[2.4 patch] netfilter Configure.help cleanup

[2.4 patch] netfilter Configure.help cleanup

[Adrian Bunk]

The patch below does the following changes to the netfilter entries in 
Configure.help in 2.4.22-pre2:
- order similar to net/ipv4/netfilter/Config.in
- remove useless short descriptions above CONFIG_*
- added CONFIG_IP_NF_MATCH_RECENT entry (stolen from 2.5)

Please apply
Adrian

--- linux-2.4.22-pre2-full/Documentation/Configure.help.old	2003-06-28 00:55:54.000000000 +0200
+++ linux-2.4.22-pre2-full/Documentation/Configure.help	2003-06-28 01:20:11.000000000 +0200
@@ -2511,7 +2511,6 @@
   You can say Y here if you want to get additional messages useful in
   debugging the netfilter code.
 
-Connection tracking (required for masq/NAT)
 CONFIG_IP_NF_CONNTRACK
   Connection tracking keeps a record of what packets have passed
   through your machine, in order to figure out how they are related
@@ -2525,7 +2524,14 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Amanda protocol support
+CONFIG_IP_NF_FTP
+  Tracking FTP connections is problematic: special helpers are
+  required for tracking them, and doing masquerading and other forms
+  of Network Address Translation on them.
+
+  If you want to compile it as a module, say M here and read
+  <file:Documentation/modules.txt>.  If unsure, say `Y'.
+
 CONFIG_IP_NF_AMANDA
   If you are running the Amanda backup package (http://www.amanda.org/)
   on this machine or machines that will be MASQUERADED through this
@@ -2537,8 +2543,15 @@
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
+CONFIG_IP_NF_TFTP
+  TFTP connection tracking helper, this is required depending
+  on how restrictive your ruleset is.
+  If you are using a tftp client behind -j SNAT or -j MASQUERADING
+  you will need this.
+
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `Y'.
 
-IRC Send/Chat protocol support
 CONFIG_IP_NF_IRC
   There is a commonly-used extension to IRC called
   Direct Client-to-Client Protocol (DCC).  This enables users to send
@@ -2552,26 +2565,6 @@
   If you want to compile it as a module, say 'M' here and read
   Documentation/modules.txt.  If unsure, say 'N'.
 
-TFTP protocol support
-CONFIG_IP_NF_TFTP
-  TFTP connection tracking helper, this is required depending
-  on how restrictive your ruleset is.
-  If you are using a tftp client behind -j SNAT or -j MASQUERADING
-  you will need this.
-
-  If you want to compile it as a module, say M here and read
-  Documentation/modules.txt.  If unsure, say `Y'.
-
-FTP protocol support
-CONFIG_IP_NF_FTP
-  Tracking FTP connections is problematic: special helpers are
-  required for tracking them, and doing masquerading and other forms
-  of Network Address Translation on them.
-
-  If you want to compile it as a module, say M here and read
-  <file:Documentation/modules.txt>.  If unsure, say `Y'.
-
-User space queueing via NETLINK
 CONFIG_IP_NF_QUEUE
   Netfilter has the ability to queue packets to user space: the
   netlink device can be used to access them using this driver.
@@ -2579,7 +2572,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-IP tables support (required for filtering/masq/NAT)
 CONFIG_IP_NF_IPTABLES
   iptables is a general, extensible packet identification framework.
   The packet filtering and full NAT (masquerading, port forwarding,
@@ -2589,7 +2581,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-limit match support
 CONFIG_IP_NF_MATCH_LIMIT
   limit matching allows you to control the rate at which a rule can be
   matched: mainly useful in combination with the LOG target ("LOG
@@ -2598,7 +2589,13 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-skb->pkt_type packet match support
+CONFIG_IP_NF_MATCH_MAC
+  MAC matching allows you to match packets based on the source
+  Ethernet address of the packet.
+
+  If you want to compile it as a module, say M here and read
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
+
 CONFIG_IP_NF_MATCH_PKTTYPE
   This patch allows you to match packet in accrodance
   to its "class", eg. BROADCAST, MULTICAST, ...
@@ -2609,15 +2606,6 @@
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
-MAC address match support
-CONFIG_IP_NF_MATCH_MAC
-  MAC matching allows you to match packets based on the source
-  Ethernet address of the packet.
-
-  If you want to compile it as a module, say M here and read
-  <file:Documentation/modules.txt>.  If unsure, say `N'.
-
-Netfilter MARK match support
 CONFIG_IP_NF_MATCH_MARK
   Netfilter mark matching allows you to match packets based on the
   `nfmark' value in the packet.  This can be set by the MARK target
@@ -2626,7 +2614,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Multiple port match support
 CONFIG_IP_NF_MATCH_MULTIPORT
   Multiport matching allows you to match TCP or UDP packets based on
   a series of source or destination ports: normally a rule can only
@@ -2635,31 +2622,30 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-TTL match support
-CONFIG_IP_NF_MATCH_TTL
-  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
-  to match packets by their TTL value.
+CONFIG_IP_NF_MATCH_TOS
+  TOS matching allows you to match packets based on the Type Of
+  Service fields of the IP packet.
 
   If you want to compile it as a module, say M here and read
-  Documentation/modules.txt.  If unsure, say `N'.
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-LENGTH match support
-CONFIG_IP_NF_MATCH_LENGTH
-  This option allows you to match the length of a packet against a
-  specific value or range of values.
+CONFIG_IP_NF_MATCH_RECENT
+  This match is used for creating one or many lists of recently
+  used addresses and then matching against that/those list(s).
+
+  Short options are available by using 'iptables -m recent -h'
+  Official Website: <http://snowman.net/projects/ipt_recent/>
 
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-AH/ESP match support
-CONFIG_IP_NF_MATCH_AH_ESP
-  These two match extensions (`ah' and `esp') allow you to match a
-  range of SPIs inside AH or ESP headers of IPSec packets.
+CONFIG_IP_NF_MATCH_ECN
+  This option adds a `ECN' match, which allows you to match against
+  the IPv4 and TCP header ECN fields.
 
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
-DSCP match support
 CONFIG_IP_NF_MATCH_DSCP
   This option adds a `DSCP' match, which allows you to match against
   the IPv4 header DSCP field (DSCP codepoint).
@@ -2669,39 +2655,42 @@
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
- 
-
-ECN match support
-CONFIG_IP_NF_MATCH_ECN
-  This option adds a `ECN' match, which allows you to match against
-  the IPv4 and TCP header ECN fields.
+CONFIG_IP_NF_MATCH_AH_ESP
+  These two match extensions (`ah' and `esp') allow you to match a
+  range of SPIs inside AH or ESP headers of IPSec packets.
 
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
- 
-
-TOS match support
-CONFIG_IP_NF_MATCH_TOS
-  TOS matching allows you to match packets based on the Type Of
-  Service fields of the IP packet.
+CONFIG_IP_NF_MATCH_LENGTH
+  This option allows you to match the length of a packet against a
+  specific value or range of values.
 
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-conntrack match support
-CONFIG_IP_NF_MATCH_CONNTRACK
-  This is a general conntrack match module, a superset of the state match.
-
-  It allows matching on additional conntrack information, which is
-  useful in complex configurations, such as NAT gateways with multiple
-  internet links or tunnels.
+CONFIG_IP_NF_MATCH_TTL
+  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
+  to match packets by their TTL value.
 
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
+CONFIG_IP_NF_MATCH_TCPMSS
+  This option adds a `tcpmss' match, which allows you to examine the
+  MSS value of TCP SYN packets, which control the maximum packet size
+  for that connection.
+
+  If you want to compile it as a module, say M here and read
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
+
+CONFIG_IP_NF_MATCH_HELPER
+  Helper matching allows you to match packets in dynamic connections
+  tracked by a conntrack-helper, ie. ip_conntrack_ftp
+
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `Y'.
 
-Connection state match support
 CONFIG_IP_NF_MATCH_STATE
   Connection state matching allows you to match packets based on their
   relationship to a tracked connection (ie. previous packets).  This
@@ -2710,7 +2699,16 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Unclean match support
+CONFIG_IP_NF_MATCH_CONNTRACK
+  This is a general conntrack match module, a superset of the state match.
+
+  It allows matching on additional conntrack information, which is
+  useful in complex configurations, such as NAT gateways with multiple
+  internet links or tunnels.
+
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `N'.
+
 CONFIG_IP_NF_MATCH_UNCLEAN
   Unclean packet matching matches any strange or invalid packets, by
   looking at a series of fields in the IP, TCP, UDP and ICMP headers.
@@ -2718,7 +2716,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Owner match support
 CONFIG_IP_NF_MATCH_OWNER
   Packet owner matching allows you to match locally-generated packets
   based on who created them: the user, group, process or session.
@@ -2726,7 +2723,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Packet filtering
 CONFIG_IP_NF_FILTER
   Packet filtering defines a table `filter', which has a series of
   rules for simple packet filtering at local input, forwarding and
@@ -2735,7 +2731,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-REJECT target support
 CONFIG_IP_NF_TARGET_REJECT
   The REJECT target allows a filtering rule to specify that an ICMP
   error should be issued in response to an incoming packet, rather
@@ -2744,7 +2739,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-MIRROR target support
 CONFIG_IP_NF_TARGET_MIRROR
   The MIRROR target allows a filtering rule to specify that an
   incoming packet should be bounced back to the sender.
@@ -2752,20 +2746,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Local NAT support
-CONFIG_IP_NF_NAT_LOCAL
-  This option enables support for NAT of locally originated connections. 
-  Enable this if you need to use destination NAT on connections
-  originating from local processes on the nat box itself.
-
-  Please note that you will need a recent version (>= 1.2.6a)
-  of the iptables userspace program in order to use this feature.
-  See <http://www.iptables.org/> for download instructions.
-
-  If unsure, say 'N'.
-
-
-Full NAT (Network Address Translation)
 CONFIG_IP_NF_NAT
   The Full NAT option allows masquerading, port forwarding and other
   forms of full Network Address Port Translation.  It is controlled by
@@ -2774,7 +2754,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-MASQUERADE target support
 CONFIG_IP_NF_TARGET_MASQUERADE
   Masquerading is a special case of NAT: all outgoing connections are
   changed to seem to come from a particular interface's address, and
@@ -2785,9 +2764,27 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Basic SNMP-ALG support
-CONFIG_IP_NF_NAT_SNMP_BASIC
+CONFIG_IP_NF_TARGET_REDIRECT
+  REDIRECT is a special case of NAT: all incoming connections are
+  mapped onto the incoming interface's address, causing the packets to
+  come to the local machine instead of passing through.  This is
+  useful for transparent proxies.
+
+  If you want to compile it as a module, say M here and read
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
+CONFIG_IP_NF_NAT_LOCAL
+  This option enables support for NAT of locally originated connections. 
+  Enable this if you need to use destination NAT on connections
+  originating from local processes on the nat box itself.
+
+  Please note that you will need a recent version (>= 1.2.6a)
+  of the iptables userspace program in order to use this feature.
+  See <http://www.iptables.org/> for download instructions.
+
+  If unsure, say 'N'.
+
+CONFIG_IP_NF_NAT_SNMP_BASIC
   This module implements an Application Layer Gateway (ALG) for
   SNMP payloads.  In conjunction with NAT, it allows a network
   management system to access multiple private networks with
@@ -2799,17 +2796,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-REDIRECT target support
-CONFIG_IP_NF_TARGET_REDIRECT
-  REDIRECT is a special case of NAT: all incoming connections are
-  mapped onto the incoming interface's address, causing the packets to
-  come to the local machine instead of passing through.  This is
-  useful for transparent proxies.
-
-  If you want to compile it as a module, say M here and read
-  <file:Documentation/modules.txt>.  If unsure, say `N'.
-
-Packet mangling
 CONFIG_IP_NF_MANGLE
   This option adds a `mangle' table to iptables: see the man page for
   iptables(8).  This table is used for various packet alterations
@@ -2818,25 +2804,17 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-DSCP target support
-CONFIG_IP_NF_TARGET_DSCP
-  This option adds a `DSCP' target, which allows you to create rules in
-  the iptables mangle table. The selected packet has the DSCP field set
-  to the hex value provided on the command line; unlike the TOS target
-  which will only set the legal values within ip.h.
-
-  The DSCP field can be set to any value between 0x0 and 0x4f. It does
-  take into account that bits 6 and 7 are used by ECN.
+CONFIG_IP_NF_TARGET_TOS
+  This option adds a `TOS' target, which allows you to create rules in
+  the `mangle' table which alter the Type Of Service field of an IP
+  packet prior to routing.
 
   If you want to compile it as a module, say M here and read
-  Documentation/modules.txt.  If unsure, say `N'.
-
- 
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-ECN target support
 CONFIG_IP_NF_TARGET_ECN
   This option adds a `ECN' target, which can be used in the iptables mangle
-  table.  
+  table.
 
   You can use this target to remove the ECN bits from the IPv4 header of
   an IP packet.  This is particularly useful, if you need to work around
@@ -2846,18 +2824,18 @@
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
- 
+CONFIG_IP_NF_TARGET_DSCP
+  This option adds a `DSCP' target, which allows you to create rules in
+  the iptables mangle table. The selected packet has the DSCP field set
+  to the hex value provided on the command line; unlike the TOS target
+  which will only set the legal values within ip.h.
 
-TOS target support
-CONFIG_IP_NF_TARGET_TOS
-  This option adds a `TOS' target, which allows you to create rules in
-  the `mangle' table which alter the Type Of Service field of an IP
-  packet prior to routing.
+  The DSCP field can be set to any value between 0x0 and 0x4f. It does
+  take into account that bits 6 and 7 are used by ECN.
 
   If you want to compile it as a module, say M here and read
-  <file:Documentation/modules.txt>.  If unsure, say `N'.
+  Documentation/modules.txt.  If unsure, say `N'.
 
-MARK target support
 CONFIG_IP_NF_TARGET_MARK
   This option adds a `MARK' target, which allows you to create rules
   in the `mangle' table which alter the netfilter mark (nfmark) field
@@ -2869,7 +2847,25 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-TCPMSS target support
+CONFIG_IP_NF_TARGET_LOG
+  This option adds a `LOG' target, which allows you to create rules in
+  any iptables table which records the packet header to the syslog.
+
+  If you want to compile it as a module, say M here and read
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
+
+CONFIG_IP_NF_TARGET_ULOG
+  This option adds a `ULOG' target, which allows you to create rules in
+  any iptables table. The packet is passed to a userspace logging
+  daemon using netlink multicast sockets; unlike the LOG target
+  which can only be viewed through syslog.
+
+  The appropriate userspace logging daemon (ulogd) may be obtained from
+  <http://www.gnumonks.org/projects/ulogd>
+
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `N'.
+
 CONFIG_IP_NF_TARGET_TCPMSS
   This option adds a `TCPMSS' target, which allows you to alter the
   MSS value of TCP SYN packets, to control the maximum size for that
@@ -2894,45 +2890,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Helper match support
-CONFIG_IP_NF_MATCH_HELPER
-  Helper matching allows you to match packets in dynamic connections
-  tracked by a conntrack-helper, ie. ip_conntrack_ftp
-
-  If you want to compile it as a module, say M here and read
-  Documentation/modules.txt.  If unsure, say `Y'.
-
-TCPMSS match support
-CONFIG_IP_NF_MATCH_TCPMSS
-  This option adds a `tcpmss' match, which allows you to examine the
-  MSS value of TCP SYN packets, which control the maximum packet size
-  for that connection.
-
-  If you want to compile it as a module, say M here and read
-  <file:Documentation/modules.txt>.  If unsure, say `N'.
-
-ULOG target support
-CONFIG_IP_NF_TARGET_ULOG
-  This option adds a `ULOG' target, which allows you to create rules in
-  any iptables table. The packet is passed to a userspace logging
-  daemon using netlink multicast sockets; unlike the LOG target
-  which can only be viewed through syslog.
-
-  The appropriate userspace logging daemon (ulogd) may be obtained from
-  <http://www.gnumonks.org/projects/ulogd>
-
-  If you want to compile it as a module, say M here and read
-  Documentation/modules.txt.  If unsure, say `N'.
-
-LOG target support
-CONFIG_IP_NF_TARGET_LOG
-  This option adds a `LOG' target, which allows you to create rules in
-  any iptables table which records the packet header to the syslog.
-
-  If you want to compile it as a module, say M here and read
-  <file:Documentation/modules.txt>.  If unsure, say `N'.
-
-ipchains (2.2-style) support
 CONFIG_IP_NF_COMPAT_IPCHAINS
   This option places ipchains (with masquerading and redirection
   support) back into the kernel, using the new netfilter
@@ -2943,7 +2900,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-ipfwadm (2.0-style) support
 CONFIG_IP_NF_COMPAT_IPFWADM
   This option places ipfwadm (with masquerading and redirection
   support) back into the kernel, using the new netfilter

Re: [2.4 patch] netfilter Configure.help cleanup

[Rusty Russell]

In message <20030627233357.GN24661@fs.tum.de> you write:
> - remove useless short descriptions above CONFIG_*

> -Connection tracking (required for masq/NAT)
>  CONFIG_IP_NF_CONNTRACK

Can you really do this?  A quick skim didn't find anyone else skipping
this line...

Thanks,
Rusty.
--
  Anyone who quotes me in their sig is an idiot. -- Rusty Russell.

Re: [2.4 patch] netfilter Configure.help cleanup

[Marcelo Tosatti]

Make that go through davem, please.

On Mon, 30 Jun 2003, Rusty Russell wrote:

> In message <20030627233357.GN24661@fs.tum.de> you write:
> > - remove useless short descriptions above CONFIG_*
>
> > -Connection tracking (required for masq/NAT)
> >  CONFIG_IP_NF_CONNTRACK
>
> Can you really do this?  A quick skim didn't find anyone else skipping
> this line...
>
> Thanks,
> Rusty.
> --
>   Anyone who quotes me in their sig is an idiot. -- Rusty Russell.
>

Re: [2.4 patch] netfilter Configure.help cleanup

[Adrian Bunk]

On Mon, Jun 30, 2003 at 02:38:12PM +1000, Rusty Russell wrote:
> In message <20030627233357.GN24661@fs.tum.de> you write:
> > - remove useless short descriptions above CONFIG_*
> 
> > -Connection tracking (required for masq/NAT)
> >  CONFIG_IP_NF_CONNTRACK
> 
> Can you really do this?  A quick skim didn't find anyone else skipping
> this line...

These lines are only (sometimes outdated) copies of the lines in the
Config.in files that are not used by any tool I am aware of. 

> Thanks,
> Rusty.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed

Re: [2.4 patch] netfilter Configure.help cleanup

[Adrian Bunk]

On Wed, Jul 02, 2003 at 04:25:05PM -0300, Marcelo Tosatti wrote:
> 
> Make that go through davem, please.

Hi Dave,

the patch below does the following changes to the netfilter entries in
Configure.help in 2.4.22-pre2:
- order similar to net/ipv4/netfilter/Config.in
- remove useless short descriptions above CONFIG_*
- added CONFIG_IP_NF_MATCH_RECENT entry (stolen from 2.5)

It still applies against 2.4.22-pre6.
 
Please apply
Adrian



--- linux-2.4.22-pre2-full/Documentation/Configure.help.old	2003-06-28 00:55:54.000000000 +0200
+++ linux-2.4.22-pre2-full/Documentation/Configure.help	2003-06-28 01:20:11.000000000 +0200
@@ -2511,7 +2511,6 @@
   You can say Y here if you want to get additional messages useful in
   debugging the netfilter code.
 
-Connection tracking (required for masq/NAT)
 CONFIG_IP_NF_CONNTRACK
   Connection tracking keeps a record of what packets have passed
   through your machine, in order to figure out how they are related
@@ -2525,7 +2524,14 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Amanda protocol support
+CONFIG_IP_NF_FTP
+  Tracking FTP connections is problematic: special helpers are
+  required for tracking them, and doing masquerading and other forms
+  of Network Address Translation on them.
+
+  If you want to compile it as a module, say M here and read
+  <file:Documentation/modules.txt>.  If unsure, say `Y'.
+
 CONFIG_IP_NF_AMANDA
   If you are running the Amanda backup package (http://www.amanda.org/)
   on this machine or machines that will be MASQUERADED through this
@@ -2537,8 +2543,15 @@
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
+CONFIG_IP_NF_TFTP
+  TFTP connection tracking helper, this is required depending
+  on how restrictive your ruleset is.
+  If you are using a tftp client behind -j SNAT or -j MASQUERADING
+  you will need this.
+
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `Y'.
 
-IRC Send/Chat protocol support
 CONFIG_IP_NF_IRC
   There is a commonly-used extension to IRC called
   Direct Client-to-Client Protocol (DCC).  This enables users to send
@@ -2552,26 +2565,6 @@
   If you want to compile it as a module, say 'M' here and read
   Documentation/modules.txt.  If unsure, say 'N'.
 
-TFTP protocol support
-CONFIG_IP_NF_TFTP
-  TFTP connection tracking helper, this is required depending
-  on how restrictive your ruleset is.
-  If you are using a tftp client behind -j SNAT or -j MASQUERADING
-  you will need this.
-
-  If you want to compile it as a module, say M here and read
-  Documentation/modules.txt.  If unsure, say `Y'.
-
-FTP protocol support
-CONFIG_IP_NF_FTP
-  Tracking FTP connections is problematic: special helpers are
-  required for tracking them, and doing masquerading and other forms
-  of Network Address Translation on them.
-
-  If you want to compile it as a module, say M here and read
-  <file:Documentation/modules.txt>.  If unsure, say `Y'.
-
-User space queueing via NETLINK
 CONFIG_IP_NF_QUEUE
   Netfilter has the ability to queue packets to user space: the
   netlink device can be used to access them using this driver.
@@ -2579,7 +2572,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-IP tables support (required for filtering/masq/NAT)
 CONFIG_IP_NF_IPTABLES
   iptables is a general, extensible packet identification framework.
   The packet filtering and full NAT (masquerading, port forwarding,
@@ -2589,7 +2581,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-limit match support
 CONFIG_IP_NF_MATCH_LIMIT
   limit matching allows you to control the rate at which a rule can be
   matched: mainly useful in combination with the LOG target ("LOG
@@ -2598,7 +2589,13 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-skb->pkt_type packet match support
+CONFIG_IP_NF_MATCH_MAC
+  MAC matching allows you to match packets based on the source
+  Ethernet address of the packet.
+
+  If you want to compile it as a module, say M here and read
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
+
 CONFIG_IP_NF_MATCH_PKTTYPE
   This patch allows you to match packet in accrodance
   to its "class", eg. BROADCAST, MULTICAST, ...
@@ -2609,15 +2606,6 @@
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
-MAC address match support
-CONFIG_IP_NF_MATCH_MAC
-  MAC matching allows you to match packets based on the source
-  Ethernet address of the packet.
-
-  If you want to compile it as a module, say M here and read
-  <file:Documentation/modules.txt>.  If unsure, say `N'.
-
-Netfilter MARK match support
 CONFIG_IP_NF_MATCH_MARK
   Netfilter mark matching allows you to match packets based on the
   `nfmark' value in the packet.  This can be set by the MARK target
@@ -2626,7 +2614,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Multiple port match support
 CONFIG_IP_NF_MATCH_MULTIPORT
   Multiport matching allows you to match TCP or UDP packets based on
   a series of source or destination ports: normally a rule can only
@@ -2635,31 +2622,30 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-TTL match support
-CONFIG_IP_NF_MATCH_TTL
-  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
-  to match packets by their TTL value.
+CONFIG_IP_NF_MATCH_TOS
+  TOS matching allows you to match packets based on the Type Of
+  Service fields of the IP packet.
 
   If you want to compile it as a module, say M here and read
-  Documentation/modules.txt.  If unsure, say `N'.
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-LENGTH match support
-CONFIG_IP_NF_MATCH_LENGTH
-  This option allows you to match the length of a packet against a
-  specific value or range of values.
+CONFIG_IP_NF_MATCH_RECENT
+  This match is used for creating one or many lists of recently
+  used addresses and then matching against that/those list(s).
+
+  Short options are available by using 'iptables -m recent -h'
+  Official Website: <http://snowman.net/projects/ipt_recent/>
 
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-AH/ESP match support
-CONFIG_IP_NF_MATCH_AH_ESP
-  These two match extensions (`ah' and `esp') allow you to match a
-  range of SPIs inside AH or ESP headers of IPSec packets.
+CONFIG_IP_NF_MATCH_ECN
+  This option adds a `ECN' match, which allows you to match against
+  the IPv4 and TCP header ECN fields.
 
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
-DSCP match support
 CONFIG_IP_NF_MATCH_DSCP
   This option adds a `DSCP' match, which allows you to match against
   the IPv4 header DSCP field (DSCP codepoint).
@@ -2669,39 +2655,42 @@
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
- 
-
-ECN match support
-CONFIG_IP_NF_MATCH_ECN
-  This option adds a `ECN' match, which allows you to match against
-  the IPv4 and TCP header ECN fields.
+CONFIG_IP_NF_MATCH_AH_ESP
+  These two match extensions (`ah' and `esp') allow you to match a
+  range of SPIs inside AH or ESP headers of IPSec packets.
 
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
- 
-
-TOS match support
-CONFIG_IP_NF_MATCH_TOS
-  TOS matching allows you to match packets based on the Type Of
-  Service fields of the IP packet.
+CONFIG_IP_NF_MATCH_LENGTH
+  This option allows you to match the length of a packet against a
+  specific value or range of values.
 
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-conntrack match support
-CONFIG_IP_NF_MATCH_CONNTRACK
-  This is a general conntrack match module, a superset of the state match.
-
-  It allows matching on additional conntrack information, which is
-  useful in complex configurations, such as NAT gateways with multiple
-  internet links or tunnels.
+CONFIG_IP_NF_MATCH_TTL
+  This adds CONFIG_IP_NF_MATCH_TTL option, which enabled the user
+  to match packets by their TTL value.
 
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
+CONFIG_IP_NF_MATCH_TCPMSS
+  This option adds a `tcpmss' match, which allows you to examine the
+  MSS value of TCP SYN packets, which control the maximum packet size
+  for that connection.
+
+  If you want to compile it as a module, say M here and read
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
+
+CONFIG_IP_NF_MATCH_HELPER
+  Helper matching allows you to match packets in dynamic connections
+  tracked by a conntrack-helper, ie. ip_conntrack_ftp
+
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `Y'.
 
-Connection state match support
 CONFIG_IP_NF_MATCH_STATE
   Connection state matching allows you to match packets based on their
   relationship to a tracked connection (ie. previous packets).  This
@@ -2710,7 +2699,16 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Unclean match support
+CONFIG_IP_NF_MATCH_CONNTRACK
+  This is a general conntrack match module, a superset of the state match.
+
+  It allows matching on additional conntrack information, which is
+  useful in complex configurations, such as NAT gateways with multiple
+  internet links or tunnels.
+
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `N'.
+
 CONFIG_IP_NF_MATCH_UNCLEAN
   Unclean packet matching matches any strange or invalid packets, by
   looking at a series of fields in the IP, TCP, UDP and ICMP headers.
@@ -2718,7 +2716,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Owner match support
 CONFIG_IP_NF_MATCH_OWNER
   Packet owner matching allows you to match locally-generated packets
   based on who created them: the user, group, process or session.
@@ -2726,7 +2723,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Packet filtering
 CONFIG_IP_NF_FILTER
   Packet filtering defines a table `filter', which has a series of
   rules for simple packet filtering at local input, forwarding and
@@ -2735,7 +2731,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-REJECT target support
 CONFIG_IP_NF_TARGET_REJECT
   The REJECT target allows a filtering rule to specify that an ICMP
   error should be issued in response to an incoming packet, rather
@@ -2744,7 +2739,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-MIRROR target support
 CONFIG_IP_NF_TARGET_MIRROR
   The MIRROR target allows a filtering rule to specify that an
   incoming packet should be bounced back to the sender.
@@ -2752,20 +2746,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Local NAT support
-CONFIG_IP_NF_NAT_LOCAL
-  This option enables support for NAT of locally originated connections. 
-  Enable this if you need to use destination NAT on connections
-  originating from local processes on the nat box itself.
-
-  Please note that you will need a recent version (>= 1.2.6a)
-  of the iptables userspace program in order to use this feature.
-  See <http://www.iptables.org/> for download instructions.
-
-  If unsure, say 'N'.
-
-
-Full NAT (Network Address Translation)
 CONFIG_IP_NF_NAT
   The Full NAT option allows masquerading, port forwarding and other
   forms of full Network Address Port Translation.  It is controlled by
@@ -2774,7 +2754,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-MASQUERADE target support
 CONFIG_IP_NF_TARGET_MASQUERADE
   Masquerading is a special case of NAT: all outgoing connections are
   changed to seem to come from a particular interface's address, and
@@ -2785,9 +2764,27 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Basic SNMP-ALG support
-CONFIG_IP_NF_NAT_SNMP_BASIC
+CONFIG_IP_NF_TARGET_REDIRECT
+  REDIRECT is a special case of NAT: all incoming connections are
+  mapped onto the incoming interface's address, causing the packets to
+  come to the local machine instead of passing through.  This is
+  useful for transparent proxies.
+
+  If you want to compile it as a module, say M here and read
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
+CONFIG_IP_NF_NAT_LOCAL
+  This option enables support for NAT of locally originated connections. 
+  Enable this if you need to use destination NAT on connections
+  originating from local processes on the nat box itself.
+
+  Please note that you will need a recent version (>= 1.2.6a)
+  of the iptables userspace program in order to use this feature.
+  See <http://www.iptables.org/> for download instructions.
+
+  If unsure, say 'N'.
+
+CONFIG_IP_NF_NAT_SNMP_BASIC
   This module implements an Application Layer Gateway (ALG) for
   SNMP payloads.  In conjunction with NAT, it allows a network
   management system to access multiple private networks with
@@ -2799,17 +2796,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-REDIRECT target support
-CONFIG_IP_NF_TARGET_REDIRECT
-  REDIRECT is a special case of NAT: all incoming connections are
-  mapped onto the incoming interface's address, causing the packets to
-  come to the local machine instead of passing through.  This is
-  useful for transparent proxies.
-
-  If you want to compile it as a module, say M here and read
-  <file:Documentation/modules.txt>.  If unsure, say `N'.
-
-Packet mangling
 CONFIG_IP_NF_MANGLE
   This option adds a `mangle' table to iptables: see the man page for
   iptables(8).  This table is used for various packet alterations
@@ -2818,25 +2804,17 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-DSCP target support
-CONFIG_IP_NF_TARGET_DSCP
-  This option adds a `DSCP' target, which allows you to create rules in
-  the iptables mangle table. The selected packet has the DSCP field set
-  to the hex value provided on the command line; unlike the TOS target
-  which will only set the legal values within ip.h.
-
-  The DSCP field can be set to any value between 0x0 and 0x4f. It does
-  take into account that bits 6 and 7 are used by ECN.
+CONFIG_IP_NF_TARGET_TOS
+  This option adds a `TOS' target, which allows you to create rules in
+  the `mangle' table which alter the Type Of Service field of an IP
+  packet prior to routing.
 
   If you want to compile it as a module, say M here and read
-  Documentation/modules.txt.  If unsure, say `N'.
-
- 
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-ECN target support
 CONFIG_IP_NF_TARGET_ECN
   This option adds a `ECN' target, which can be used in the iptables mangle
-  table.  
+  table.
 
   You can use this target to remove the ECN bits from the IPv4 header of
   an IP packet.  This is particularly useful, if you need to work around
@@ -2846,18 +2824,18 @@
   If you want to compile it as a module, say M here and read
   Documentation/modules.txt.  If unsure, say `N'.
 
- 
+CONFIG_IP_NF_TARGET_DSCP
+  This option adds a `DSCP' target, which allows you to create rules in
+  the iptables mangle table. The selected packet has the DSCP field set
+  to the hex value provided on the command line; unlike the TOS target
+  which will only set the legal values within ip.h.
 
-TOS target support
-CONFIG_IP_NF_TARGET_TOS
-  This option adds a `TOS' target, which allows you to create rules in
-  the `mangle' table which alter the Type Of Service field of an IP
-  packet prior to routing.
+  The DSCP field can be set to any value between 0x0 and 0x4f. It does
+  take into account that bits 6 and 7 are used by ECN.
 
   If you want to compile it as a module, say M here and read
-  <file:Documentation/modules.txt>.  If unsure, say `N'.
+  Documentation/modules.txt.  If unsure, say `N'.
 
-MARK target support
 CONFIG_IP_NF_TARGET_MARK
   This option adds a `MARK' target, which allows you to create rules
   in the `mangle' table which alter the netfilter mark (nfmark) field
@@ -2869,7 +2847,25 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-TCPMSS target support
+CONFIG_IP_NF_TARGET_LOG
+  This option adds a `LOG' target, which allows you to create rules in
+  any iptables table which records the packet header to the syslog.
+
+  If you want to compile it as a module, say M here and read
+  <file:Documentation/modules.txt>.  If unsure, say `N'.
+
+CONFIG_IP_NF_TARGET_ULOG
+  This option adds a `ULOG' target, which allows you to create rules in
+  any iptables table. The packet is passed to a userspace logging
+  daemon using netlink multicast sockets; unlike the LOG target
+  which can only be viewed through syslog.
+
+  The appropriate userspace logging daemon (ulogd) may be obtained from
+  <http://www.gnumonks.org/projects/ulogd>
+
+  If you want to compile it as a module, say M here and read
+  Documentation/modules.txt.  If unsure, say `N'.
+
 CONFIG_IP_NF_TARGET_TCPMSS
   This option adds a `TCPMSS' target, which allows you to alter the
   MSS value of TCP SYN packets, to control the maximum size for that
@@ -2894,45 +2890,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-Helper match support
-CONFIG_IP_NF_MATCH_HELPER
-  Helper matching allows you to match packets in dynamic connections
-  tracked by a conntrack-helper, ie. ip_conntrack_ftp
-
-  If you want to compile it as a module, say M here and read
-  Documentation/modules.txt.  If unsure, say `Y'.
-
-TCPMSS match support
-CONFIG_IP_NF_MATCH_TCPMSS
-  This option adds a `tcpmss' match, which allows you to examine the
-  MSS value of TCP SYN packets, which control the maximum packet size
-  for that connection.
-
-  If you want to compile it as a module, say M here and read
-  <file:Documentation/modules.txt>.  If unsure, say `N'.
-
-ULOG target support
-CONFIG_IP_NF_TARGET_ULOG
-  This option adds a `ULOG' target, which allows you to create rules in
-  any iptables table. The packet is passed to a userspace logging
-  daemon using netlink multicast sockets; unlike the LOG target
-  which can only be viewed through syslog.
-
-  The appropriate userspace logging daemon (ulogd) may be obtained from
-  <http://www.gnumonks.org/projects/ulogd>
-
-  If you want to compile it as a module, say M here and read
-  Documentation/modules.txt.  If unsure, say `N'.
-
-LOG target support
-CONFIG_IP_NF_TARGET_LOG
-  This option adds a `LOG' target, which allows you to create rules in
-  any iptables table which records the packet header to the syslog.
-
-  If you want to compile it as a module, say M here and read
-  <file:Documentation/modules.txt>.  If unsure, say `N'.
-
-ipchains (2.2-style) support
 CONFIG_IP_NF_COMPAT_IPCHAINS
   This option places ipchains (with masquerading and redirection
   support) back into the kernel, using the new netfilter
@@ -2943,7 +2900,6 @@
   If you want to compile it as a module, say M here and read
   <file:Documentation/modules.txt>.  If unsure, say `N'.
 
-ipfwadm (2.0-style) support
 CONFIG_IP_NF_COMPAT_IPFWADM
   This option places ipfwadm (with masquerading and redirection
   support) back into the kernel, using the new netfilter

Re: [2.4 patch] netfilter Configure.help cleanup

[David S. Miller]

On Thu, 17 Jul 2003 22:13:05 +0200
Adrian Bunk <bunk@fs.tum.de> wrote:

> On Wed, Jul 02, 2003 at 04:25:05PM -0300, Marcelo Tosatti wrote:
> > 
> > Make that go through davem, please.
> 
> Hi Dave,

I'll wait to get this via the next patch drop I get
from the netfilter folks, it's always wise to go through
them for netfilter patches ;-)

Re: [2.4 patch] netfilter Configure.help cleanup

[Rusty Russell]

In message <20030717201304.GL1407@fs.tum.de> you write:
> On Wed, Jul 02, 2003 at 04:25:05PM -0300, Marcelo Tosatti wrote:
> > 
> > Make that go through davem, please.
> 
> Hi Dave,
> 
> the patch below does the following changes to the netfilter entries in
> Configure.help in 2.4.22-pre2:
> - order similar to net/ipv4/netfilter/Config.in
> - remove useless short descriptions above CONFIG_*
> - added CONFIG_IP_NF_MATCH_RECENT entry (stolen from 2.5)

Sorry Adrian, I think this is overzealous.

Please just add the CONFIG_IP_NF_MATCH_RECENT entry.  Remember,
"stable" means "boring". 8)

Rusty.
--
  Anyone who quotes me in their sig is an idiot. -- Rusty Russell.

Re: [2.4 patch] netfilter Configure.help cleanup

[Harald Welte]

[-- Attachment #1: Type: text/plain, Size: 1237 bytes --]

On Fri, Jul 18, 2003 at 11:06:49AM +1000, Rusty Russell wrote:
> In message <20030717201304.GL1407@fs.tum.de> you write:
>
> > the patch below does the following changes to the netfilter entries in
> > Configure.help in 2.4.22-pre2:
> > - order similar to net/ipv4/netfilter/Config.in
> > - remove useless short descriptions above CONFIG_*
> > - added CONFIG_IP_NF_MATCH_RECENT entry (stolen from 2.5)
> 
> Sorry Adrian, I think this is overzealous.
> 
> Please just add the CONFIG_IP_NF_MATCH_RECENT entry.  Remember,
> "stable" means "boring". 8)

I will submit the RECENT entry to davem with my next set of patches.

Does everybody else have an ordered Configure.help?  if yes, I'd accept
the patch to comply with common practice.  If not, I would just say: who
cares about the order, it's processed by {old,menu,x}config anyway.

> Rusty.

-- 
- Harald Welte <laforge@netfilter.org>             http://www.netfilter.org/
============================================================================
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

[-- Attachment #2: Type: application/pgp-signature, Size: 189 bytes --]

Re: [2.4 patch] netfilter Configure.help cleanup

[Adrian Bunk]

On Fri, Jul 25, 2003 at 10:50:24PM +0200, Harald Welte wrote:
> On Fri, Jul 18, 2003 at 11:06:49AM +1000, Rusty Russell wrote:
> > In message <20030717201304.GL1407@fs.tum.de> you write:
> >
> > > the patch below does the following changes to the netfilter entries in
> > > Configure.help in 2.4.22-pre2:
> > > - order similar to net/ipv4/netfilter/Config.in
> > > - remove useless short descriptions above CONFIG_*
> > > - added CONFIG_IP_NF_MATCH_RECENT entry (stolen from 2.5)
> > 
> > Sorry Adrian, I think this is overzealous.
> > 
> > Please just add the CONFIG_IP_NF_MATCH_RECENT entry.  Remember,
> > "stable" means "boring". 8)
> 
> I will submit the RECENT entry to davem with my next set of patches.
> 
> Does everybody else have an ordered Configure.help?  if yes, I'd accept

Most subsytems have their Configure.help entries ordered according to 
the Config.in order.

> the patch to comply with common practice.  If not, I would just say: who
> cares about the order, it's processed by {old,menu,x}config anyway.

I'm not religious regarding the order of Configure.help entries, and in 
2.6 this problem will be non-existant.

cu
Adrian

-- 

       "Is there not promise of rain?" Ling Tan asked suddenly out
        of the darkness. There had been need of rain for many days.
       "Only a promise," Lao Er said.
                                       Pearl S. Buck - Dragon Seed