2019-05-19 06:07:45 -06:00
|
|
|
# SPDX-License-Identifier: GPL-2.0-only
|
2005-04-16 16:20:36 -06:00
|
|
|
#
|
|
|
|
|
# Bridge netfilter configuration
|
|
|
|
|
#
|
netfilter: add nftables
This patch adds nftables which is the intended successor of iptables.
This packet filtering framework reuses the existing netfilter hooks,
the connection tracking system, the NAT subsystem, the transparent
proxying engine, the logging infrastructure and the userspace packet
queueing facilities.
In a nutshell, nftables provides a pseudo-state machine with 4 general
purpose registers of 128 bits and 1 specific purpose register to store
verdicts. This pseudo-machine comes with an extensible instruction set,
a.k.a. "expressions" in the nftables jargon. The expressions included
in this patch provide the basic functionality, they are:
* bitwise: to perform bitwise operations.
* byteorder: to change from host/network endianess.
* cmp: to compare data with the content of the registers.
* counter: to enable counters on rules.
* ct: to store conntrack keys into register.
* exthdr: to match IPv6 extension headers.
* immediate: to load data into registers.
* limit: to limit matching based on packet rate.
* log: to log packets.
* meta: to match metainformation that usually comes with the skbuff.
* nat: to perform Network Address Translation.
* payload: to fetch data from the packet payload and store it into
registers.
* reject (IPv4 only): to explicitly close connection, eg. TCP RST.
Using this instruction-set, the userspace utility 'nft' can transform
the rules expressed in human-readable text representation (using a
new syntax, inspired by tcpdump) to nftables bytecode.
nftables also inherits the table, chain and rule objects from
iptables, but in a more configurable way, and it also includes the
original datatype-agnostic set infrastructure with mapping support.
This set infrastructure is enhanced in the follow up patch (netfilter:
nf_tables: add netlink set API).
This patch includes the following components:
* the netlink API: net/netfilter/nf_tables_api.c and
include/uapi/netfilter/nf_tables.h
* the packet filter core: net/netfilter/nf_tables_core.c
* the expressions (described above): net/netfilter/nft_*.c
* the filter tables: arp, IPv4, IPv6 and bridge:
net/ipv4/netfilter/nf_tables_ipv4.c
net/ipv6/netfilter/nf_tables_ipv6.c
net/ipv4/netfilter/nf_tables_arp.c
net/bridge/netfilter/nf_tables_bridge.c
* the NAT table (IPv4 only):
net/ipv4/netfilter/nf_table_nat_ipv4.c
* the route table (similar to mangle):
net/ipv4/netfilter/nf_table_route_ipv4.c
net/ipv6/netfilter/nf_table_route_ipv6.c
* internal definitions under:
include/net/netfilter/nf_tables.h
include/net/netfilter/nf_tables_core.h
* It also includes an skeleton expression:
net/netfilter/nft_expr_template.c
and the preliminary implementation of the meta target
net/netfilter/nft_meta_target.c
It also includes a change in struct nf_hook_ops to add a new
pointer to store private data to the hook, that is used to store
the rule list per chain.
This patch is based on the patch from Patrick McHardy, plus merged
accumulated cleanups, fixes and small enhancements to the nftables
code that has been done since 2009, which are:
From Patrick McHardy:
* nf_tables: adjust netlink handler function signatures
* nf_tables: only retry table lookup after successful table module load
* nf_tables: fix event notification echo and avoid unnecessary messages
* nft_ct: add l3proto support
* nf_tables: pass expression context to nft_validate_data_load()
* nf_tables: remove redundant definition
* nft_ct: fix maxattr initialization
* nf_tables: fix invalid event type in nf_tables_getrule()
* nf_tables: simplify nft_data_init() usage
* nf_tables: build in more core modules
* nf_tables: fix double lookup expression unregistation
* nf_tables: move expression initialization to nf_tables_core.c
* nf_tables: build in payload module
* nf_tables: use NFPROTO constants
* nf_tables: rename pid variables to portid
* nf_tables: save 48 bits per rule
* nf_tables: introduce chain rename
* nf_tables: check for duplicate names on chain rename
* nf_tables: remove ability to specify handles for new rules
* nf_tables: return error for rule change request
* nf_tables: return error for NLM_F_REPLACE without rule handle
* nf_tables: include NLM_F_APPEND/NLM_F_REPLACE flags in rule notification
* nf_tables: fix NLM_F_MULTI usage in netlink notifications
* nf_tables: include NLM_F_APPEND in rule dumps
From Pablo Neira Ayuso:
* nf_tables: fix stack overflow in nf_tables_newrule
* nf_tables: nft_ct: fix compilation warning
* nf_tables: nft_ct: fix crash with invalid packets
* nft_log: group and qthreshold are 2^16
* nf_tables: nft_meta: fix socket uid,gid handling
* nft_counter: allow to restore counters
* nf_tables: fix module autoload
* nf_tables: allow to remove all rules placed in one chain
* nf_tables: use 64-bits rule handle instead of 16-bits
* nf_tables: fix chain after rule deletion
* nf_tables: improve deletion performance
* nf_tables: add missing code in route chain type
* nf_tables: rise maximum number of expressions from 12 to 128
* nf_tables: don't delete table if in use
* nf_tables: fix basechain release
From Tomasz Bursztyka:
* nf_tables: Add support for changing users chain's name
* nf_tables: Change chain's name to be fixed sized
* nf_tables: Add support for replacing a rule by another one
* nf_tables: Update uapi nftables netlink header documentation
From Florian Westphal:
* nft_log: group is u16, snaplen u32
From Phil Oester:
* nf_tables: operational limit match
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2013-10-14 03:00:02 -06:00
|
|
|
#
|
2014-04-14 06:41:28 -06:00
|
|
|
menuconfig NF_TABLES_BRIDGE
|
2014-05-25 06:48:33 -06:00
|
|
|
depends on BRIDGE && NETFILTER && NF_TABLES
|
2017-12-07 08:28:26 -07:00
|
|
|
select NETFILTER_FAMILY_BRIDGE
|
2018-03-27 03:53:07 -06:00
|
|
|
bool "Ethernet Bridge nf_tables support"
|
2005-04-16 16:20:36 -06:00
|
|
|
|
2014-04-14 06:41:28 -06:00
|
|
|
if NF_TABLES_BRIDGE
|
2014-06-27 05:36:11 -06:00
|
|
|
config NFT_BRIDGE_REJECT
|
|
|
|
|
tristate "Netfilter nf_tables bridge reject support"
|
|
|
|
|
depends on NFT_REJECT && NFT_REJECT_IPV4 && NFT_REJECT_IPV6
|
|
|
|
|
help
|
|
|
|
|
Add support to reject packets.
|
|
|
|
|
|
2014-06-22 16:28:18 -06:00
|
|
|
config NF_LOG_BRIDGE
|
|
|
|
|
tristate "Bridge packet logging"
|
2016-10-27 12:49:42 -06:00
|
|
|
select NF_LOG_COMMON
|
2014-06-22 16:28:18 -06:00
|
|
|
|
2014-04-14 06:41:28 -06:00
|
|
|
endif # NF_TABLES_BRIDGE
|
|
|
|
|
|
2008-10-08 03:35:17 -06:00
|
|
|
menuconfig BRIDGE_NF_EBTABLES
|
2005-04-16 16:20:36 -06:00
|
|
|
tristate "Ethernet Bridge tables (ebtables) support"
|
2014-05-25 06:48:33 -06:00
|
|
|
depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
|
2017-12-07 08:28:26 -07:00
|
|
|
select NETFILTER_FAMILY_BRIDGE
|
2005-04-16 16:20:36 -06:00
|
|
|
help
|
|
|
|
|
ebtables is a general, extensible frame/packet identification
|
|
|
|
|
framework. Say 'Y' or 'M' here if you want to do Ethernet
|
|
|
|
|
filtering/NAT/brouting on the Ethernet bridge.
|
2008-10-08 03:35:17 -06:00
|
|
|
|
|
|
|
|
if BRIDGE_NF_EBTABLES
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
#
|
|
|
|
|
# tables
|
|
|
|
|
#
|
|
|
|
|
config BRIDGE_EBT_BROUTE
|
|
|
|
|
tristate "ebt: broute table support"
|
|
|
|
|
help
|
|
|
|
|
The ebtables broute table is used to define rules that decide between
|
|
|
|
|
bridging and routing frames, giving Linux the functionality of a
|
|
|
|
|
brouter. See the man page for ebtables(8) and examples on the ebtables
|
|
|
|
|
website.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config BRIDGE_EBT_T_FILTER
|
|
|
|
|
tristate "ebt: filter table support"
|
|
|
|
|
help
|
|
|
|
|
The ebtables filter table is used to define frame filtering rules at
|
|
|
|
|
local input, forwarding and local output. See the man page for
|
|
|
|
|
ebtables(8).
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config BRIDGE_EBT_T_NAT
|
|
|
|
|
tristate "ebt: nat table support"
|
|
|
|
|
help
|
|
|
|
|
The ebtables nat table is used to define rules that alter the MAC
|
|
|
|
|
source address (MAC SNAT) or the MAC destination address (MAC DNAT).
|
|
|
|
|
See the man page for ebtables(8).
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
#
|
|
|
|
|
# matches
|
|
|
|
|
#
|
|
|
|
|
config BRIDGE_EBT_802_3
|
|
|
|
|
tristate "ebt: 802.3 filter support"
|
|
|
|
|
help
|
|
|
|
|
This option adds matching support for 802.3 Ethernet frames.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config BRIDGE_EBT_AMONG
|
|
|
|
|
tristate "ebt: among filter support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the among match, which allows matching the MAC source
|
|
|
|
|
and/or destination address on a list of addresses. Optionally,
|
|
|
|
|
MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config BRIDGE_EBT_ARP
|
|
|
|
|
tristate "ebt: ARP filter support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the ARP match, which allows ARP and RARP header field
|
|
|
|
|
filtering.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config BRIDGE_EBT_IP
|
|
|
|
|
tristate "ebt: IP filter support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the IP match, which allows basic IP header field
|
|
|
|
|
filtering.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2008-06-09 16:55:45 -06:00
|
|
|
config BRIDGE_EBT_IP6
|
|
|
|
|
tristate "ebt: IP6 filter support"
|
2008-06-17 17:16:13 -06:00
|
|
|
depends on BRIDGE_NF_EBTABLES && IPV6
|
2008-06-09 16:55:45 -06:00
|
|
|
help
|
|
|
|
|
This option adds the IP6 match, which allows basic IPV6 header field
|
|
|
|
|
filtering.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2005-04-16 16:20:36 -06:00
|
|
|
config BRIDGE_EBT_LIMIT
|
|
|
|
|
tristate "ebt: limit match support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the limit match, which allows you to control
|
|
|
|
|
the rate at which a rule can be matched. This match is the
|
|
|
|
|
equivalent of the iptables limit match.
|
|
|
|
|
|
|
|
|
|
If you want to compile it as a module, say M here and read
|
2019-06-12 11:52:48 -06:00
|
|
|
<file:Documentation/kbuild/modules.rst>. If unsure, say `N'.
|
2005-04-16 16:20:36 -06:00
|
|
|
|
|
|
|
|
config BRIDGE_EBT_MARK
|
|
|
|
|
tristate "ebt: mark filter support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the mark match, which allows matching frames based on
|
|
|
|
|
the 'nfmark' value in the frame. This can be set by the mark target.
|
|
|
|
|
This value is the same as the one used in the iptables mark match and
|
|
|
|
|
target.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config BRIDGE_EBT_PKTTYPE
|
|
|
|
|
tristate "ebt: packet type filter support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the packet type match, which allows matching on the
|
|
|
|
|
type of packet based on its Ethernet "class" (as determined by
|
|
|
|
|
the generic networking code): broadcast, multicast,
|
|
|
|
|
for this host alone or for another host.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config BRIDGE_EBT_STP
|
|
|
|
|
tristate "ebt: STP filter support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the Spanning Tree Protocol match, which
|
|
|
|
|
allows STP header field filtering.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config BRIDGE_EBT_VLAN
|
|
|
|
|
tristate "ebt: 802.1Q VLAN filter support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the 802.1Q vlan match, which allows the filtering of
|
|
|
|
|
802.1Q vlan fields.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
#
|
|
|
|
|
# targets
|
|
|
|
|
#
|
|
|
|
|
config BRIDGE_EBT_ARPREPLY
|
|
|
|
|
tristate "ebt: arp reply target support"
|
2005-07-19 15:00:13 -06:00
|
|
|
depends on BRIDGE_NF_EBTABLES && INET
|
2005-04-16 16:20:36 -06:00
|
|
|
help
|
|
|
|
|
This option adds the arp reply target, which allows
|
|
|
|
|
automatically sending arp replies to arp requests.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config BRIDGE_EBT_DNAT
|
|
|
|
|
tristate "ebt: dnat target support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the MAC DNAT target, which allows altering the MAC
|
|
|
|
|
destination address of frames.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config BRIDGE_EBT_MARK_T
|
|
|
|
|
tristate "ebt: mark target support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the mark target, which allows marking frames by
|
|
|
|
|
setting the 'nfmark' value in the frame.
|
|
|
|
|
This value is the same as the one used in the iptables mark match and
|
|
|
|
|
target.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config BRIDGE_EBT_REDIRECT
|
|
|
|
|
tristate "ebt: redirect target support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the MAC redirect target, which allows altering the MAC
|
|
|
|
|
destination address of a frame to that of the device it arrived on.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
|
|
|
|
config BRIDGE_EBT_SNAT
|
|
|
|
|
tristate "ebt: snat target support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the MAC SNAT target, which allows altering the MAC
|
|
|
|
|
source address of frames.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
#
|
|
|
|
|
# watchers
|
|
|
|
|
#
|
|
|
|
|
config BRIDGE_EBT_LOG
|
|
|
|
|
tristate "ebt: log support"
|
|
|
|
|
help
|
|
|
|
|
This option adds the log watcher, that you can use in any rule
|
|
|
|
|
in any ebtables table. It records info about the frame header
|
|
|
|
|
to the syslog.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2008-04-14 03:15:54 -06:00
|
|
|
config BRIDGE_EBT_NFLOG
|
|
|
|
|
tristate "ebt: nflog support"
|
|
|
|
|
help
|
|
|
|
|
This option enables the nflog watcher, which allows to LOG
|
|
|
|
|
messages through the netfilter logging API, which can use
|
|
|
|
|
either the old LOG target, the old ULOG target or nfnetlink_log
|
|
|
|
|
as backend.
|
|
|
|
|
|
2008-07-08 03:37:07 -06:00
|
|
|
This option adds the nflog watcher, that you can use in any rule
|
2008-04-14 03:15:54 -06:00
|
|
|
in any ebtables table.
|
|
|
|
|
|
|
|
|
|
To compile it as a module, choose M here. If unsure, say N.
|
|
|
|
|
|
2008-10-08 03:35:17 -06:00
|
|
|
endif # BRIDGE_NF_EBTABLES
|