# SPDX-License-Identifier: GPL-2.0-only
# Bridge netfilter configuration

menuconfig NF_TABLES_BRIDGE
	depends on BRIDGE && NETFILTER && NF_TABLES
	select NETFILTER_FAMILY_BRIDGE
	tristate "Ethernet Bridge nf_tables support"

if NF_TABLES_BRIDGE

config NFT_BRIDGE_META
	tristate "Netfilter nf_table bridge meta support"
	help
	  Add support for bridge dedicated meta key.

config NFT_BRIDGE_REJECT
	tristate "Netfilter nf_tables bridge reject support"
	depends on NF_REJECT_IPV4
	depends on NF_REJECT_IPV6
	help
	  Add support to reject packets.

endif # NF_TABLES_BRIDGE

config NF_CONNTRACK_BRIDGE
	tristate "IPv4/IPV6 bridge connection tracking support"
	depends on NF_CONNTRACK
	help
	  Connection tracking keeps a record of what packets have passed
	  through your machine, in order to figure out how they are related
	  into connections. This is used to enhance packet filtering via
	  stateful policies. Enable this if you want native tracking from
	  the bridge. This provides a replacement for the `br_netfilter'

	  To compile it as a module, choose M here. If unsure, say N.

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
	select NETFILTER_FAMILY_BRIDGE
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.

if BRIDGE_NF_EBTABLES

config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	help
	  This option adds the ARP match, which allows ARP and RARP header field

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	help
	  This option adds the IP match, which allows basic IP header field

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_IP6
	tristate "ebt: IP6 filter support"
	depends on BRIDGE_NF_EBTABLES && IPV6
	help
	  This option adds the IP6 match, which allows basic IPV6 header field

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.rst>. If unsure, say `N'.

config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on BRIDGE_NF_EBTABLES && INET
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	help
	  This option adds the log watcher, that you can use in any rule
	  in any ebtables table. It records info about the frame header

	  To compile it as a module, choose M here. If unsure, say N.

config BRIDGE_EBT_NFLOG
	tristate "ebt: nflog support"
	help
	  This option enables the nflog watcher, which allows to LOG
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log

	  This option adds the nflog watcher, that you can use in any rule
	  in any ebtables table.

	  To compile it as a module, choose M here. If unsure, say N.

endif # BRIDGE_NF_EBTABLES