# SPDX-License-Identifier: GPL-2.0-only
#
# Bridge netfilter configuration
#
#
menuconfig NF_TABLES_BRIDGE
	depends on BRIDGE && NETFILTER && NF_TABLES
	select NETFILTER_FAMILY_BRIDGE
	tristate "Ethernet Bridge nf_tables support"

if NF_TABLES_BRIDGE

config NFT_BRIDGE_META
	tristate "Netfilter nf_table bridge meta support"
	help
	  Add support for bridge dedicated meta key.

config NFT_BRIDGE_REJECT
	tristate "Netfilter nf_tables bridge reject support"
	depends on NFT_REJECT
	depends on NF_REJECT_IPV4
	depends on NF_REJECT_IPV6
	help
	  Add support to reject packets.

endif # NF_TABLES_BRIDGE

config NF_CONNTRACK_BRIDGE
	tristate "IPv4/IPV6 bridge connection tracking support"
	depends on NF_CONNTRACK
	default n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections. This is used to enhance packet filtering via
	  stateful policies. Enable this if you want native tracking from
	  the bridge. This provides a replacement for the `br_netfilter'
	  infrastructure.

	  To compile it as a module, choose M here. If unsure, say N.

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
	select NETFILTER_FAMILY_BRIDGE
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.

if BRIDGE_NF_EBTABLES

#
# tables
#
config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables
	  website.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for
	  ebtables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here. If unsure, say N.
#
# matches
#
config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	help
	  This option adds the ARP match, which allows ARP and RARP header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	help
	  This option adds the IP match, which allows basic IP header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_IP6
	tristate "ebt: IP6 filter support"
	depends on BRIDGE_NF_EBTABLES && IPV6
	help
	  This option adds the IP6 match, which allows basic IPV6 header field
	  filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of
	  802.1Q vlan fields.

	  To compile it as a module, choose M here. If unsure, say N.
#
# targets
#
config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on BRIDGE_NF_EBTABLES && INET
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here. If unsure, say N.
#
# watchers
#
config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	help
	  This option adds the log watcher, that you can use in any rule
	  in any ebtables table. It records info about the frame header
	  to the syslog.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_NFLOG
	tristate "ebt: nflog support"
	help
	  This option enables the nflog watcher, which allows to LOG
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  This option adds the nflog watcher, that you can use in any rule
	  in any ebtables table.

	  To compile it as a module, choose M here. If unsure, say N.

endif # BRIDGE_NF_EBTABLES