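# SPDX-License-Identifier: GPL-2.0-only
#
# Bridge netfilter configuration
#
#
menuconfig NF_TABLES_BRIDGE
	depends on BRIDGE && NETFILTER && NF_TABLES
	select NETFILTER_FAMILY_BRIDGE
	tristate "Ethernet Bridge nf_tables support"
	help
	  This option enables the nf_tables bridge family, so that nf_tables
	  rules can be applied to frames traversing an Ethernet bridge.

	  To compile it as a module, choose M here. If unsure, say N.

if NF_TABLES_BRIDGE

config NFT_BRIDGE_META
	tristate "Netfilter nf_table bridge meta support"
	help
	  Add support for bridge dedicated meta key.

# Needs the generic reject expression plus both the IPv4 and the IPv6
# reject helpers, so it is only selectable when all three are enabled.
config NFT_BRIDGE_REJECT
	tristate "Netfilter nf_tables bridge reject support"
	depends on NFT_REJECT
	depends on NF_REJECT_IPV4
	depends on NF_REJECT_IPV6
	help
	  Add support to reject packets.

config NF_LOG_BRIDGE
	tristate "Bridge packet logging"
	select NF_LOG_COMMON
	help
	  This option enables packet logging for the bridge family through
	  the netfilter logging infrastructure.

	  To compile it as a module, choose M here. If unsure, say N.

endif # NF_TABLES_BRIDGE

# NOTE(review): this option adds native bridge connection tracking. It does
# not by itself remove `br_netfilter', which is configured outside this file.
# When moving a stateful bridge ruleset from one mechanism to the other,
# confirm which one the running ruleset relies on, so that bridged traffic is
# not left outside the stateful policy.
config NF_CONNTRACK_BRIDGE
	tristate "IPv4/IPV6 bridge connection tracking support"
	depends on NF_CONNTRACK
	default n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections. This is used to enhance packet filtering via
	  stateful policies. Enable this if you want native tracking from
	  the bridge. This provides a replacement for the `br_netfilter'
	  infrastructure.

	  To compile it as a module, choose M here. If unsure, say N.

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
	select NETFILTER_FAMILY_BRIDGE
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.

if BRIDGE_NF_EBTABLES

#
# tables
#
config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables
	  website.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for
	  ebtables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here. If unsure, say N.

#
# matches
#
config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, e.g. for anti-spoofing rules.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	help
	  This option adds the ARP match, which allows ARP and RARP header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	help
	  This option adds the IP match, which allows basic IP header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

# The BRIDGE_NF_EBTABLES term repeats the enclosing `if'; IPV6 is the
# dependency that actually narrows this entry.
config BRIDGE_EBT_IP6
	tristate "ebt: IP6 filter support"
	depends on BRIDGE_NF_EBTABLES && IPV6
	help
	  This option adds the IP6 match, which allows basic IPv6 header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of
	  802.1Q vlan fields.

	  To compile it as a module, choose M here. If unsure, say N.

#
# targets
#
# NOTE(review): with this target the bridge answers ARP requests itself.
# Rules that use it should match narrowly, so that replies are only generated
# for the addresses the operator intends.
config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on BRIDGE_NF_EBTABLES && INET
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here. If unsure, say N.

#
# watchers
#
# NOTE(review): both watchers emit a record per matching frame. Rules that use
# them are normally combined with the limit match (BRIDGE_EBT_LIMIT) so that a
# burst of matching frames cannot flood the log.
config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	help
	  This option adds the log watcher, which you can use in any rule
	  in any ebtables table. It records info about the frame header
	  to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_NFLOG
	tristate "ebt: nflog support"
	help
	  This option enables the nflog watcher, which logs messages
	  through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  This option adds the nflog watcher, which you can use in any rule
	  in any ebtables table.

	  To compile it as a module, choose M here. If unsure, say N.

endif # BRIDGE_NF_EBTABLES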