authorWaldemar Brodkorb <wbx@openadk.org>2009-11-29 19:45:19 +0100
committerWaldemar Brodkorb <wbx@openadk.org>2009-11-29 19:45:19 +0100
commitb3a54c520195f3cab1109cb90de8179e4dff433f (patch)
tree6728c4cdb14fd18a6b7c040c7d395a2d5603fc74 /target/linux
parent81b38e16646cc758202b51b5174da63e2e09646a (diff)
add bridging firewall stuff
- tested with a transparent squid proxy - fix some minor other stuff - not completely ready
Diffstat (limited to 'target/linux')
-rw-r--r--target/linux/config/Config.in.netfilter247
1 files changed, 243 insertions, 4 deletions
diff --git a/target/linux/config/Config.in.netfilter b/target/linux/config/Config.in.netfilter
index a4dc9b7c7..fc3c2682f 100644
--- a/target/linux/config/Config.in.netfilter
+++ b/target/linux/config/Config.in.netfilter
@@ -8,6 +8,10 @@ config ADK_KERNEL_NETFILTER_ADVANCED
bool
default n
+config ADK_KERNEL_BRIDGE_NETFILTER
+ bool
+ default n
+
config ADK_KERNEL_NETFILTER_XTABLES
bool
select ADK_KERNEL_NETFILTER
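Review bot: The new ADK_KERNEL_BRIDGE_NETFILTER symbol carries no `select` or `depends on` for the netfilter core, while the neighbouring ADK_KERNEL_NETFILTER_XTABLES entry directly below it does `select ADK_KERNEL_NETFILTER`. If this symbol maps onto the kernel's CONFIG_BRIDGE_NETFILTER, which in the kernel's own Kconfig requires both bridge and netfilter support, a configuration that pulls it in only through the ebtables package could request the bridge-netfilter hook with the netfilter core left disabled. Adding `select ADK_KERNEL_NETFILTER` under the new `bool` (plus this tree's bridge-support symbol, if one exists) would keep it consistent with the sibling entries. The ADK_KERNEL_NETFILTER_XTABLES entry continues past the end of the hunk.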
@@ -397,7 +401,7 @@ config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ULOG
config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT
tristate 'REDIRECT target support'
- depends on ADK_KPACKAGE_KMOD_IP_NF_NAT
+ depends on ADK_KPACKAGE_KMOD_NF_NAT
help
REDIRECT is a special case of NAT: all incoming connections are
mapped onto the incoming interface's address, causing the packets to
@@ -406,7 +410,7 @@ config ADK_KPACKAGE_KMOD_IP_NF_TARGET_REDIRECT
config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP
tristate 'NETMAP target support'
- depends on ADK_KPACKAGE_KMOD_IP_NF_NAT
+ depends on ADK_KPACKAGE_KMOD_NF_NAT
help
NETMAP is an implementation of static 1:1 NAT mapping of network
addresses. It maps the network address part, while keeping the host
@@ -415,14 +419,14 @@ config ADK_KPACKAGE_KMOD_IP_NF_TARGET_NETMAP
config ADK_KPACKAGE_KMOD_IP_NF_TARGET_SAME
tristate 'SAME target support'
- depends on ADK_KPACKAGE_KMOD_IP_NF_NAT
+ depends on ADK_KPACKAGE_KMOD_NF_NAT
help
This option adds a `SAME' target, which works like the standard SNAT
target, but attempts to give clients the same IP for all connections.
config ADK_KPACKAGE_KMOD_IP_NF_MANGLE
tristate 'Packet mangling'
- depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES
+ depends on ADK_KPACKAGE_KMOD_NF_NAT
help
This option adds a `mangle' table to iptables: see the man page for
iptables(8). This table is used for various packet alterations
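Review bot: The dependency of ADK_KPACKAGE_KMOD_IP_NF_MANGLE is changed from the iptables module to ADK_KPACKAGE_KMOD_NF_NAT, which does not look intended: the mangle table has no need for connection NAT, and the other edits in this and the two previous hunks only rename ADK_KPACKAGE_KMOD_IP_NF_NAT to ADK_KPACKAGE_KMOD_NF_NAT on NAT targets, so this line reads like the same replacement applied to the wrong entry. As written, packet mangling becomes unselectable unless NAT is also built, and a firewall profile that uses mangle marks without NAT silently loses the option. Unless the iptables symbol was renamed in a part of the file not shown here, the line should stay `depends on ADK_KPACKAGE_KMOD_IP_NF_IPTABLES`. The help text of this entry continues past the hunk.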
@@ -441,4 +445,239 @@ config ADK_KPACKAGE_KMOD_IP_NF_TARGET_ECN
ECN support in general.
endmenu
+
+menu "Ethernet bridge firewalling"
+
+config ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ tristate 'Ethernet Bridge tables (ebtables) support'
+ select ADK_KERNEL_BRIDGE_NETFILTER
+ help
+ ebtables is a general, extensible frame/packet identification
+ framework. Say 'Y' or 'M' here if you want to do Ethernet
+ filtering/NAT/brouting on the Ethernet bridge.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_BROUTE
+ tristate "ebt: broute table support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ The ebtables broute table is used to define rules that decide between
+ bridging and routing frames, giving Linux the functionality of a
+ brouter. See the man page for ebtables(8) and examples on the ebtables
+ website.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_T_FILTER
+ tristate "ebt: filter table support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ The ebtables filter table is used to define frame filtering rules at
+ local input, forwarding and local output. See the man page for
+ ebtables(8).
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_T_NAT
+ tristate "ebt: nat table support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ The ebtables nat table is used to define rules that alter the MAC
+ source address (MAC SNAT) or the MAC destination address (MAC DNAT).
+ See the man page for ebtables(8).
+
+ To compile it as a module, choose M here. If unsure, say N.
+#
+# matches
+#
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_802_3
+ tristate "ebt: 802.3 filter support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds matching support for 802.3 Ethernet frames.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_AMONG
+ tristate "ebt: among filter support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the among match, which allows matching the MAC source
+ and/or destination address on a list of addresses. Optionally,
+ MAC/IP address pairs can be matched, f.e. for anti-spoofing rules.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_ARP
+ tristate "ebt: ARP filter support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the ARP match, which allows ARP and RARP header field
+ filtering.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_IP
+ tristate "ebt: IP filter support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the IP match, which allows basic IP header field
+ filtering.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_IP6
+ tristate "ebt: IP6 filter support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES && ADK_KPACKAGE_KMOD_IPV6
+ help
+ This option adds the IP6 match, which allows basic IPV6 header field
+ filtering.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_LIMIT
+ tristate "ebt: limit match support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the limit match, which allows you to control
+ the rate at which a rule can be matched. This match is the
+ equivalent of the iptables limit match.
+
+ If you want to compile it as a module, say M here and read
+ <file:Documentation/kbuild/modules.txt>. If unsure, say `N'.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_MARK
+ tristate "ebt: mark filter support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the mark match, which allows matching frames based on
+ the 'nfmark' value in the frame. This can be set by the mark target.
+ This value is the same as the one used in the iptables mark match and
+ target.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_PKTTYPE
+ tristate "ebt: packet type filter support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the packet type match, which allows matching on the
+ type of packet based on its Ethernet "class" (as determined by
+ the generic networking code): broadcast, multicast,
+ for this host alone or for another host.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_STP
+ tristate "ebt: STP filter support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the Spanning Tree Protocol match, which
+ allows STP header field filtering.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_VLAN
+ tristate "ebt: 802.1Q VLAN filter support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the 802.1Q vlan match, which allows the filtering of
+ 802.1Q vlan fields.
+
+ To compile it as a module, choose M here. If unsure, say N.
+#
+# targets
+#
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_ARPREPLY
+ tristate "ebt: arp reply target support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the arp reply target, which allows
+ automatically sending arp replies to arp requests.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_DNAT
+ tristate "ebt: dnat target support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the MAC DNAT target, which allows altering the MAC
+ destination address of frames.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_MARK_T
+ tristate "ebt: mark target support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the mark target, which allows marking frames by
+ setting the 'nfmark' value in the frame.
+ This value is the same as the one used in the iptables mark match and
+ target.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_REDIRECT
+ tristate "ebt: redirect target support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the MAC redirect target, which allows altering the MAC
+ destination address of a frame to that of the device it arrived on.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_SNAT
+ tristate "ebt: snat target support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the MAC SNAT target, which allows altering the MAC
+ source address of frames.
+
+ To compile it as a module, choose M here. If unsure, say N.
+#
+# watchers
+#
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_LOG
+ tristate "ebt: log support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option adds the log watcher, that you can use in any rule
+ in any ebtables table. It records info about the frame header
+ to the syslog.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_ULOG
+ tristate "ebt: ulog support (OBSOLETE)"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option enables the old bridge-specific "ebt_ulog" implementation
+ which has been obsoleted by the new "nfnetlink_log" code (see
+ CONFIG_NETFILTER_NETLINK_LOG).
+
+ This option adds the ulog watcher, that you can use in any rule
+ in any ebtables table. The packet is passed to a userspace
+ logging daemon using netlink multicast sockets. This differs
+ from the log watcher in the sense that the complete packet is
+ sent to userspace instead of a descriptive text and that
+ netlink multicast sockets are used instead of the syslog.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+config ADK_KPACKAGE_KMOD_BRIDGE_EBT_NFLOG
+ tristate "ebt: nflog support"
+ depends on ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES
+ help
+ This option enables the nflog watcher, which allows to LOG
+ messages through the netfilter logging API, which can use
+ either the old LOG target, the old ULOG target or nfnetlink_log
+ as backend.
+
+ This option adds the nflog watcher, that you can use in any rule
+ in any ebtables table.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
+
+endmenu
+
endmenu
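Review bot: ADK_KPACKAGE_KMOD_BRIDGE_NF_EBTABLES only does `select ADK_KERNEL_BRIDGE_NETFILTER` and has no `depends on` for bridge support itself, so the whole "Ethernet bridge firewalling" menu can be entered and its modules selected on a kernel built without the bridge, where they cannot be compiled; since every other entry in the menu depends solely on this one, a single `depends on <BRIDGE_SUPPORT_SYMBOL>` (placeholder for whatever symbol this tree uses for the kernel bridge) on the ebtables entry would gate the entire menu. The ebtables help text should also say what the select does to the rest of the firewall: enabling bridge netfilter makes bridged frames traverse the iptables/ip6tables hooks as well (the kernel's bridge-nf-call-* sysctls), which is what the transparent proxy test relies on but also means existing IP rules start seeing bridged traffic, e.g. `Selecting this also enables bridge netfilter, so bridged frames are passed to iptables/ip6tables as well.` Minor: the limit match help still points at <file:Documentation/kbuild/modules.txt>, a kernel-tree path that does not exist in this tree, and there are two consecutive blank lines before the inner endmenu.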