of packets, but this mark value is kept in the conntrack session
instead of the individual packets.
-config IP_NF_CONNTRACK_SECMARK
- bool 'Connection tracking security mark support'
- depends on IP_NF_CONNTRACK && NETWORK_SECMARK
- help
- This option enables security markings to be applied to
- connections. Typically they are copied to connections from
- packets using the CONNSECMARK target and copied back from
- connections to packets with the same target, with the packets
- being originally labeled via SECMARK.
-
- If unsure, say 'N'.
-
config IP_NF_CONNTRACK_EVENTS
bool "Connection tracking events (EXPERIMENTAL)"
depends on EXPERIMENTAL && IP_NF_CONNTRACK
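Review bot: Removing IP_NF_CONNTRACK_SECMARK leaves any remaining user of that symbol silently disabled. The deleted help text says the CONNSECMARK target copies labels between packets and connections through this option, so please confirm that the target's own Kconfig entry and any code guarded by CONFIG_IP_NF_CONNTRACK_SECMARK are dropped or updated in the same patch. Otherwise a configuration can still offer CONNSECMARK while the per-connection label storage it needs can no longer be enabled.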
tristate 'Connection tracking netlink interface (EXPERIMENTAL)'
depends on EXPERIMENTAL && IP_NF_CONNTRACK && NETFILTER_NETLINK
depends on IP_NF_CONNTRACK!=y || NETFILTER_NETLINK!=m
- depends on IP_NF_NAT=n || IP_NF_NAT
help
This option enables support for a netlink-based userspace interface
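Review bot: Dropping `depends on IP_NF_NAT=n || IP_NF_NAT` from the conntrack netlink entry removes the constraint that kept this tristate from being built in while NAT is a module. If the netlink code in this tree references NAT symbols, the combination of netlink =y and IP_NF_NAT=m will now be selectable and will fail at link time. Please either keep the line or state why the netlink interface no longer needs anything from NAT.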
config IP_NF_AMANDA
tristate "Amanda backup protocol support"
depends on IP_NF_CONNTRACK
- select TEXTSEARCH
- select TEXTSEARCH_KMP
help
If you are running the Amanda backup package <http://www.amanda.org/>
on this machine or machines that will be MASQUERADED through this
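Review bot: The two `select TEXTSEARCH` / `select TEXTSEARCH_KMP` lines removed from IP_NF_AMANDA are only safe to drop if the Amanda helper built from this tree does not use the textsearch API. If it does, a configuration with IP_NF_AMANDA enabled and TEXTSEARCH unset will end in undefined symbols. Please confirm which version of the helper this Kconfig is paired with.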
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
-config IP_NF_H323
- tristate 'H.323 protocol support (EXPERIMENTAL)'
- depends on IP_NF_CONNTRACK && EXPERIMENTAL
- help
- H.323 is a VoIP signalling protocol from ITU-T. As one of the most
- important VoIP protocols, it is widely used by voice hardware and
- software including voice gateways, IP phones, Netmeeting, OpenPhone,
- Gnomemeeting, etc.
-
- With this module you can support H.323 on a connection tracking/NAT
- firewall.
-
- This module supports RAS, Fast Start, H.245 Tunnelling, Call
- Forwarding, RTP/RTCP and T.120 based audio, video, fax, chat,
- whiteboard, file transfer, etc. For more information, please
- visit http://nath323.sourceforge.net/.
-
- If you want to compile it as a module, say 'M' here and read
- Documentation/modules.txt. If unsure, say 'N'.
-
-config IP_NF_SIP
- tristate "SIP protocol support (EXPERIMENTAL)"
- depends on IP_NF_CONNTRACK && EXPERIMENTAL
- help
- SIP is an application-layer control protocol that can establish,
- modify, and terminate multimedia sessions (conferences) such as
- Internet telephony calls. With the ip_conntrack_sip and
- the ip_nat_sip modules you can support the protocol on a connection
- tracking/NATing firewall.
-
- To compile it as a module, choose M here. If unsure, say Y.
-
config IP_NF_QUEUE
tristate "IP Userspace queueing via NETLINK (OBSOLETE)"
help
To compile it as a module, choose M here. If unsure, say N.
+config IP_NF_MATCH_MULTIPORT
+ tristate "Multiple port match support"
+ depends on IP_NF_IPTABLES
+ help
+ Multiport matching allows you to match TCP or UDP packets based on
+ a series of source or destination ports: normally a rule can only
+ match a single range of ports.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config IP_NF_MATCH_TOS
tristate "TOS match support"
depends on IP_NF_IPTABLES
To compile it as a module, choose M here. If unsure, say N.
-config IP_NF_MATCH_AH
- tristate "AH match support"
+config IP_NF_MATCH_AH_ESP
+ tristate "AH/ESP match support"
depends on IP_NF_IPTABLES
help
- This match extension allows you to match a range of SPIs
- inside AH header of IPSec packets.
+ These two match extensions (`ah' and `esp') allow you to match a
+ range of SPIs inside AH or ESP headers of IPSec packets.
To compile it as a module, choose M here. If unsure, say N.
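Review bot: Renaming IP_NF_MATCH_AH to IP_NF_MATCH_AH_ESP means an existing .config that sets the old symbol will not carry over, so the match is treated as a new, unanswered option on the next oldconfig and rules using `ah` can stop loading on the rebuilt kernel. The Makefile side of the rename is not visible here and must use the new name. Note also that one symbol now builds both `ah` and `esp`, so a minimal configuration can no longer enable one without the other.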
help
This option adds a new iptables `hashlimit' match.
- As opposed to `limit', this match dynamically creates a hash table
+ As opposed to `limit', this match dynamically crates a hash table
of limit buckets, based on your selection of source/destination
ip addresses and/or ports.
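Review bot: The added help line introduces a typo, "dynamically crates a hash table", where the removed line correctly read "dynamically creates a hash table". Please keep the original spelling.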
destination IP' or `500pps from any given source IP' with a single
IPtables rule.
+config IP_NF_MATCH_POLICY
+ tristate "IPsec policy match support"
+ depends on IP_NF_IPTABLES && XFRM
+ help
+ Policy matching allows you to match packets based on the
+ IPsec policy that was used during decapsulation/will
+ be used during encapsulation.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
# `filter', generic and specific targets
config IP_NF_FILTER
tristate "Packet filtering"
To compile it as a module, choose M here. If unsure, say N.
config IP_NF_TARGET_ULOG
- tristate "ULOG target support"
+ tristate "ULOG target support (OBSOLETE)"
depends on IP_NF_IPTABLES
---help---
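Review bot: The prompt for IP_NF_TARGET_ULOG gains "(OBSOLETE)" but the dependency line is unchanged and nothing visible in this hunk updates the help text. Please make sure the help text names what users should move to, since a logging target marked obsolete with no pointer tends to stay in rulesets indefinitely.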
default IP_NF_NAT if IP_NF_PPTP=y
default m if IP_NF_PPTP=m
-config IP_NF_NAT_H323
- tristate
- depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
- default IP_NF_NAT if IP_NF_H323=y
- default m if IP_NF_H323=m
-
-config IP_NF_NAT_SIP
- tristate
- depends on IP_NF_IPTABLES!=n && IP_NF_CONNTRACK!=n && IP_NF_NAT!=n
- default IP_NF_NAT if IP_NF_SIP=y
- default m if IP_NF_SIP=m
-
# mangle + specific targets
config IP_NF_MANGLE
tristate "Packet mangling"
Allows altering the ARP packet payload: source and destination
hardware and network addresses.
-config IP_NF_SET
- tristate "IP set support"
- depends on INET && NETFILTER
- help
- This option adds IP set support to the kernel.
- In order to define and use sets, you need the userspace utility
- ipset(8).
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_NF_SET_MAX
- int "Maximum number of IP sets"
- default 256
- range 2 65534
- depends on IP_NF_SET
- help
- You can define here default value of the maximum number
- of IP sets for the kernel.
-
- The value can be overriden by the 'max_sets' module
- parameter of the 'ip_set' module.
-
-config IP_NF_SET_HASHSIZE
- int "Hash size for bindings of IP sets"
- default 1024
- depends on IP_NF_SET
- help
- You can define here default value of the hash size for
- bindings of IP sets.
-
- The value can be overriden by the 'hash_size' module
- parameter of the 'ip_set' module.
-
-config IP_NF_SET_IPMAP
- tristate "ipmap set support"
- depends on IP_NF_SET
- help
- This option adds the ipmap set type support.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_NF_SET_MACIPMAP
- tristate "macipmap set support"
- depends on IP_NF_SET
- help
- This option adds the macipmap set type support.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_NF_SET_PORTMAP
- tristate "portmap set support"
- depends on IP_NF_SET
- help
- This option adds the portmap set type support.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_NF_SET_IPHASH
- tristate "iphash set support"
- depends on IP_NF_SET
- help
- This option adds the iphash set type support.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_NF_SET_NETHASH
- tristate "nethash set support"
- depends on IP_NF_SET
- help
- This option adds the nethash set type support.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_NF_SET_IPPORTHASH
- tristate "ipporthash set support"
- depends on IP_NF_SET
- help
- This option adds the ipporthash set type support.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_NF_SET_IPTREE
- tristate "iptree set support"
- depends on IP_NF_SET
- help
- This option adds the iptree set type support.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_NF_MATCH_SET
- tristate "set match support"
- depends on IP_NF_SET
- help
- Set matching matches against given IP sets.
- You need the ipset utility to create and set up the sets.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-config IP_NF_TARGET_SET
- tristate "SET target support"
- depends on IP_NF_SET
- help
- The SET target makes possible to add/delete entries
- in IP sets.
- You need the ipset utility to create and set up the sets.
-
- To compile it as a module, choose M here. If unsure, say N.
-
-
endmenu
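Review bot: This hunk removes IP_NF_MATCH_SET and IP_NF_TARGET_SET together with the IP_NF_SET core and all set types, so any ruleset that uses the `set` match or `SET` target will fail to load on a kernel built from this tree. That is a behaviour change for a packet filter and should be called out in the changelog. Also confirm that the matching Makefile entries and headers are removed in the same patch, so no stale references to the IP_NF_SET_* symbols remain.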