#
# Bridge netfilter configuration
#

menu "Bridge: Netfilter Configuration"
	depends on BRIDGE && NETFILTER

config BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.
#
# tables
#
config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	depends on BRIDGE_NF_EBTABLES
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables
	  website.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	depends on BRIDGE_NF_EBTABLES
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for
	  ebtables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	depends on BRIDGE_NF_EBTABLES
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here. If unsure, say N.
#
# matches
#
config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the ARP match, which allows ARP and RARP header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the IP match, which allows basic IP header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.

config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of
	  802.1Q vlan fields.

	  To compile it as a module, choose M here. If unsure, say N.
#
# targets
#
config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here. If unsure, say N.
#
# watchers
#
config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the log watcher, that you can use in any rule
	  in any ebtables table. It records info about the frame header
	  to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_ULOG
	tristate "ebt: ulog support"
	depends on BRIDGE_NF_EBTABLES
	help
	  This option adds the ulog watcher, that you can use in any rule
	  in any ebtables table. The packet is passed to a userspace
	  logging daemon using netlink multicast sockets. This differs
	  from the log watcher in the sense that the complete packet is
	  sent to userspace instead of a descriptive text and that
	  netlink multicast sockets are used instead of the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

endmenu