Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
# SPDX-License-Identifier: GPL-2.0-only
#
# Bridge netfilter configuration
#
#
menuconfig NF_TABLES_BRIDGE
	depends on BRIDGE && NETFILTER && NF_TABLES
	select NETFILTER_FAMILY_BRIDGE
	tristate "Ethernet Bridge nf_tables support"

if NF_TABLES_BRIDGE

config NFT_BRIDGE_META
	tristate "Netfilter nf_table bridge meta support"
	help
	  Add support for bridge dedicated meta key.

config NFT_BRIDGE_REJECT
	tristate "Netfilter nf_tables bridge reject support"
	depends on NFT_REJECT
	depends on NF_REJECT_IPV4
	depends on NF_REJECT_IPV6
	help
	  Add support to reject packets.

config NF_LOG_BRIDGE
	tristate "Bridge packet logging"
	select NF_LOG_COMMON

endif # NF_TABLES_BRIDGE

config NF_CONNTRACK_BRIDGE
	tristate "IPv4/IPV6 bridge connection tracking support"
	depends on NF_CONNTRACK
	default n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections. This is used to enhance packet filtering via
	  stateful policies. Enable this if you want native tracking from
	  the bridge. This provides a replacement for the `br_netfilter'
	  infrastructure.

	  To compile it as a module, choose M here.  If unsure, say N.

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
	select NETFILTER_FAMILY_BRIDGE
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.

if BRIDGE_NF_EBTABLES

#
# tables
#
config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables
	  website.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for
	  ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.
#
# matches
#
config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	help
	  This option adds the ARP match, which allows ARP and RARP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	help
	  This option adds the IP match, which allows basic IP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP6
	tristate "ebt: IP6 filter support"
	depends on BRIDGE_NF_EBTABLES && IPV6
	help
	  This option adds the IP6 match, which allows basic IPV6 header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of
	  802.1Q vlan fields.

	  To compile it as a module, choose M here.  If unsure, say N.
#
# targets
#
config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on BRIDGE_NF_EBTABLES && INET
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.
#
# watchers
#
config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	help
	  This option adds the log watcher, that you can use in any rule
	  in any ebtables table. It records info about the frame header
	  to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_NFLOG
	tristate "ebt: nflog support"
	help
	  This option enables the nflog watcher, which allows to LOG
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  This option adds the nflog watcher, that you can use in any rule
	  in any ebtables table.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # BRIDGE_NF_EBTABLES