212 lines
6.5 KiB
Plaintext
212 lines
6.5 KiB
Plaintext
#
|
|
# Bridge netfilter configuration
|
|
#
|
|
|
|
menu "Bridge: Netfilter Configuration"
|
|
depends on BRIDGE && NETFILTER
|
|
|
|
config BRIDGE_NF_EBTABLES
|
|
tristate "Ethernet Bridge tables (ebtables) support"
|
|
help
|
|
ebtables is a general, extensible frame/packet identification
|
|
framework. Say 'Y' or 'M' here if you want to do Ethernet
|
|
filtering/NAT/brouting on the Ethernet bridge.
|
|
#
|
|
# tables
|
|
#
|
|
config BRIDGE_EBT_BROUTE
|
|
tristate "ebt: broute table support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
The ebtables broute table is used to define rules that decide between
|
|
bridging and routing frames, giving Linux the functionality of a
|
|
brouter. See the man page for ebtables(8) and examples on the ebtables
|
|
website.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_T_FILTER
|
|
tristate "ebt: filter table support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
The ebtables filter table is used to define frame filtering rules at
|
|
local input, forwarding and local output. See the man page for
|
|
ebtables(8).
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_T_NAT
|
|
tristate "ebt: nat table support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
The ebtables nat table is used to define rules that alter the MAC
|
|
source address (MAC SNAT) or the MAC destination address (MAC DNAT).
|
|
See the man page for ebtables(8).
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
#
|
|
# matches
|
|
#
|
|
config BRIDGE_EBT_802_3
|
|
tristate "ebt: 802.3 filter support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds matching support for 802.3 Ethernet frames.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_AMONG
|
|
tristate "ebt: among filter support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the among match, which allows matching the MAC source
|
|
and/or destination address on a list of addresses. Optionally,
|
|
MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_ARP
|
|
tristate "ebt: ARP filter support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the ARP match, which allows ARP and RARP header field
|
|
filtering.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_IP
|
|
tristate "ebt: IP filter support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the IP match, which allows basic IP header field
|
|
filtering.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_LIMIT
|
|
tristate "ebt: limit match support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the limit match, which allows you to control
|
|
the rate at which a rule can be matched. This match is the
|
|
equivalent of the iptables limit match.
|
|
|
|
If you want to compile it as a module, say M here and read
|
|
<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
|
|
|
|
config BRIDGE_EBT_MARK
|
|
tristate "ebt: mark filter support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the mark match, which allows matching frames based on
|
|
the 'nfmark' value in the frame. This can be set by the mark target.
|
|
This value is the same as the one used in the iptables mark match and
|
|
target.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_PKTTYPE
|
|
tristate "ebt: packet type filter support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the packet type match, which allows matching on the
|
|
type of packet based on its Ethernet "class" (as determined by
|
|
the generic networking code): broadcast, multicast,
|
|
for this host alone or for another host.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_STP
|
|
tristate "ebt: STP filter support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the Spanning Tree Protocol match, which
|
|
allows STP header field filtering.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_VLAN
|
|
tristate "ebt: 802.1Q VLAN filter support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the 802.1Q vlan match, which allows the filtering of
|
|
802.1Q vlan fields.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
#
|
|
# targets
|
|
#
|
|
config BRIDGE_EBT_ARPREPLY
|
|
tristate "ebt: arp reply target support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the arp reply target, which allows
|
|
automatically sending arp replies to arp requests.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_DNAT
|
|
tristate "ebt: dnat target support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the MAC DNAT target, which allows altering the MAC
|
|
destination address of frames.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_MARK_T
|
|
tristate "ebt: mark target support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the mark target, which allows marking frames by
|
|
setting the 'nfmark' value in the frame.
|
|
This value is the same as the one used in the iptables mark match and
|
|
target.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_REDIRECT
|
|
tristate "ebt: redirect target support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the MAC redirect target, which allows altering the MAC
|
|
destination address of a frame to that of the device it arrived on.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_SNAT
|
|
tristate "ebt: snat target support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the MAC SNAT target, which allows altering the MAC
|
|
source address of frames.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
#
|
|
# watchers
|
|
#
|
|
config BRIDGE_EBT_LOG
|
|
tristate "ebt: log support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the log watcher, that you can use in any rule
|
|
in any ebtables table. It records info about the frame header
|
|
to the syslog.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
config BRIDGE_EBT_ULOG
|
|
tristate "ebt: ulog support"
|
|
depends on BRIDGE_NF_EBTABLES
|
|
help
|
|
This option adds the ulog watcher, that you can use in any rule
|
|
in any ebtables table. The packet is passed to a userspace
|
|
logging daemon using netlink multicast sockets. This differs
|
|
from the log watcher in the sense that the complete packet is
|
|
sent to userspace instead of a descriptive text and that
|
|
netlink multicast sockets are used instead of the syslog.
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
endmenu
|