[linux-2.6-block.git] / net / bridge / netfilter / Kconfig

# SPDX-License-Identifier: GPL-2.0-only
#
# Bridge netfilter configuration
#
#
menuconfig NF_TABLES_BRIDGE
	depends on BRIDGE && NETFILTER && NF_TABLES
	select NETFILTER_FAMILY_BRIDGE
	bool "Ethernet Bridge nf_tables support"

if NF_TABLES_BRIDGE
config NFT_BRIDGE_REJECT
	tristate "Netfilter nf_tables bridge reject support"
	depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6
	help
	  Add support to reject packets.

config NF_LOG_BRIDGE
	tristate "Bridge packet logging"
	select NF_LOG_COMMON

endif # NF_TABLES_BRIDGE

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
	select NETFILTER_FAMILY_BRIDGE
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.

if BRIDGE_NF_EBTABLES

#
# tables
#
config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables
	  website.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for
	  ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.
#
# matches
#
config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	help
	  This option adds the ARP match, which allows ARP and RARP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	help
	  This option adds the IP match, which allows basic IP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP6
	tristate "ebt: IP6 filter support"
	depends on BRIDGE_NF_EBTABLES && IPV6
	help
	  This option adds the IP6 match, which allows basic IPV6 header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>.  If unsure, say `N'.

config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of
	  802.1Q vlan fields.

	  To compile it as a module, choose M here.  If unsure, say N.
#
# targets
#
config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on BRIDGE_NF_EBTABLES && INET
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.
#
# watchers
#
config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	help
	  This option adds the log watcher, that you can use in any rule
	  in any ebtables table. It records info about the frame header
	  to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_NFLOG
	tristate "ebt: nflog support"
	help
	  This option enables the nflog watcher, which allows to LOG
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  This option adds the nflog watcher, that you can use in any rule
	  in any ebtables table.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # BRIDGE_NF_EBTABLES
Commit	Line	Data
ec8f24b7	1	# SPDX-License-Identifier: GPL-2.0-only
1da177e4 LT	2	#
	3	# Bridge netfilter configuration
	4	#
96518518	5	#
f5efc696	6	menuconfig NF_TABLES_BRIDGE
1708803e	7	depends on BRIDGE && NETFILTER && NF_TABLES
2a95183a	8	select NETFILTER_FAMILY_BRIDGE
02c7b25e	9	bool "Ethernet Bridge nf_tables support"
1da177e4	10
f5efc696	11	if NF_TABLES_BRIDGE
85f5b308 PNA	12	config NFT_BRIDGE_REJECT
	13	tristate "Netfilter nf_tables bridge reject support"
	14	depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6
	15	help
	16	Add support to reject packets.
	17
960649d1 PNA	18	config NF_LOG_BRIDGE
960649d1 PNA	19	tristate "Bridge packet logging"
1fddf4ba	20	select NF_LOG_COMMON
960649d1	21
f5efc696 TB	22	endif # NF_TABLES_BRIDGE
f5efc696 TB	23
20f3c56f	24	menuconfig BRIDGE_NF_EBTABLES
1da177e4	25	tristate "Ethernet Bridge tables (ebtables) support"
1708803e	26	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
2a95183a	27	select NETFILTER_FAMILY_BRIDGE
1da177e4 LT	28	help
	29	ebtables is a general, extensible frame/packet identification
	30	framework. Say 'Y' or 'M' here if you want to do Ethernet
	31	filtering/NAT/brouting on the Ethernet bridge.
20f3c56f JE	32
	33	if BRIDGE_NF_EBTABLES
	34
1da177e4 LT	35	#
	36	# tables
	37	#
	38	config BRIDGE_EBT_BROUTE
	39	tristate "ebt: broute table support"
1da177e4 LT	40	help
	41	The ebtables broute table is used to define rules that decide between
	42	bridging and routing frames, giving Linux the functionality of a
	43	brouter. See the man page for ebtables(8) and examples on the ebtables
	44	website.
	45
	46	To compile it as a module, choose M here. If unsure, say N.
	47
	48	config BRIDGE_EBT_T_FILTER
	49	tristate "ebt: filter table support"
1da177e4 LT	50	help
	51	The ebtables filter table is used to define frame filtering rules at
	52	local input, forwarding and local output. See the man page for
	53	ebtables(8).
	54
	55	To compile it as a module, choose M here. If unsure, say N.
	56
	57	config BRIDGE_EBT_T_NAT
	58	tristate "ebt: nat table support"
1da177e4 LT	59	help
	60	The ebtables nat table is used to define rules that alter the MAC
	61	source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	62	See the man page for ebtables(8).
	63
	64	To compile it as a module, choose M here. If unsure, say N.
	65	#
	66	# matches
	67	#
	68	config BRIDGE_EBT_802_3
	69	tristate "ebt: 802.3 filter support"
1da177e4 LT	70	help
	71	This option adds matching support for 802.3 Ethernet frames.
	72
	73	To compile it as a module, choose M here. If unsure, say N.
	74
	75	config BRIDGE_EBT_AMONG
	76	tristate "ebt: among filter support"
1da177e4 LT	77	help
	78	This option adds the among match, which allows matching the MAC source
	79	and/or destination address on a list of addresses. Optionally,
	80	MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.
	81
	82	To compile it as a module, choose M here. If unsure, say N.
	83
	84	config BRIDGE_EBT_ARP
	85	tristate "ebt: ARP filter support"
1da177e4 LT	86	help
	87	This option adds the ARP match, which allows ARP and RARP header field
	88	filtering.
	89
	90	To compile it as a module, choose M here. If unsure, say N.
	91
	92	config BRIDGE_EBT_IP
	93	tristate "ebt: IP filter support"
1da177e4 LT	94	help
	95	This option adds the IP match, which allows basic IP header field
	96	filtering.
	97
	98	To compile it as a module, choose M here. If unsure, say N.
	99
93f65158 KT	100	config BRIDGE_EBT_IP6
93f65158 KT	101	tristate "ebt: IP6 filter support"
f586287e	102	depends on BRIDGE_NF_EBTABLES && IPV6
93f65158 KT	103	help
	104	This option adds the IP6 match, which allows basic IPV6 header field
	105	filtering.
	106
	107	To compile it as a module, choose M here. If unsure, say N.
	108
1da177e4 LT	109	config BRIDGE_EBT_LIMIT
1da177e4 LT	110	tristate "ebt: limit match support"
1da177e4 LT	111	help
	112	This option adds the limit match, which allows you to control
	113	the rate at which a rule can be matched. This match is the
	114	equivalent of the iptables limit match.
	115
	116	If you want to compile it as a module, say M here and read
cd238eff	117	<file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
1da177e4 LT	118
	119	config BRIDGE_EBT_MARK
	120	tristate "ebt: mark filter support"
1da177e4 LT	121	help
	122	This option adds the mark match, which allows matching frames based on
	123	the 'nfmark' value in the frame. This can be set by the mark target.
	124	This value is the same as the one used in the iptables mark match and
	125	target.
	126
	127	To compile it as a module, choose M here. If unsure, say N.
	128
	129	config BRIDGE_EBT_PKTTYPE
	130	tristate "ebt: packet type filter support"
1da177e4 LT	131	help
	132	This option adds the packet type match, which allows matching on the
	133	type of packet based on its Ethernet "class" (as determined by
	134	the generic networking code): broadcast, multicast,
	135	for this host alone or for another host.
	136
	137	To compile it as a module, choose M here. If unsure, say N.
	138
	139	config BRIDGE_EBT_STP
	140	tristate "ebt: STP filter support"
1da177e4 LT	141	help
	142	This option adds the Spanning Tree Protocol match, which
	143	allows STP header field filtering.
	144
	145	To compile it as a module, choose M here. If unsure, say N.
	146
	147	config BRIDGE_EBT_VLAN
	148	tristate "ebt: 802.1Q VLAN filter support"
1da177e4 LT	149	help
	150	This option adds the 802.1Q vlan match, which allows the filtering of
	151	802.1Q vlan fields.
	152
	153	To compile it as a module, choose M here. If unsure, say N.
	154	#
	155	# targets
	156	#
	157	config BRIDGE_EBT_ARPREPLY
	158	tristate "ebt: arp reply target support"
eb3f8f5e	159	depends on BRIDGE_NF_EBTABLES && INET
1da177e4 LT	160	help
	161	This option adds the arp reply target, which allows
	162	automatically sending arp replies to arp requests.
	163
	164	To compile it as a module, choose M here. If unsure, say N.
	165
	166	config BRIDGE_EBT_DNAT
	167	tristate "ebt: dnat target support"
1da177e4 LT	168	help
	169	This option adds the MAC DNAT target, which allows altering the MAC
	170	destination address of frames.
	171
	172	To compile it as a module, choose M here. If unsure, say N.
	173
	174	config BRIDGE_EBT_MARK_T
	175	tristate "ebt: mark target support"
1da177e4 LT	176	help
	177	This option adds the mark target, which allows marking frames by
	178	setting the 'nfmark' value in the frame.
	179	This value is the same as the one used in the iptables mark match and
	180	target.
	181
	182	To compile it as a module, choose M here. If unsure, say N.
	183
	184	config BRIDGE_EBT_REDIRECT
	185	tristate "ebt: redirect target support"
1da177e4 LT	186	help
	187	This option adds the MAC redirect target, which allows altering the MAC
	188	destination address of a frame to that of the device it arrived on.
	189
	190	To compile it as a module, choose M here. If unsure, say N.
	191
	192	config BRIDGE_EBT_SNAT
	193	tristate "ebt: snat target support"
1da177e4 LT	194	help
	195	This option adds the MAC SNAT target, which allows altering the MAC
	196	source address of frames.
	197
	198	To compile it as a module, choose M here. If unsure, say N.
	199	#
	200	# watchers
	201	#
	202	config BRIDGE_EBT_LOG
	203	tristate "ebt: log support"
1da177e4 LT	204	help
	205	This option adds the log watcher, that you can use in any rule
	206	in any ebtables table. It records info about the frame header
	207	to the syslog.
	208
	209	To compile it as a module, choose M here. If unsure, say N.
	210
e7bfd0a1 PW	211	config BRIDGE_EBT_NFLOG
e7bfd0a1 PW	212	tristate "ebt: nflog support"
e7bfd0a1 PW	213	help
	214	This option enables the nflog watcher, which allows to LOG
	215	messages through the netfilter logging API, which can use
	216	either the old LOG target, the old ULOG target or nfnetlink_log
	217	as backend.
	218
58de7862	219	This option adds the nflog watcher, that you can use in any rule
e7bfd0a1 PW	220	in any ebtables table.
	221
	222	To compile it as a module, choose M here. If unsure, say N.
	223
20f3c56f	224	endif # BRIDGE_NF_EBTABLES