~hc/RK356X_SDK_RELEASE.git

..	..	@@ -1,3 +1,4 @@
	1	+# SPDX-License-Identifier: GPL-2.0-only
1	2	menu "Core Netfilter Configuration"
2	3	depends on NET && INET && NETFILTER
3	4
..	..	@@ -19,7 +20,7 @@
19	20	bool
20	21
21	22	config NETFILTER_NETLINK_ACCT
22		-tristate "Netfilter NFACCT over NFNETLINK interface"
	23	+ tristate "Netfilter NFACCT over NFNETLINK interface"
23	24	depends on NETFILTER_ADVANCED
24	25	select NETFILTER_NETLINK
25	26	help
..	..	@@ -33,7 +34,7 @@
33	34	help
34	35	If this option is enabled, the kernel will include support
35	36	for queueing packets via NFNETLINK.
36		-
	37	+
37	38	config NETFILTER_NETLINK_LOG
38	39	tristate "Netfilter LOG over NFNETLINK interface"
39	40	default m if NETFILTER_ADVANCED=n
..	..	@@ -117,9 +118,8 @@
117	118
118	119	config NF_CONNTRACK_PROCFS
119	120	bool "Supply CT list in procfs (OBSOLETE)"
120		- default y
121	121	depends on PROC_FS
122		- ---help---
	122	+ help
123	123	This option enables for the list of known conntrack entries
124	124	to be shown in procfs under net/netfilter/nf_conntrack. This
125	125	is considered obsolete in favor of using the conntrack(8)
..	..	@@ -174,7 +174,7 @@
174	174	If unsure, say Y.
175	175
176	176	config NF_CT_PROTO_GRE
177		- tristate
	177	+ bool
178	178
179	179	config NF_CT_PROTO_SCTP
180	180	bool 'SCTP protocol connection tracking support'
..	..	@@ -222,8 +222,6 @@
222	222	of Network Address Translation on them.
223	223
224	224	This is FTP support on Layer 3 independent connection tracking.
225		- Layer 3 independent connection tracking is experimental scheme
226		- which generalize ip_conntrack to support other layer 3 protocols.
227	225
228	226	To compile it as a module, choose M here. If unsure, say N.
229	227
..	..	@@ -337,7 +335,7 @@
337	335	help
338	336	SIP is an application-layer control protocol that can establish,
339	337	modify, and terminate multimedia sessions (conferences) such as
340		- Internet telephony calls. With the ip_conntrack_sip and
	338	+ Internet telephony calls. With the nf_conntrack_sip and
341	339	the nf_nat_sip modules you can support the protocol on a connection
342	340	tracking/NATing firewall.
343	341
..	..	@@ -396,27 +394,13 @@
396	394	the enqueued via NFNETLINK.
397	395
398	396	config NF_NAT
399		- tristate
400		-
401		-config NF_NAT_NEEDED
402		- bool
403		- depends on NF_NAT
404		- default y
405		-
406		-config NF_NAT_PROTO_DCCP
407		- bool
408		- depends on NF_NAT && NF_CT_PROTO_DCCP
409		- default NF_NAT && NF_CT_PROTO_DCCP
410		-
411		-config NF_NAT_PROTO_UDPLITE
412		- bool
413		- depends on NF_NAT && NF_CT_PROTO_UDPLITE
414		- default NF_NAT && NF_CT_PROTO_UDPLITE
415		-
416		-config NF_NAT_PROTO_SCTP
417		- bool
418		- default NF_NAT && NF_CT_PROTO_SCTP
419		- depends on NF_NAT && NF_CT_PROTO_SCTP
	397	+ tristate "Network Address Translation support"
	398	+ depends on NF_CONNTRACK
	399	+ default m if NETFILTER_ADVANCED=n
	400	+ help
	401	+ The NAT option allows masquerading, port forwarding and other
	402	+ forms of full Network Address Port Translation. This can be
	403	+ controlled by iptables, ip6tables or nft.
420	404
421	405	config NF_NAT_AMANDA
422	406	tristate
..	..	@@ -446,6 +430,9 @@
446	430	config NF_NAT_REDIRECT
447	431	bool
448	432
	433	+config NF_NAT_MASQUERADE
	434	+ bool
	435	+
449	436	config NETFILTER_SYNPROXY
450	437	tristate
451	438
..	..	@@ -453,13 +440,14 @@
453	440
454	441	config NF_TABLES
455	442	select NETFILTER_NETLINK
	443	+ select LIBCRC32C
456	444	tristate "Netfilter nf_tables support"
457	445	help
458	446	nftables is the new packet classification framework that intends to
459	447	replace the existing {ip,ip6,arp,eb}_tables infrastructure. It
460	448	provides a pseudo-state machine with an extensible instruction-set
461	449	(also known as expressions) that the userspace 'nft' utility
462		- (http://www.netfilter.org/projects/nftables) uses to build the
	450	+ (https://www.netfilter.org/projects/nftables) uses to build the
463	451	rule-set. It also comes with the generic set infrastructure that
464	452	allows you to construct mappings between matchings and actions
465	453	for performance lookups.
..	..	@@ -467,14 +455,6 @@
467	455	To compile it as a module, choose M here.
468	456
469	457	if NF_TABLES
470		-
471		-config NF_TABLES_SET
472		- tristate "Netfilter nf_tables set infrastructure"
473		- help
474		- This option enables the nf_tables set infrastructure that allows to
475		- look up for elements in a set and to build one-way mappings between
476		- matchings and actions.
477		-
478	458	config NF_TABLES_INET
479	459	depends on IPV6
480	460	select NF_TABLES_IPV4
..	..	@@ -538,6 +518,7 @@
538	518	config NFT_MASQ
539	519	depends on NF_CONNTRACK
540	520	depends on NF_NAT
	521	+ select NF_NAT_MASQUERADE
541	522	tristate "Netfilter nf_tables masquerade support"
542	523	help
543	524	This option adds the "masquerade" expression that you can use
..	..	@@ -547,6 +528,7 @@
547	528	depends on NF_CONNTRACK
548	529	depends on NF_NAT
549	530	tristate "Netfilter nf_tables redirect support"
	531	+ select NF_NAT_REDIRECT
550	532	help
551	533	This options adds the "redirect" expression that you can use
552	534	to perform NAT in the redirect flavour.
..	..	@@ -554,6 +536,7 @@
554	536	config NFT_NAT
555	537	depends on NF_CONNTRACK
556	538	select NF_NAT
	539	+ depends on NF_TABLES_IPV4 \|\| NF_TABLES_IPV6
557	540	tristate "Netfilter nf_tables nat module"
558	541	help
559	542	This option adds the "nat" expression that you can use to perform
..	..	@@ -625,6 +608,13 @@
625	608	The lookup will be delegated to the IPv4 or IPv6 FIB depending
626	609	on the protocol of the packet.
627	610
	611	+config NFT_XFRM
	612	+ tristate "Netfilter nf_tables xfrm/IPSec security association matching"
	613	+ depends on XFRM
	614	+ help
	615	+ This option adds an expression that you can use to extract properties
	616	+ of a packets security association.
	617	+
628	618	config NFT_SOCKET
629	619	tristate "Netfilter nf_tables socket match support"
630	620	depends on IPV6 \|\| IPV6=n
..	..	@@ -650,6 +640,17 @@
650	640	select NF_TPROXY_IPV6 if NF_TABLES_IPV6
651	641	help
652	642	This makes transparent proxy support available in nftables.
	643	+
	644	+config NFT_SYNPROXY
	645	+ tristate "Netfilter nf_tables SYNPROXY expression support"
	646	+ depends on NF_CONNTRACK && NETFILTER_ADVANCED
	647	+ select NETFILTER_SYNPROXY
	648	+ select SYN_COOKIES
	649	+ help
	650	+ The SYNPROXY expression allows you to intercept TCP connections and
	651	+ establish them using syncookies before they are passed on to the
	652	+ server. This allows to avoid conntrack and server resource usage
	653	+ during SYN-flood attacks.
653	654
654	655	if NF_TABLES_NETDEV
655	656
..	..	@@ -688,7 +689,7 @@
688	689	tristate "Netfilter flow table mixed IPv4/IPv6 module"
689	690	depends on NF_FLOW_TABLE
690	691	help
691		- This option adds the flow table mixed IPv4/IPv6 support.
	692	+ This option adds the flow table mixed IPv4/IPv6 support.
692	693
693	694	To compile it as a module, choose M here.
694	695
..	..	@@ -716,7 +717,7 @@
716	717	config NETFILTER_XT_MARK
717	718	tristate 'nfmark target and match support'
718	719	default m if NETFILTER_ADVANCED=n
719		- ---help---
	720	+ help
720	721	This option adds the "MARK" target and "mark" match.
721	722
722	723	Netfilter mark matching allows you to match packets based on the
..	..	@@ -732,7 +733,7 @@
732	733	depends on NF_CONNTRACK
733	734	depends on NETFILTER_ADVANCED
734	735	select NF_CONNTRACK_MARK
735		- ---help---
	736	+ help
736	737	This option adds the "CONNMARK" target and "connmark" match.
737	738
738	739	Netfilter allows you to store a mark value per connection (a.k.a.
..	..	@@ -759,7 +760,7 @@
759	760	tristate "AUDIT target support"
760	761	depends on AUDIT
761	762	depends on NETFILTER_ADVANCED
762		- ---help---
	763	+ help
763	764	This option adds a 'AUDIT' target, which can be used to create
764	765	audit records for packets dropped/accepted.
765	766
..	..	@@ -769,7 +770,7 @@
769	770	tristate "CHECKSUM target support"
770	771	depends on IP_NF_MANGLE \|\| IP6_NF_MANGLE
771	772	depends on NETFILTER_ADVANCED
772		- ---help---
	773	+ help
773	774	This option adds a `CHECKSUM' target, which can be used in the iptables mangle
774	775	table to work around buggy DHCP clients in virtualized environments.
775	776
..	..	@@ -798,7 +799,7 @@
798	799	depends on NF_CONNTRACK
799	800	depends on NETFILTER_ADVANCED
800	801	select NETFILTER_XT_CONNMARK
801		- ---help---
	802	+ help
802	803	This is a backwards-compat option for the user's convenience
803	804	(e.g. when running oldconfig). It selects
804	805	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
..	..	@@ -847,7 +848,7 @@
847	848	tristate '"HL" hoplimit target support'
848	849	depends on IP_NF_MANGLE \|\| IP6_NF_MANGLE
849	850	depends on NETFILTER_ADVANCED
850		- ---help---
	851	+ help
851	852	This option adds the "HL" (for IPv6) and "TTL" (for IPv4)
852	853	targets, which enable the user to change the
853	854	hoplimit/time-to-live value of the IP header.
..	..	@@ -862,7 +863,7 @@
862	863	tristate '"HMARK" target support'
863	864	depends on IP6_NF_IPTABLES \|\| IP6_NF_IPTABLES=n
864	865	depends on NETFILTER_ADVANCED
865		- ---help---
	866	+ help
866	867	This option adds the "HMARK" target.
867	868
868	869	The target allows you to create rules in the "raw" and "mangle" tables
..	..	@@ -906,7 +907,7 @@
906	907	echo netfilter-ssh > /sys/class/leds/<ledname>/trigger
907	908
908	909	For more information on the LEDs available on your system, see
909		- Documentation/leds/leds-class.txt
	910	+ Documentation/leds/leds-class.rst
910	911
911	912	config NETFILTER_XT_TARGET_LOG
912	913	tristate "LOG target support"
..	..	@@ -924,7 +925,7 @@
924	925	tristate '"MARK" target support'
925	926	depends on NETFILTER_ADVANCED
926	927	select NETFILTER_XT_MARK
927		- ---help---
	928	+ help
928	929	This is a backwards-compat option for the user's convenience
929	930	(e.g. when running oldconfig). It selects
930	931	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
..	..	@@ -932,7 +933,7 @@
932	933	config NETFILTER_XT_NAT
933	934	tristate '"SNAT and DNAT" targets support'
934	935	depends on NF_NAT
935		- ---help---
	936	+ help
936	937	This option enables the SNAT and DNAT targets.
937	938
938	939	To compile it as a module, choose M here. If unsure, say N.
..	..	@@ -940,7 +941,7 @@
940	941	config NETFILTER_XT_TARGET_NETMAP
941	942	tristate '"NETMAP" target support'
942	943	depends on NF_NAT
943		- ---help---
	944	+ help
944	945	NETMAP is an implementation of static 1:1 NAT mapping of network
945	946	addresses. It maps the network address part, while keeping the host
946	947	address part intact.
..	..	@@ -990,13 +991,27 @@
990	991	tristate "REDIRECT target support"
991	992	depends on NF_NAT
992	993	select NF_NAT_REDIRECT
993		- ---help---
	994	+ help
994	995	REDIRECT is a special case of NAT: all incoming connections are
995	996	mapped onto the incoming interface's address, causing the packets to
996	997	come to the local machine instead of passing through. This is
997	998	useful for transparent proxies.
998	999
999	1000	To compile it as a module, choose M here. If unsure, say N.
	1001	+
	1002	+config NETFILTER_XT_TARGET_MASQUERADE
	1003	+ tristate "MASQUERADE target support"
	1004	+ depends on NF_NAT
	1005	+ default m if NETFILTER_ADVANCED=n
	1006	+ select NF_NAT_MASQUERADE
	1007	+ help
	1008	+ Masquerading is a special case of NAT: all outgoing connections are
	1009	+ changed to seem to come from a particular interface's address, and
	1010	+ if the interface goes down, those connections are lost. This is
	1011	+ only useful for dialup accounts with dynamic IP address (ie. your IP
	1012	+ address will be different on next dialup).
	1013	+
	1014	+ To compile it as a module, choose M here. If unsure, say N.
1000	1015
1001	1016	config NETFILTER_XT_TARGET_TEE
1002	1017	tristate '"TEE" - packet cloning to alternate destination'
..	..	@@ -1006,7 +1021,7 @@
1006	1021	depends on IP6_NF_IPTABLES \|\| !IP6_NF_IPTABLES
1007	1022	select NF_DUP_IPV4
1008	1023	select NF_DUP_IPV6 if IP6_NF_IPTABLES
1009		- ---help---
	1024	+ help
1010	1025	This option adds a "TEE" target with which a packet can be cloned and
1011	1026	this clone be rerouted to another nexthop.
1012	1027
..	..	@@ -1028,7 +1043,7 @@
1028	1043	on Netfilter connection tracking and NAT, unlike REDIRECT.
1029	1044	For it to work you will have to configure certain iptables rules
1030	1045	and use policy routing. For more information on how to set it up
1031		- see Documentation/networking/tproxy.txt.
	1046	+ see Documentation/networking/tproxy.rst.
1032	1047
1033	1048	To compile it as a module, choose M here. If unsure, say N.
1034	1049
..	..	@@ -1042,7 +1057,7 @@
1042	1057	the tables, chains, rules.
1043	1058
1044	1059	If you want to compile it as a module, say M here and read
1045		- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
	1060	+ <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1046	1061
1047	1062	config NETFILTER_XT_TARGET_SECMARK
1048	1063	tristate '"SECMARK" target support'
..	..	@@ -1058,7 +1073,7 @@
1058	1073	tristate '"TCPMSS" target support'
1059	1074	depends on IPV6 \|\| IPV6=n
1060	1075	default m if NETFILTER_ADVANCED=n
1061		- ---help---
	1076	+ help
1062	1077	This option adds a `TCPMSS' target, which allows you to alter the
1063	1078	MSS value of TCP SYN packets, to control the maximum size for that
1064	1079	connection (usually limiting it to your outgoing interface's MTU
..	..	@@ -1096,12 +1111,12 @@
1096	1111	config NETFILTER_XT_MATCH_ADDRTYPE
1097	1112	tristate '"addrtype" address type match support'
1098	1113	default m if NETFILTER_ADVANCED=n
1099		- ---help---
	1114	+ help
1100	1115	This option allows you to match what routing thinks of an address,
1101	1116	eg. UNICAST, LOCAL, BROADCAST, ...
1102	1117
1103	1118	If you want to compile it as a module, say M here and read
1104		- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
	1119	+ <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1105	1120
1106	1121	config NETFILTER_XT_MATCH_BPF
1107	1122	tristate '"bpf" match support'
..	..	@@ -1117,7 +1132,7 @@
1117	1132	depends on NETFILTER_ADVANCED
1118	1133	depends on CGROUPS
1119	1134	select CGROUP_NET_CLASSID
1120		- ---help---
	1135	+ help
1121	1136	Socket/process control group matching allows you to match locally
1122	1137	generated packets based on which net_cls control group processes
1123	1138	belong to.
..	..	@@ -1126,7 +1141,7 @@
1126	1141	tristate '"cluster" match support'
1127	1142	depends on NF_CONNTRACK
1128	1143	depends on NETFILTER_ADVANCED
1129		- ---help---
	1144	+ help
1130	1145	This option allows you to build work-load-sharing clusters of
1131	1146	network servers/stateful firewalls without having a dedicated
1132	1147	load-balancing router/server/switch. Basically, this match returns
..	..	@@ -1146,7 +1161,7 @@
1146	1161	comments in your iptables ruleset.
1147	1162
1148	1163	If you want to compile it as a module, say M here and read
1149		- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
	1164	+ <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1150	1165
1151	1166	config NETFILTER_XT_MATCH_CONNBYTES
1152	1167	tristate '"connbytes" per-connection counter match support'
..	..	@@ -1157,14 +1172,14 @@
1157	1172	number of bytes and/or packets for each direction within a connection.
1158	1173
1159	1174	If you want to compile it as a module, say M here and read
1160		- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
	1175	+ <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1161	1176
1162	1177	config NETFILTER_XT_MATCH_CONNLABEL
1163	1178	tristate '"connlabel" match support'
1164	1179	select NF_CONNTRACK_LABELS
1165	1180	depends on NF_CONNTRACK
1166	1181	depends on NETFILTER_ADVANCED
1167		- ---help---
	1182	+ help
1168	1183	This match allows you to test and assign userspace-defined labels names
1169	1184	to a connection. The kernel only stores bit values - mapping
1170	1185	names to bits is done by userspace.
..	..	@@ -1177,7 +1192,7 @@
1177	1192	depends on NF_CONNTRACK
1178	1193	depends on NETFILTER_ADVANCED
1179	1194	select NETFILTER_CONNCOUNT
1180		- ---help---
	1195	+ help
1181	1196	This match allows you to match against the number of parallel
1182	1197	connections to a server per client IP address (or address block).
1183	1198
..	..	@@ -1186,7 +1201,7 @@
1186	1201	depends on NF_CONNTRACK
1187	1202	depends on NETFILTER_ADVANCED
1188	1203	select NETFILTER_XT_CONNMARK
1189		- ---help---
	1204	+ help
1190	1205	This is a backwards-compat option for the user's convenience
1191	1206	(e.g. when running oldconfig). It selects
1192	1207	CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
..	..	@@ -1223,7 +1238,7 @@
1223	1238	and DCCP flags.
1224	1239
1225	1240	If you want to compile it as a module, say M here and read
1226		- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
	1241	+ <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1227	1242
1228	1243	config NETFILTER_XT_MATCH_DEVGROUP
1229	1244	tristate '"devgroup" match support'
..	..	@@ -1252,7 +1267,7 @@
1252	1267	config NETFILTER_XT_MATCH_ECN
1253	1268	tristate '"ecn" match support'
1254	1269	depends on NETFILTER_ADVANCED
1255		- ---help---
	1270	+ help
1256	1271	This option adds an "ECN" match, which allows you to match against
1257	1272	the IPv4 and TCP header ECN fields.
1258	1273
..	..	@@ -1288,14 +1303,14 @@
1288	1303	depends on NETFILTER_ADVANCED
1289	1304	help
1290	1305	Helper matching allows you to match packets in dynamic connections
1291		- tracked by a conntrack-helper, ie. ip_conntrack_ftp
	1306	+ tracked by a conntrack-helper, ie. nf_conntrack_ftp
1292	1307
1293	1308	To compile it as a module, choose M here. If unsure, say Y.
1294	1309
1295	1310	config NETFILTER_XT_MATCH_HL
1296	1311	tristate '"hl" hoplimit/TTL match support'
1297	1312	depends on NETFILTER_ADVANCED
1298		- ---help---
	1313	+ help
1299	1314	HL matching allows you to match packets based on the hoplimit
1300	1315	in the IPv6 header, or the time-to-live field in the IPv4
1301	1316	header of the packet.
..	..	@@ -1312,7 +1327,7 @@
1312	1327	config NETFILTER_XT_MATCH_IPRANGE
1313	1328	tristate '"iprange" address range match support'
1314	1329	depends on NETFILTER_ADVANCED
1315		- ---help---
	1330	+ help
1316	1331	This option adds a "iprange" match, which allows you to match based on
1317	1332	an IP address range. (Normal iptables only matches on single addresses
1318	1333	with an optional mask.)
..	..	@@ -1333,7 +1348,7 @@
1333	1348	tristate '"l2tp" match support'
1334	1349	depends on NETFILTER_ADVANCED
1335	1350	default L2TP
1336		- ---help---
	1351	+ help
1337	1352	This option adds an "L2TP" match, which allows you to match against
1338	1353	L2TP protocol header fields.
1339	1354
..	..	@@ -1371,7 +1386,7 @@
1371	1386	tristate '"mark" match support'
1372	1387	depends on NETFILTER_ADVANCED
1373	1388	select NETFILTER_XT_MARK
1374		- ---help---
	1389	+ help
1375	1390	This is a backwards-compat option for the user's convenience
1376	1391	(e.g. when running oldconfig). It selects
1377	1392	CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
..	..	@@ -1413,7 +1428,7 @@
1413	1428	config NETFILTER_XT_MATCH_OWNER
1414	1429	tristate '"owner" match support'
1415	1430	depends on NETFILTER_ADVANCED
1416		- ---help---
	1431	+ help
1417	1432	Socket owner matching allows you to match locally-generated packets
1418	1433	based on who created the socket: the user or group. It is also
1419	1434	possible to check whether a socket actually exists.
..	..	@@ -1459,7 +1474,7 @@
1459	1474	byte counter.
1460	1475
1461	1476	If you want to compile it as a module, say M here and read
1462		- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
	1477	+ <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1463	1478
1464	1479	config NETFILTER_XT_MATCH_QUOTA2
1465	1480	tristate '"quota2" match support'
..	..	@@ -1502,16 +1517,16 @@
1502	1517	This option adds a `realm' match, which allows you to use the realm
1503	1518	key from the routing subsystem inside iptables.
1504	1519
1505		- This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
	1520	+ This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
1506	1521	in tc world.
1507	1522
1508	1523	If you want to compile it as a module, say M here and read
1509		- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
	1524	+ <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1510	1525
1511	1526	config NETFILTER_XT_MATCH_RECENT
1512	1527	tristate '"recent" match support'
1513	1528	depends on NETFILTER_ADVANCED
1514		- ---help---
	1529	+ help
1515	1530	This match is used for creating one or many lists of recently
1516	1531	used addresses and then matching against that/those list(s).
1517	1532
..	..	@@ -1523,12 +1538,12 @@
1523	1538	depends on NETFILTER_ADVANCED
1524	1539	default IP_SCTP
1525	1540	help
1526		- With this option enabled, you will be able to use the
	1541	+ With this option enabled, you will be able to use the
1527	1542	`sctp' match in order to match on SCTP source/destination ports
1528	1543	and SCTP chunk types.
1529	1544
1530	1545	If you want to compile it as a module, say M here and read
1531		- <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
	1546	+ <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1532	1547
1533	1548	config NETFILTER_XT_MATCH_SOCKET
1534	1549	tristate '"socket" match support'
..	..	@@ -1594,7 +1609,7 @@
1594	1609	config NETFILTER_XT_MATCH_TIME
1595	1610	tristate '"time" match support'
1596	1611	depends on NETFILTER_ADVANCED
1597		- ---help---
	1612	+ help
1598	1613	This option adds a "time" match, which allows you to match based on
1599	1614	the packet arrival time (at the machine which netfilter is running)
1600	1615	on) or departure time/date (for locally generated packets).
..	..	@@ -1608,7 +1623,7 @@
1608	1623	config NETFILTER_XT_MATCH_U32
1609	1624	tristate '"u32" match support'
1610	1625	depends on NETFILTER_ADVANCED
1611		- ---help---
	1626	+ help
1612	1627	u32 allows you to extract quantities of up to 4 bytes from a packet,
1613	1628	AND them with specified masks, shift them by specified amounts and
1614	1629	test whether the results are in any of a set of specified ranges.