author | Waldemar Brodkorb <wbx@openadk.org> | 2014-12-25 01:00:32 -0600 |
---|---|---|
committer | Waldemar Brodkorb <wbx@openadk.org> | 2014-12-25 01:00:47 -0600 |
commit | 2edf07e6b7f59faac5cd210aeec573a8904d1d4f (patch) | |
tree | a3a1dc5571e935f53f0543eaea3eb4b87d01e357 /target/linux/config | |
parent | a69eb5d83813a31238c94876b4face5b16228148 (diff) |
update to 3.17.7, rework netfilter support a little bit
Diffstat (limited to 'target/linux/config')
-rw-r--r-- | target/linux/config/Config.in.netfilter | 10 | ||||
-rw-r--r-- | target/linux/config/Config.in.netfilter.core | 163 | ||||
-rw-r--r-- | target/linux/config/Config.in.netfilter.ip4 | 84 |
3 files changed, 126 insertions, 131 deletions
diff --git a/target/linux/config/Config.in.netfilter b/target/linux/config/Config.in.netfilter index 13f64d957..900e9ae64 100644 --- a/target/linux/config/Config.in.netfilter +++ b/target/linux/config/Config.in.netfilter @@ -1,4 +1,4 @@ -menu "Netfilter (Firewall/Filtering)" +menu "Netfilter" config ADK_KERNEL_NETFILTER boolean @@ -16,7 +16,7 @@ config ADK_KERNEL_BRIDGE_NETFILTER default n config ADK_KERNEL_NETFILTER_XTABLES - tristate "Netfilter Xtables support (required for ip_tables)" + tristate select ADK_KERNEL_NETFILTER select ADK_KERNEL_NETFILTER_ADVANCED default y if ADK_PACKAGE_IPTABLES @@ -118,6 +118,10 @@ config ADK_KERNEL_IP_NF_MATCH_STATE select ADK_KERNEL_NETFILTER_XT_MATCH_STATE default n +config ADK_KERNEL_NETFILTER_XT_NAT + tristate + default n + config ADK_KERNEL_NETFILTER_XT_MATCH_STATE tristate default n @@ -145,7 +149,7 @@ menu "Core Netfilter Configuration" source target/linux/config/Config.in.netfilter.core endmenu -menu "IP: Netfilter Configuration" +menu "IPv4: Netfilter Configuration" source target/linux/config/Config.in.netfilter.ip4 endmenu diff --git a/target/linux/config/Config.in.netfilter.core b/target/linux/config/Config.in.netfilter.core index d5665bbdc..5a42efd04 100644 --- a/target/linux/config/Config.in.netfilter.core +++ b/target/linux/config/Config.in.netfilter.core @@ -1,12 +1,5 @@ -config ADK_KERNEL_NETFILTER_NETLINK_LOG - tristate 'Netfilter LOG over NFNETLINK interface' - help - If this option is enabled, the kernel will include support - for logging packets via NFNETLINK. - config ADK_KERNEL_NF_CONNTRACK - prompt 'Netfilter connection tracking support' - tristate + tristate 'Netfilter connection tracking support' select ADK_KERNEL_NETFILTER_XTABLES default m if ADK_PACKAGE_IPTABLES default n 
@@ -18,64 +11,8 @@ config ADK_KERNEL_NF_CONNTRACK Layer 3 independent connection tracking is experimental scheme which generalize ip_conntrack to support other layer 3 protocols. -config ADK_KERNEL_NETFILTER_XT_TARGET_CHECKSUM - tristate '"CHECKSUM" target support' - select ADK_KERNEL_IP_NF_IPTABLES - select ADK_KERNEL_NETFILTER_XTABLES - select ADK_KERNEL_IP_NF_MANGLE - select ADK_KERNEL_NETFILTER_ADVANCED - help - -config ADK_KERNEL_NETFILTER_XT_TARGET_CLASSIFY - tristate '"CLASSIFY" target support' - select ADK_KERNEL_NETFILTER_XTABLES - help - This option adds a `CLASSIFY' target, which enables the user to set - the priority of a packet. Some qdiscs can use this value for - classification, among these are: - - atm, cbq, dsmark, pfifo_fast, htb, prio - -config ADK_KERNEL_NETFILTER_XT_TARGET_CONNMARK - tristate '"CONNMARK" target support' - select ADK_KERNEL_NETFILTER_XTABLES - select ADK_KERNEL_NF_CONNTRACK - help - This option adds a `CONNMARK' target, which allows one to manipulate - the connection mark value. Similar to the MARK target, but - affects the connection mark value rather than the packet mark value. - -config ADK_KERNEL_NETFILTER_XT_TARGET_MARK - tristate '"MARK" target support' - select ADK_KERNEL_NETFILTER_XTABLES - help - This option adds a `MARK' target, which allows you to create rules - in the `mangle' table which alter the netfilter mark (nfmark) field - associated with the packet prior to routing. This can change - the routing method (see `Use netfilter MARK value as routing - key') and can also be used by other subsystems to change their - behavior. - -config ADK_KERNEL_NETFILTER_XT_TARGET_NFQUEUE - tristate '"NFQUEUE" target support' - select ADK_KERNEL_NETFILTER_XTABLES - help - This target replaced the old obsolete QUEUE target. - - As opposed to QUEUE, it supports 65535 different queues, - not just one. 
- -config ADK_KERNEL_NETFILTER_XT_TARGET_LOG - tristate 'LOG target support' - depends on ADK_KERNEL_IP_NF_FILTER - help - This option adds a `LOG' target, which allows you to create rules in - any iptables table which records the packet header to the syslog. - -config ADK_KERNEL_NETFILTER_XT_TARGET_TCPMSS - tristate 'TCPMSS target' - select ADK_KERNEL_NETFILTER_XTABLES - help +menu "Netfilter connection tracking support for special protocols" +depends on ADK_KERNEL_NF_CONNTRACK config ADK_KERNEL_NF_CONNTRACK_MARK bool 'Connection mark tracking support' @@ -106,12 +43,6 @@ config ADK_KERNEL_NF_CONNTRACK_FTP required for tracking them, and doing masquerading and other forms of Network Address Translation on them. -#config ADK_KERNEL_NF_CONNTRACK_RTSP -# tristate 'RTSP protocol support' -# depends on ADK_KERNEL_NF_CONNTRACK -# help -# Tracking RTSP connections might be required for IPTV. - config ADK_KERNEL_NF_CONNTRACK_IRC tristate 'IRC protocol support' depends on ADK_KERNEL_NF_CONNTRACK @@ -126,7 +57,7 @@ config ADK_KERNEL_NF_CONNTRACK_IRC have others initiate chats, or everything else in IRC. config ADK_KERNEL_NF_CONNTRACK_NETBIOS_NS - tristate 'NetBIOS name service protocol support (EXPERIMENTAL)' + tristate 'NetBIOS name service protocol support' depends on ADK_KERNEL_NF_CONNTRACK help NetBIOS name service requests are sent as broadcast messages from an 
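Review bot: The new menu `"Netfilter connection tracking support for special protocols"` in Config.in.netfilter.core opens with `ADK_KERNEL_NF_CONNTRACK_MARK`, which is a conntrack feature rather than a protocol helper, so I would keep that symbol above the `menu` line. The menu now carries `depends on ADK_KERNEL_NF_CONNTRACK`, so the same `depends on` repeated on the IRC, NetBIOS, PPTP, H.323 and SIP entries in the later hunks of this file is redundant. The helpers in this menu let the firewall accept secondary connections negotiated inside the protocol payload, and the later hunks drop the `(EXPERIMENTAL)` hint from the NetBIOS, H.323 and SIP prompts, so a line such as `comment "Enable only the helpers this device really needs"` under the menu header would keep some caution visible. The menu body continues outside this hunk.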
@@ -151,18 +82,6 @@ config ADK_KERNEL_NF_CONNTRACK_TFTP If you are using a tftp client behind -j SNAT or -j MASQUERADING you will need this. -#config ADK_KERNEL_NF_CONNTRACK_AMANDA -# tristate 'Amanda backup protocol support' -# depends on ADK_KERNEL_NF_CONNTRACK -# #FIXME TEXTSEARCH && TEXTSEARCH_KMP -# help -# If you are running the Amanda backup package <http://www.amanda.org/> -# on this machine or machines that will be MASQUERADED through this -# machine, then you may want to enable this feature. This allows the -# connection tracking and natting code to allow the sub-channels that -# Amanda requires for communication of the backup data, messages and -# index. - config ADK_KERNEL_NF_CONNTRACK_PPTP tristate 'PPTP protocol support' depends on ADK_KERNEL_NF_CONNTRACK @@ -178,7 +97,7 @@ config ADK_KERNEL_NF_CONNTRACK_PPTP net/ipv4/netfilter/ip_conntrack_pptp.c config ADK_KERNEL_NF_CONNTRACK_H323 - tristate 'H.323 protocol support (EXPERIMENTAL)' + tristate 'H.323 protocol support' depends on ADK_KERNEL_NF_CONNTRACK help H.323 is a VoIP signalling protocol from ITU-T. As one of the most @@ -195,7 +114,7 @@ config ADK_KERNEL_NF_CONNTRACK_H323 visit http://nath323.sourceforge.net/. config ADK_KERNEL_NF_CONNTRACK_SIP - tristate 'SIP protocol support (EXPERIMENTAL)' + tristate 'SIP protocol support' depends on ADK_KERNEL_NF_CONNTRACK help SIP is an application-layer control protocol that can establish, 
@@ -204,3 +123,73 @@ config ADK_KERNEL_NF_CONNTRACK_SIP the ip_nat_sip modules you can support the protocol on a connection tracking/NATing firewall. +endmenu + +config ADK_KERNEL_NETFILTER_NETLINK_LOG + tristate 'Netfilter LOG over NFNETLINK interface' + help + If this option is enabled, the kernel will include support + for logging packets via NFNETLINK. + +menu "Netfilter target support" + +config ADK_KERNEL_NETFILTER_XT_TARGET_CHECKSUM + tristate '"CHECKSUM" target support' + select ADK_KERNEL_IP_NF_IPTABLES + select ADK_KERNEL_NETFILTER_XTABLES + select ADK_KERNEL_IP_NF_MANGLE + select ADK_KERNEL_NETFILTER_ADVANCED + help + +config ADK_KERNEL_NETFILTER_XT_TARGET_CLASSIFY + tristate '"CLASSIFY" target support' + select ADK_KERNEL_NETFILTER_XTABLES + help + This option adds a `CLASSIFY' target, which enables the user to set + the priority of a packet. Some qdiscs can use this value for + classification, among these are: + + atm, cbq, dsmark, pfifo_fast, htb, prio + +config ADK_KERNEL_NETFILTER_XT_TARGET_CONNMARK + tristate '"CONNMARK" target support' + select ADK_KERNEL_NETFILTER_XTABLES + select ADK_KERNEL_NF_CONNTRACK + help + This option adds a `CONNMARK' target, which allows one to manipulate + the connection mark value. Similar to the MARK target, but + affects the connection mark value rather than the packet mark value. + +config ADK_KERNEL_NETFILTER_XT_TARGET_MARK + tristate '"MARK" target support' + select ADK_KERNEL_NETFILTER_XTABLES + help + This option adds a `MARK' target, which allows you to create rules + in the `mangle' table which alter the netfilter mark (nfmark) field + associated with the packet prior to routing. This can change + the routing method (see `Use netfilter MARK value as routing + key') and can also be used by other subsystems to change their + behavior. 
+ +config ADK_KERNEL_NETFILTER_XT_TARGET_NFQUEUE + tristate '"NFQUEUE" target support' + select ADK_KERNEL_NETFILTER_XTABLES + help + This target replaced the old obsolete QUEUE target. + + As opposed to QUEUE, it supports 65535 different queues, + not just one. + +config ADK_KERNEL_NETFILTER_XT_TARGET_LOG + tristate '"LOG" target support' + depends on ADK_KERNEL_IP_NF_FILTER + help + This option adds a `LOG' target, which allows you to create rules in + any iptables table which records the packet header to the syslog. + +config ADK_KERNEL_NETFILTER_XT_TARGET_TCPMSS + tristate '"TCPMSS" target support' + select ADK_KERNEL_NETFILTER_XTABLES + help + +endmenu diff --git a/target/linux/config/Config.in.netfilter.ip4 b/target/linux/config/Config.in.netfilter.ip4 index d26e61b8e..a29c212cd 100644 --- a/target/linux/config/Config.in.netfilter.ip4 +++ b/target/linux/config/Config.in.netfilter.ip4 @@ -1,27 +1,11 @@ -config ADK_KERNEL_NF_CONNTRACK_IPV4 - prompt 'IPv4 connection tracking support (required for NAT)' +config ADK_KERNEL_NF_NAT tristate - select ADK_KERNEL_NF_CONNTRACK - select ADK_KERNEL_NETFILTER_XT_MATCH_CONNTRACK - default m if ADK_PACKAGE_IPTABLES - default n - help - Connection tracking keeps a record of what packets have passed - through your machine, in order to figure out how they are related - into connections. - -config ADK_KERNEL_IP_NF_CT_ACCT - bool 'Connection tracking flow accounting' - depends on ADK_KERNEL_NF_CONNTRACK - help - If this option is enabled, the connection tracking code will - keep per-flow packet and byte counters. - Those counters can be used for flow-based accounting or the - `connbytes' match. +config ADK_KERNEL_NF_NAT_IPV4 + tristate config ADK_KERNEL_IP_NF_IPTABLES - tristate 'IP tables support (required for filtering/masq/NAT)' + tristate 'IP tables support' select ADK_KERNEL_NETFILTER_XTABLES default m if ADK_PACKAGE_IPTABLES default n 
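Review bot: `ADK_KERNEL_NETFILTER_XT_TARGET_LOG` in the new "Netfilter target support" menu keeps `depends on ADK_KERNEL_IP_NF_FILTER`, although its help says the target works in any iptables table and its siblings use `select ADK_KERNEL_NETFILTER_XTABLES`. As written, packet logging cannot be selected when the filter table is off, which hides it from setups that only want to log from `mangle` or `nat` rules. I would replace the line with `select ADK_KERNEL_NETFILTER_XTABLES`, assuming the kernel symbol itself has no filter-table dependency. The `CHECKSUM` and `TCPMSS` entries are moved with an empty `help`; either drop the keyword or add a one-line description of what the target does.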
@@ -32,33 +16,56 @@ config ADK_KERNEL_IP_NF_IPTABLES either of those. config ADK_KERNEL_IP_NF_FILTER - tristate 'Packet Filtering' + tristate 'IP Packet Filtering table support' depends on ADK_KERNEL_IP_NF_IPTABLES default m if ADK_PACKAGE_IPTABLES default n help Packet filtering defines a table `filter', which has a series of rules for simple packet filtering at local input, forwarding and - local output. See the man page for iptables(8). + local output. -config ADK_KERNEL_NF_NAT - tristate +config ADK_KERNEL_IP_NF_NAT + tristate 'IP NAT table support' + select ADK_KERNEL_NETFILTER_XT_NAT + select ADK_KERNEL_NF_NAT + select ADK_KERNEL_NF_NAT_IPV4 + depends on ADK_KERNEL_IP_NF_IPTABLES + default m if ADK_PACKAGE_IPTABLES default n help - The Full NAT option allows masquerading, port forwarding and other - forms of full Network Address Port Translation. It is controlled by - the `nat' table in iptables: see the man page for iptables(8). -config ADK_KERNEL_NF_NAT_IPV4 - tristate 'Full NAT' - select ADK_KERNEL_NF_NAT +config ADK_KERNEL_IP_NF_MANGLE + tristate 'IP Packet mangling table support' depends on ADK_KERNEL_IP_NF_IPTABLES + default n + help + This option adds a `mangle' table to iptables: see the man page for + iptables(8). This table is used for various packet alterations + which can effect how the packet is routed. + +config ADK_KERNEL_NF_CONNTRACK_IPV4 + tristate 'IP connection tracking support (required for NAT)' + select ADK_KERNEL_NF_CONNTRACK + select ADK_KERNEL_NETFILTER_XT_MATCH_CONNTRACK default m if ADK_PACKAGE_IPTABLES default n help - The Full NAT option allows masquerading, port forwarding and other - forms of full Network Address Port Translation. It is controlled by - the `nat' table in iptables: see the man page for iptables(8). + Connection tracking keeps a record of what packets have passed + through your machine, in order to figure out how they are related + into connections. 
+ +config ADK_KERNEL_IP_NF_CT_ACCT + bool 'Connection tracking flow accounting' + depends on ADK_KERNEL_NF_CONNTRACK + help + If this option is enabled, the connection tracking code will + keep per-flow packet and byte counters. + + Those counters can be used for flow-based accounting or the + `connbytes' match. + +menu "IP target support" config ADK_KERNEL_IP_NF_TARGET_MASQUERADE tristate 'MASQUERADE target support' @@ -83,7 +90,7 @@ config ADK_KERNEL_IP_NF_TARGET_REJECT than silently being dropped. config ADK_KERNEL_IP_NF_TARGET_ULOG - tristate 'ULOG target support (ipv4 only)' + tristate 'ULOG target support' depends on ADK_KERNEL_IP_NF_FILTER help This option enables the old IPv4-only "ipt_ULOG" implementation @@ -116,13 +123,6 @@ config ADK_KERNEL_IP_NF_TARGET_NETMAP address part intact. It is similar to Fast NAT, except that Netfilter's connection tracking doesn't work well with Fast NAT. -config ADK_KERNEL_IP_NF_MANGLE - tristate 'Packet mangling' - help - This option adds a `mangle' table to iptables: see the man page for - iptables(8). This table is used for various packet alterations - which can effect how the packet is routed. - config ADK_KERNEL_IP_NF_TARGET_ECN tristate 'ECN target support' depends on ADK_KERNEL_IP_NF_MANGLE @@ -134,3 +134,5 @@ config ADK_KERNEL_IP_NF_TARGET_ECN an IP packet. This is particularly useful, if you need to work around existing ECN blackholes on the internet, but don't want to disable ECN support in general. + +endmenu |
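Review bot: The new `ADK_KERNEL_IP_NF_NAT` entry in Config.in.netfilter.ip4 selects `ADK_KERNEL_NETFILTER_XT_NAT`, `ADK_KERNEL_NF_NAT` and `ADK_KERNEL_NF_NAT_IPV4`, but it neither selects nor depends on `ADK_KERNEL_NF_CONNTRACK_IPV4`, whose prompt in the same hunk says it is required for NAT. If the kernel's own NAT symbols depend on IPv4 connection tracking (I believe they do, but that Kconfig is not on this page), a configuration with NAT on and conntrack off would lose the `nat` table with no warning at config time. Adding `select ADK_KERNEL_NF_CONNTRACK_IPV4` to the entry closes that gap. The entry also ends in an empty `help`, because the removed "Full NAT" description was not carried over; that text could be reused there.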