Re: [PATCH nf-next] netfilter: add help information to new nf_tables Kconfig options

Hello,

Some comments below even if I've got one of the worst English of the
place ;)

On Mon, 2013-12-30 at 15:03 +0100, Pablo Neira Ayuso wrote:
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
>  net/ipv4/netfilter/Kconfig |   18 ++++++++++++++++++
>  net/ipv6/netfilter/Kconfig |   12 ++++++++++++
>  net/netfilter/Kconfig      |   38 ++++++++++++++++++++++++++++++++++++++
>  3 files changed, 68 insertions(+)
> 
> diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
> index 40d5607..0cb82fa 100644
> --- a/net/ipv4/netfilter/Kconfig
> +++ b/net/ipv4/netfilter/Kconfig
> @@ -39,23 +39,41 @@ config NF_CONNTRACK_PROC_COMPAT
>  config NF_TABLES_IPV4
>  	depends on NF_TABLES
>  	tristate "IPv4 nf_tables support"
> +	help
> +	  This option enables the IPv4 support for nf_tables.
>  
>  config NFT_REJECT_IPV4
>  	depends on NF_TABLES_IPV4
>  	tristate "nf_tables IPv4 reject support"
> +	help
> +	  This option adds the "reject" expression that you can use to
> +	  explicitly deny and notify via TCP reset/ICMP informational errors
> +	  unallowed traffic.

I would say:

This option adds the "reject" expression that you can use to explicitly
deny traffic and notify it via TCP reset/ICMP informational errors.

>  
>  config NFT_CHAIN_ROUTE_IPV4
>  	depends on NF_TABLES_IPV4
>  	tristate "IPv4 nf_tables route chain support"
> +	help
> +	  This option enables the "route" chain for IPv4 in nf_tables. This
> +	  chain type is used to force packet re-routing after mangling header
> +	  fields such as the source, destination, type of service and
> +	  the packet mark.
>  
>  config NFT_CHAIN_NAT_IPV4
>  	depends on NF_TABLES_IPV4
>  	depends on NF_NAT_IPV4 && NFT_NAT
>  	tristate "IPv4 nf_tables nat chain support"
> +	help
> +	  This option enables the "nat" chain for IPv4 in nf_tables. This
> +	  chain type is used to perform Network Address Translation (NAT)
> +	  packet transformations such as the source, destination address and
> +	  source and destination ports.
>  
>  config NF_TABLES_ARP
>  	depends on NF_TABLES
>  	tristate "ARP nf_tables support"
> +	help
> +	  This option enables the ARP support for nf_tables.
>  
>  config IP_NF_IPTABLES
>  	tristate "IP tables support (required for filtering/masq/NAT)"
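
Review bot: The NFT_REJECT_IPV4 help text reads awkwardly, because the object of "deny" ("unallowed traffic") is separated from the verb by the notification clause ("explicitly deny and notify via TCP reset/ICMP informational errors unallowed traffic"); suggest "that you can use to explicitly deny traffic and notify the sender via a TCP reset or an ICMP error". In the same hunk, NF_TABLES_IPV4, NFT_REJECT_IPV4, NFT_CHAIN_ROUTE_IPV4, NFT_CHAIN_NAT_IPV4 and NF_TABLES_ARP are all tristate, yet none of their new help texts carries the "To compile it as a module, choose M here." line that the NF_TABLES help in net/netfilter/Kconfig adds; adding it to each keeps the options consistent in menuconfig. The NFT_CHAIN_ROUTE_IPV4 list "the source, destination, type of service" also reads better as "the source or destination address, the type of service".
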
> diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
> index 7702f9e..35750df 100644
> --- a/net/ipv6/netfilter/Kconfig
> +++ b/net/ipv6/netfilter/Kconfig
> @@ -28,15 +28,27 @@ config NF_CONNTRACK_IPV6
>  config NF_TABLES_IPV6
>  	depends on NF_TABLES
>  	tristate "IPv6 nf_tables support"
> +	help
> +	  This option enables the IPv6 support for nf_tables.
>  
>  config NFT_CHAIN_ROUTE_IPV6
>  	depends on NF_TABLES_IPV6
>  	tristate "IPv6 nf_tables route chain support"
> +	help
> +	  This option enables the "route" chain for IPv6 in nf_tables. This
> +	  chain type is used to force packet re-routing after mangling header
> +	  fields such as the source, destination, flowlabel, hop-limit and
> +	  the packet mark.
>  
>  config NFT_CHAIN_NAT_IPV6
>  	depends on NF_TABLES_IPV6
>  	depends on NF_NAT_IPV6 && NFT_NAT
>  	tristate "IPv6 nf_tables nat chain support"
> +	help
> +	  This option enables the "nat" chain for IPv6 in nf_tables. This
> +	  chain type is used to perform Network Address Translation (NAT)
> +	  packet transformations such as the source, destination address and
> +	  source and destination ports.
>  
>  config IP6_NF_IPTABLES
>  	tristate "IP6 tables support (required for filtering)"
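
Review bot: The NFT_CHAIN_NAT_IPV6 help text repeats "source" ("the source, destination address and source and destination ports"); suggest "such as the source and destination addresses and ports". The option depends on NF_NAT_IPV6 && NFT_NAT, but the help does not tell the user that rules in a "nat" chain need the "nat" expression provided by NFT_NAT to select the translation; one sentence stating that dependency would make it visible in menuconfig, where the "depends on" line itself is not shown. The same remarks apply to the IPv4 counterpart in net/ipv4/netfilter/Kconfig, which uses identical wording.
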
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index 01f9f64..22c19d2 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -416,45 +416,83 @@ endif # NF_CONNTRACK
>  config NF_TABLES
>  	select NETFILTER_NETLINK
>  	tristate "Netfilter nf_tables support"
> +	help
> +	  nftables is the new packet classification framework that intends to
> +	  replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
> +	  provides a pseudo-state machine with an extensible instruction-set
> +	  (also known as expressions) that the userspace 'nft' utility
> +	  (http://www.netfilter.org/projects/nftables) uses to build the
> +	  rule-set. It also comes with the generic set infrastructure that
> +	  allows you to construct mappings between matchings and actions
> +	  for performance lookups.
> +
> +	  To compile it as a module, choose M here.
>  
>  config NFT_EXTHDR
>  	depends on NF_TABLES
>  	tristate "Netfilter nf_tables IPv6 exthdr module"
> +	help
> +	  This option adds the "exthdr" expression that you can use to match
> +	  IPv6 extension headers.
>  
>  config NFT_META
>  	depends on NF_TABLES
>  	tristate "Netfilter nf_tables meta module"
> +	help
> +	  This option adds the "meta" expression that you can use to match and
> +	  to set packet metainformation such as the packet mark.
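
Review bot: The NF_TABLES help is the text most users will read before enabling nftables, and two phrases in it are unclear: "an extensible instruction-set (also known as expressions)" conflates the instruction set with its elements, and "mappings between matchings and actions for performance lookups" does not say what is being looked up. Suggest "an extensible instruction set whose instructions are called expressions" and "allows you to build maps from matched values (such as addresses or ports) to actions that can be looked up efficiently". NFT_EXTHDR depends only on NF_TABLES while its prompt and help describe IPv6 extension headers; stating in the help that the expression is IPv6-specific avoids the impression that NF_TABLES_IPV6 is a prerequisite.
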

I would add info about iface matching, which is one of the more commonly
used matchings in meta:

This option adds the "meta" expression that you can use to match and to
set packet metainformation such as the packet mark or network interface.

++
-- 
Eric Leblond <eric@xxxxxxxxx>
