netfilter: nf_conntrack: add support for "conntrack zones"

Normally, each connection needs a unique identity. Conntrack zones allow to specify a numerical zone using the CT target, connections in different zones can use the same identity. Example: iptables -t raw -A PREROUTING -i veth0 -j CT --zone 1 iptables -t raw -A OUTPUT -o veth1 -j CT --zone 1 Signed-off-by: Patrick McHardy <kaber@trash.net>
author: Patrick McHardy <kaber@trash.net> 2010-02-15 18:13:33 +0100
committer: Patrick McHardy <kaber@trash.net> 2010-02-15 18:13:33 +0100
commit: 5d0aa2ccd4699a01cfdf14886191c249d7b45a01 (patch)
tree: 6ea81b5eede26bd6a04bcc3cd79770c334139381 /net/netfilter/Kconfig
parent: 8fea97ec1772bbf553d89187340ef624d548e115 (diff)
1 files changed, 13 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 4469d45261f4..18d77b5c351a 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -83,6 +83,19 @@ config NF_CONNTRACK_SECMARK
 
 	  If unsure, say 'N'.
 
+config NF_CONNTRACK_ZONES
+	bool  'Connection tracking zones'
+	depends on NETFILTER_ADVANCED
+	depends on NETFILTER_XT_TARGET_CT
+	help
+	  This option enables support for connection tracking zones.
+	  Normally, each connection needs to have a unique system wide
+	  identity. Connection tracking zones allow to have multiple
+	  connections using the same identity, as long as they are
+	  contained in different zones.
+
+	  If unsure, say `N'.
+
 config NF_CONNTRACK_EVENTS
 	bool "Connection tracking events"
 	depends on NETFILTER_ADVANCED
author	Patrick McHardy <kaber@trash.net>	2010-02-15 18:13:33 +0100
committer	Patrick McHardy <kaber@trash.net>	2010-02-15 18:13:33 +0100
commit	5d0aa2ccd4699a01cfdf14886191c249d7b45a01 (patch)
tree	6ea81b5eede26bd6a04bcc3cd79770c334139381 /net/netfilter/Kconfig
parent	8fea97ec1772bbf553d89187340ef624d548e115 (diff)