1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
|
# SPDX-License-Identifier: GPL-2.0-only
#
# Bridge netfilter configuration
#
#
menuconfig NF_TABLES_BRIDGE
depends on BRIDGE && NETFILTER && NF_TABLES
select NETFILTER_FAMILY_BRIDGE
tristate "Ethernet Bridge nf_tables support"
if NF_TABLES_BRIDGE
config NFT_BRIDGE_META
tristate "Netfilter nf_table bridge meta support"
help
Add support for bridge dedicated meta key.
config NFT_BRIDGE_REJECT
tristate "Netfilter nf_tables bridge reject support"
depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6
help
Add support to reject packets.
config NF_LOG_BRIDGE
tristate "Bridge packet logging"
select NF_LOG_COMMON
endif # NF_TABLES_BRIDGE
config NF_CONNTRACK_BRIDGE
tristate "IPv4/IPV6 bridge connection tracking support"
depends on NF_CONNTRACK
default n
help
Connection tracking keeps a record of what packets have passed
through your machine, in order to figure out how they are related
into connections. This is used to enhance packet filtering via
stateful policies. Enable this if you want native tracking from
the bridge. This provides a replacement for the `br_netfilter'
infrastructure.
To compile it as a module, choose M here. If unsure, say N.
menuconfig BRIDGE_NF_EBTABLES
tristate "Ethernet Bridge tables (ebtables) support"
depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
select NETFILTER_FAMILY_BRIDGE
help
ebtables is a general, extensible frame/packet identification
framework. Say 'Y' or 'M' here if you want to do Ethernet
filtering/NAT/brouting on the Ethernet bridge.
if BRIDGE_NF_EBTABLES
#
# tables
#
config BRIDGE_EBT_BROUTE
tristate "ebt: broute table support"
help
The ebtables broute table is used to define rules that decide between
bridging and routing frames, giving Linux the functionality of a
brouter. See the man page for ebtables(8) and examples on the ebtables
website.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_T_FILTER
tristate "ebt: filter table support"
help
The ebtables filter table is used to define frame filtering rules at
local input, forwarding and local output. See the man page for
ebtables(8).
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_T_NAT
tristate "ebt: nat table support"
help
The ebtables nat table is used to define rules that alter the MAC
source address (MAC SNAT) or the MAC destination address (MAC DNAT).
See the man page for ebtables(8).
To compile it as a module, choose M here. If unsure, say N.
#
# matches
#
config BRIDGE_EBT_802_3
tristate "ebt: 802.3 filter support"
help
This option adds matching support for 802.3 Ethernet frames.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_AMONG
tristate "ebt: among filter support"
help
This option adds the among match, which allows matching the MAC source
and/or destination address on a list of addresses. Optionally,
MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_ARP
tristate "ebt: ARP filter support"
help
This option adds the ARP match, which allows ARP and RARP header field
filtering.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_IP
tristate "ebt: IP filter support"
help
This option adds the IP match, which allows basic IP header field
filtering.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_IP6
tristate "ebt: IP6 filter support"
depends on BRIDGE_NF_EBTABLES && IPV6
help
This option adds the IP6 match, which allows basic IPV6 header field
filtering.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_LIMIT
tristate "ebt: limit match support"
help
This option adds the limit match, which allows you to control
the rate at which a rule can be matched. This match is the
equivalent of the iptables limit match.
If you want to compile it as a module, say M here and read
<file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
config BRIDGE_EBT_MARK
tristate "ebt: mark filter support"
help
This option adds the mark match, which allows matching frames based on
the 'nfmark' value in the frame. This can be set by the mark target.
This value is the same as the one used in the iptables mark match and
target.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_PKTTYPE
tristate "ebt: packet type filter support"
help
This option adds the packet type match, which allows matching on the
type of packet based on its Ethernet "class" (as determined by
the generic networking code): broadcast, multicast,
for this host alone or for another host.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_STP
tristate "ebt: STP filter support"
help
This option adds the Spanning Tree Protocol match, which
allows STP header field filtering.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_VLAN
tristate "ebt: 802.1Q VLAN filter support"
help
This option adds the 802.1Q vlan match, which allows the filtering of
802.1Q vlan fields.
To compile it as a module, choose M here. If unsure, say N.
#
# targets
#
config BRIDGE_EBT_ARPREPLY
tristate "ebt: arp reply target support"
depends on BRIDGE_NF_EBTABLES && INET
help
This option adds the arp reply target, which allows
automatically sending arp replies to arp requests.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_DNAT
tristate "ebt: dnat target support"
help
This option adds the MAC DNAT target, which allows altering the MAC
destination address of frames.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_MARK_T
tristate "ebt: mark target support"
help
This option adds the mark target, which allows marking frames by
setting the 'nfmark' value in the frame.
This value is the same as the one used in the iptables mark match and
target.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_REDIRECT
tristate "ebt: redirect target support"
help
This option adds the MAC redirect target, which allows altering the MAC
destination address of a frame to that of the device it arrived on.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_SNAT
tristate "ebt: snat target support"
help
This option adds the MAC SNAT target, which allows altering the MAC
source address of frames.
To compile it as a module, choose M here. If unsure, say N.
#
# watchers
#
config BRIDGE_EBT_LOG
tristate "ebt: log support"
help
This option adds the log watcher, that you can use in any rule
in any ebtables table. It records info about the frame header
to the syslog.
To compile it as a module, choose M here. If unsure, say N.
config BRIDGE_EBT_NFLOG
tristate "ebt: nflog support"
help
This option enables the nflog watcher, which allows to LOG
messages through the netfilter logging API, which can use
either the old LOG target, the old ULOG target or nfnetlink_log
as backend.
This option adds the nflog watcher, that you can use in any rule
in any ebtables table.
To compile it as a module, choose M here. If unsure, say N.
endif # BRIDGE_NF_EBTABLES
|