xref: /openbmc/linux/net/bridge/netfilter/Kconfig (revision 160b8e75)
1#
2# Bridge netfilter configuration
3#
4#
5menuconfig NF_TABLES_BRIDGE
6	depends on BRIDGE && NETFILTER && NF_TABLES
7	select NETFILTER_FAMILY_BRIDGE
8	tristate "Ethernet Bridge nf_tables support"
9
10if NF_TABLES_BRIDGE
11
12config NFT_BRIDGE_META
13	tristate "Netfilter nf_table bridge meta support"
14	depends on NFT_META
15	help
16	  Add support for the bridge-specific meta key.
17
18config NFT_BRIDGE_REJECT
19	tristate "Netfilter nf_tables bridge reject support"
20	depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6
21	help
22	  Add support for rejecting packets.
23
24config NF_LOG_BRIDGE
25	tristate "Bridge packet logging"
26	select NF_LOG_COMMON
27
28endif # NF_TABLES_BRIDGE
29
30menuconfig BRIDGE_NF_EBTABLES
31	tristate "Ethernet Bridge tables (ebtables) support"
32	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
33	select NETFILTER_FAMILY_BRIDGE
34	help
35	  ebtables is a general, extensible frame/packet identification
36	  framework. Say 'Y' or 'M' here if you want to do Ethernet
37	  filtering/NAT/brouting on the Ethernet bridge.
38
39if BRIDGE_NF_EBTABLES
40
41#
42# tables
43#
44config BRIDGE_EBT_BROUTE
45	tristate "ebt: broute table support"
46	help
47	  The ebtables broute table is used to define rules that decide between
48	  bridging and routing frames, giving Linux the functionality of a
49	  brouter. See the man page for ebtables(8) and examples on the ebtables
50	  website.
51
52	  To compile it as a module, choose M here.  If unsure, say N.
53
54config BRIDGE_EBT_T_FILTER
55	tristate "ebt: filter table support"
56	help
57	  The ebtables filter table is used to define frame filtering rules at
58	  local input, forwarding and local output. See the man page for
59	  ebtables(8).
60
61	  To compile it as a module, choose M here.  If unsure, say N.
62
63config BRIDGE_EBT_T_NAT
64	tristate "ebt: nat table support"
65	help
66	  The ebtables nat table is used to define rules that alter the MAC
67	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
68	  See the man page for ebtables(8).
69
70	  To compile it as a module, choose M here.  If unsure, say N.
71#
72# matches
73#
74config BRIDGE_EBT_802_3
75	tristate "ebt: 802.3 filter support"
76	help
77	  This option adds matching support for 802.3 Ethernet frames.
78
79	  To compile it as a module, choose M here.  If unsure, say N.
80
81config BRIDGE_EBT_AMONG
82	tristate "ebt: among filter support"
83	help
84	  This option adds the among match, which allows matching the MAC source
85	  and/or destination address against a list of addresses. Optionally,
86	  MAC/IP address pairs can be matched, e.g. for anti-spoofing rules.
87
88	  To compile it as a module, choose M here.  If unsure, say N.
89
90config BRIDGE_EBT_ARP
91	tristate "ebt: ARP filter support"
92	help
93	  This option adds the ARP match, which allows ARP and RARP header field
94	  filtering.
95
96	  To compile it as a module, choose M here.  If unsure, say N.
97
98config BRIDGE_EBT_IP
99	tristate "ebt: IP filter support"
100	help
101	  This option adds the IP match, which allows basic IP header field
102	  filtering.
103
104	  To compile it as a module, choose M here.  If unsure, say N.
105
106config BRIDGE_EBT_IP6
107	tristate "ebt: IP6 filter support"
108	depends on BRIDGE_NF_EBTABLES && IPV6
109	help
110	  This option adds the IP6 match, which allows basic IPv6 header field
111	  filtering.
112
113	  To compile it as a module, choose M here.  If unsure, say N.
114
115config BRIDGE_EBT_LIMIT
116	tristate "ebt: limit match support"
117	help
118	  This option adds the limit match, which allows you to control
119	  the rate at which a rule can be matched. This match is the
120	  equivalent of the iptables limit match.
121
122	  If you want to compile it as a module, say M here and read
123	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.
124
125config BRIDGE_EBT_MARK
126	tristate "ebt: mark filter support"
127	help
128	  This option adds the mark match, which allows matching frames based on
129	  the 'nfmark' value in the frame. This can be set by the mark target.
130	  This value is the same as the one used in the iptables mark match and
131	  target.
132
133	  To compile it as a module, choose M here.  If unsure, say N.
134
135config BRIDGE_EBT_PKTTYPE
136	tristate "ebt: packet type filter support"
137	help
138	  This option adds the packet type match, which allows matching on the
139	  type of packet based on its Ethernet "class" (as determined by
140	  the generic networking code): broadcast, multicast,
141	  addressed to this host alone, or addressed to another host.
142
143	  To compile it as a module, choose M here.  If unsure, say N.
144
145config BRIDGE_EBT_STP
146	tristate "ebt: STP filter support"
147	help
148	  This option adds the Spanning Tree Protocol match, which
149	  allows STP header field filtering.
150
151	  To compile it as a module, choose M here.  If unsure, say N.
152
153config BRIDGE_EBT_VLAN
154	tristate "ebt: 802.1Q VLAN filter support"
155	help
156	  This option adds the 802.1Q vlan match, which allows the filtering of
157	  802.1Q vlan fields.
158
159	  To compile it as a module, choose M here.  If unsure, say N.
160#
161# targets
162#
163config BRIDGE_EBT_ARPREPLY
164	tristate "ebt: arp reply target support"
165	depends on BRIDGE_NF_EBTABLES && INET
166	help
167	  This option adds the arp reply target, which allows
168	  automatically sending arp replies to arp requests.
169
170	  To compile it as a module, choose M here.  If unsure, say N.
171
172config BRIDGE_EBT_DNAT
173	tristate "ebt: dnat target support"
174	help
175	  This option adds the MAC DNAT target, which allows altering the MAC
176	  destination address of frames.
177
178	  To compile it as a module, choose M here.  If unsure, say N.
179
180config BRIDGE_EBT_MARK_T
181	tristate "ebt: mark target support"
182	help
183	  This option adds the mark target, which allows marking frames by
184	  setting the 'nfmark' value in the frame.
185	  This value is the same as the one used in the iptables mark match and
186	  target.
187
188	  To compile it as a module, choose M here.  If unsure, say N.
189
190config BRIDGE_EBT_REDIRECT
191	tristate "ebt: redirect target support"
192	help
193	  This option adds the MAC redirect target, which allows altering the MAC
194	  destination address of a frame to that of the device it arrived on.
195
196	  To compile it as a module, choose M here.  If unsure, say N.
197
198config BRIDGE_EBT_SNAT
199	tristate "ebt: snat target support"
200	help
201	  This option adds the MAC SNAT target, which allows altering the MAC
202	  source address of frames.
203
204	  To compile it as a module, choose M here.  If unsure, say N.
205#
206# watchers
207#
208config BRIDGE_EBT_LOG
209	tristate "ebt: log support"
210	help
211	  This option adds the log watcher, which you can use in any rule
212	  in any ebtables table. It records information about the frame
213	  header in the syslog.
214
215	  To compile it as a module, choose M here.  If unsure, say N.
216
217config BRIDGE_EBT_NFLOG
218	tristate "ebt: nflog support"
219	help
220	  This option enables the nflog watcher, which allows you to LOG
221	  messages through the netfilter logging API. That API can use
222	  either the old LOG target, the old ULOG target or nfnetlink_log
223	  as its backend.
224
225	  This option adds the nflog watcher, which you can use in any rule
226	  in any ebtables table.
227
228	  To compile it as a module, choose M here.  If unsure, say N.
229
230endif # BRIDGE_NF_EBTABLES
231