Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 1 | # |
| 2 | # Bridge netfilter configuration |
| 3 | # |
| 4 | |
Jan Engelhardt | 20f3c56 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 5 | menuconfig BRIDGE_NF_EBTABLES |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 6 | tristate "Ethernet Bridge tables (ebtables) support" |
Bart De Schuymer | 9823d9f | 2011-07-29 16:40:30 +0200 | [diff] [blame] | 7 | depends on BRIDGE && NETFILTER |
Jan Engelhardt | 043ef46 | 2008-10-08 11:35:15 +0200 | [diff] [blame] | 8 | select NETFILTER_XTABLES |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 9 | help |
| 10 | ebtables is a general, extensible frame/packet identification |
| 11 | framework. Say 'Y' or 'M' here if you want to do Ethernet |
| 12 | filtering/NAT/brouting on the Ethernet bridge. |
Jan Engelhardt | 20f3c56 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 13 | |
| 14 | if BRIDGE_NF_EBTABLES |
| 15 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 16 | # |
| 17 | # tables |
| 18 | # |
| 19 | config BRIDGE_EBT_BROUTE |
| 20 | tristate "ebt: broute table support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 21 | help |
| 22 | The ebtables broute table is used to define rules that decide between |
| 23 | bridging and routing frames, giving Linux the functionality of a |
| 24 | brouter. See the man page for ebtables(8) and examples on the ebtables |
| 25 | website. |
| 26 | |
| 27 | To compile it as a module, choose M here. If unsure, say N. |
| 28 | |
| 29 | config BRIDGE_EBT_T_FILTER |
| 30 | tristate "ebt: filter table support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 31 | help |
| 32 | The ebtables filter table is used to define frame filtering rules at |
| 33 | local input, forwarding and local output. See the man page for |
| 34 | ebtables(8). |
| 35 | |
| 36 | To compile it as a module, choose M here. If unsure, say N. |
| 37 | |
| 38 | config BRIDGE_EBT_T_NAT |
| 39 | tristate "ebt: nat table support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 40 | help |
| 41 | The ebtables nat table is used to define rules that alter the MAC |
| 42 | source address (MAC SNAT) or the MAC destination address (MAC DNAT). |
| 43 | See the man page for ebtables(8). |
| 44 | |
| 45 | To compile it as a module, choose M here. If unsure, say N. |
| 46 | # |
| 47 | # matches |
| 48 | # |
| 49 | config BRIDGE_EBT_802_3 |
| 50 | tristate "ebt: 802.3 filter support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 51 | help |
| 52 | This option adds matching support for 802.3 Ethernet frames. |
| 53 | |
| 54 | To compile it as a module, choose M here. If unsure, say N. |
| 55 | |
| 56 | config BRIDGE_EBT_AMONG |
| 57 | tristate "ebt: among filter support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 58 | help |
| 59 | This option adds the among match, which allows matching the MAC source |
| 60 | and/or destination address on a list of addresses. Optionally, |
| 61 | MAC/IP address pairs can be matched, e.g. for anti-spoofing rules. |
| 62 | |
| 63 | To compile it as a module, choose M here. If unsure, say N. |
| 64 | |
| 65 | config BRIDGE_EBT_ARP |
| 66 | tristate "ebt: ARP filter support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 67 | help |
| 68 | This option adds the ARP match, which allows ARP and RARP header field |
| 69 | filtering. |
| 70 | |
| 71 | To compile it as a module, choose M here. If unsure, say N. |
| 72 | |
| 73 | config BRIDGE_EBT_IP |
| 74 | tristate "ebt: IP filter support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 75 | help |
| 76 | This option adds the IP match, which allows basic IP header field |
| 77 | filtering. |
| 78 | |
| 79 | To compile it as a module, choose M here. If unsure, say N. |
| 80 | |
Kuo-lang Tseng | 93f6515 | 2008-06-09 15:55:45 -0700 | [diff] [blame] | 81 | config BRIDGE_EBT_IP6 |
| 82 | tristate "ebt: IP6 filter support" |
Randy Dunlap | f586287 | 2008-06-17 16:16:13 -0700 | [diff] [blame] | 83 | depends on BRIDGE_NF_EBTABLES && IPV6 |
Kuo-lang Tseng | 93f6515 | 2008-06-09 15:55:45 -0700 | [diff] [blame] | 84 | help |
| 85 | This option adds the IP6 match, which allows basic IPv6 header field |
| 86 | filtering. |
| 87 | |
| 88 | To compile it as a module, choose M here. If unsure, say N. |
| 89 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 90 | config BRIDGE_EBT_LIMIT |
| 91 | tristate "ebt: limit match support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 92 | help |
| 93 | This option adds the limit match, which allows you to control |
| 94 | the rate at which a rule can be matched. This match is the |
| 95 | equivalent of the iptables limit match. |
| 96 | |
| 97 | If you want to compile it as a module, say M here and read |
| 98 | <file:Documentation/kbuild/modules.txt>. If unsure, say `N'. |
| 99 | |
| 100 | config BRIDGE_EBT_MARK |
| 101 | tristate "ebt: mark filter support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 102 | help |
| 103 | This option adds the mark match, which allows matching frames based on |
| 104 | the 'nfmark' value in the frame. This can be set by the mark target. |
| 105 | This value is the same as the one used in the iptables mark match and |
| 106 | target. |
| 107 | |
| 108 | To compile it as a module, choose M here. If unsure, say N. |
| 109 | |
| 110 | config BRIDGE_EBT_PKTTYPE |
| 111 | tristate "ebt: packet type filter support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 112 | help |
| 113 | This option adds the packet type match, which allows matching on the |
| 114 | type of packet based on its Ethernet "class" (as determined by |
| 115 | the generic networking code): broadcast, multicast, |
| 116 | for this host alone or for another host. |
| 117 | |
| 118 | To compile it as a module, choose M here. If unsure, say N. |
| 119 | |
| 120 | config BRIDGE_EBT_STP |
| 121 | tristate "ebt: STP filter support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 122 | help |
| 123 | This option adds the Spanning Tree Protocol match, which |
| 124 | allows STP header field filtering. |
| 125 | |
| 126 | To compile it as a module, choose M here. If unsure, say N. |
| 127 | |
| 128 | config BRIDGE_EBT_VLAN |
| 129 | tristate "ebt: 802.1Q VLAN filter support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 130 | help |
| 131 | This option adds the 802.1Q vlan match, which allows the filtering of |
| 132 | 802.1Q vlan fields. |
| 133 | |
| 134 | To compile it as a module, choose M here. If unsure, say N. |
| 135 | # |
| 136 | # targets |
| 137 | # |
| 138 | config BRIDGE_EBT_ARPREPLY |
| 139 | tristate "ebt: arp reply target support" |
Adrian Bunk | eb3f8f5 | 2005-07-19 14:00:13 -0700 | [diff] [blame] | 140 | depends on BRIDGE_NF_EBTABLES && INET |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 141 | help |
| 142 | This option adds the arp reply target, which allows |
| 143 | automatically sending arp replies to arp requests. |
| 144 | |
| 145 | To compile it as a module, choose M here. If unsure, say N. |
| 146 | |
| 147 | config BRIDGE_EBT_DNAT |
| 148 | tristate "ebt: dnat target support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 149 | help |
| 150 | This option adds the MAC DNAT target, which allows altering the MAC |
| 151 | destination address of frames. |
| 152 | |
| 153 | To compile it as a module, choose M here. If unsure, say N. |
| 154 | |
| 155 | config BRIDGE_EBT_MARK_T |
| 156 | tristate "ebt: mark target support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 157 | help |
| 158 | This option adds the mark target, which allows marking frames by |
| 159 | setting the 'nfmark' value in the frame. |
| 160 | This value is the same as the one used in the iptables mark match and |
| 161 | target. |
| 162 | |
| 163 | To compile it as a module, choose M here. If unsure, say N. |
| 164 | |
| 165 | config BRIDGE_EBT_REDIRECT |
| 166 | tristate "ebt: redirect target support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 167 | help |
| 168 | This option adds the MAC redirect target, which allows altering the MAC |
| 169 | destination address of a frame to that of the device it arrived on. |
| 170 | |
| 171 | To compile it as a module, choose M here. If unsure, say N. |
| 172 | |
| 173 | config BRIDGE_EBT_SNAT |
| 174 | tristate "ebt: snat target support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 175 | help |
| 176 | This option adds the MAC SNAT target, which allows altering the MAC |
| 177 | source address of frames. |
| 178 | |
| 179 | To compile it as a module, choose M here. If unsure, say N. |
| 180 | # |
| 181 | # watchers |
| 182 | # |
| 183 | config BRIDGE_EBT_LOG |
| 184 | tristate "ebt: log support" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 185 | help |
| 186 | This option adds the log watcher, that you can use in any rule |
| 187 | in any ebtables table. It records info about the frame header |
| 188 | to the syslog. |
| 189 | |
| 190 | To compile it as a module, choose M here. If unsure, say N. |
| 191 | |
| 192 | config BRIDGE_EBT_ULOG |
Bart De Schuymer | d5228a4 | 2005-12-13 23:14:08 -0800 | [diff] [blame] | 193 | tristate "ebt: ulog support (OBSOLETE)" |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 194 | help |
Bart De Schuymer | d5228a4 | 2005-12-13 23:14:08 -0800 | [diff] [blame] | 195 | This option enables the old bridge-specific "ebt_ulog" implementation |
| 196 | which has been obsoleted by the new "nfnetlink_log" code (see |
| 197 | CONFIG_NETFILTER_NETLINK_LOG). |
| 198 | |
Linus Torvalds | 1da177e | 2005-04-16 15:20:36 -0700 | [diff] [blame] | 199 | This option adds the ulog watcher, that you can use in any rule |
| 200 | in any ebtables table. The packet is passed to a userspace |
| 201 | logging daemon using netlink multicast sockets. This differs |
| 202 | from the log watcher in the sense that the complete packet is |
| 203 | sent to userspace instead of a descriptive text and that |
| 204 | netlink multicast sockets are used instead of the syslog. |
| 205 | |
| 206 | To compile it as a module, choose M here. If unsure, say N. |
| 207 | |
Peter Warasin | e7bfd0a | 2008-04-14 11:15:54 +0200 | [diff] [blame] | 208 | config BRIDGE_EBT_NFLOG |
| 209 | tristate "ebt: nflog support" |
Peter Warasin | e7bfd0a | 2008-04-14 11:15:54 +0200 | [diff] [blame] | 210 | help |
| 211 | This option enables the nflog watcher, which allows logging |
| 212 | messages through the netfilter logging API, which can use |
| 213 | either the old LOG target, the old ULOG target or nfnetlink_log |
| 214 | as backend. |
| 215 | |
Patrick McHardy | 58de786 | 2008-07-08 02:37:07 -0700 | [diff] [blame] | 216 | This option adds the nflog watcher, that you can use in any rule |
Peter Warasin | e7bfd0a | 2008-04-14 11:15:54 +0200 | [diff] [blame] | 217 | in any ebtables table. |
| 218 | |
| 219 | To compile it as a module, choose M here. If unsure, say N. |
| 220 | |
Jan Engelhardt | 20f3c56 | 2008-10-08 11:35:17 +0200 | [diff] [blame] | 221 | endif # BRIDGE_NF_EBTABLES |
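
The dependency rules in this Kconfig can be checked against a kernel `.config` when reviewing which ebtables features a build ships. The script below is an added example, not part of the kernel tree: the function names and the sample `.config` fragment are constructed for illustration, and the rules are copied from the `depends on`, `if BRIDGE_NF_EBTABLES` and "(OBSOLETE)" lines above.

```python
import re

# Dependencies stated in the Kconfig above. Every BRIDGE_EBT_* symbol sits
# inside "if BRIDGE_NF_EBTABLES", so it also inherits that dependency.
EXTRA_DEPS = {
    "BRIDGE_NF_EBTABLES": ["BRIDGE", "NETFILTER"],
    "BRIDGE_EBT_IP6": ["IPV6"],
    "BRIDGE_EBT_ARPREPLY": ["INET"],
}
OBSOLETE = {"BRIDGE_EBT_ULOG": "NETFILTER_NETLINK_LOG"}  # per the ulog help text

def parse_dotconfig(text):
    """Return {symbol: 'y' or 'm'}; '# CONFIG_X is not set' lines are skipped."""
    enabled = {}
    for line in text.splitlines():
        m = re.match(r"CONFIG_(\w+)=([ym])\s*$", line.strip())
        if m:
            enabled[m.group(1)] = m.group(2)
    return enabled

def audit(text):
    """Return sorted findings for the ebtables symbols enabled in a .config."""
    enabled = parse_dotconfig(text)
    findings = []
    for sym, val in enabled.items():
        if sym != "BRIDGE_NF_EBTABLES" and not sym.startswith("BRIDGE_EBT_"):
            continue
        deps = list(EXTRA_DEPS.get(sym, []))
        if sym.startswith("BRIDGE_EBT_"):
            deps.append("BRIDGE_NF_EBTABLES")
        for dep in deps:
            if dep not in enabled:
                findings.append(f"{sym}: dependency {dep} is not enabled")
            elif val == "y" and enabled[dep] == "m":
                # A tristate symbol cannot be built in above a modular dependency.
                findings.append(f"{sym}: built-in but dependency {dep} is only a module")
        if sym in OBSOLETE:
            findings.append(f"{sym}: obsolete, see CONFIG_{OBSOLETE[sym]}")
    return sorted(findings)

# Constructed sample .config fragment (not taken from any real system).
SAMPLE = """\
CONFIG_BRIDGE=m
CONFIG_NETFILTER=y
CONFIG_BRIDGE_NF_EBTABLES=m
CONFIG_BRIDGE_EBT_T_FILTER=m
CONFIG_BRIDGE_EBT_IP6=m
# CONFIG_IPV6 is not set
CONFIG_BRIDGE_EBT_ULOG=m
"""
print("\n".join(audit(SAMPLE)))
```

A configuration produced by the kernel's own config tools should not contain unmet dependencies, so the dependency findings are mainly useful for hand-assembled fragments; the obsolete-option finding applies to any `.config`.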