netfilter: netns nf_conntrack: per-netns net.netfilter.nf_conntrack_log_invalid sysctl

[linux-2.6-omap-h63xx.git] / net / netfilter / Kconfig

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index c1fc0f1a641c622abd6ad7c9c2640e6eec38f16e..4a464857f2169e6a0bd9e7c4f49bd3d5ee4d7b91 100644 (file)
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -33,9 +33,8 @@ config NF_CONNTRACK
          into connections.
 
          This is required to do Masquerading or other kinds of Network
-         Address Translation (except for Fast NAT).  It can also be used to
-         enhance packet filtering (see `Connection state match support'
-         below).
+         Address Translation.  It can also be used to enhance packet
+         filtering (see `Connection state match support' below).
 
          To compile it as a module, choose M here.  If unsure, say N.
 
@@ -50,6 +49,15 @@ config NF_CT_ACCT
          Those counters can be used for flow-based accounting or the
          `connbytes' match.
 
+         Please note that currently this option only sets a default state.
+         You may change it at boot time with nf_conntrack.acct=0/1 kernel
+         paramater or by loading the nf_conntrack module with acct=0/1.
+
+         You may also disable/enable it on a running system with:
+          sysctl net.netfilter.nf_conntrack_acct=0/1
+
+         This option will be removed in 2.6.29.
+
          If unsure, say `N'.
 
 config NF_CONNTRACK_MARK
@@ -90,6 +98,7 @@ config NF_CT_PROTO_DCCP
        tristate 'DCCP protocol connection tracking support (EXPERIMENTAL)'
        depends on EXPERIMENTAL && NF_CONNTRACK
        depends on NETFILTER_ADVANCED
+       default IP_DCCP
        help
          With this option enabled, the layer 3 independent connection
          tracking code will be able to do state tracking on DCCP connections.
@@ -104,6 +113,7 @@ config NF_CT_PROTO_SCTP
        tristate 'SCTP protocol connection tracking support (EXPERIMENTAL)'
        depends on EXPERIMENTAL && NF_CONNTRACK
        depends on NETFILTER_ADVANCED
+       default IP_SCTP
        help
          With this option enabled, the layer 3 independent connection
          tracking code will be able to do state tracking on SCTP connections.
@@ -532,6 +542,7 @@ config NETFILTER_XT_MATCH_DCCP
        tristate '"dccp" protocol match support'
        depends on NETFILTER_XTABLES
        depends on NETFILTER_ADVANCED
+       default IP_DCCP
        help
          With this option enabled, you will be able to use the iptables
          `dccp' match in order to match on DCCP source/destination ports
@@ -721,10 +732,29 @@ config NETFILTER_XT_MATCH_REALM
          If you want to compile it as a module, say M here and read
          <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
 
+config NETFILTER_XT_MATCH_RECENT
+       tristate '"recent" match support'
+       depends on NETFILTER_XTABLES
+       depends on NETFILTER_ADVANCED
+       ---help---
+       This match is used for creating one or many lists of recently
+       used addresses and then matching against that/those list(s).
+
+       Short options are available by using 'iptables -m recent -h'
+       Official Website: <http://snowman.net/projects/ipt_recent/>
+
+config NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
+       bool 'Enable obsolete /proc/net/ipt_recent'
+       depends on NETFILTER_XT_MATCH_RECENT && PROC_FS
+       ---help---
+       This option enables the old /proc/net/ipt_recent interface,
+       which has been obsoleted by /proc/net/xt_recent.
+
 config NETFILTER_XT_MATCH_SCTP
        tristate  '"sctp" protocol match support (EXPERIMENTAL)'
        depends on NETFILTER_XTABLES && EXPERIMENTAL
        depends on NETFILTER_ADVANCED
+       default IP_SCTP
        help
          With this option enabled, you will be able to use the 
          `sctp' match in order to match on SCTP source/destination ports