[PATCH] Configuration: CONFIG_IP_MASQUERADE needs DEFRAG

Paul Rusty Russell (Paul.Russell@rustcorp.com.au)
Fri, 27 Nov 1998 18:30:35 +1130


In message <19981125120712.A844@impsat1.com.ar> Juanjo writes:
> I agree. It's the faster+cleanest way.

Linus, please apply.

CONFIG_IP_MASQUERADE needs CONFIG_IP_ALWAYS_DEFRAG, the same as
CONFIG_IP_TRANSPARENT_PROXY does (which has a hack to turn on
CONFIG_IP_ALWAYS_DEFRAG internally).

This patch makes those dependencies explicit to stop misconfiguration.

Rusty.
--- linux/net/ipv4/Config.in.~1~ Mon Oct 5 02:51:45 1998
+++ linux/net/ipv4/Config.in Fri Nov 27 18:23:37 1998
@@ -31,21 +31,23 @@
define_bool CONFIG_NETLINK_DEV y
fi
fi
- bool 'IP: transparent proxy support' CONFIG_IP_TRANSPARENT_PROXY
- bool 'IP: always defragment' CONFIG_IP_ALWAYS_DEFRAG
+ bool 'IP: always defragment (required for masquerading)' CONFIG_IP_ALWAYS_DEFRAG
fi
fi
if [ "$CONFIG_IP_FIREWALL" = "y" ]; then
- bool 'IP: masquerading' CONFIG_IP_MASQUERADE
- if [ "$CONFIG_IP_MASQUERADE" != "n" ]; then
- comment 'Protocol-specific masquerading support will be built as modules.'
- bool 'IP: ICMP masquerading' CONFIG_IP_MASQUERADE_ICMP
- comment 'Protocol-specific masquerading support will be built as modules.'
- if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
- bool 'IP: masquerading special modules support' CONFIG_IP_MASQUERADE_MOD
- if [ "$CONFIG_IP_MASQUERADE_MOD" = "y" ]; then
- tristate 'IP: ipautofw masq support (EXPERIMENTAL)' CONFIG_IP_MASQUERADE_IPAUTOFW
- tristate 'IP: ipportfw masq support (EXPERIMENTAL)' CONFIG_IP_MASQUERADE_IPPORTFW
+ if [ "$CONFIG_IP_ALWAYS_DEFRAG" != "n" ]; then
+ bool 'IP: transparent proxy support' CONFIG_IP_TRANSPARENT_PROXY
+ bool 'IP: masquerading' CONFIG_IP_MASQUERADE
+ if [ "$CONFIG_IP_MASQUERADE" != "n" ]; then
+ comment 'Protocol-specific masquerading support will be built as modules.'
+ bool 'IP: ICMP masquerading' CONFIG_IP_MASQUERADE_ICMP
+ comment 'Protocol-specific masquerading support will be built as modules.'
+ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then
+ bool 'IP: masquerading special modules support' CONFIG_IP_MASQUERADE_MOD
+ if [ "$CONFIG_IP_MASQUERADE_MOD" = "y" ]; then
+ tristate 'IP: ipautofw masq support (EXPERIMENTAL)' CONFIG_IP_MASQUERADE_IPAUTOFW
+ tristate 'IP: ipportfw masq support (EXPERIMENTAL)' CONFIG_IP_MASQUERADE_IPPORTFW
+ fi
fi
fi
fi
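
Review bot: The guard on the new block, `if [ "$CONFIG_IP_ALWAYS_DEFRAG" != "n" ]`, also passes when the variable is empty. The 'IP: always defragment' prompt sits inside an earlier conditional block, closed by the two `fi` lines before the CONFIG_IP_FIREWALL test, and that block's conditions are not visible in this hunk. If that block can be skipped while CONFIG_IP_FIREWALL is y, masquerading and transparent proxy would be offered without the defragment question ever being asked, which is the misconfiguration this patch sets out to stop. Since the option is a bool, testing `= "y"` would make the dependency strict. The move also places 'IP: transparent proxy support' under the CONFIG_IP_FIREWALL test, so it is worth checking against the enclosing conditions of its old position that this does not change when it is offered. Separately, the comment 'Protocol-specific masquerading support will be built as modules.' is still emitted twice, before and after the ICMP prompt; one copy could be dropped while the block is being re-indented.
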
--- linux/Documentation/Configure.help.~1~ Fri Nov 27 18:03:52 1998
+++ linux/Documentation/Configure.help Fri Nov 27 18:19:37 1998
@@ -2397,9 +2397,6 @@
information on the WWW at
http://www.tor.shaw.wave.ca/~ambrose/kernel21.html.

- If you say Y here, you should also say Y to "IP: always defragment",
- below.
-
If you say Y here, then the modules ip_masq_ftp.o (for ftp file
transfers), ip_masq_irc.o (for irc chats), ip_masq_quake.o (you
guessed it), ip_masq_vdolive.o (for VDOLive video connections),
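
Review bot: Removing the 'you should also say Y to "IP: always defragment"' sentence leaves the masquerading help with no mention of the dependency at all. Rather than deleting it, consider replacing it with a sentence saying that this option is only offered once "IP: always defragment" has been set, so that someone reading Configure.help on its own can tell why the masquerading prompt might not appear.
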
@@ -2503,7 +2500,7 @@
The module will be called ip_masq_markfw.o. If you want to compile
it as a module, say M here and read Documentation/modules.txt.

-IP: always defragment
+IP: always defragment (required for masquerading)
CONFIG_IP_ALWAYS_DEFRAG
If you say Y here, then all incoming fragments (parts of IP packets
that arose when some host between origin and destination decided
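
Review bot: The new title names only masquerading, but the help body changed further down in this patch says the option is also required for "IP: transparent proxying", and the Config.in hunk puts both prompts behind it. A title that covers both, for example 'IP: always defragment (required for masquerading and transparent proxy)', would match the actual dependency; the prompt string in net/ipv4/Config.in would need the same wording so the two stay in step as they do in this patch.
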
@@ -2511,17 +2508,12 @@
reassembled (defragmented) before being processed, even if they are
about to be forwarded.

- This option is highly recommended if you have said Y to "IP:
- masquerading" because that facility requires that second and further
- fragments can be related to TCP or UDP port numbers, which are only
- stored in the first fragment.
+ You must say Y here if you want to enable "IP: masquerading" or "IP:
+ transparent proxying".

When using "IP: firewalling" support, you might also want to say Y
here, to have a more reliable firewall (otherwise second and further
fragments must be dealt with by the firewall, which can be tricky).
-
- When using "IP: transparent proxying", this option is implicit,
- although it is safe to say Y here.

Only say Y here if running either a firewall that is the sole link
to your network or a transparent proxy; never ever say Y here for a
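
Review bot: The replacement paragraph states the requirement but drops the reason the old text gave, namely that second and further fragments can only be related to TCP or UDP port numbers stored in the first fragment. That sentence is the only place the help explains why masquerading breaks without defragmentation, so I would keep it after the new "You must say Y here" sentence. The closing context paragraph ("Only say Y here if running either a firewall that is the sole link to your network or a transparent proxy") also does not mention masquerading, and now reads as if it conflicts with the new requirement; it should list masquerading hosts as well.
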

--
 .sig lost in the mail.
