| # SPDX-License-Identifier: GPL-2.0-only |
| # |
| # Bridge netfilter configuration |
| # |
| # |
| menuconfig NF_TABLES_BRIDGE |
| depends on BRIDGE && NETFILTER && NF_TABLES |
| select NETFILTER_FAMILY_BRIDGE |
| bool "Ethernet Bridge nf_tables support" |
| |
| if NF_TABLES_BRIDGE |
| |
| config NFT_BRIDGE_META |
| tristate "Netfilter nf_table bridge meta support" |
| help |
| Add support for bridge dedicated meta key. |
| |
| config NFT_BRIDGE_REJECT |
| tristate "Netfilter nf_tables bridge reject support" |
| depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6 |
| help |
| Add support to reject packets. |
| |
| config NF_LOG_BRIDGE |
| tristate "Bridge packet logging" |
| select NF_LOG_COMMON |
| |
| config NF_CONNTRACK_BRIDGE |
| tristate "IPv4/IPV6 bridge connection tracking support" |
| depends on NF_CONNTRACK |
| default n |
| help |
| Connection tracking keeps a record of what packets have passed |
| through your machine, in order to figure out how they are related |
| into connections. This is used to enhance packet filtering via |
| stateful policies. Enable this if you want native tracking from |
| the bridge. This provides a replacement for the `br_netfilter' |
| infrastructure. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| endif # NF_TABLES_BRIDGE |
| |
| menuconfig BRIDGE_NF_EBTABLES |
| tristate "Ethernet Bridge tables (ebtables) support" |
| depends on BRIDGE && NETFILTER && NETFILTER_XTABLES |
| select NETFILTER_FAMILY_BRIDGE |
| help |
| ebtables is a general, extensible frame/packet identification |
| framework. Say 'Y' or 'M' here if you want to do Ethernet |
| filtering/NAT/brouting on the Ethernet bridge. |
| |
| if BRIDGE_NF_EBTABLES |
| |
| # |
| # tables |
| # |
| config BRIDGE_EBT_BROUTE |
| tristate "ebt: broute table support" |
| help |
| The ebtables broute table is used to define rules that decide between |
| bridging and routing frames, giving Linux the functionality of a |
| brouter. See the man page for ebtables(8) and examples on the ebtables |
| website. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_T_FILTER |
| tristate "ebt: filter table support" |
| help |
| The ebtables filter table is used to define frame filtering rules at |
| local input, forwarding and local output. See the man page for |
| ebtables(8). |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_T_NAT |
| tristate "ebt: nat table support" |
| help |
| The ebtables nat table is used to define rules that alter the MAC |
| source address (MAC SNAT) or the MAC destination address (MAC DNAT). |
| See the man page for ebtables(8). |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| # |
| # matches |
| # |
| config BRIDGE_EBT_802_3 |
| tristate "ebt: 802.3 filter support" |
| help |
| This option adds matching support for 802.3 Ethernet frames. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_AMONG |
| tristate "ebt: among filter support" |
| help |
| This option adds the among match, which allows matching the MAC source |
| and/or destination address on a list of addresses. Optionally, |
| MAC/IP address pairs can be matched, f.e. for anti-spoofing rules. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_ARP |
| tristate "ebt: ARP filter support" |
| help |
| This option adds the ARP match, which allows ARP and RARP header field |
| filtering. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_IP |
| tristate "ebt: IP filter support" |
| help |
| This option adds the IP match, which allows basic IP header field |
| filtering. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_IP6 |
| tristate "ebt: IP6 filter support" |
| depends on BRIDGE_NF_EBTABLES && IPV6 |
| help |
| This option adds the IP6 match, which allows basic IPV6 header field |
| filtering. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_LIMIT |
| tristate "ebt: limit match support" |
| help |
| This option adds the limit match, which allows you to control |
| the rate at which a rule can be matched. This match is the |
| equivalent of the iptables limit match. |
| |
| If you want to compile it as a module, say M here and read |
| <file:Documentation/kbuild/modules.rst>. If unsure, say `N'. |
| |
| config BRIDGE_EBT_MARK |
| tristate "ebt: mark filter support" |
| help |
| This option adds the mark match, which allows matching frames based on |
| the 'nfmark' value in the frame. This can be set by the mark target. |
| This value is the same as the one used in the iptables mark match and |
| target. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_PKTTYPE |
| tristate "ebt: packet type filter support" |
| help |
| This option adds the packet type match, which allows matching on the |
| type of packet based on its Ethernet "class" (as determined by |
| the generic networking code): broadcast, multicast, |
| for this host alone or for another host. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_STP |
| tristate "ebt: STP filter support" |
| help |
| This option adds the Spanning Tree Protocol match, which |
| allows STP header field filtering. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_VLAN |
| tristate "ebt: 802.1Q VLAN filter support" |
| help |
| This option adds the 802.1Q vlan match, which allows the filtering of |
| 802.1Q vlan fields. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| # |
| # targets |
| # |
| config BRIDGE_EBT_ARPREPLY |
| tristate "ebt: arp reply target support" |
| depends on BRIDGE_NF_EBTABLES && INET |
| help |
| This option adds the arp reply target, which allows |
| automatically sending arp replies to arp requests. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_DNAT |
| tristate "ebt: dnat target support" |
| help |
| This option adds the MAC DNAT target, which allows altering the MAC |
| destination address of frames. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_MARK_T |
| tristate "ebt: mark target support" |
| help |
| This option adds the mark target, which allows marking frames by |
| setting the 'nfmark' value in the frame. |
| This value is the same as the one used in the iptables mark match and |
| target. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_REDIRECT |
| tristate "ebt: redirect target support" |
| help |
| This option adds the MAC redirect target, which allows altering the MAC |
| destination address of a frame to that of the device it arrived on. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_SNAT |
| tristate "ebt: snat target support" |
| help |
| This option adds the MAC SNAT target, which allows altering the MAC |
| source address of frames. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| # |
| # watchers |
| # |
| config BRIDGE_EBT_LOG |
| tristate "ebt: log support" |
| help |
| This option adds the log watcher, that you can use in any rule |
| in any ebtables table. It records info about the frame header |
| to the syslog. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| config BRIDGE_EBT_NFLOG |
| tristate "ebt: nflog support" |
| help |
| This option enables the nflog watcher, which allows to LOG |
| messages through the netfilter logging API, which can use |
| either the old LOG target, the old ULOG target or nfnetlink_log |
| as backend. |
| |
| This option adds the nflog watcher, that you can use in any rule |
| in any ebtables table. |
| |
| To compile it as a module, choose M here. If unsure, say N. |
| |
| endif # BRIDGE_NF_EBTABLES |