Commit 84fc2408 authored by David S. Miller's avatar David S. Miller

Florian Westphal says:

====================
nf-next pr 2024-01-29

This batch contains updates for your *next* tree.

First three changes, from Phil Sutter, allow userspace to define
a table that is exclusively owned by a daemon (via netlink socket
aliveness) without auto-removing this table when the userspace program
exits.  Such table gets marked as orphaned and a restarting management
daemon may re-attach/reassume ownership.

Next patch, from Pablo, passes already-validated flags variable around
rather than having the called code re-fetch it from the netlink message.

Patches 5 and 6 update ipvs and nf_conncount to use the recently
introduced KMEM_CACHE() macro.

Last three patches, from myself, tweak kconfig logic a little to
permit a kernel configuration that can run iptables-over-nftables
but not classic (setsockopt) iptables.

Such builds lack the builtin-filter/mangle/raw/nat/security tables,
the set/getsockopt interface and the "old blob format"
interpreter/traverser.  For now, this is 'oldconfig friendly', users
need to manually deselect existing config options for this.
====================

Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents a9c3d39b 7ad26978
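--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1271,6 +1271,12 @@ static inline bool nft_table_has_owner(const struct nft_table *table)
 	return table->flags & NFT_TABLE_F_OWNER;
 }
 
+static inline bool nft_table_is_orphan(const struct nft_table *table)
+{
+	return (table->flags & (NFT_TABLE_F_OWNER | NFT_TABLE_F_PERSIST)) ==
+			NFT_TABLE_F_PERSIST;
+}
+
 static inline bool nft_base_chain_netdev(int family, u32 hooknum)
 {
 	return family == NFPROTO_NETDEV ||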
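Review bot: nft_table_is_orphan() encodes a non-obvious flag combination — NFT_TABLE_F_PERSIST set while NFT_TABLE_F_OWNER is cleared — and carries no comment saying what that state means, unlike the kernel-doc the flags themselves get. A one-line comment above it would help: `/* Persistent table whose owning process is gone (OWNER cleared, PERSIST kept): kept alive so a new owner can re-attach to it. */`. From the commit description this is presumably the state a restarting management daemon re-assumes ownership of, so this predicate gates that re-attach path, which is worth stating at the definition. nft_base_chain_netdev() at the end of the hunk continues past it.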
+5 −1
@@ -179,13 +179,17 @@ enum nft_hook_attributes {
 * enum nft_table_flags - nf_tables table flags
 *
 * @NFT_TABLE_F_DORMANT: this table is not active
 * @NFT_TABLE_F_OWNER:   this table is owned by a process
 * @NFT_TABLE_F_PERSIST: this table shall outlive its owner
 */
enum nft_table_flags {
	NFT_TABLE_F_DORMANT	= 0x1,
	NFT_TABLE_F_OWNER	= 0x2,
	NFT_TABLE_F_PERSIST	= 0x4,
};
#define NFT_TABLE_F_MASK	(NFT_TABLE_F_DORMANT | \
				 NFT_TABLE_F_OWNER)
				 NFT_TABLE_F_OWNER | \
				 NFT_TABLE_F_PERSIST)

/**
 * enum nft_table_attributes - nf_tables table netlink attributes
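Review bot: The kernel-doc line for NFT_TABLE_F_PERSIST says only that the table "shall outlive its owner" and does not relate the flag to NFT_TABLE_F_OWNER, even though the first file section's nft_table_is_orphan() treats PERSIST-without-OWNER as the orphaned state. Since this is a uapi header and the extended NFT_TABLE_F_MASK now lets userspace set the flag, the line should spell out the dependency: `* @NFT_TABLE_F_PERSIST: this table shall outlive its owner; only meaningful together with @NFT_TABLE_F_OWNER`. Whether the kernel rejects PERSIST without OWNER at table creation is not visible in this commit; if it does not, that should be documented here as well.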
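--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -39,6 +39,10 @@ config NF_CONNTRACK_BRIDGE
 
 	  To compile it as a module, choose M here.  If unsure, say N.
 
+# old sockopt interface and eval loop
+config BRIDGE_NF_EBTABLES_LEGACY
+	tristate
+
 menuconfig BRIDGE_NF_EBTABLES
 	tristate "Ethernet Bridge tables (ebtables) support"
 	depends on BRIDGE && NETFILTER && NETFILTER_XTABLES
@@ -55,6 +59,7 @@ if BRIDGE_NF_EBTABLES
 #
 config BRIDGE_EBT_BROUTE
 	tristate "ebt: broute table support"
+	select BRIDGE_NF_EBTABLES_LEGACY
 	help
 	  The ebtables broute table is used to define rules that decide between
 	  bridging and routing frames, giving Linux the functionality of a
@@ -65,6 +70,7 @@ config BRIDGE_EBT_BROUTE
 
 config BRIDGE_EBT_T_FILTER
 	tristate "ebt: filter table support"
+	select BRIDGE_NF_EBTABLES_LEGACY
 	help
 	  The ebtables filter table is used to define frame filtering rules at
 	  local input, forwarding and local output. See the man page for
@@ -74,6 +80,7 @@ config BRIDGE_EBT_T_FILTER
 
 config BRIDGE_EBT_T_NAT
 	tristate "ebt: nat table support"
+	select BRIDGE_NF_EBTABLES_LEGACY
 	help
 	  The ebtables nat table is used to define rules that alter the MAC
 	  source address (MAC SNAT) or the MAC destination address (MAC DNAT).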
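Review bot: The new hidden symbol BRIDGE_NF_EBTABLES_LEGACY is introduced with only the terse comment `# old sockopt interface and eval loop`, so a reader of this Kconfig cannot tell why the three table options (BRIDGE_EBT_BROUTE, BRIDGE_EBT_T_FILTER, BRIDGE_EBT_T_NAT) now select it or why a nft-only build can leave it off. The pull description carries the explanation; I would put it in the file: `# Legacy ebtables core: the set/getsockopt interface and the old blob-format rule interpreter. Selected by the classic table options below; ebtables-nft does not need it.` Being a select-only symbol without a prompt, this comment is the only place its purpose can be documented.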
+1 −1
@@ -9,7 +9,7 @@ obj-$(CONFIG_NFT_BRIDGE_REJECT) += nft_reject_bridge.o
# connection tracking
obj-$(CONFIG_NF_CONNTRACK_BRIDGE) += nf_conntrack_bridge.o

obj-$(CONFIG_BRIDGE_NF_EBTABLES) += ebtables.o
obj-$(CONFIG_BRIDGE_NF_EBTABLES_LEGACY) += ebtables.o

# tables
obj-$(CONFIG_BRIDGE_EBT_BROUTE) += ebtable_broute.o
+25 −18
@@ -10,6 +10,10 @@ config NF_DEFRAG_IPV4
	tristate
	default n

# old sockopt interface and eval loop
config IP_NF_IPTABLES_LEGACY
	tristate

config NF_SOCKET_IPV4
	tristate "IPv4 socket lookup support"
	help
@@ -152,7 +156,7 @@ config IP_NF_MATCH_ECN
config IP_NF_MATCH_RPFILTER
	tristate '"rpfilter" reverse path filter match support'
	depends on NETFILTER_ADVANCED
	depends on IP_NF_MANGLE || IP_NF_RAW
	depends on IP_NF_MANGLE || IP_NF_RAW || NFT_COMPAT
	help
	  This option allows you to match packets whose replies would
	  go out via the interface the packet came in.
@@ -173,6 +177,7 @@ config IP_NF_MATCH_TTL
config IP_NF_FILTER
	tristate "Packet filtering"
	default m if NETFILTER_ADVANCED=n
	select IP_NF_IPTABLES_LEGACY
	help
	  Packet filtering defines a table `filter', which has a series of
	  rules for simple packet filtering at local input, forwarding and
@@ -182,7 +187,7 @@ config IP_NF_FILTER

config IP_NF_TARGET_REJECT
	tristate "REJECT target support"
	depends on IP_NF_FILTER
	depends on IP_NF_FILTER || NFT_COMPAT
	select NF_REJECT_IPV4
	default m if NETFILTER_ADVANCED=n
	help
@@ -212,6 +217,7 @@ config IP_NF_NAT
	default m if NETFILTER_ADVANCED=n
	select NF_NAT
	select NETFILTER_XT_NAT
	select IP6_NF_IPTABLES_LEGACY
	help
	  This enables the `nat' table in iptables. This allows masquerading,
	  port forwarding and other forms of full Network Address Port
@@ -252,6 +258,7 @@ endif # IP_NF_NAT
config IP_NF_MANGLE
	tristate "Packet mangling"
	default m if NETFILTER_ADVANCED=n
	select IP_NF_IPTABLES_LEGACY
	help
	  This option adds a `mangle' table to iptables: see the man page for
	  iptables(8).  This table is used for various packet alterations
@@ -261,7 +268,7 @@ config IP_NF_MANGLE

config IP_NF_TARGET_ECN
	tristate "ECN target support"
	depends on IP_NF_MANGLE
	depends on IP_NF_MANGLE || NFT_COMPAT
	depends on NETFILTER_ADVANCED
	help
	  This option adds a `ECN' target, which can be used in the iptables mangle
@@ -286,6 +293,7 @@ config IP_NF_TARGET_TTL
# raw + specific targets
config IP_NF_RAW
	tristate  'raw table support (required for NOTRACK/TRACE)'
	select IP_NF_IPTABLES_LEGACY
	help
	  This option adds a `raw' table to iptables. This table is the very
	  first in the netfilter framework and hooks in at the PREROUTING
@@ -299,6 +307,7 @@ config IP_NF_SECURITY
	tristate "Security table"
	depends on SECURITY
	depends on NETFILTER_ADVANCED
	select IP_NF_IPTABLES_LEGACY
	help
	  This option adds a `security' table to iptables, for use
	  with Mandatory Access Control (MAC) policy.
@@ -309,36 +318,34 @@ endif # IP_NF_IPTABLES

# ARP tables
config IP_NF_ARPTABLES
	tristate "ARP tables support"
	select NETFILTER_XTABLES
	select NETFILTER_FAMILY_ARP
	depends on NETFILTER_ADVANCED
	help
	  arptables is a general, extensible packet identification framework.
	  The ARP packet filtering and mangling (manipulation)subsystems
	  use this: say Y or M here if you want to use either of those.

	  To compile it as a module, choose M here.  If unsure, say N.
	tristate

if IP_NF_ARPTABLES
config NFT_COMPAT_ARP
	tristate
	depends on NF_TABLES_ARP && NFT_COMPAT
	default m if NFT_COMPAT=m
	default y if NFT_COMPAT=y

config IP_NF_ARPFILTER
	tristate "ARP packet filtering"
	tristate "arptables-legacy packet filtering support"
	select IP_NF_ARPTABLES
	help
	  ARP packet filtering defines a table `filter', which has a series of
	  rules for simple ARP packet filtering at local input and
	  local output.  On a bridge, you can also specify filtering rules
	  for forwarded ARP packets. See the man page for arptables(8).
	  local output.  This is only needed for arptables-legacy(8).
	  Neither arptables-nft nor nftables need this to work.

	  To compile it as a module, choose M here.  If unsure, say N.

config IP_NF_ARP_MANGLE
	tristate "ARP payload mangling"
	depends on IP_NF_ARPTABLES || NFT_COMPAT_ARP
	help
	  Allows altering the ARP packet payload: source and destination
	  hardware and network addresses.

endif # IP_NF_ARPTABLES
	  This option is needed by both arptables-legacy and arptables-nft.
	  It is not used by nftables.

endmenu
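Review bot: In the IP_NF_NAT hunk the added line is `select IP6_NF_IPTABLES_LEGACY`, while every other IPv4 table option touched in this file (IP_NF_FILTER, IP_NF_MANGLE, IP_NF_RAW, IP_NF_SECURITY) selects the IP_NF_IPTABLES_LEGACY symbol that this same file introduces in its first hunk; this looks like a copy-paste slip from the IPv6 counterpart. As far as the hunk shows, a configuration enabling only the IPv4 nat table would then not pull in the IPv4 legacy iptables core it presumably needs and would instead turn on the IPv6 one. The line should read `select IP_NF_IPTABLES_LEGACY`.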