Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
# SPDX-License-Identifier: GPL-2.0-only
#
# Bridge netfilter configuration
#
#
menuconfig NF_TABLES_BRIDGE
	depends on BRIDGE && NETFILTER && NF_TABLES
	select NETFILTER_FAMILY_BRIDGE
	tristate "Ethernet Bridge nf_tables support"

if NF_TABLES_BRIDGE

config NFT_BRIDGE_META
	tristate "Netfilter nf_table bridge meta support"
	help
	  Add support for bridge dedicated meta key.

config NFT_BRIDGE_REJECT
	tristate "Netfilter nf_tables bridge reject support"
	depends on NFT_REJECT
	depends on NF_REJECT_IPV4
	depends on NF_REJECT_IPV6
	help
	  Add support to reject packets.

endif # NF_TABLES_BRIDGE

config NF_CONNTRACK_BRIDGE
	tristate "IPv4/IPV6 bridge connection tracking support"
	depends on NF_CONNTRACK
	default n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections. This is used to enhance packet filtering via
	  stateful policies. Enable this if you want native tracking from
	  the bridge. This provides a replacement for the `br_netfilter'
	  infrastructure.

	  To compile it as a module, choose M here.  If unsure, say N.

# old sockopt interface and eval loop
config BRIDGE_NF_EBTABLES_LEGACY
	tristate "Legacy EBTABLES support"
	depends on BRIDGE && NETFILTER_XTABLES_LEGACY
	depends on NETFILTER_XTABLES
	default n
	help
	  Legacy ebtables packet/frame classifier.
	  This is not needed if you are using ebtables over nftables
	  (iptables-nft).

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
	select NETFILTER_FAMILY_BRIDGE
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.

if BRIDGE_NF_EBTABLES

#
# tables
#
config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	depends on BRIDGE_NF_EBTABLES_LEGACY
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables
	  website.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	depends on BRIDGE_NF_EBTABLES_LEGACY
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for
	  ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	depends on BRIDGE_NF_EBTABLES_LEGACY
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.
#
# matches
#
config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	help
	  This option adds the ARP match, which allows ARP and RARP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	help
	  This option adds the IP match, which allows basic IP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP6
	tristate "ebt: IP6 filter support"
	depends on BRIDGE_NF_EBTABLES && IPV6
	help
	  This option adds the IP6 match, which allows basic IPV6 header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of
	  802.1Q vlan fields.

	  To compile it as a module, choose M here.  If unsure, say N.
#
# targets
#
config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on BRIDGE_NF_EBTABLES && INET
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.
#
# watchers
#
config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	help
	  This option adds the log watcher, that you can use in any rule
	  in any ebtables table. It records info about the frame header
	  to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_NFLOG
	tristate "ebt: nflog support"
	help
	  This option enables the nflog watcher, which allows to LOG
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  This option adds the nflog watcher, that you can use in any rule
	  in any ebtables table.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # BRIDGE_NF_EBTABLES
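
Added example, not part of the kernel tree: the three ebtables tables above depend on BRIDGE_NF_EBTABLES_LEGACY (the old sockopt interface), so a build audit can read the `depends on` lines and report which enabled symbols keep that interface in a kernel. The helper names and both sample inputs are constructed for illustration.

```python
import re

# Constructed sample: a trimmed excerpt of the Kconfig above.
KCONFIG_EXCERPT = """\
config BRIDGE_NF_EBTABLES_LEGACY
\ttristate "Legacy EBTABLES support"
\tdepends on BRIDGE && NETFILTER_XTABLES_LEGACY
config BRIDGE_EBT_BROUTE
\tdepends on BRIDGE_NF_EBTABLES_LEGACY
config BRIDGE_EBT_T_FILTER
\tdepends on BRIDGE_NF_EBTABLES_LEGACY
config BRIDGE_EBT_T_NAT
\tdepends on BRIDGE_NF_EBTABLES_LEGACY
config BRIDGE_EBT_LOG
\ttristate "ebt: log support"
"""

# Constructed sample: lines as they would appear in a kernel .config.
DOTCONFIG = """\
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_NF_EBTABLES_LEGACY=m
CONFIG_BRIDGE_EBT_BROUTE=m
# CONFIG_BRIDGE_EBT_T_NAT is not set
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_LOG=m
"""

def parse_depends(kconfig_text):
    """Map each config/menuconfig symbol to the symbols named in its 'depends on' lines."""
    deps, current = {}, None
    for line in kconfig_text.splitlines():
        m = re.match(r"\s*(?:menu)?config\s+(\w+)", line)
        if m:
            current = m.group(1)
            deps[current] = set()
            continue
        m = re.match(r"\s+depends on\s+(.+)", line)
        if m and current:
            deps[current].update(re.findall(r"[A-Z][A-Z0-9_]*", m.group(1)))
    return deps

def enabled_symbols(dotconfig_text):
    """Symbols set to y or m; '# CONFIG_X is not set' lines are ignored."""
    return {m.group(1) for m in re.finditer(r"^CONFIG_(\w+)=[ym]$", dotconfig_text, re.M)}

def legacy_exposure(kconfig_text, dotconfig_text, legacy="BRIDGE_NF_EBTABLES_LEGACY"):
    """Return the legacy symbol plus every enabled symbol that depends on it."""
    deps, on = parse_depends(kconfig_text), enabled_symbols(dotconfig_text)
    if legacy not in on:
        return []
    return sorted([legacy] + [s for s, d in deps.items() if legacy in d and s in on])

if __name__ == "__main__":
    print(legacy_exposure(KCONFIG_EXCERPT, DOTCONFIG))
```

An empty result means the legacy sockopt interface is not built; BRIDGE_EBT_LOG is not reported because its entry carries no dependency on the legacy symbol.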