Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | # |
| 2 | # Bridge netfilter configuration |
| 3 | # |
| 4 | |
| 5 | menu "Bridge: Netfilter Configuration" |
Patrick McHardy | 33b8e77 | 2007-12-17 22:47:05 -0800 | [diff] [blame] | 6 | depends on BRIDGE && BRIDGE_NETFILTER |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 7 | |
| 8 | config BRIDGE_NF_EBTABLES |
| 9 | tristate "Ethernet Bridge tables (ebtables) support" |
| 10 | help |
| 11 | ebtables is a general, extensible frame/packet identification |
| 12 | framework. Say 'Y' or 'M' here if you want to do Ethernet |
| 13 | filtering/NAT/brouting on the Ethernet bridge. |
| 14 | # |
| 15 | # tables |
| 16 | # |
| 17 | config BRIDGE_EBT_BROUTE |
| 18 | tristate "ebt: broute table support" |
| 19 | depends on BRIDGE_NF_EBTABLES |
| 20 | help |
| 21 | The ebtables broute table is used to define rules that decide between |
| 22 | bridging and routing frames, giving Linux the functionality of a |
| 23 | brouter. See the man page for ebtables(8) and examples on the ebtables |
| 24 | website. |
| 25 | |
| 26 | To compile it as a module, choose M here. If unsure, say N. |
| 27 | |
| 28 | config BRIDGE_EBT_T_FILTER |
| 29 | tristate "ebt: filter table support" |
| 30 | depends on BRIDGE_NF_EBTABLES |
| 31 | help |
| 32 | The ebtables filter table is used to define frame filtering rules at |
| 33 | local input, forwarding and local output. See the man page for |
| 34 | ebtables(8). |
| 35 | |
| 36 | To compile it as a module, choose M here. If unsure, say N. |
| 37 | |
| 38 | config BRIDGE_EBT_T_NAT |
| 39 | tristate "ebt: nat table support" |
| 40 | depends on BRIDGE_NF_EBTABLES |
| 41 | help |
| 42 | The ebtables nat table is used to define rules that alter the MAC |
| 43 | source address (MAC SNAT) or the MAC destination address (MAC DNAT). |
| 44 | See the man page for ebtables(8). |
| 45 | |
| 46 | To compile it as a module, choose M here. If unsure, say N. |
| 47 | # |
| 48 | # matches |
| 49 | # |
| 50 | config BRIDGE_EBT_802_3 |
| 51 | tristate "ebt: 802.3 filter support" |
| 52 | depends on BRIDGE_NF_EBTABLES |
| 53 | help |
| 54 | This option adds matching support for 802.3 Ethernet frames. |
| 55 | |
| 56 | To compile it as a module, choose M here. If unsure, say N. |
| 57 | |
| 58 | config BRIDGE_EBT_AMONG |
| 59 | tristate "ebt: among filter support" |
| 60 | depends on BRIDGE_NF_EBTABLES |
| 61 | help |
| 62 | This option adds the among match, which allows matching the MAC source |
| 63 | and/or destination address on a list of addresses. Optionally, |
| 64 | MAC/IP address pairs can be matched, e.g. for anti-spoofing rules. |
| 65 | |
| 66 | To compile it as a module, choose M here. If unsure, say N. |
| 67 | |
| 68 | config BRIDGE_EBT_ARP |
| 69 | tristate "ebt: ARP filter support" |
| 70 | depends on BRIDGE_NF_EBTABLES |
| 71 | help |
| 72 | This option adds the ARP match, which allows ARP and RARP header field |
| 73 | filtering. |
| 74 | |
| 75 | To compile it as a module, choose M here. If unsure, say N. |
| 76 | |
| 77 | config BRIDGE_EBT_IP |
| 78 | tristate "ebt: IP filter support" |
| 79 | depends on BRIDGE_NF_EBTABLES |
| 80 | help |
| 81 | This option adds the IP match, which allows basic IP header field |
| 82 | filtering. |
| 83 | |
| 84 | To compile it as a module, choose M here. If unsure, say N. |
| 85 | |
Kuo-lang Tseng | 93f6515 | 2008-06-09 15:55:45 -0700 | [diff] [blame^] | 86 | config BRIDGE_EBT_IP6 |
| 87 | tristate "ebt: IP6 filter support" |
| 88 | depends on BRIDGE_NF_EBTABLES |
| 89 | help |
| 90 | This option adds the IP6 match, which allows basic IPv6 header field |
| 91 | filtering. |
| 92 | |
| 93 | To compile it as a module, choose M here. If unsure, say N. |
| 94 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 95 | config BRIDGE_EBT_LIMIT |
| 96 | tristate "ebt: limit match support" |
| 97 | depends on BRIDGE_NF_EBTABLES |
| 98 | help |
| 99 | This option adds the limit match, which allows you to control |
| 100 | the rate at which a rule can be matched. This match is the |
| 101 | equivalent of the iptables limit match. |
| 102 | |
| 103 | If you want to compile it as a module, say M here and read |
| 104 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
| 105 | |
| 106 | config BRIDGE_EBT_MARK |
| 107 | tristate "ebt: mark filter support" |
| 108 | depends on BRIDGE_NF_EBTABLES |
| 109 | help |
| 110 | This option adds the mark match, which allows matching frames based on |
| 111 | the 'nfmark' value in the frame. This can be set by the mark target. |
| 112 | This value is the same as the one used in the iptables mark match and |
| 113 | target. |
| 114 | |
| 115 | To compile it as a module, choose M here. If unsure, say N. |
| 116 | |
| 117 | config BRIDGE_EBT_PKTTYPE |
| 118 | tristate "ebt: packet type filter support" |
| 119 | depends on BRIDGE_NF_EBTABLES |
| 120 | help |
| 121 | This option adds the packet type match, which allows matching on the |
| 122 | type of packet based on its Ethernet "class" (as determined by |
| 123 | the generic networking code): broadcast, multicast, |
| 124 | for this host alone or for another host. |
| 125 | |
| 126 | To compile it as a module, choose M here. If unsure, say N. |
| 127 | |
| 128 | config BRIDGE_EBT_STP |
| 129 | tristate "ebt: STP filter support" |
| 130 | depends on BRIDGE_NF_EBTABLES |
| 131 | help |
| 132 | This option adds the Spanning Tree Protocol match, which |
| 133 | allows STP header field filtering. |
| 134 | |
| 135 | To compile it as a module, choose M here. If unsure, say N. |
| 136 | |
| 137 | config BRIDGE_EBT_VLAN |
| 138 | tristate "ebt: 802.1Q VLAN filter support" |
| 139 | depends on BRIDGE_NF_EBTABLES |
| 140 | help |
| 141 | This option adds the 802.1Q vlan match, which allows the filtering of |
| 142 | 802.1Q vlan fields. |
| 143 | |
| 144 | To compile it as a module, choose M here. If unsure, say N. |
| 145 | # |
| 146 | # targets |
| 147 | # |
| 148 | config BRIDGE_EBT_ARPREPLY |
| 149 | tristate "ebt: arp reply target support" |
Adrian Bunk | eb3f8f5 | 2005-07-19 14:00:13 -0700 | [diff] [blame] | 150 | depends on BRIDGE_NF_EBTABLES && INET |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 151 | help |
| 152 | This option adds the arp reply target, which allows |
| 153 | automatically sending arp replies to arp requests. |
| 154 | |
| 155 | To compile it as a module, choose M here. If unsure, say N. |
| 156 | |
| 157 | config BRIDGE_EBT_DNAT |
| 158 | tristate "ebt: dnat target support" |
| 159 | depends on BRIDGE_NF_EBTABLES |
| 160 | help |
| 161 | This option adds the MAC DNAT target, which allows altering the MAC |
| 162 | destination address of frames. |
| 163 | |
| 164 | To compile it as a module, choose M here. If unsure, say N. |
| 165 | |
| 166 | config BRIDGE_EBT_MARK_T |
| 167 | tristate "ebt: mark target support" |
| 168 | depends on BRIDGE_NF_EBTABLES |
| 169 | help |
| 170 | This option adds the mark target, which allows marking frames by |
| 171 | setting the 'nfmark' value in the frame. |
| 172 | This value is the same as the one used in the iptables mark match and |
| 173 | target. |
| 174 | |
| 175 | To compile it as a module, choose M here. If unsure, say N. |
| 176 | |
| 177 | config BRIDGE_EBT_REDIRECT |
| 178 | tristate "ebt: redirect target support" |
| 179 | depends on BRIDGE_NF_EBTABLES |
| 180 | help |
| 181 | This option adds the MAC redirect target, which allows altering the MAC |
| 182 | destination address of a frame to that of the device it arrived on. |
| 183 | |
| 184 | To compile it as a module, choose M here. If unsure, say N. |
| 185 | |
| 186 | config BRIDGE_EBT_SNAT |
| 187 | tristate "ebt: snat target support" |
| 188 | depends on BRIDGE_NF_EBTABLES |
| 189 | help |
| 190 | This option adds the MAC SNAT target, which allows altering the MAC |
| 191 | source address of frames. |
| 192 | |
| 193 | To compile it as a module, choose M here. If unsure, say N. |
| 194 | # |
| 195 | # watchers |
| 196 | # |
| 197 | config BRIDGE_EBT_LOG |
| 198 | tristate "ebt: log support" |
| 199 | depends on BRIDGE_NF_EBTABLES |
| 200 | help |
| 201 | This option adds the log watcher, which you can use in any rule |
| 202 | in any ebtables table. It records info about the frame header |
| 203 | to the syslog. |
| 204 | |
| 205 | To compile it as a module, choose M here. If unsure, say N. |
| 206 | |
| 207 | config BRIDGE_EBT_ULOG |
Bart De Schuymer | d5228a4 | 2005-12-13 23:14:08 -0800 | [diff] [blame] | 208 | tristate "ebt: ulog support (OBSOLETE)" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 209 | depends on BRIDGE_NF_EBTABLES |
| 210 | help |
Bart De Schuymer | d5228a4 | 2005-12-13 23:14:08 -0800 | [diff] [blame] | 211 | This option enables the old bridge-specific "ebt_ulog" implementation |
| 212 | which has been obsoleted by the new "nfnetlink_log" code (see |
| 213 | CONFIG_NETFILTER_NETLINK_LOG). |
| 214 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 215 | This option adds the ulog watcher, which you can use in any rule |
| 216 | in any ebtables table. The packet is passed to a userspace |
| 217 | logging daemon using netlink multicast sockets. This differs |
| 218 | from the log watcher in the sense that the complete packet is |
| 219 | sent to userspace instead of a descriptive text and that |
| 220 | netlink multicast sockets are used instead of the syslog. |
| 221 | |
| 222 | To compile it as a module, choose M here. If unsure, say N. |
| 223 | |
Peter Warasin | e7bfd0a | 2008-04-14 11:15:54 +0200 | [diff] [blame] | 224 | config BRIDGE_EBT_NFLOG |
| 225 | tristate "ebt: nflog support" |
| 226 | depends on BRIDGE_NF_EBTABLES |
| 227 | help |
| 228 | This option enables the nflog watcher, which allows logging |
| 229 | messages through the netfilter logging API, which can use |
| 230 | either the old LOG target, the old ULOG target or nfnetlink_log |
| 231 | as backend. |
| 232 | |
| 233 | This option adds the nflog watcher, which you can use in any rule |
| 234 | in any ebtables table. |
| 235 | |
| 236 | To compile it as a module, choose M here. If unsure, say N. |
| 237 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 238 | endmenu |
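
The watcher and target options above decide what a bridge firewall can log and rewrite, so a built kernel's .config is worth auditing against them. The script below is an added example, not part of the kernel tree: it flags the obsolete ulog watcher, a missing log/nflog watcher, and any frame-rewriting targets that are built. The names cfg_value, audit_ebt and SAMPLE_CONFIG are hypothetical, and the sample config is constructed.

```shell
#!/bin/sh
# Added example: audit a kernel .config against the ebtables options above.
# SAMPLE_CONFIG is constructed; on a real host read /boot/config-$(uname -r).
SAMPLE_CONFIG='CONFIG_BRIDGE=m
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_AMONG=m
CONFIG_BRIDGE_EBT_SNAT=y
CONFIG_BRIDGE_EBT_ULOG=m
# CONFIG_BRIDGE_EBT_LOG is not set
# CONFIG_BRIDGE_EBT_NFLOG is not set
# CONFIG_NETFILTER_NETLINK_LOG is not set'

# Print y or m for CONFIG_<symbol>, or n when it is unset or absent.
cfg_value() {  # $1 = config text, $2 = symbol without the CONFIG_ prefix
    val=$(printf '%s\n' "$1" | sed -n "s/^CONFIG_$2=\([ym]\)\$/\1/p" | head -n 1)
    printf '%s\n' "${val:-n}"
}

# Print one finding per line for the config text in $1.
audit_ebt() {
    cfg=$1
    if [ "$(cfg_value "$cfg" BRIDGE_NF_EBTABLES)" = n ]; then
        echo "INFO ebtables not built; no BRIDGE_EBT_* option applies"
        return 0
    fi
    # ebt_ulog is marked OBSOLETE in favour of nfnetlink_log.
    if [ "$(cfg_value "$cfg" BRIDGE_EBT_ULOG)" != n ]; then
        nl=$(cfg_value "$cfg" NETFILTER_NETLINK_LOG)
        echo "WARN BRIDGE_EBT_ULOG is obsolete (NETFILTER_NETLINK_LOG=$nl)"
    fi
    # Without the log or nflog watcher, rules cannot record frames that way.
    if [ "$(cfg_value "$cfg" BRIDGE_EBT_LOG)" = n ] &&
       [ "$(cfg_value "$cfg" BRIDGE_EBT_NFLOG)" = n ]; then
        echo "WARN neither the log nor the nflog watcher is built"
    fi
    # Inventory the targets that rewrite or answer frames on the bridge.
    for sym in DNAT SNAT REDIRECT ARPREPLY; do
        val=$(cfg_value "$cfg" "BRIDGE_EBT_$sym")
        [ "$val" = n ] || echo "NOTE BRIDGE_EBT_$sym=$val"
    done
}

audit_ebt "$SAMPLE_CONFIG"
```

On the constructed sample this reports the obsolete ulog watcher, the absence of log and nflog, and the built-in SNAT target.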