# SPDX-License-Identifier: GPL-2.0-only
#
# Bridge netfilter configuration
#
#
# nf_tables support for the bridge family. Selectable only when BRIDGE,
# NETFILTER and NF_TABLES are all enabled; enabling it also selects
# NETFILTER_FAMILY_BRIDGE. This entry has no help text.
menuconfig NF_TABLES_BRIDGE
	depends on BRIDGE && NETFILTER && NF_TABLES
	select NETFILTER_FAMILY_BRIDGE
	tristate "Ethernet Bridge nf_tables support"

if NF_TABLES_BRIDGE

# NOTE(review): the prompt below reads "nf_table" (singular) while the sibling
# NFT_BRIDGE_REJECT prompt reads "nf_tables" - confirm which spelling is intended.
config NFT_BRIDGE_META
	tristate "Netfilter nf_table bridge meta support"
	help
	  Add support for bridge dedicated meta key.

# The three separate "depends on" lines are ANDed: this option is only
# offered when NFT_REJECT, NF_REJECT_IPV4 and NF_REJECT_IPV6 are all enabled.
config NFT_BRIDGE_REJECT
	tristate "Netfilter nf_tables bridge reject support"
	depends on NFT_REJECT
	depends on NF_REJECT_IPV4
	depends on NF_REJECT_IPV6
	help
	  Add support to reject packets.

endif # NF_TABLES_BRIDGE

# Declared outside the NF_TABLES_BRIDGE block, so the only dependency stated
# here is NF_CONNTRACK. It is off unless chosen explicitly ("default n").
# Per the help text, this is the option that provides native connection
# tracking on the bridge for stateful policies, as a replacement for the
# br_netfilter infrastructure.
config NF_CONNTRACK_BRIDGE
	tristate "IPv4/IPV6 bridge connection tracking support"
	depends on NF_CONNTRACK
	default n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections. This is used to enhance packet filtering via
	  stateful policies. Enable this if you want native tracking from
	  the bridge. This provides a replacement for the `br_netfilter'
	  infrastructure.

	  To compile it as a module, choose M here. If unsure, say N.

# ebtables framework. Every BRIDGE_EBT_* entry between the "if" below and the
# matching "endif # BRIDGE_NF_EBTABLES" is only offered when this is enabled.
menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
	select NETFILTER_FAMILY_BRIDGE
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.

if BRIDGE_NF_EBTABLES

#
# tables
#
# None of the table entries carries a "default" line, so each one is off
# unless it is selected explicitly.
config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables
	  website.

	  To compile it as a module, choose M here. If unsure, say N.

# Filter table: per the help text, its rules apply at local input, forwarding
# and local output.
config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for
	  ebtables(8).

	  To compile it as a module, choose M here. If unsure, say N.

# NAT table: rules here rewrite MAC source or destination addresses.
config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here. If unsure, say N.
#
# matches
#
# Each match below is an independent tristate; a rule can only use a match
# whose option was built.
config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here. If unsure, say N.

# The help text names anti-spoofing as a use: matching MAC/IP address pairs
# against a list.
config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.

	  To compile it as a module, choose M here. If unsure, say N.

# Covers both ARP and RARP header fields.
config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	help
	  This option adds the ARP match, which allows ARP and RARP header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	help
	  This option adds the IP match, which allows basic IP header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

# NOTE(review): the BRIDGE_NF_EBTABLES term repeats the condition of the
# enclosing "if BRIDGE_NF_EBTABLES" block; IPV6 is the only extra requirement.
config BRIDGE_EBT_IP6
	tristate "ebt: IP6 filter support"
	depends on BRIDGE_NF_EBTABLES && IPV6
	help
	  This option adds the IP6 match, which allows basic IPV6 header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

# Rate-limiting match. Its closing help paragraph is worded differently from
# the sibling entries and points at Documentation/kbuild/modules.rst.
config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

# Matches on the 'nfmark' value; per the help text this is the same value the
# iptables mark match and target use, and the ebtables mark target can set it.
config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here. If unsure, say N.

# The packet class matched here is the one determined by the generic
# networking code, not a field parsed by this match.
config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of
	  802.1Q vlan fields.

	  To compile it as a module, choose M here. If unsure, say N.
#
# targets
#
# Targets act on a frame rather than only matching it.
#
# The arp reply target makes the bridge itself answer ARP requests, so rules
# that use it deserve review.
# NOTE(review): the BRIDGE_NF_EBTABLES term repeats the condition of the
# enclosing "if BRIDGE_NF_EBTABLES" block; INET is the only extra requirement.
config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on BRIDGE_NF_EBTABLES && INET
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here. If unsure, say N.

# Rewrites the destination MAC address of frames.
config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here. If unsure, say N.

# Sets the 'nfmark' value; the help text says this is the same value the
# iptables mark match and target use, so a mark set here is visible there.
config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here. If unsure, say N.

# Rewrites the destination MAC to that of the device the frame arrived on.
config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here. If unsure, say N.

# Rewrites the source MAC address of frames.
config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here. If unsure, say N.
#
# watchers
#
# Watchers are the logging options of this block. Neither has a "default"
# line, so no ebtables logging is built unless one is selected.
#
# Log watcher: writes frame header information to the syslog.
config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	help
	  This option adds the log watcher, that you can use in any rule
	  in any ebtables table. It records info about the frame header
	  to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

# nflog watcher: logs through the netfilter logging API; the help text lists
# the old LOG target, the old ULOG target or nfnetlink_log as backends.
# NOTE(review): the first two help paragraphs both introduce the nflog
# watcher and overlap - confirm whether both are intended.
config BRIDGE_EBT_NFLOG
	tristate "ebt: nflog support"
	help
	  This option enables the nflog watcher, which allows to LOG
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  This option adds the nflog watcher, that you can use in any rule
	  in any ebtables table.

	  To compile it as a module, choose M here. If unsure, say N.

endif # BRIDGE_NF_EBTABLES