# SPDX-License-Identifier: GPL-2.0-only
|
#
|
# Bridge netfilter configuration
|
#
|
#
|
menuconfig NF_TABLES_BRIDGE
|
depends on BRIDGE && NETFILTER && NF_TABLES
|
select NETFILTER_FAMILY_BRIDGE
|
tristate "Ethernet Bridge nf_tables support"
|
|
if NF_TABLES_BRIDGE
|
|
config NFT_BRIDGE_META
|
tristate "Netfilter nf_table bridge meta support"
|
help
|
Add support for bridge dedicated meta key.
|
|
config NFT_BRIDGE_REJECT
|
tristate "Netfilter nf_tables bridge reject support"
|
depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6
|
help
|
Add support to reject packets.
|
|
config NF_LOG_BRIDGE
|
tristate "Bridge packet logging"
|
select NF_LOG_COMMON
|
|
endif # NF_TABLES_BRIDGE
|
|
config NF_CONNTRACK_BRIDGE
|
tristate "IPv4/IPV6 bridge connection tracking support"
|
depends on NF_CONNTRACK
|
default n
|
help
|
Connection tracking keeps a record of what packets have passed
|
through your machine, in order to figure out how they are related
|
into connections. This is used to enhance packet filtering via
|
stateful policies. Enable this if you want native tracking from
|
the bridge. This provides a replacement for the `br_netfilter'
|
infrastructure.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
menuconfig BRIDGE_NF_EBTABLES
|
tristate "Ethernet Bridge tables (ebtables) support"
|
depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
|
select NETFILTER_FAMILY_BRIDGE
|
help
|
ebtables is a general, extensible frame/packet identification
|
framework. Say 'Y' or 'M' here if you want to do Ethernet
|
filtering/NAT/brouting on the Ethernet bridge.
|
|
if BRIDGE_NF_EBTABLES
|
|
#
|
# tables
|
#
|
config BRIDGE_EBT_BROUTE
|
tristate "ebt: broute table support"
|
help
|
The ebtables broute table is used to define rules that decide between
|
bridging and routing frames, giving Linux the functionality of a
|
brouter. See the man page for ebtables(8) and examples on the ebtables
|
website.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_T_FILTER
|
tristate "ebt: filter table support"
|
help
|
The ebtables filter table is used to define frame filtering rules at
|
local input, forwarding and local output. See the man page for
|
ebtables(8).
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_T_NAT
|
tristate "ebt: nat table support"
|
help
|
The ebtables nat table is used to define rules that alter the MAC
|
source address (MAC SNAT) or the MAC destination address (MAC DNAT).
|
See the man page for ebtables(8).
|
|
To compile it as a module, choose M here. If unsure, say N.
|
#
|
# matches
|
#
|
config BRIDGE_EBT_802_3
|
tristate "ebt: 802.3 filter support"
|
help
|
This option adds matching support for 802.3 Ethernet frames.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_AMONG
|
tristate "ebt: among filter support"
|
help
|
This option adds the among match, which allows matching the MAC source
|
and/or destination address on a list of addresses. Optionally,
|
MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_ARP
|
tristate "ebt: ARP filter support"
|
help
|
This option adds the ARP match, which allows ARP and RARP header field
|
filtering.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_IP
|
tristate "ebt: IP filter support"
|
help
|
This option adds the IP match, which allows basic IP header field
|
filtering.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_IP6
|
tristate "ebt: IP6 filter support"
|
depends on BRIDGE_NF_EBTABLES && IPV6
|
help
|
This option adds the IP6 match, which allows basic IPV6 header field
|
filtering.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_LIMIT
|
tristate "ebt: limit match support"
|
help
|
This option adds the limit match, which allows you to control
|
the rate at which a rule can be matched. This match is the
|
equivalent of the iptables limit match.
|
|
If you want to compile it as a module, say M here and read
|
<file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
|
|
config BRIDGE_EBT_MARK
|
tristate "ebt: mark filter support"
|
help
|
This option adds the mark match, which allows matching frames based on
|
the 'nfmark' value in the frame. This can be set by the mark target.
|
This value is the same as the one used in the iptables mark match and
|
target.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_PKTTYPE
|
tristate "ebt: packet type filter support"
|
help
|
This option adds the packet type match, which allows matching on the
|
type of packet based on its Ethernet "class" (as determined by
|
the generic networking code): broadcast, multicast,
|
for this host alone or for another host.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_STP
|
tristate "ebt: STP filter support"
|
help
|
This option adds the Spanning Tree Protocol match, which
|
allows STP header field filtering.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_VLAN
|
tristate "ebt: 802.1Q VLAN filter support"
|
help
|
This option adds the 802.1Q vlan match, which allows the filtering of
|
802.1Q vlan fields.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
#
|
# targets
|
#
|
config BRIDGE_EBT_ARPREPLY
|
tristate "ebt: arp reply target support"
|
depends on BRIDGE_NF_EBTABLES && INET
|
help
|
This option adds the arp reply target, which allows
|
automatically sending arp replies to arp requests.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_DNAT
|
tristate "ebt: dnat target support"
|
help
|
This option adds the MAC DNAT target, which allows altering the MAC
|
destination address of frames.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_MARK_T
|
tristate "ebt: mark target support"
|
help
|
This option adds the mark target, which allows marking frames by
|
setting the 'nfmark' value in the frame.
|
This value is the same as the one used in the iptables mark match and
|
target.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_REDIRECT
|
tristate "ebt: redirect target support"
|
help
|
This option adds the MAC redirect target, which allows altering the MAC
|
destination address of a frame to that of the device it arrived on.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_SNAT
|
tristate "ebt: snat target support"
|
help
|
This option adds the MAC SNAT target, which allows altering the MAC
|
source address of frames.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
#
|
# watchers
|
#
|
config BRIDGE_EBT_LOG
|
tristate "ebt: log support"
|
help
|
This option adds the log watcher, that you can use in any rule
|
in any ebtables table. It records info about the frame header
|
to the syslog.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
config BRIDGE_EBT_NFLOG
|
tristate "ebt: nflog support"
|
help
|
This option enables the nflog watcher, which allows to LOG
|
messages through the netfilter logging API, which can use
|
either the old LOG target, the old ULOG target or nfnetlink_log
|
as backend.
|
|
This option adds the nflog watcher, that you can use in any rule
|
in any ebtables table.
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
endif # BRIDGE_NF_EBTABLES
|
