Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
# SPDX-License-Identifier: GPL-2.0-only
#
# Bridge netfilter configuration
#
#
menuconfig NF_TABLES_BRIDGE
	depends on BRIDGE && NETFILTER && NF_TABLES
	select NETFILTER_FAMILY_BRIDGE
	tristate "Ethernet Bridge nf_tables support"

if NF_TABLES_BRIDGE

config NFT_BRIDGE_META
	tristate "Netfilter nf_table bridge meta support"
	help
	  Add support for bridge dedicated meta key.

config NFT_BRIDGE_REJECT
	tristate "Netfilter nf_tables bridge reject support"
	depends on NFT_REJECT
	depends on NF_REJECT_IPV4
	depends on NF_REJECT_IPV6
	help
	  Add support to reject packets.

endif # NF_TABLES_BRIDGE

config NF_CONNTRACK_BRIDGE
	tristate "IPv4/IPV6 bridge connection tracking support"
	depends on NF_CONNTRACK
	default n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections. This is used to enhance packet filtering via
	  stateful policies. Enable this if you want native tracking from
	  the bridge. This provides a replacement for the `br_netfilter'
	  infrastructure.

	  To compile it as a module, choose M here.  If unsure, say N.

# old sockopt interface and eval loop
config BRIDGE_NF_EBTABLES_LEGACY
	tristate

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
	select NETFILTER_FAMILY_BRIDGE
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.

if BRIDGE_NF_EBTABLES

#
# tables
#
config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	select BRIDGE_NF_EBTABLES_LEGACY
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables
	  website.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	select BRIDGE_NF_EBTABLES_LEGACY
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for
	  ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	select BRIDGE_NF_EBTABLES_LEGACY
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.
#
# matches
#
config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	help
	  This option adds the ARP match, which allows ARP and RARP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	help
	  This option adds the IP match, which allows basic IP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP6
	tristate "ebt: IP6 filter support"
	depends on BRIDGE_NF_EBTABLES && IPV6
	help
	  This option adds the IP6 match, which allows basic IPV6 header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of
	  802.1Q vlan fields.

	  To compile it as a module, choose M here.  If unsure, say N.
#
# targets
#
config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on BRIDGE_NF_EBTABLES && INET
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.
#
# watchers
#
config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	help
	  This option adds the log watcher, that you can use in any rule
	  in any ebtables table. It records info about the frame header
	  to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_NFLOG
	tristate "ebt: nflog support"
	help
	  This option enables the nflog watcher, which allows to LOG
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  This option adds the nflog watcher, that you can use in any rule
	  in any ebtables table.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # BRIDGE_NF_EBTABLES
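
An added example, not part of the kernel tree: a small Python audit that reads a kernel `.config` and applies the `select` and `depends on` relationships from the listing above, reporting which table options pull in `BRIDGE_NF_EBTABLES_LEGACY` and which enabled symbols exceed one of their dependencies. The function names and the sample `.config` fragment are constructed for illustration.

```python
import re

RANK = {"n": 0, "m": 1, "y": 2}  # tristate ordering used by Kconfig

# Relationships transcribed from the Kconfig listing above.
LEGACY_SELECTORS = ("BRIDGE_EBT_BROUTE", "BRIDGE_EBT_T_FILTER", "BRIDGE_EBT_T_NAT")
DEPENDS = {
    "NF_TABLES_BRIDGE": ("BRIDGE", "NETFILTER", "NF_TABLES"),
    # Inside "if NF_TABLES_BRIDGE", so that symbol is an implicit dependency.
    "NFT_BRIDGE_REJECT": ("NF_TABLES_BRIDGE", "NFT_REJECT",
                          "NF_REJECT_IPV4", "NF_REJECT_IPV6"),
    "NF_CONNTRACK_BRIDGE": ("NF_CONNTRACK",),
    "BRIDGE_NF_EBTABLES": ("BRIDGE", "NETFILTER", "NETFILTER_XTABLES"),
}

# Constructed sample .config fragment (hand-edited, deliberately inconsistent).
SAMPLE = """\
CONFIG_BRIDGE=m
CONFIG_NETFILTER=y
CONFIG_NETFILTER_XTABLES=m
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_BRIDGE=m
CONFIG_NFT_REJECT=m
CONFIG_NF_REJECT_IPV4=m
# CONFIG_NF_REJECT_IPV6 is not set
CONFIG_NFT_BRIDGE_REJECT=m
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_T_FILTER=m
"""

def parse_config(text):
    """Return {symbol: 'y'|'m'|'n'}; symbols not mentioned are absent."""
    state = {}
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"CONFIG_(\w+)=([ym])", line):
            state[m[1]] = m[2]
        elif m := re.fullmatch(r"# CONFIG_(\w+) is not set", line):
            state[m[1]] = "n"
    return state

def legacy_pulled_in_by(state):
    """Enabled table options that select BRIDGE_NF_EBTABLES_LEGACY."""
    return [s for s in LEGACY_SELECTORS if state.get(s, "n") != "n"]

def unmet_dependencies(state):
    """(symbol, dependency) pairs where the symbol's value exceeds the dependency's."""
    return [(sym, dep) for sym, deps in DEPENDS.items() for dep in deps
            if RANK[state.get(sym, "n")] > RANK[state.get(dep, "n")]]
```

On the sample fragment, `legacy_pulled_in_by` names `BRIDGE_EBT_T_FILTER` and `unmet_dependencies` flags `NFT_BRIDGE_REJECT` against the disabled `NF_REJECT_IPV6`.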