[mirror_ubuntu-artful-kernel.git] / net / bridge / netfilter / Kconfig

#
# Bridge netfilter configuration
#
#
menuconfig NF_TABLES_BRIDGE
	depends on BRIDGE && NETFILTER && NF_TABLES
	tristate "Ethernet Bridge nf_tables support"

if NF_TABLES_BRIDGE

config NFT_BRIDGE_META
	tristate "Netfilter nf_table bridge meta support"
	depends on NFT_META
	help
	  Add support for bridge dedicated meta key.

config NFT_BRIDGE_REJECT
	tristate "Netfilter nf_tables bridge reject support"
	depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6
	help
	  Add support to reject packets.

config NF_LOG_BRIDGE
	tristate "Bridge packet logging"
	select NF_LOG_COMMON

endif # NF_TABLES_BRIDGE

menuconfig BRIDGE_NF_EBTABLES
	tristate "Ethernet Bridge tables (ebtables) support"
	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
	help
	  ebtables is a general, extensible frame/packet identification
	  framework. Say 'Y' or 'M' here if you want to do Ethernet
	  filtering/NAT/brouting on the Ethernet bridge.

if BRIDGE_NF_EBTABLES

#
# tables
#
config BRIDGE_EBT_BROUTE
	tristate "ebt: broute table support"
	help
	  The ebtables broute table is used to define rules that decide between
	  bridging and routing frames, giving Linux the functionality of a
	  brouter. See the man page for ebtables(8) and examples on the ebtables
	  website.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_FILTER
	tristate "ebt: filter table support"
	help
	  The ebtables filter table is used to define frame filtering rules at
	  local input, forwarding and local output. See the man page for
	  ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_T_NAT
	tristate "ebt: nat table support"
	help
	  The ebtables nat table is used to define rules that alter the MAC
	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	  See the man page for ebtables(8).

	  To compile it as a module, choose M here.  If unsure, say N.
#
# matches
#
config BRIDGE_EBT_802_3
	tristate "ebt: 802.3 filter support"
	help
	  This option adds matching support for 802.3 Ethernet frames.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_AMONG
	tristate "ebt: among filter support"
	help
	  This option adds the among match, which allows matching the MAC source
	  and/or destination address on a list of addresses. Optionally,
	  MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_ARP
	tristate "ebt: ARP filter support"
	help
	  This option adds the ARP match, which allows ARP and RARP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP
	tristate "ebt: IP filter support"
	help
	  This option adds the IP match, which allows basic IP header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_IP6
	tristate "ebt: IP6 filter support"
	depends on BRIDGE_NF_EBTABLES && IPV6
	help
	  This option adds the IP6 match, which allows basic IPV6 header field
	  filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_LIMIT
	tristate "ebt: limit match support"
	help
	  This option adds the limit match, which allows you to control
	  the rate at which a rule can be matched. This match is the
	  equivalent of the iptables limit match.

	  If you want to compile it as a module, say M here and read
	  <file:Documentation/kbuild/modules.txt>.  If unsure, say `N'.

config BRIDGE_EBT_MARK
	tristate "ebt: mark filter support"
	help
	  This option adds the mark match, which allows matching frames based on
	  the 'nfmark' value in the frame. This can be set by the mark target.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_PKTTYPE
	tristate "ebt: packet type filter support"
	help
	  This option adds the packet type match, which allows matching on the
	  type of packet based on its Ethernet "class" (as determined by
	  the generic networking code): broadcast, multicast,
	  for this host alone or for another host.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_STP
	tristate "ebt: STP filter support"
	help
	  This option adds the Spanning Tree Protocol match, which
	  allows STP header field filtering.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_VLAN
	tristate "ebt: 802.1Q VLAN filter support"
	help
	  This option adds the 802.1Q vlan match, which allows the filtering of
	  802.1Q vlan fields.

	  To compile it as a module, choose M here.  If unsure, say N.
#
# targets
#
config BRIDGE_EBT_ARPREPLY
	tristate "ebt: arp reply target support"
	depends on BRIDGE_NF_EBTABLES && INET
	help
	  This option adds the arp reply target, which allows
	  automatically sending arp replies to arp requests.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_DNAT
	tristate "ebt: dnat target support"
	help
	  This option adds the MAC DNAT target, which allows altering the MAC
	  destination address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_MARK_T
	tristate "ebt: mark target support"
	help
	  This option adds the mark target, which allows marking frames by
	  setting the 'nfmark' value in the frame.
	  This value is the same as the one used in the iptables mark match and
	  target.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_REDIRECT
	tristate "ebt: redirect target support"
	help
	  This option adds the MAC redirect target, which allows altering the MAC
	  destination address of a frame to that of the device it arrived on.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_SNAT
	tristate "ebt: snat target support"
	help
	  This option adds the MAC SNAT target, which allows altering the MAC
	  source address of frames.

	  To compile it as a module, choose M here.  If unsure, say N.
#
# watchers
#
config BRIDGE_EBT_LOG
	tristate "ebt: log support"
	help
	  This option adds the log watcher, that you can use in any rule
	  in any ebtables table. It records info about the frame header
	  to the syslog.

	  To compile it as a module, choose M here.  If unsure, say N.

config BRIDGE_EBT_NFLOG
	tristate "ebt: nflog support"
	help
	  This option enables the nflog watcher, which allows to LOG
	  messages through the netfilter logging API, which can use
	  either the old LOG target, the old ULOG target or nfnetlink_log
	  as backend.

	  This option adds the nflog watcher, that you can use in any rule
	  in any ebtables table.

	  To compile it as a module, choose M here.  If unsure, say N.

endif # BRIDGE_NF_EBTABLES
Commit	Line	Data
1da177e4 LT	1	#
	2	# Bridge netfilter configuration
	3	#
96518518	4	#
f5efc696	5	menuconfig NF_TABLES_BRIDGE
1708803e	6	depends on BRIDGE && NETFILTER && NF_TABLES
96518518	7	tristate "Ethernet Bridge nf_tables support"
1da177e4	8
f5efc696 TB	9	if NF_TABLES_BRIDGE
	10
	11	config NFT_BRIDGE_META
	12	tristate "Netfilter nf_table bridge meta support"
	13	depends on NFT_META
	14	help
	15	Add support for bridge dedicated meta key.
	16
85f5b308 PNA	17	config NFT_BRIDGE_REJECT
	18	tristate "Netfilter nf_tables bridge reject support"
	19	depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6
	20	help
	21	Add support to reject packets.
	22
960649d1 PNA	23	config NF_LOG_BRIDGE
960649d1 PNA	24	tristate "Bridge packet logging"
1fddf4ba	25	select NF_LOG_COMMON
960649d1	26
f5efc696 TB	27	endif # NF_TABLES_BRIDGE
f5efc696 TB	28
20f3c56f	29	menuconfig BRIDGE_NF_EBTABLES
1da177e4	30	tristate "Ethernet Bridge tables (ebtables) support"
1708803e	31	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
1da177e4 LT	32	help
	33	ebtables is a general, extensible frame/packet identification
	34	framework. Say 'Y' or 'M' here if you want to do Ethernet
	35	filtering/NAT/brouting on the Ethernet bridge.
20f3c56f JE	36
	37	if BRIDGE_NF_EBTABLES
	38
1da177e4 LT	39	#
	40	# tables
	41	#
	42	config BRIDGE_EBT_BROUTE
	43	tristate "ebt: broute table support"
1da177e4 LT	44	help
	45	The ebtables broute table is used to define rules that decide between
	46	bridging and routing frames, giving Linux the functionality of a
	47	brouter. See the man page for ebtables(8) and examples on the ebtables
	48	website.
	49
	50	To compile it as a module, choose M here. If unsure, say N.
	51
	52	config BRIDGE_EBT_T_FILTER
	53	tristate "ebt: filter table support"
1da177e4 LT	54	help
	55	The ebtables filter table is used to define frame filtering rules at
	56	local input, forwarding and local output. See the man page for
	57	ebtables(8).
	58
	59	To compile it as a module, choose M here. If unsure, say N.
	60
	61	config BRIDGE_EBT_T_NAT
	62	tristate "ebt: nat table support"
1da177e4 LT	63	help
	64	The ebtables nat table is used to define rules that alter the MAC
	65	source address (MAC SNAT) or the MAC destination address (MAC DNAT).
	66	See the man page for ebtables(8).
	67
	68	To compile it as a module, choose M here. If unsure, say N.
	69	#
	70	# matches
	71	#
	72	config BRIDGE_EBT_802_3
	73	tristate "ebt: 802.3 filter support"
1da177e4 LT	74	help
	75	This option adds matching support for 802.3 Ethernet frames.
	76
	77	To compile it as a module, choose M here. If unsure, say N.
	78
	79	config BRIDGE_EBT_AMONG
	80	tristate "ebt: among filter support"
1da177e4 LT	81	help
	82	This option adds the among match, which allows matching the MAC source
	83	and/or destination address on a list of addresses. Optionally,
	84	MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.
	85
	86	To compile it as a module, choose M here. If unsure, say N.
	87
	88	config BRIDGE_EBT_ARP
	89	tristate "ebt: ARP filter support"
1da177e4 LT	90	help
	91	This option adds the ARP match, which allows ARP and RARP header field
	92	filtering.
	93
	94	To compile it as a module, choose M here. If unsure, say N.
	95
	96	config BRIDGE_EBT_IP
	97	tristate "ebt: IP filter support"
1da177e4 LT	98	help
	99	This option adds the IP match, which allows basic IP header field
	100	filtering.
	101
	102	To compile it as a module, choose M here. If unsure, say N.
	103
93f65158 KT	104	config BRIDGE_EBT_IP6
93f65158 KT	105	tristate "ebt: IP6 filter support"
f586287e	106	depends on BRIDGE_NF_EBTABLES && IPV6
93f65158 KT	107	help
	108	This option adds the IP6 match, which allows basic IPV6 header field
	109	filtering.
	110
	111	To compile it as a module, choose M here. If unsure, say N.
	112
1da177e4 LT	113	config BRIDGE_EBT_LIMIT
1da177e4 LT	114	tristate "ebt: limit match support"
1da177e4 LT	115	help
	116	This option adds the limit match, which allows you to control
	117	the rate at which a rule can be matched. This match is the
	118	equivalent of the iptables limit match.
	119
	120	If you want to compile it as a module, say M here and read
	121	<file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
	122
	123	config BRIDGE_EBT_MARK
	124	tristate "ebt: mark filter support"
1da177e4 LT	125	help
	126	This option adds the mark match, which allows matching frames based on
	127	the 'nfmark' value in the frame. This can be set by the mark target.
	128	This value is the same as the one used in the iptables mark match and
	129	target.
	130
	131	To compile it as a module, choose M here. If unsure, say N.
	132
	133	config BRIDGE_EBT_PKTTYPE
	134	tristate "ebt: packet type filter support"
1da177e4 LT	135	help
	136	This option adds the packet type match, which allows matching on the
	137	type of packet based on its Ethernet "class" (as determined by
	138	the generic networking code): broadcast, multicast,
	139	for this host alone or for another host.
	140
	141	To compile it as a module, choose M here. If unsure, say N.
	142
	143	config BRIDGE_EBT_STP
	144	tristate "ebt: STP filter support"
1da177e4 LT	145	help
	146	This option adds the Spanning Tree Protocol match, which
	147	allows STP header field filtering.
	148
	149	To compile it as a module, choose M here. If unsure, say N.
	150
	151	config BRIDGE_EBT_VLAN
	152	tristate "ebt: 802.1Q VLAN filter support"
1da177e4 LT	153	help
	154	This option adds the 802.1Q vlan match, which allows the filtering of
	155	802.1Q vlan fields.
	156
	157	To compile it as a module, choose M here. If unsure, say N.
	158	#
	159	# targets
	160	#
	161	config BRIDGE_EBT_ARPREPLY
	162	tristate "ebt: arp reply target support"
eb3f8f5e	163	depends on BRIDGE_NF_EBTABLES && INET
1da177e4 LT	164	help
	165	This option adds the arp reply target, which allows
	166	automatically sending arp replies to arp requests.
	167
	168	To compile it as a module, choose M here. If unsure, say N.
	169
	170	config BRIDGE_EBT_DNAT
	171	tristate "ebt: dnat target support"
1da177e4 LT	172	help
	173	This option adds the MAC DNAT target, which allows altering the MAC
	174	destination address of frames.
	175
	176	To compile it as a module, choose M here. If unsure, say N.
	177
	178	config BRIDGE_EBT_MARK_T
	179	tristate "ebt: mark target support"
1da177e4 LT	180	help
	181	This option adds the mark target, which allows marking frames by
	182	setting the 'nfmark' value in the frame.
	183	This value is the same as the one used in the iptables mark match and
	184	target.
	185
	186	To compile it as a module, choose M here. If unsure, say N.
	187
	188	config BRIDGE_EBT_REDIRECT
	189	tristate "ebt: redirect target support"
1da177e4 LT	190	help
	191	This option adds the MAC redirect target, which allows altering the MAC
	192	destination address of a frame to that of the device it arrived on.
	193
	194	To compile it as a module, choose M here. If unsure, say N.
	195
	196	config BRIDGE_EBT_SNAT
	197	tristate "ebt: snat target support"
1da177e4 LT	198	help
	199	This option adds the MAC SNAT target, which allows altering the MAC
	200	source address of frames.
	201
	202	To compile it as a module, choose M here. If unsure, say N.
	203	#
	204	# watchers
	205	#
	206	config BRIDGE_EBT_LOG
	207	tristate "ebt: log support"
1da177e4 LT	208	help
	209	This option adds the log watcher, that you can use in any rule
	210	in any ebtables table. It records info about the frame header
	211	to the syslog.
	212
	213	To compile it as a module, choose M here. If unsure, say N.
	214
e7bfd0a1 PW	215	config BRIDGE_EBT_NFLOG
e7bfd0a1 PW	216	tristate "ebt: nflog support"
e7bfd0a1 PW	217	help
	218	This option enables the nflog watcher, which allows to LOG
	219	messages through the netfilter logging API, which can use
	220	either the old LOG target, the old ULOG target or nfnetlink_log
	221	as backend.
	222
58de7862	223	This option adds the nflog watcher, that you can use in any rule
e7bfd0a1 PW	224	in any ebtables table.
	225
	226	To compile it as a module, choose M here. If unsure, say N.
	227
20f3c56f	228	endif # BRIDGE_NF_EBTABLES