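# SPDX-License-Identifier: GPL-2.0-only
#
# Bridge netfilter configuration
#
# Two rule front ends for bridged traffic are configured here: nf_tables
# bridge-family support (NF_TABLES_BRIDGE and its sub-options) and the
# ebtables framework (BRIDGE_NF_EBTABLES with its tables, matches, targets
# and watchers). NF_CONNTRACK_BRIDGE sits outside both menus.
#
# Every symbol below is tristate and none sets a default, so nothing is built
# unless it is enabled explicitly or selected by another symbol. For a
# hardened configuration, enable only the tables, matches and targets that
# the deployed ruleset actually references.
#
menuconfig NF_TABLES_BRIDGE
	tristate "Ethernet Bridge nf_tables support"
	depends on BRIDGE && NETFILTER && NF_TABLES
	select NETFILTER_FAMILY_BRIDGE

if NF_TABLES_BRIDGE

config NFT_BRIDGE_META
	tristate "Netfilter nf_table bridge meta support"
	help
	  Add support for bridge dedicated meta key.

# Requires the generic reject core plus both the IPv4 and IPv6 reject
# implementations.
config NFT_BRIDGE_REJECT
	tristate "Netfilter nf_tables bridge reject support"
	depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6
	help
	  Add support to reject packets.

# No help text is provided for this symbol; enabling it also selects
# NF_LOG_COMMON.
config NF_LOG_BRIDGE
	tristate "Bridge packet logging"
	select NF_LOG_COMMON

endif # NF_TABLES_BRIDGE

# Depends only on NF_CONNTRACK, not on either menu in this file.
# NOTE(review): the help text presents this as a replacement for br_netfilter;
# when switching over, re-test stateful rules instead of assuming they match
# the same traffic.
config NF_CONNTRACK_BRIDGE
	tristate "IPv4/IPV6 bridge connection tracking support"
	depends on NF_CONNTRACK
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections. This is used to enhance packet filtering via
	  stateful policies. Enable this if you want native tracking from
	  the bridge. This provides a replacement for the `br_netfilter'
	  infrastructure.

	  To compile it as a module, choose M here.  If unsure, say N.

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
	select NETFILTER_FAMILY_BRIDGE
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.

# Everything up to the matching endif inherits the dependency on
# BRIDGE_NF_EBTABLES, so the entries only list what they need in addition.
if BRIDGE_NF_EBTABLES

#
# tables
#
config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables
	  website.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for
	  ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

#
# matches
#
config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here.  If unsure, say N.

# Per the help text, MAC/IP pair matching is what anti-spoofing rules on the
# bridge are built from.
config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	help
	  This option adds the ARP match, which allows ARP and RARP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	help
	  This option adds the IP match, which allows basic IP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

# Only offered when the kernel has IPv6 support.
config BRIDGE_EBT_IP6
	tristate "ebt: IP6 filter support"
	depends on IPV6
	help
	  This option adds the IP6 match, which allows basic IPV6 header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

# Rate limiting for rules; useful together with the log watchers further
# down, whose output volume otherwise follows the traffic.
config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of
	  802.1Q vlan fields.

	  To compile it as a module, choose M here.  If unsure, say N.

#
# targets
#
# The dnat, snat and redirect targets rewrite MAC addresses, and arpreply
# makes the bridge answer ARP requests itself. Rules that use them change
# what neighbouring devices observe, so review them as carefully as IP NAT
# rules.
#
# Only offered when the kernel has INET support.
config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on INET
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.

# The mark set here is the value the mark match (BRIDGE_EBT_MARK) tests, and
# per the help text the same value iptables uses.
config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.

#
# watchers
#
# Watchers record frame data chosen by whoever sends traffic across the
# bridge. NOTE(review): combine logging rules with the limit match
# (BRIDGE_EBT_LIMIT) so a burst of matching frames cannot flood the log, and
# treat logged header fields as untrusted input in downstream tooling.
#
config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	help
	  This option adds the log watcher, that you can use in any rule
	  in any ebtables table. It records info about the frame header
	  to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

# NOTE(review): the help text still names ULOG as a possible backend, but no
# ULOG option is defined in this file; confirm which backends the tree really
# provides before relying on that sentence.
config BRIDGE_EBT_NFLOG
	tristate "ebt: nflog support"
	help
	  This option enables the nflog watcher, which allows to LOG
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  This option adds the nflog watcher, that you can use in any rule
	  in any ebtables table.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # BRIDGE_NF_EBTABLES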