[NETFILTER]: Fix ip6_tables extension header bypass bug

[powerpc.git] / net / netfilter / Kconfig

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index b1622b7..f619c65 100644 (file)
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -148,6 +148,18 @@ config NETFILTER_XT_TARGET_CONNMARK
          <file:Documentation/modules.txt>.  The module will be called
          ipt_CONNMARK.o.  If unsure, say `N'.
 
          <file:Documentation/modules.txt>.  The module will be called
          ipt_CONNMARK.o.  If unsure, say `N'.
 

+config NETFILTER_XT_TARGET_DSCP
+       tristate '"DSCP" target support'
+       depends on NETFILTER_XTABLES
+       depends on IP_NF_MANGLE || IP6_NF_MANGLE
+       help
+         This option adds a `DSCP' target, which allows you to manipulate
+         the IPv4/IPv6 header DSCP field (differentiated services codepoint).
+
+         The DSCP field can have any value between 0x0 and 0x3f inclusive.
+
+         To compile it as a module, choose M here.  If unsure, say N.
+

 config NETFILTER_XT_TARGET_MARK
        tristate '"MARK" target support'
        depends on NETFILTER_XTABLES
 config NETFILTER_XT_TARGET_MARK
        tristate '"MARK" target support'
        depends on NETFILTER_XTABLES


@@ -197,7 +209,9 @@ config NETFILTER_XT_TARGET_SECMARK
 
 config NETFILTER_XT_TARGET_CONNSECMARK
        tristate '"CONNSECMARK" target support'
 
 config NETFILTER_XT_TARGET_CONNSECMARK
        tristate '"CONNSECMARK" target support'

-       depends on NETFILTER_XTABLES && (NF_CONNTRACK_SECMARK || IP_NF_CONNTRACK_SECMARK)
+       depends on NETFILTER_XTABLES && \
+                  ((NF_CONNTRACK && NF_CONNTRACK_SECMARK) || \
+                   (IP_NF_CONNTRACK && IP_NF_CONNTRACK_SECMARK))

        help
          The CONNSECMARK target copies security markings from packets
          to connections, and restores security markings from connections
        help
          The CONNSECMARK target copies security markings from packets
          to connections, and restores security markings from connections


@@ -263,6 +277,17 @@ config NETFILTER_XT_MATCH_DCCP
          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.
 
          If you want to compile it as a module, say M here and read
          <file:Documentation/modules.txt>.  If unsure, say `N'.
 

+config NETFILTER_XT_MATCH_DSCP
+       tristate '"DSCP" match support'
+       depends on NETFILTER_XTABLES
+       help
+         This option adds a `DSCP' match, which allows you to match against
+         the IPv4/IPv6 header DSCP field (differentiated services codepoint).
+
+         The DSCP field can have any value between 0x0 and 0x3f inclusive.
+
+         To compile it as a module, choose M here.  If unsure, say N.
+

 config NETFILTER_XT_MATCH_ESP
        tristate '"ESP" match support'
        depends on NETFILTER_XTABLES
 config NETFILTER_XT_MATCH_ESP
        tristate '"ESP" match support'
        depends on NETFILTER_XTABLES


@@ -342,7 +367,7 @@ config NETFILTER_XT_MATCH_MULTIPORT
 
 config NETFILTER_XT_MATCH_PHYSDEV
        tristate '"physdev" match support'
 
 config NETFILTER_XT_MATCH_PHYSDEV
        tristate '"physdev" match support'

-       depends on NETFILTER_XTABLES && BRIDGE_NETFILTER
+       depends on NETFILTER_XTABLES && BRIDGE && BRIDGE_NETFILTER

        help
          Physdev packet matching matches against the physical bridge ports
          the IP packet arrived on or will leave by.
        help
          Physdev packet matching matches against the physical bridge ports
          the IP packet arrived on or will leave by.


@@ -386,8 +411,8 @@ config NETFILTER_XT_MATCH_REALM
          <file:Documentation/modules.txt>.  If unsure, say `N'.
 
 config NETFILTER_XT_MATCH_SCTP
          <file:Documentation/modules.txt>.  If unsure, say `N'.
 
 config NETFILTER_XT_MATCH_SCTP

-       tristate  '"sctp" protocol match support'
-       depends on NETFILTER_XTABLES
+       tristate  '"sctp" protocol match support (EXPERIMENTAL)'
+       depends on NETFILTER_XTABLES && EXPERIMENTAL

        help
          With this option enabled, you will be able to use the 
          `sctp' match in order to match on SCTP source/destination ports
        help
          With this option enabled, you will be able to use the 
          `sctp' match in order to match on SCTP source/destination ports


@@ -411,7 +436,10 @@ config NETFILTER_XT_MATCH_STATISTIC
        tristate '"statistic" match support'
        depends on NETFILTER_XTABLES
        help
        tristate '"statistic" match support'
        depends on NETFILTER_XTABLES
        help

-         statistic module
+         This option adds a `statistic' match, which allows you to match
+         on packets periodically or randomly with a given percentage.
+
+         To compile it as a module, choose M here.  If unsure, say N.

 
 config NETFILTER_XT_MATCH_STRING
        tristate  '"string" match support'
 
 config NETFILTER_XT_MATCH_STRING
        tristate  '"string" match support'