[linux-block.git] / net / bridge / netfilter / Kconfig

# SPDX-License-Identifier: GPL-2.0-only
#
# Bridge netfilter configuration
#
#
menuconfig NF_TABLES_BRIDGE
	depends on BRIDGE && NETFILTER && NF_TABLES
	select NETFILTER_FAMILY_BRIDGE
	tristate "Ethernet Bridge nf_tables support"

if NF_TABLES_BRIDGE

config NFT_BRIDGE_META
	tristate "Netfilter nf_table bridge meta support"
	help
	  Add support for bridge dedicated meta key.

config NFT_BRIDGE_REJECT
	tristate "Netfilter nf_tables bridge reject support"
	depends on NFT_REJECT
	depends on NF_REJECT_IPV4
	depends on NF_REJECT_IPV6
	help
	  Add support to reject packets.

endif # NF_TABLES_BRIDGE

config NF_CONNTRACK_BRIDGE
	tristate "IPv4/IPV6 bridge connection tracking support"
	depends on NF_CONNTRACK
	default n
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections. This is used to enhance packet filtering via
	  stateful policies. Enable this if you want native tracking from
	  the bridge. This provides a replacement for the `br_netfilter'
	  infrastructure.

	  To compile it as a module, choose M here.  If unsure, say N.

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
	select NETFILTER_FAMILY_BRIDGE
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.

if BRIDGE_NF_EBTABLES

#
# tables
#
config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables
	  website.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for
	  ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.
#
# matches
#
config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	help
	  This option adds the ARP match, which allows ARP and RARP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	help
	  This option adds the IP match, which allows basic IP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP6
	tristate "ebt: IP6 filter support"
	depends on BRIDGE_NF_EBTABLES && IPV6
	help
	  This option adds the IP6 match, which allows basic IPV6 header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of
	  802.1Q vlan fields.

	  To compile it as a module, choose M here.  If unsure, say N.
#
# targets
#
config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on BRIDGE_NF_EBTABLES && INET
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.
#
# watchers
#
config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	help
	  This option adds the log watcher, that you can use in any rule
	  in any ebtables table. It records info about the frame header
	  to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_NFLOG
	tristate "ebt: nflog support"
	help
	  This option enables the nflog watcher, which allows to LOG
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  This option adds the nflog watcher, that you can use in any rule
	  in any ebtables table.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # BRIDGE_NF_EBTABLES
Commit	Line	Data
ec8f24b7	1	# SPDX-License-Identifier: GPL-2.0-only
1da177e4 LT	2	#
	3	# Bridge netfilter configuration
	4	#
96518518	5	#
f5efc696	6	menuconfig NF_TABLES_BRIDGE
1708803e	7	depends on BRIDGE && NETFILTER && NF_TABLES
2a95183a	8	select NETFILTER_FAMILY_BRIDGE
dfee0e99	9	tristate "Ethernet Bridge nf_tables support"
1da177e4	10
f5efc696	11	if NF_TABLES_BRIDGE
30e103fe	12
	13	config NFT_BRIDGE_META
	14	tristate "Netfilter nf_table bridge meta support"
	15	help
	16	Add support for bridge dedicated meta key.
	17
85f5b308 PNA	18	config NFT_BRIDGE_REJECT
85f5b308 PNA	19	tristate "Netfilter nf_tables bridge reject support"
fa538f7c	20	depends on NFT_REJECT
fd2d6bc4 RD	21	depends on NF_REJECT_IPV4
fd2d6bc4 RD	22	depends on NF_REJECT_IPV6
85f5b308 PNA	23	help
	24	Add support to reject packets.
	25
fc2f14f8 PNA	26	endif # NF_TABLES_BRIDGE
fc2f14f8 PNA	27
3c171f49 PNA	28	config NF_CONNTRACK_BRIDGE
	29	tristate "IPv4/IPV6 bridge connection tracking support"
	30	depends on NF_CONNTRACK
	31	default n
	32	help
	33	Connection tracking keeps a record of what packets have passed
	34	through your machine, in order to figure out how they are related
	35	into connections. This is used to enhance packet filtering via
	36	stateful policies. Enable this if you want native tracking from
	37	the bridge. This provides a replacement for the `br_netfilter'
	38	infrastructure.
	39
	40	To compile it as a module, choose M here. If unsure, say N.
	41
20f3c56f	42	menuconfig BRIDGE_NF_EBTABLES
1da177e4	43	tristate "Ethernet Bridge tables (ebtables) support"
1708803e	44	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
2a95183a	45	select NETFILTER_FAMILY_BRIDGE
1da177e4 LT	46	help
	47	ebtables is a general, extensible frame/packet identification
	48	framework. Say 'Y' or 'M' here if you want to do Ethernet
	49	filtering/NAT/brouting on the Ethernet bridge.
20f3c56f JE	50
	51	if BRIDGE_NF_EBTABLES
	52
1da177e4 LT	53	#
	54	# tables
	55	#
	56	config BRIDGE_EBT_BROUTE
	57	tristate "ebt: broute table support"
1da177e4 LT	58	help
	59	The ebtables broute table is used to define rules that decide between
	60	bridging and routing frames, giving Linux the functionality of a
	61	brouter. See the man page for ebtables(8) and examples on the ebtables
	62	website.
	63
	64	To compile it as a module, choose M here. If unsure, say N.
	65
	66	config BRIDGE_EBT_T_FILTER
	67	tristate "ebt: filter table support"
1da177e4 LT	68	help
	69	The ebtables filter table is used to define frame filtering rules at
	70	local input, forwarding and local output. See the man page for
	71	ebtables(8).
	72
	73	To compile it as a module, choose M here. If unsure, say N.
	74
	75	config BRIDGE_EBT_T_NAT
	76	tristate "ebt: nat table support"
1da177e4 LT	77	help
	78	The ebtables nat table is used to define rules that alter the MAC
	79	source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	80	See the man page for ebtables(8).
	81
	82	To compile it as a module, choose M here. If unsure, say N.
	83	#
	84	# matches
	85	#
	86	config BRIDGE_EBT_802_3
	87	tristate "ebt: 802.3 filter support"
1da177e4 LT	88	help
	89	This option adds matching support for 802.3 Ethernet frames.
	90
	91	To compile it as a module, choose M here. If unsure, say N.
	92
	93	config BRIDGE_EBT_AMONG
	94	tristate "ebt: among filter support"
1da177e4 LT	95	help
	96	This option adds the among match, which allows matching the MAC source
	97	and/or destination address on a list of addresses. Optionally,
	98	MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.
	99
	100	To compile it as a module, choose M here. If unsure, say N.
	101
	102	config BRIDGE_EBT_ARP
	103	tristate "ebt: ARP filter support"
1da177e4 LT	104	help
	105	This option adds the ARP match, which allows ARP and RARP header field
	106	filtering.
	107
	108	To compile it as a module, choose M here. If unsure, say N.
	109
	110	config BRIDGE_EBT_IP
	111	tristate "ebt: IP filter support"
1da177e4 LT	112	help
	113	This option adds the IP match, which allows basic IP header field
	114	filtering.
	115
	116	To compile it as a module, choose M here. If unsure, say N.
	117
93f65158 KT	118	config BRIDGE_EBT_IP6
93f65158 KT	119	tristate "ebt: IP6 filter support"
f586287e	120	depends on BRIDGE_NF_EBTABLES && IPV6
93f65158 KT	121	help
	122	This option adds the IP6 match, which allows basic IPV6 header field
	123	filtering.
	124
	125	To compile it as a module, choose M here. If unsure, say N.
	126
1da177e4 LT	127	config BRIDGE_EBT_LIMIT
1da177e4 LT	128	tristate "ebt: limit match support"
1da177e4 LT	129	help
	130	This option adds the limit match, which allows you to control
	131	the rate at which a rule can be matched. This match is the
	132	equivalent of the iptables limit match.
	133
	134	If you want to compile it as a module, say M here and read
cd238eff	135	<file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1da177e4 LT	136
	137	config BRIDGE_EBT_MARK
	138	tristate "ebt: mark filter support"
1da177e4 LT	139	help
	140	This option adds the mark match, which allows matching frames based on
	141	the 'nfmark' value in the frame. This can be set by the mark target.
	142	This value is the same as the one used in the iptables mark match and
	143	target.
	144
	145	To compile it as a module, choose M here. If unsure, say N.
	146
	147	config BRIDGE_EBT_PKTTYPE
	148	tristate "ebt: packet type filter support"
1da177e4 LT	149	help
	150	This option adds the packet type match, which allows matching on the
	151	type of packet based on its Ethernet "class" (as determined by
	152	the generic networking code): broadcast, multicast,
	153	for this host alone or for another host.
	154
	155	To compile it as a module, choose M here. If unsure, say N.
	156
	157	config BRIDGE_EBT_STP
	158	tristate "ebt: STP filter support"
1da177e4 LT	159	help
	160	This option adds the Spanning Tree Protocol match, which
	161	allows STP header field filtering.
	162
	163	To compile it as a module, choose M here. If unsure, say N.
	164
	165	config BRIDGE_EBT_VLAN
	166	tristate "ebt: 802.1Q VLAN filter support"
1da177e4 LT	167	help
	168	This option adds the 802.1Q vlan match, which allows the filtering of
	169	802.1Q vlan fields.
	170
	171	To compile it as a module, choose M here. If unsure, say N.
	172	#
	173	# targets
	174	#
	175	config BRIDGE_EBT_ARPREPLY
	176	tristate "ebt: arp reply target support"
eb3f8f5e	177	depends on BRIDGE_NF_EBTABLES && INET
1da177e4 LT	178	help
	179	This option adds the arp reply target, which allows
	180	automatically sending arp replies to arp requests.
	181
	182	To compile it as a module, choose M here. If unsure, say N.
	183
	184	config BRIDGE_EBT_DNAT
	185	tristate "ebt: dnat target support"
1da177e4 LT	186	help
	187	This option adds the MAC DNAT target, which allows altering the MAC
	188	destination address of frames.
	189
	190	To compile it as a module, choose M here. If unsure, say N.
	191
	192	config BRIDGE_EBT_MARK_T
	193	tristate "ebt: mark target support"
1da177e4 LT	194	help
	195	This option adds the mark target, which allows marking frames by
	196	setting the 'nfmark' value in the frame.
	197	This value is the same as the one used in the iptables mark match and
	198	target.
	199
	200	To compile it as a module, choose M here. If unsure, say N.
	201
	202	config BRIDGE_EBT_REDIRECT
	203	tristate "ebt: redirect target support"
1da177e4 LT	204	help
	205	This option adds the MAC redirect target, which allows altering the MAC
	206	destination address of a frame to that of the device it arrived on.
	207
	208	To compile it as a module, choose M here. If unsure, say N.
	209
	210	config BRIDGE_EBT_SNAT
	211	tristate "ebt: snat target support"
1da177e4 LT	212	help
	213	This option adds the MAC SNAT target, which allows altering the MAC
	214	source address of frames.
	215
	216	To compile it as a module, choose M here. If unsure, say N.
	217	#
	218	# watchers
	219	#
	220	config BRIDGE_EBT_LOG
	221	tristate "ebt: log support"
1da177e4 LT	222	help
	223	This option adds the log watcher, that you can use in any rule
	224	in any ebtables table. It records info about the frame header
	225	to the syslog.
	226
	227	To compile it as a module, choose M here. If unsure, say N.
	228
e7bfd0a1 PW	229	config BRIDGE_EBT_NFLOG
e7bfd0a1 PW	230	tristate "ebt: nflog support"
e7bfd0a1 PW	231	help
	232	This option enables the nflog watcher, which allows to LOG
	233	messages through the netfilter logging API, which can use
	234	either the old LOG target, the old ULOG target or nfnetlink_log
	235	as backend.
	236
58de7862	237	This option adds the nflog watcher, that you can use in any rule
e7bfd0a1 PW	238	in any ebtables table.
	239
	240	To compile it as a module, choose M here. If unsure, say N.
	241
20f3c56f	242	endif # BRIDGE_NF_EBTABLES