3.7.3.orig/net/netfilter/Kconfig linux-3.7.3/net/netfilter/Kconfig
--- linux-3.7.3.orig/net/netfilter/Kconfig 2013-01-17 17:47:40.000000000 +0100
+++ linux-3.7.3/net/netfilter/Kconfig 2013-01-19 18:21:41.000000000 +0100
@@ -22,7 +22,6 @@
config NETFILTER_NETLINK_LOG
tristate "Netfilter LOG over NFNETLINK interface"
- default m if NETFILTER_ADVANCED=n
select NETFILTER_NETLINK
help
If this option is enabled, the kernel will include support
@@ -34,7 +33,6 @@
config NF_CONNTRACK
tristate "Netfilter connection tracking support"
- default m if NETFILTER_ADVANCED=n
help
Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
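Review bot: dropping the default for NF_CONNTRACK disables stateful filtering in a default configuration, and the two match modules that make it usable, NETFILTER_XT_MATCH_CONNTRACK and NETFILTER_XT_MATCH_STATE, both `depends on NF_CONNTRACK` (see the later hunks in this file), so they become unselectable as well; an existing ruleset that matches on connection state will fail to load on such a kernel. This is consistent with the rest of the patch, but it is the largest functional change in it and should be stated explicitly in the description rather than left implicit in a one-line Kconfig removal.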
@@ -60,7 +58,6 @@
config NF_CONNTRACK_SECMARK
bool 'Connection tracking security mark support'
depends on NETWORK_SECMARK
- default m if NETFILTER_ADVANCED=n
help
This option enables security markings to be applied to
connections. Typically they are copied to connections from
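Review bot: the removed line is a `default m` on a `bool` symbol; Kconfig promotes m to y for bool symbols, so the effective old default was y, and any description of what is lost here should say "default y", not "default m". Since NETFILTER_XT_TARGET_CONNSECMARK `depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK` and NETFILTER_XT_TARGET_SECMARK `depends on NETWORK_SECMARK` (later hunks, both also losing their defaults), a security module policy that labels connections through secmark receives no labels on a default kernel once this lands; that deserves a sentence for users of NETWORK_SECMARK.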
@@ -177,7 +174,6 @@
config NF_CONNTRACK_FTP
tristate "FTP protocol support"
- default m if NETFILTER_ADVANCED=n
help
Tracking FTP connections is problematic: special helpers are
required for tracking them, and doing masquerading and other forms
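Review bot: the hunk is fine as is, and the help text's own caveat ("Tracking FTP connections is problematic: special helpers are required") is a reasonable argument for not building protocol helpers by default, since each helper is a parser running in the kernel on untrusted traffic; the same reasoning applies to the IRC and SIP hunks that follow, and stating it once in the description would justify the three removals together.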
@@ -211,7 +207,6 @@
config NF_CONNTRACK_IRC
tristate "IRC protocol support"
- default m if NETFILTER_ADVANCED=n
help
There is a commonly-used extension to IRC called
Direct Client-to-Client Protocol (DCC). This enables users to send
@@ -296,7 +291,6 @@
config NF_CONNTRACK_SIP
tristate "SIP protocol support"
- default m if NETFILTER_ADVANCED=n
help
SIP is an application-layer control protocol that can establish,
modify, and terminate multimedia sessions (conferences) such as
@@ -320,7 +314,6 @@
config NF_CT_NETLINK
tristate 'Connection tracking netlink interface'
select NETFILTER_NETLINK
- default m if NETFILTER_ADVANCED=n
help
This option enables support for a netlink-based userspace interface
@@ -424,7 +417,6 @@
config NETFILTER_XTABLES
tristate "Netfilter Xtables support (required for ip_tables)"
- default m if NETFILTER_ADVANCED=n
help
This is required if you intend to use any of ip_tables,
ip6_tables or arp_tables.
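Review bot: with `default m if NETFILTER_ADVANCED=n` gone from NETFILTER_XTABLES, and NETFILTER_ADVANCED now defaulting to n in the net/Kconfig hunk, a default configuration has no Xtables core at all, and the prompt itself says it is "required for ip_tables"; the change description should make clear that this is the intended outcome (iptables unusable until the symbol is enabled) rather than an oversight, because a reviewer reading only this hunk cannot tell.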
@@ -435,7 +427,6 @@
config NETFILTER_XT_MARK
tristate 'nfmark target and match support'
- default m if NETFILTER_ADVANCED=n
---help---
This option adds the "MARK" target and "mark" match.
@@ -527,7 +518,6 @@
config NETFILTER_XT_TARGET_CONNSECMARK
tristate '"CONNSECMARK" target support'
depends on NF_CONNTRACK && NF_CONNTRACK_SECMARK
- default m if NETFILTER_ADVANCED=n
help
The CONNSECMARK target copies security markings from packets
to connections, and restores security markings from connections
@@ -632,7 +622,6 @@
config NETFILTER_XT_TARGET_LOG
tristate "LOG target support"
- default m if NETFILTER_ADVANCED=n
help
This option adds a `LOG' target, which allows you to create rules in
any iptables table which records the packet header to the syslog.
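Review bot: removing the default for the LOG target (and for NFLOG in the next hunk) means a default kernel can record matched packets neither to syslog nor over netlink; for anyone relying on firewall logs for detection this is a silent loss, since rules using these targets fail to load rather than simply logging nothing. Consistent with the patch's goal, but it belongs in the description alongside the conntrack change.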
@@ -660,7 +649,6 @@
config NETFILTER_XT_TARGET_NFLOG
tristate '"NFLOG" target support'
- default m if NETFILTER_ADVANCED=n
select NETFILTER_NETLINK_LOG
help
This option enables the NFLOG target, which allows to LOG
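Review bot: consistent with the removal of the default on NETFILTER_NETLINK_LOG earlier in this file: the retained `select NETFILTER_NETLINK_LOG` still pulls the netlink backend in whenever NFLOG is enabled, so nothing further needs to change for this pair of symbols.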
@@ -741,7 +729,6 @@
config NETFILTER_XT_TARGET_SECMARK
tristate '"SECMARK" target support'
depends on NETWORK_SECMARK
- default m if NETFILTER_ADVANCED=n
help
The SECMARK target allows security marking of network
packets, for use with security subsystems.
@@ -751,7 +738,6 @@
config NETFILTER_XT_TARGET_TCPMSS
tristate '"TCPMSS" target support'
depends on (IPV6 || IPV6=n)
- default m if NETFILTER_ADVANCED=n
---help---
This option adds a `TCPMSS' target, which allows you to alter the
MSS value of TCP SYN packets, to control the maximum size for that
@@ -856,7 +842,6 @@
config NETFILTER_XT_MATCH_CONNTRACK
tristate '"conntrack" connection tracking match support'
depends on NF_CONNTRACK
- default m if NETFILTER_ADVANCED=n
help
This is a general conntrack match module, a superset of the state match.
@@ -1063,7 +1048,6 @@
config NETFILTER_XT_MATCH_POLICY
tristate 'IPsec "policy" match support'
depends on XFRM
- default m if NETFILTER_ADVANCED=n
help
Policy matching allows you to match packets based on the
IPsec policy that was used during decapsulation/will
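Review bot: per the help text, the policy match is how a ruleset distinguishes packets that arrived through an IPsec policy from cleartext ones, so removing its default means a firewall that enforces "IPsec only" for a peer must enable NETFILTER_XT_MATCH_POLICY explicitly; acceptable under this patch's intent, but worth a mention, since `depends on XFRM` makes it easy to assume the match comes along with IPsec support.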
@@ -1170,7 +1154,6 @@
config NETFILTER_XT_MATCH_STATE
tristate '"state" match support'
depends on NF_CONNTRACK
- default m if NETFILTER_ADVANCED=n
help
Connection state matching allows you to match packets based on their
relationship to a tracked connection (ie. previous packets). This
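Review bot: consistent with the NF_CONNTRACK hunk above; because this symbol `depends on NF_CONNTRACK`, its default was already unreachable once that symbol lost its own default, so the removal here is a cleanup rather than a further behaviour change. No objection.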