12.07.2015 Views

Red Hat Enterprise Linux 5 Administration Unleashed


Using IPTables Match Extensions

policy
    Matches policy used by IPsec for packet handling.

    --dir
        Must be in or out. Match if the policy is used for decapsulation or encapsulation. The value of in only works in the PREROUTING, INPUT, and FORWARD chains. The value of out only works in the POSTROUTING, OUTPUT, and FORWARD chains.

    --pol
        Set to ipsec to match packets subject to IPsec processing. Set to none to match packets not subject to IPsec processing.

    --strict
        If used, the rule only matches the packet if the policy matches exactly. If not used, the rule matches if any rule of the policy matches the defined policy.

    --reqid
        Match the reqid of the policy rule.

    --spi
        Match the SPI of the SA.

    --proto
        Match the encapsulation protocol, which is either ah, esp, or ipcomp.

    --mode
        Match the encapsulation mode, which is either tunnel or transport.

    --tunnel-src /
        Match the source end-point address of a tunnel mode SA. Can only be used if mode is set to tunnel. The mask is optional.

    --tunnel-dst /
        Match the destination end-point address of a tunnel mode SA. Can only be used if mode is set to tunnel.

    --next
        Start the next element in the policy specification. Only valid when --strict is also used.

psd
    Try to detect TCP and UDP port scans.

    --psd-weight-threshold
        When detecting a port scan sequence, the total weight of the latest TCP or UDP packets with different destination ports from the same host.

    --psd-delay-threshold
        When detecting a port scan sequence, the delay in hundredths of a second for the TCP or UDP packets with different destination ports from the same host.
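The constraints in the policy option list above can be checked mechanically before a rule set is loaded. The following linter is an added example, not code from the book: it checks the --dir chain restriction, the --pol, --proto and --mode values, that tunnel end points appear only with --mode tunnel, and that --next appears only with --strict. The function name and the sample rules are constructed for illustration.

```python
import shlex

# Constraints taken from the policy option descriptions above.
DIR_CHAINS = {"in": {"PREROUTING", "INPUT", "FORWARD"},
              "out": {"POSTROUTING", "OUTPUT", "FORWARD"}}
PROTOS = {"ah", "esp", "ipcomp"}
MODES = {"tunnel", "transport"}

def lint_policy_rule(rule):
    """Return a list of problems in one iptables rule that uses -m policy."""
    tok = shlex.split(rule)
    opts = dict(zip(tok, tok[1:]))        # each token -> the token after it
    chain = opts.get("-A") or opts.get("-I")
    direction = opts.get("--dir")
    problems = []
    if direction not in DIR_CHAINS:
        problems.append("--dir must be in or out")
    elif chain not in DIR_CHAINS[direction]:
        problems.append(f"--dir {direction} is not valid in chain {chain}")
    if opts.get("--pol") not in ("ipsec", "none"):
        problems.append("--pol must be ipsec or none")
    if "--next" in tok and "--strict" not in tok:
        problems.append("--next requires --strict")
    # --next separates policy elements; proto, mode and tunnel end points
    # belong to a single element, so validate each element on its own.
    elements, start = [], 0
    for i, t in enumerate(tok + ["--next"]):
        if t == "--next":
            elements.append(tok[start:i])
            start = i + 1
    for n, el in enumerate(elements, 1):
        e = dict(zip(el, el[1:]))
        if "--proto" in e and e["--proto"] not in PROTOS:
            problems.append(f"element {n}: unknown --proto {e['--proto']}")
        if "--mode" in e and e["--mode"] not in MODES:
            problems.append(f"element {n}: unknown --mode {e['--mode']}")
        if e.keys() & {"--tunnel-src", "--tunnel-dst"} and e.get("--mode") != "tunnel":
            problems.append(f"element {n}: tunnel end points need --mode tunnel")
    return problems

# Constructed sample rules (documentation addresses), not from the book.
SAMPLE_RULES = [
    "iptables -A INPUT -m policy --dir in --pol ipsec --proto esp --mode tunnel --tunnel-src 192.0.2.10 -j ACCEPT",
    "iptables -A OUTPUT -m policy --dir in --pol ipsec -j ACCEPT",
    "iptables -A FORWARD -m policy --dir out --pol ipsec --mode transport --tunnel-dst 198.51.100.7 -j ACCEPT",
    "iptables -A INPUT -m policy --dir in --pol ipsec --proto esp --next --proto ah -j ACCEPT",
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(lint_policy_rule(r) or "ok", "<-", r)
```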
