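# SPDX-License-Identifier: GPL-2.0-only
#
# Bridge netfilter configuration
#
# Layout note: the listing was flattened onto a few long lines with gutter
# numbers fused into the text; it is restored here to one directive per line.
# Symbols, dependencies, prompts and help texts are unchanged.
#
menuconfig NF_TABLES_BRIDGE
	depends on BRIDGE && NETFILTER && NF_TABLES
	select NETFILTER_FAMILY_BRIDGE
	tristate "Ethernet Bridge nf_tables support"

if NF_TABLES_BRIDGE

config NFT_BRIDGE_META
	tristate "Netfilter nf_table bridge meta support"
	help
	  Add support for bridge dedicated meta key.

# Only selectable when the generic reject support and both the IPv4 and
# IPv6 reject helpers are enabled (three separate "depends on" lines).
config NFT_BRIDGE_REJECT
	tristate "Netfilter nf_tables bridge reject support"
	depends on NFT_REJECT
	depends on NF_REJECT_IPV4
	depends on NF_REJECT_IPV6
	help
	  Add support to reject packets.

endif # NF_TABLES_BRIDGE

# Opt-in ("default n") and independent of the NF_TABLES_BRIDGE menu above:
# its only dependency is NF_CONNTRACK. Per the help text this is the native
# replacement for the br_netfilter infrastructure.
# NOTE(review): enable it only when bridge rules actually match on
# connection state; confirm against the deployed ruleset.
config NF_CONNTRACK_BRIDGE
	tristate "IPv4/IPV6 bridge connection tracking support"
	depends on NF_CONNTRACK
	default n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections. This is used to enhance packet filtering via
	  stateful policies. Enable this if you want native tracking from
	  the bridge. This provides a replacement for the `br_netfilter'
	  infrastructure.

	  To compile it as a module, choose M here. If unsure, say N.

# old sockopt interface and eval loop
#
# Hidden symbol: it has no prompt, so it is only ever enabled through the
# "select" lines of BRIDGE_EBT_BROUTE, BRIDGE_EBT_T_FILTER and
# BRIDGE_EBT_T_NAT below. A build that should not carry the old sockopt
# rule interface has to leave all three of those table options disabled.
config BRIDGE_NF_EBTABLES_LEGACY
	tristate

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
	select NETFILTER_FAMILY_BRIDGE
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.

if BRIDGE_NF_EBTABLES

#
# tables
#
# Each table option in this group selects BRIDGE_NF_EBTABLES_LEGACY.
#
config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	select BRIDGE_NF_EBTABLES_LEGACY
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables
	  website.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	select BRIDGE_NF_EBTABLES_LEGACY
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for
	  ebtables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	select BRIDGE_NF_EBTABLES_LEGACY
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here. If unsure, say N.
#
# matches
#
# None of the match options in this group select BRIDGE_NF_EBTABLES_LEGACY.
#
config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	help
	  This option adds the ARP match, which allows ARP and RARP header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	help
	  This option adds the IP match, which allows basic IP header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

# The BRIDGE_NF_EBTABLES term repeats the enclosing "if"; IPV6 is the
# dependency this line actually adds.
config BRIDGE_EBT_IP6
	tristate "ebt: IP6 filter support"
	depends on BRIDGE_NF_EBTABLES && IPV6
	help
	  This option adds the IP6 match, which allows basic IPV6 header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of
	  802.1Q vlan fields.

	  To compile it as a module, choose M here. If unsure, say N.
#
# targets
#
# The dnat, snat and redirect targets rewrite MAC addresses in frames.
# NOTE(review): where logs are used as evidence, confirm whether the
# log/nflog watchers see a frame before or after such a rewrite.
#
# The arp reply target makes the bridge itself generate ARP replies; it
# additionally needs INET (the BRIDGE_NF_EBTABLES term repeats the
# enclosing "if").
config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on BRIDGE_NF_EBTABLES && INET
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here. If unsure, say N.
#
# watchers
#
# The log watcher writes frame header info to syslog.
# NOTE(review): consider pairing log rules with the limit match
# (BRIDGE_EBT_LIMIT) so a burst of matching frames cannot flood the log.
#
config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	help
	  This option adds the log watcher, that you can use in any rule
	  in any ebtables table. It records info about the frame header
	  to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_NFLOG
	tristate "ebt: nflog support"
	help
	  This option enables the nflog watcher, which allows to LOG
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  This option adds the nflog watcher, that you can use in any rule
	  in any ebtables table.

	  To compile it as a module, choose M here. If unsure, say N.

endif # BRIDGE_NF_EBTABLES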